News / Legal Brief

Know the pages you will be judged against

Nov 1,2017

by Ahmore Burger-Smidt, Head of Data Privacy Practice

The Protection of Personal Information Act, Act 4 of 2013 (“POPIA“) establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of companies to collect and use personal data for business and other purposes against the right of individuals to respect the privacy of their personal details. Even though the legislation is complex, it is underpinned by a set of straightforward principles.

POPIA applies to all manual/paper records of personal data, which must be kept securely, as well as electronic files.

POPIA requires that personal data is retained by companies for no longer than is necessary for the purpose or purposes for which it is obtained. This requirement places a responsibility on companies, as responsible parties, to be clear about the length of time for which data will be kept and the reason why the information is being retained.

It is a key requirement of data protection legislation that personal data collected for one purpose cannot be retained once that initial purpose has ceased. Equally important to note is that, as long as personal data is retained, the full obligations of POPIA attach to it.

Companies should always consider the implications of retaining data, for example:

  • larger capacity may be required in order to store larger amounts of data, i.e. if data is needed and kept for a long time;
  • their ability to satisfy a data subject’s request for access to their personal data. This could be more difficult if companies retain data for longer than they need it;
  • it may be more difficult to verify the accuracy of data that was obtained a long time ago;
  • data may become outdated and could be used in error.

The POPIA legislation requires companies to ask themselves:

  • whether they have defined the retention periods for which they will keep each type of data which they hold;
  • whether the retention periods are sufficient and not excessive in relation to the purpose(s) for which they are processing the data;
  • what the legislative and regulatory obligations are when deciding on retention periods.

To comply with POPIA, companies should consider having in place:

  • a defined policy on retention periods for all items of personal data held;
  • necessary procedures to implement such a policy;
  • the ability to assign specific responsibility to a designated person for ensuring that files are regularly evaluated safely and securely, and that personal information is not retained any longer than necessary. This process can include appropriate anonymisation of personal data after a defined period if there is a need to retain non-personal data. Anonymisation must be irrevocable and the removing of names/addresses may not necessarily be sufficient. Also, the deletion of information is no longer needed;
  • importantly, certain legislation prescribes a statutory minimum retention period.  It is imperative that organisations are mindful of these statutory minimum retention periods as minimum requirements.

Presently information can be kept  cheaply and effectively on computer. Electronic storage often means that companies do not remain clear about the length of time for which data will be kept and the reason why the information is being retained. The golden rule should always be, if there is no good reason for retaining personal information, then that information should be routinely deleted.

Information should never be kept “just in case” a use could be found for it in the future.

It is suggested that companies consider the following points, as they may help companies to decide on how long retention periods should be:

  • the purpose for which the data is or will be processed;
  • any surrounding circumstances, e.g. whether or not the company still has dealings with the data subject;
  • legislation and regulatory requirements;
  • agreed practice within the industry.

Companies should pay particular attention to old information about former customers or clients, which might have been necessary to hold in the past for a particular purpose, but which they no longer require. If companies would like to retain information about customers to help them provide a better service in the future, companies must obtain the customers’ consent in advance. Good housekeeping would also dictate that companies regularly review the need to retain records.

Therefore, companies should have in place a clear, transparent and compelling justification for retaining each class of data for a specified period. This is guided by a records retention schedule.

A data retention policy might not be seen as a very exciting and interesting topic. However, considering the obligations in terms of POPIA, companies should consider a data retention policy to define the periods for which they are going to hold data and to ensure consistency across the organisation.

All personal information kept by companies must be kept in compliance with POPIA. Every piece of personal information held, creates a risk of falling foul of POPIA.