Much of the Personal Information that is kept will be in the form of data in databases or systems, and the rest will be in form of documents or records. Managing these correctly is imperative under POPIA. This article will build on the records management elements that will need to be implemented in order to fully comply with the Protection of Personal Information Act.
Records Retention
POPIA requires that records are captured, kept and maintained:
- Only those which are relevent to purpose
- And only for the length of time for which they are required
- They need to be kept up to date
- Only used for the purpose for which they were gathered.
This implies that the following records management aspects need to be considered.
A records retention schedule needs to be created. For further information on how to do this, look at our Guide to implementing records retention.
Records disposal
A disposal programme needs to implemented and then rigidly followed. It is highly risky under POPIA to keep records and not destroy them when their purpose is finished. This does of course apply to all records, and shouldn't be limited to Personal Information records.
A key element of disposal is to ensure that duplicates are also destroyed as they are also Personal Information. A process of identifying and removing duplicates should be adopted. Duplicates could be in paper or electronic formats.
File Plan or Business Classification Scheme
A structured classification scheme should be developed so that records can be easily identified, stored, retrieved and managed. This should be designed to cater for records on all formats and in all locations. This is essential if records are to be managed correctly in terms of POPIA.