In light of the Protection of Personal Information (POPI) Act 4 of 2013, gone are the days when you could keep records of Personal Information (PI) for ‘just in case’ or ‘because it might be useful someday’.
The POPI Act contains specific requirements regarding the retention and destruction of PI of data subjects. Not only should you (as a responsible party) take care to prevent the loss of PI, but you also need measures in place to address the risks associated with keeping too much PI.
Physical and digital records
Secure retention and destruction of physical PI records or deletion of electronic records are important steps to comply with the POPI Act. They also reduce the chances of data breaches taking place.
PI is only considered destroyed or deleted if it cannot be reconstructed in an intelligible form. Data breaches, and identity theft in particular, often result when PI is incorrectly destroyed or deleted.
Certain business practices may lead to the insecure destruction of physical records. For example, criminals who ‘dumpster dive’ may find documents with PI that are routinely thrown out with ordinary refuse.
Securely destroying digital records may pose challenges, as multiple copies of PI may exist on your systems or devices, such as laptops and cell phones. All these records need to be deleted. It is therefore important to implement correct policies or practices in your business to destroy and delete PI. Your employees should also be trained accordingly.
Legitimate reasons to retain PI
Section 14 of the POPI Act states that “records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected.” So, PI must be destroyed as soon as reasonably possible after you no longer have any legal justification to retain it. Underestimating this obligation can cause considerable practical problems if not tackled systematically.
However, there are legitimate reasons to retain personal information. These are:
- If required or authorised by law. Labour legislation, the Companies Act and many financial services laws require you to retain PI.
- If you reasonably need the record for lawful purposes related to your functions or activities, such as contracts with clients that specify the terms of the service or product offering. You can keep this PI only for as long as a legal liability or claim relating to the contract is possible.
- If a contract between parties requires retaining a record. The contract must specify the retention requirement and ideally the applicable time periods.
- If the data subject consents to the retention. Consent must be voluntary, specific and informed; it must never be assumed. To be able to make an informed decision, the data subject must be informed why retention is required and for how long.
- Records are often retained for historical, statistical or research purposes. This is a wide allowance that the Regulator and the courts will probably interpret conservatively, given the nature and purpose of the Act. You should be able to justify for which specific and reasonable historical, statistical or research purposes the retention is necessary.
- Safeguards should also be put in place to prevent the records from being used for any other purpose. If possible, it is advisable to ‘de-identify’ the PI. This entails destroying any information that: (1) identifies the data subject; (2) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or (3) can be linked by a reasonably foreseeable method to other information that identifies the data subject.
- If PI is used to make a decision about a data subject, for example, if the data subject qualifies for a particular product or will be employed. This PI must be retained for any period required or prescribed by law or a code of conduct. If no period is prescribed, the period that will afford the data subject a reasonable opportunity to request access to the record applies, taking into account the intended use of the PI.
Destruction or deletion of PI
PI is a crucial component of any business, and it is important to have a policy in place on how employees should treat it. Here are some practical tips to keep in mind when drafting such a policy:
- In essence, it should address how employees may obtain, create (for example unique identifiers), store, transmit, protect and destroy or delete PI.
- It must be simple, practical and easily executable. Employees should not be expected to spend excessive time sorting and managing PI records alongside their other duties.
- You need to identify what PI should be collected, where to store it and how to keep it secure. You also should assign a retention period to the PI when it is collected. Responsible parties operating in the financial services industry should give careful consideration to the retention periods that FICA and FAIS legislation require.
- Ideally you would have several retention periods to suit the different purposes for which the PI is used and the types of PI that need to be retained. When the longest applicable retention period expires, you no longer have a reason to keep the PI, and all records of it should be destroyed or de-identified.
- You can securely destroy physical records by implementing a process, for example, shredding paper documents correctly on site. There should also be a policy to minimise the printing of records.
- When dealing with digital or electronic records, consider emails and the risks involved. Email should preferably not be a system of record keeping. Emails that need to be deleted should be fully deleted and not accessible in a deleted items folder.
- Also consider electronic PI that has been stored in a cloud or back-up. Records in the cloud should all be deleted or de-identified. Access to PI on servers or back-ups should be conservatively and responsibly managed.
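The tips above describe a retention schedule in prose: assign a retention period per purpose when PI is collected, let the longest applicable period govern, and then destroy or de-identify. The following Python script is an added illustration of that policy as a periodic review job; it is not code from the article or from Masthead. The retention periods, field names, sample records and the choice of which fields count as direct and quasi-identifiers are all constructed placeholders (the legislation that applies to your records determines the real periods), and the de-identification step implements the three criteria listed under the research-purposes bullet above: direct identifiers, fields that can reasonably be used to identify the subject, and fields that can reasonably be linked to other identifying information.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Hypothetical retention periods per purpose, in days. Constructed for this
# example; they are not periods prescribed by POPI, FICA, FAIS or any other law.
RETENTION_DAYS = {
    "contract": 5 * 365,   # retain while a claim under the contract is still possible
    "statutory": 7 * 365,  # retain because legislation requires the record
    "consent": 2 * 365,    # the period the data subject was informed of and agreed to
}

# Fields treated as identifying (assumption for the example). Direct identifiers
# name the subject; quasi-identifiers can be combined with other data to do so.
DIRECT_IDENTIFIERS = {"name", "id_number", "email"}
QUASI_IDENTIFIERS = {"date_of_birth", "postal_code"}


@dataclass(frozen=True)
class Record:
    record_id: str
    collected_on: date
    purposes: frozenset          # lawful purposes justifying retention
    fields: dict                 # the PI itself, keyed by field name
    research_use: bool = False   # kept for historical/statistical/research purposes


def retention_expiry(record: Record) -> date:
    """Expiry is set by the longest period among the record's purposes."""
    unknown = record.purposes - set(RETENTION_DAYS)
    if unknown:
        # A purpose without an assigned period is a policy gap, not a free pass.
        raise ValueError(f"no retention period assigned for: {sorted(unknown)}")
    if not record.purposes:
        # No lawful purpose at all: the record is due for destruction immediately.
        return record.collected_on
    longest = max(RETENTION_DAYS[p] for p in record.purposes)
    return record.collected_on + timedelta(days=longest)


def de_identify(record: Record) -> Record:
    """Drop direct and quasi-identifiers so the subject cannot be re-identified."""
    kept = {k: v for k, v in record.fields.items()
            if k not in DIRECT_IDENTIFIERS and k not in QUASI_IDENTIFIERS}
    return replace(record, fields=kept)


def decide(record: Record, today: date) -> str:
    """Return 'retain', 'de-identify' or 'destroy' for a record on a given day."""
    if today < retention_expiry(record):
        return "retain"
    return "de-identify" if record.research_use else "destroy"


def run_review(records, today: date):
    """Apply the policy to every record; return surviving records and an audit log."""
    survivors, log = [], []
    for rec in records:
        action = decide(rec, today)
        log.append((rec.record_id, action))
        if action == "retain":
            survivors.append(rec)
        elif action == "de-identify":
            survivors.append(de_identify(rec))
        # 'destroy': not carried forward. Copies in mailboxes, backups and cloud
        # storage are outside this script and must be purged by their own process.
    return survivors, log


# Constructed sample records (fictitious values).
SAMPLE_RECORDS = [
    Record("R1", date(2016, 1, 10), frozenset({"contract", "consent"}),
           {"name": "A. Client", "id_number": "0000000000000",
            "postal_code": "0001", "product": "unit trust"}),
    Record("R2", date(2021, 6, 1), frozenset({"statutory"}),
           {"name": "B. Client", "email": "b@example.invalid", "product": "annuity"}),
    Record("R3", date(2015, 3, 3), frozenset({"consent"}),
           {"name": "C. Client", "date_of_birth": "1970-01-01",
            "outcome": "approved"}, research_use=True),
]

if __name__ == "__main__":
    survivors, log = run_review(SAMPLE_RECORDS, date(2023, 1, 1))
    for record_id, action in log:
        print(record_id, action)
    for rec in survivors:
        print(rec.record_id, rec.fields)
```

The review refuses to run on a record whose purpose has no retention period assigned, which is the practical consequence of the tip that a period must be attached when PI is collected: a missing period should surface as a policy defect, not silently turn into indefinite retention.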
Stakeholders in the financial services industry have concerns regarding what the reasonable retention periods for certain PI should be. It is foreseen that an industry-specific code of conduct will be approved by the Regulator to help clarify the practical challenges and uncertainties relating to PI.
While retaining PI longer than you are legally allowed violates the POPI Act, compliance should not be your only consideration when managing PI. It is pointless to keep data that is not needed, cannot be retrieved efficiently or could be accidentally accessed, while you incur costs in attempting to store it securely. A data breach could affect a large amount of PI and negatively impact your business reputation.
Furthermore, as your clients trust you to manage their financial future, they also trust you to responsibly manage their PI. If you would like to discuss how to manage your clients’ PI in line with the POPI Act requirements, please contact your Masthead consultant.
If you need help guiding your staff through the process of understanding the POPI Act and the impact it will have on the various processes and people in your business, or if you need support and guidance on the steps you need to take and the policies and processes you need to implement to become and remain POPI compliant, we can assist. Contact us for more information.