Retention of records
Retain only as long as necessary
POPI requires that "records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected…" (Section 14(1)). In practice this may be one of the most difficult provisions to comply with, as it requires a very clear picture of every purpose for which a piece of information is kept and a thorough understanding of business processes. There are some exceptions to this rule, where the information may be kept for longer:
1. When required by law
- Records may be retained for longer when the retention "is required or authorised by law" (Section 14(1)(a)).
- Since numerous laws mandate the retention of different categories of record, it can be a challenge just to find the relevant law.
- The guide to retention periods compiled by the South African Institute of Chartered Accountants is a good starting point.
2. Reasonably required
- Records may be retained for longer when the organisation "reasonably requires the record for lawful purposes related to its activities and functions" (Section 14(1)(b)).
- What is reasonable will depend on the circumstances of each case, which may lead to some uncertainty.
3. Required by contract
- As an example, your service contract with a customer might state that you are required to provide the customer with important safety updates regarding your product. In order to perform under the contract you would therefore need their contact information.
- Consent under POPI has to be specific, voluntary and informed.
- Since the burden of proof would be on you to show that it was given, some sort of record would be desirable.
- It's also important to remember that under-18s normally need a competent person to give consent on their behalf.
Sections 14(2) to (7) contain further exceptions relating to retention for research or statistical purposes, cases where the personal information was used in a decision about the data subject, restriction of records, and so on.
It will probably be difficult to achieve a retention policy that covers the potentially thousands of record categories used by an organisation. One strategy is to start with the most widespread documents, such as invoices, and/or those containing the most sensitive personal information.
For more information, please visit the POPI Compliance website.