2. The POPI Bill and records retention
Records of personal information must not be retained
(any) longer than (is) necessary for achieving the
purpose for which the information was collected or
subsequently processed, unless –
retention of the record is required or authorised by law
the responsible party reasonably requires the record for
lawful purposes related to its functions or activities
retention of the records is required by a contract between
the parties thereto
the data subject has consented to the retention of the
record
the purposes for which the information was collected or
subsequently processed is or becomes part of a data bank
3. The POPI Bill and records retention (continued)
A responsible party that has used a record of personal information of
a data subject to make a decision about the data subject, must –
retain the record for such period as may be required or prescribed by law or
a code of conduct
if there is no law or code of conduct prescribing a retention period, retain
the record for a period which will afford the data subject a reasonable
opportunity, taking all considerations relating to the use of the personal
information into account, to request access to the record
A responsible party must destroy or delete a record of personal
information or de-identify it as soon as reasonably practicable after
the responsible party is no longer authorised to retain the record
The destruction or deletion of a record of personal information must
be done in a manner that prevents its reconstruction in an intelligible
form
5. The motivation for the retention of records
Businesses retain records and emails for several reasons –
Operational reasons
Legislative compliance – no fewer than 25 laws of general
application prescribe the retention of certain records for certain
periods in certain formats
In industries like financial services, health, retail, mining,
insurance and energy there are further specific retention laws
Retain evidence – disciplinary hearings and litigation
7. Are you under any obligation to retain records
and emails?
General laws that prescribe the retention of business records
include the following -
Companies Act
Income Tax Act, VAT Act, Customs & Excise Act
Labour Relations Act, Employment Equity Act, Basic Conditions of
Employment Act
National Credit Act
Consumer Protection Act
Promotion of Access to Information Act
Electronic Communications & Transactions Act
Regulation of Interception of Communications Act
8. Tackling the Records Management monster
Records consist of paper and electronic records
Sometimes, electronic versions of the paper records exist: these
need to be reconciled
Off-site archiving is not Records Management
Retention and disposal: electronic and physical records don’t
necessarily have the same retention requirements
Information (including records) should be treated as an
organisational asset
Assets are managed throughout their lifecycle, from acquisition to disposal
The value of assets to the organisation is measured and tracked
The risks specific to an asset class are identified and mitigated
Assets have owners and custodians
Every effort is made to ensure that value-adding assets are retained and protected
from abuse
Assets are shared across the organisation for maximum value
9. What next?
Your business needs to retain certain records – because
legislation prescribes such retention or because you might
need the record later to prove or disprove something…
Which records have to be retained?
In what format?
For how long?
May you scan paper records and dispose of the originals?
The ECT Act 25 of 2002 allows you to retain your records in
electronic format – subject to certain important conditions
that are aimed at maintaining the integrity and evidential
weight of the record.
In addition to the records subject to prescribed retention
periods, all outgoing emails should be retained for at least 3
years.
10. Off-site storage:
Not necessarily the easy solution
Can you locate any given record from your off-site provider within a
reasonable timeframe?
Do you have an enterprise-wide index of which documents are stored
where?
Do you have a record of which documents have been retrieved, when,
by whom, and when they were returned?
If your provider has scanned your documents, can the images be
retrieved easily on demand?
Is your provider insured, and do they have adequate protection
against fire, water damage, theft and other hazards?
11. Should you focus on records retention?
The unauthorised use, disclosure or destruction of private and
sensitive data can ruin your reputation and your business!
Disaster may be avoided (or you may at least have a legal leg
to stand on if disaster strikes) when you adopt a Privacy and
Data Protection Policy combined with a records retention
policy to govern the collection, retention, security and use of
private and sensitive data.
Such policies create rules, prohibitions, responsibilities and
procedures regarding the proper use and protection of private
and personal data.
12. Do you need all the information you have?
Data you may delete
Operational data
Legal data retention
POPI compliance management
13. The risk of non-compliance
Criminal fines and civil liability
No or worthless evidence
Inability to conduct disciplinary hearings
Inability to defend allegations of wrong-doing
Poor corporate governance regarding records
Ignoring potentially more effective / cheaper ways of
doing business
Limited security / access control
14. Records Management: Roadblocks and toll gates
on the road to compliance
Passing the buck
No board buy in
Last things first
Decentralised
Legacy technology
15. What should you be doing?
Conduct a health check on your business to determine levels
of legal compliance and adequacy for business requirements
Adopt a records management policy
Adopt an email archiving policy
Adopt an electronic evidence policy
Adopt and update records retention schedules (detailing all
relevant retention legislation, records subject to retention
requirements, retention periods and formats)
16. You need to know the what and how….
No time to flirt!
Time to spring clean your house!