Retention and Destruction Policy and Procedure
1. INTRODUCTION
- It is important to identify the time periods for which information should be retained by the Organisation. A retention period is usually the minimum period that records of information must be retained. After the retention period has elapsed, such records must either be archived or destroyed.
- It is also important not to retain information for longer than necessary. Where a retention period has expired, the record in question can be destroyed.
2. OBJECTIVE
The objective of this policy and procedure (“Policy”) is to (i) determine the retention period of records that the Organisation keeps, and (ii) describe the process of destruction or archiving such records, where applicable.
3. SCOPE
- This Policy applies to all (i) employees, (ii) contractors, (iii) visitors, and / or (iv) other persons authorised to access and use the Organisation’s systems (“Users”) that create and / or use records that relate to the Organisation’s business operations.
- This Policy applies to all records of information, whether in manual or electronic format.
- Unless the contrary is specified, to the extent that any terms used in this Policy are defined in the Protection of Personal Information Act 4 of 2013 (“POPIA”), such terms will be given the meaning ascribed to them in POPIA.
4. REFERENCE DOCUMENTS
This Policy should be read in conjunction with other policies of the Organisation that regulate the protection of personal information, as this term is defined in POPIA (“Personal Information”).
5. PROCEDURES
- Records
- Lifecycle of records
- The Organisation acknowledges that records have a lifecycle and that, if they have come to the end of their retention period, a decision should be made regarding archiving or destroying them.
- The records management life cycle is as follows:
- The origination of the record is determined either by the creation of the record by the Organisation, or the receipt of the record by the Organisation from a compliant third party.
- Once a record is created or received, it is used, updated, modified, stored, maintained and / or protected by the Organisation on a day-to-day basis.
- At the end of the useful life of the record in question, or when required by relevant and applicable legislation, the Organisation must evaluate whether such record should be archived or destroyed.
- Retention of records
- Proper record management is an important part of doing business and the Organisation must ensure that it complies with all legislation that is applicable to the records held by it.
- As there may be different retention periods depending on the nature of the record, the information set out below will assist in determining the applicable retention period for a record:
- In the event that a minimum retention period is prescribed by legislation, then the retention period set out in such legislation applies.
- In the event that there is no legislated retention period, the retention period set out in the Organisation’s code of conduct (“Code”) applies.
- In the event that there is no retention period stipulated in the Code, or if the Organisation does not have a Code, then the retention period prescribed by any specific applicable contract or agreement applies.
- In the event that there is no retention period stipulated in any specific contract or agreement, then any retention period agreed to by the Data Subject in question applies (and a Data Subject may agree to records of their Personal Information being held for longer periods of time than that prescribed by legislation or by the Organisation itself).
- In the event that a Data Subject has not stipulated or consented to a specific retention period in respect of their records of Personal Information, then any retention period prescribed by the chief executive officer (“CEO”) or compliance officer of the Organisation will apply.
- In the event that none of the above apply, then the Organisation’s information officer may determine the applicable retention period.
- A table of retention periods is also set out in Annexure A for further guidance.
- Destruction
- Destruction decision
- The destruction of records is not the same as the disposition of records.
- The disposition of records refers to the wide range of actions undertaken to manage records over time, which may include the transfer of records to an archival storage.
- The destruction of a record is the act of destroying a record permanently by obliterating such record, so that the information stored in it can no longer be physically or electronically reconstructed or recovered. Any decision to destroy a record must be formally approved by the CEO in writing.
- Where the retention period for a record has expired, a decision must be made to either (i) continue to retain the document (if permitted by law), (ii) transfer the record to an archival storage, or (iii) destroy the record. Some of the factors that will influence this decision are:
- whether the record has reached the end of its useful life;
- whether there could be a future challenge in which the record is needed in a civil or criminal case; and
- whether the record needs to be retained for commercial or business purposes.
- The abovementioned decision must be formally made and must be properly documented. Such decision must be in writing and must be signed off by the CEO.
