Documents, documents and more documents - is it time to spring clean? - Ahmore Burger-Smidt, Werksmans Attorneys

The POPI Bill and records retention
Records of personal information must not be retained (any) longer than (is) necessary for achieving the purpose for which the information was collected or subsequently processed, unless –
- retention of the record is required or authorised by law
- the responsible party reasonably requires the record for lawful purposes related to its functions or activities
- retention of the records is required by a contract between the parties thereto
- the data subject has consented to the retention of the record
- the purposes for which the information was collected or subsequently processed is or becomes part of a data bank

The POPI Bill and records retention (continued)
A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must –
- retain the record for such period as may be required or prescribed by law or a code of conduct
- if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record
A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record.
The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form.

Understand the landscape
Records, website, data, email, IP, staff

The motivation for the retention of records
Businesses retain records and emails for several reasons –
- Operational reasons
- Legislative compliance – no less than 25 laws of general application prescribe the retention of certain records for certain periods in certain formats
- In industries like financial services, health, retail, mining, insurance and energy there are further specific retention laws
- Retain evidence – disciplinary hearings and litigation

Why all the hype?
[Chart: CCMA cases involving email, by year, 2000 to 2006; vertical axis 0 to 8000]

Are you under any obligation to retain records and emails?
General laws that prescribe the retention of business records include the following -
- Companies Act
- Income Tax Act, VAT Act, Customs & Excise Act
- Labour Relations Act, Employment Equity Act, Basic Conditions of Employment Act
- National Credit Act
- Consumer Protection Act
- Promotion of Access to Information Act
- Electronic Communications & Transactions Act
- Regulations of Interception of Communications Act

Tackling the Records Management monster
- Records consist of paper and electronic records
- Sometimes, electronic versions of the paper records exist: these need to be reconciled
- Off-site archiving is not Records Management
- Retention and disposal: electronic and physical records don’t necessarily have the same retention requirements
- Information (including records) should be treated as an organisational asset
- Assets are managed throughout their lifecycle, from acquisition to disposal
- The value of assets to the organisation is measured and tracked
- The risks specific to an asset class are identified and mitigated
- Assets have owners and custodians
- Every effort is made to ensure that value-adding assets are retained and protected from abuse
- Assets are shared across the organisation for maximum value

What next?
Your business needs to retain certain records – because legislation prescribes such retention or because you might need the record later to prove or disprove something…
- Which records have to be retained?
- In what format?
- For how long?
- May you scan paper records and dispose of the originals?
The ECT Act 25 of 2002 allows you to retain your records in electronic format – subject to certain important conditions that are aimed at maintaining the integrity and evidential weight of the record.
In addition to the records subject to prescribed retention periods, all outgoing emails should be retained for at least 3 years.

Off-site storage: Not necessarily the easy solution
- Can you locate any given record from your off-site provider within a reasonable timeframe?
- Do you have an enterprise-wide index of which documents are stored where?
- Do you have a record of which documents have been retrieved, when, by whom, and when they were returned?
- If your provider has scanned your documents, can the images be retrieved easily on demand?
- Is your provider insured, and do they have adequate protection against fire, water damage, theft and other hazards?

Should you focus on records retention?
The unauthorised use, disclosure or destruction of private and sensitive data can ruin your reputation and your business! Disaster may be avoided (or you may at least have a legal leg to stand on if disaster strikes) when you adopt a Privacy and Data Protection Policy combined with a records retention policy to govern the collection, retention, security and use of private and sensitive data. Such policies create rules, prohibitions, responsibilities and procedures regarding the proper use and protection of private and personal data.

Do you need all the information you have?
- Data you may delete
- Operational data
- Legal data retention
- POPI compliance management

The risk of non-compliance
- Criminal fines and civil liability
- No or worthless evidence
- Inability to conduct disciplinary hearings
- Inability to defend allegations of wrong-doing
- Poor corporate governance regarding records
- Ignoring potentially more effective / cheaper way of doing business
- Limited security / access control

Records Management: Roadblocks and toll gates on the road to compliance
- Passing the buck
- No board buy in
- Last things first
- Decentralised
- Legacy technology

What should you be doing?
- Conduct a health check on your business to determine levels of legal compliance and adequacy for business requirements
- Adopt a records management policy
- Adopt an email archiving policy
- Adopt an electronic evidence policy
- Adopt and update records retention schedules (detailing all relevant retention legislation, records subject to retention requirements, retention periods and formats)

You need to know the what and how… No time to flirt! Time to spring clean your house!