Retention of Records Policy
The Protection of Personal Information Act No 4 of 2013 (“POPIA”) is largely principle-based legislation. Because the nature and extent of a responsible party's activities and operations must be applied against the eight conditions and other provisions of POPIA and its regulations, there is no one-size-fits-all approach to compliance.
However, with a solid understanding of what personal information the business processes and the purpose behind such processing, one may find it beneficial to develop and implement a Retention of Records Policy and Register to better manage retention periods and related considerations, given that the nature and extent of records may be extensive and otherwise difficult to keep track of.
The technology utilised and the approaches taken may differ from organisation to organisation.
Basis of Implementing Retention Policy under POPIA
Section 14 of POPIA provides that a responsible party must retain personal information for only such period as is necessary to achieve the purpose for which it is collected or subsequently processed unless one of the following applies:
- Retention of the record is required or authorised by law;
- The responsible party reasonably requires the record for lawful purposes related to its functions or activities;
- The records are retained for purposes of a contract between the parties thereto;
- The data subject has consented to the retaining of the record.
Records of personal information may be retained for periods in excess of those contemplated above for historical, statistical or research purposes provided that the responsible party has established appropriate safeguards against the records being used for any other purposes.
Taking into consideration the above, what might a Retention Policy address?
- General Provisions may include:
  - What the scope of the policy is, i.e. that it is the policy of the Responsible Party in addressing retention of records in hard copy and electronic format, as well as any other content to be addressed;
  - Administration of the policy, i.e. the persons within the organisation responsible for the policy, which under POPIA would include the Information Officer and Deputy Information Officers;
  - The manner in which records are destroyed or deleted when the Responsible Party is no longer authorised to retain them, recording that the Responsible Party will destroy or delete a record of personal information, or de-identify it, as soon as reasonably practicable after it is no longer authorised to retain the record, in a manner which prevents its reconstruction in an intelligible form, aligning with the conditions in POPIA;
  - Content addressing how legal proceedings or other similar proceedings may impact a retention period;
  - Expectations of staff around storage of personal information, transmitting of organisation information externally and issues of confidentiality;
  - Records pertaining to a decision about a data subject: recording that these would be retained for the period prescribed by law or a code of conduct or, if no such law or code of conduct exists, establishing a retention period which allows the data subject a reasonable opportunity to request access to the record;
  - General principles pertaining to correspondence and internal communications within the Responsible Party and how these are addressed, dependent on whether such items:
    - Relate to or support other records which are retained for specific periods, for example a contract concluded by the Responsible Party or records required to be retained for seven years under the Companies Act 71 of 2008;
    - Are significant in nature, and dependent on the period for which the item is foreseen to have significance.
  - General principles around electronic communications such as:
    - Whether the communications will be uploaded to a Cloud;
    - The time period within which work-related emails are to be deleted, or considerations around this point;
    - The relevance and significance of emails and whether they relate to a record which is to be retained for a specific period.
The retention policy may also incorporate a retention register as an annexure or by reference which can distinguish between:
|Record types|For example business contracts, company law records, HR records, etc.|
|Personal Information|Detailing whether a record contains personal information (yes/no)|
|Retention Period|The time period itself as well as how it is determined to commence and lapse or if same is a permanent record such as company incorporation documents|
|Clarifying or setting out the basis of retention aligned with POPIA, for example the record is retained as:|Retention of the record is still necessary for the purpose it has been collected or subsequently processed for;|
||it is required or authorised by law (for example in terms of Basic Conditions of Employment Act);|
||it is required for lawful purposes related to functions or activities of the responsible party;|
||the data subject has consented to a longer retention period;|
||it is retained for historical, statistical or research purposes (note responsible party must establish reasonable safeguards against record being utilised for any other purpose)|
Article by Lisa Boogaard
19 Sep 2021