By Lize de la Harpe, legal adviser
In the last edition we discussed the requirements for Direct Marketing.
In this edition we will take a closer look at the requirements for the Retention of Records in the context of POPIA.
What are “records”?
The term “record” is defined in section 1 of POPIA as any recorded personal information:
- regardless of form or medium (*including written records, tape recordings, books, maps, plans and even photographs!);
- in the possession or under the control of the responsible party;
- whether or not it was created by a responsible party; and
- regardless of when it came into existence.
How long may records be kept?
In order to answer this question, we first have to take a step back and recap on Condition 3 - being Purpose specification - as discussed in Part 4 (*see copy attached).
As previously explained, Condition 3 prescribes that personal information must be collected for a specific, explicitly defined and lawful purpose. Conversely, responsible parties should not keep personal information for longer than is necessary for achieving the purpose for which it was collected or further processed, unless one of the exceptions applies (*which we will discuss below!).
Section 14 – retention of records
Section 14 - which forms part of Condition 3 - governs the retention and destruction of records of personal information by a responsible party.
Section 14(1) states that responsible parties may not retain records of personal information for any longer than is necessary for achieving the purpose for which the information was collected or further processed UNLESS:
- the retention of the record is required or authorised by law (*for example, FAIS requires records to be kept for 5 years); OR
- the responsible party reasonably requires the record for lawful purposes related to its functions or activities (*for example, where a product provider needs to keep personal information about a customer so that they can deal with possible complaints about the services or to defend possible future legal claims); OR
- retention of the record is required by a contract between the parties; OR
- the data subject (or a competent person where the data subject is a child) has consented to such retention.
Put simply: a responsible party may only keep records of personal information for longer than the purpose for which it was collected or further processed if it can base such retention on one of the exceptions as listed in section 14.
In addition to the above, section 14(2) makes provision for records of personal information to be kept for longer than the purpose requires if they are kept for historical, statistical or research purposes, provided that the responsible party has established appropriate safeguards against the records being used for any other purpose.
Section 14(3) states that where a responsible party has used a record of personal information to make a decision about a data subject, the record must be kept for such period as may be required by law or a code of conduct, or if there is no law or code of conduct, for a period which will afford the data subject a reasonable opportunity to request access to the record (*for example, where decisions are made in respect of FICA or for underwriting purposes).
What happens when the client asks us to delete his/her records?
Section 5 of POPIA deals with the rights of data subjects. Section 5(c) states that a data subject has the right to request, where necessary, the correction, destruction or deletion of his/her personal information as provided for in terms of section 24.
You will recall we touched on the destruction or deletion of records upon the request of the data subject as provided for in section 24 – see attached Part 8 where we covered Data subject participation (Condition 8).
In terms of section 24(1)(b), a data subject may (inter alia) request a responsible party to destroy or delete a record of personal information which the responsible party is no longer authorised to keep in terms of section 14 of the Act.
This then brings us right back to section 14 as discussed above. As long as the responsible party can base its retention of such records on one of the exceptions as set out in section 14, the retention thereof will not be unlawful.
Destruction of records
Once a responsible party is no longer authorised to retain the record of personal information in terms of section 14(1) or (2) (as discussed above), the responsible party must destroy, delete or de-identify the information as soon as reasonably possible.
(*PS: the Act defines “de-identify” as meaning to delete any information that (a) identifies the data subject, (b) can be used or manipulated by a reasonably foreseeable method to identify the data subject, or (c) can be linked to other information that can identify the data subject).
Destruction or deletion of a record must be such that the personal information cannot be reconstructed in an intelligible form afterwards.
In addition, section 14(6) states that responsible parties must restrict processing of personal information if:
- the accuracy is contested by the data subject, for a period enabling the responsible party to verify accuracy; or
- the responsible party no longer needs the personal information for achieving the purpose for which it was collected (or subsequently processed), but it must be maintained for purposes of proof; or
- the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
- the data subject requests the transmission of the personal information to another automated processing system.
Where processing is restricted as above, it may (with the exception of storage!) only be processed:
- for purposes of proof; or
- with the data subject’s consent; or
- for protection of the rights of another natural or legal person; or
- if such processing is in the public interest.
Once restricted, the responsible party must inform the data subject before lifting the restriction on the processing.
Data retention policies
As also discussed in Part 4, it is advisable for businesses to adopt a formal policy on the retention and destruction of records. Such retention policies should balance legal and privacy concerns against economic and need-to-know concerns to determine the appropriate retention periods, archival rules, data formats, and the permissible means of storage, access and encryption.
The type of records kept will vary from business to business. Each business should therefore carefully consider its own retention and destruction requirements. When selecting storage media and file formats for electronic records, due consideration must be given to the security, integrity, and accessibility requirements of the records.
We have now discussed Retention of Records in detail – in the next edition we will take a closer look at the requirements applicable to the transfer of personal information outside the Republic (Cross border transfer).