- Destruction of paper records
- Where a formal decision has been made to destroy Organisation records, the destruction must be done securely. Paper records must either be shredded by the Organisation or placed in confidential bins to be removed by a reputable third-party provider.
- Paper records must not be discarded in trash cans or destroyed by other unsecured methods.
- Destruction of electronic records
- Before electronic records are destroyed, archiving the records should be considered. If the decision is made to destroy the record, then one of the following techniques must be used:
- Overwriting: Overwriting is an effective method of destroying electronic records. This method involves the use of software that overwrites the record multiple times (up to 10 (Ten) times) with strings of “1’s” and “0’s”. This makes the possibility of recovering the record much more remote.
- Physically destroying storage media: Physically destroying the storage media or record must be used where (i) Personal Information, and / or (ii) sensitive or confidential information of the Organisation is stored on a record. This is also the most appropriate method of destroying records stored on portable media, for example by destroying hard drives and shredding CDs and DVDs.
6. RIGHTS RESERVED BY THE ORGANISATION
The Organisation reserves the right to monitor, audit, screen, and preserve Organisation information as the Organisation deems necessary, in its sole discretion, in order to maintain compliance with this Policy and, by extension, all relevant provisions of POPIA. Any dissemination, unauthorised use or benefit from any Organisation information by a User in contravention of this Policy may result in disciplinary action being taken against such User by the Organisation. Furthermore, the use of any account or system in such a way that breaches any of the provisions of this Policy will be reported to the appropriate supervisor or manager within the Organisation, which may lead to further disciplinary action being taken.
7. ENFORCEMENT AND POTENTIAL DISCIPLINARY ACTIONS
Any violation of this Policy may result in disciplinary action being taken against the User in question. Such disciplinary action will be taken in accordance with the Organisation’s applicable disciplinary code, and may include the (i) termination of employment in relation to employees of the Organisation, or (ii) cancellation or termination of contractual relations in the case of other Users, such as contractors or consultants. Notwithstanding the aforegoing, should any authorised User fail to adhere to this Policy, the individual will be dealt with as prescribed by the Organisation’s disciplinary code and procedures.
8. POLICY AWARENESS AND UPDATE
- Training and awareness: The (i) requirement for, and (ii) a User’s obligation in terms of, this Policy will be explained in detail in the Organisation’s induction program, in the case of employees of the Organisation. Further training and additional awareness regarding the Policy will be offered from time to time by the Organisation. The Organisation will specifically make Users who are not employees of the Organisation aware of the Policy.
- Dissemination: This Policy will be made available on the Organisation’s network, intranet or similar portals.
- Review: This Policy will be reviewed from time to time in order to ensure ongoing compliance with POPIA, but such revisions will take place at least annually. More frequent review may be required in response to (i) exceptional circumstances, (ii) organisational change, or (iii) relevant changes in legislation or guidance.
9. ANNEXURE A
Information is only retained by the Organisation for as long as there is a legitimate purpose for the information to be retained, or if there is a legal requirement to retain certain information. In some cases, a decision may be made by the Organisation to retain information for a specific period of time, even if there is no legislated retention period.
The following table sets out the retention periods of information that is held by the Organisation.
| CATEGORIES OF RECORDS ON EACH SUBJECT | FORM HELD | RETENTION PERIOD |
| --- | --- | --- |
| Organisation secretarial records | | |
| Notice of Incorporation | Electronic and physical | Indefinite |
| Memorandum of Incorporation and alterations or amendments | Electronic and physical | Indefinite |
| Rules | Electronic and physical | Indefinite |
| Register of Organisation secretary and auditors | Electronic and physical | Indefinite |
| Notice of shareholders’ meetings, including any resolutions adopted and reports presented at an AGM | Electronic and physical | 7 (Seven) years |
| Record of directors | Electronic and physical | 7 (Seven) years |
| Minutes of directors’ meetings | Electronic and physical | 7 (Seven) years |
| Financial records of the Organisation | | |
| Annual financial statements | Electronic and physical | 7 (Seven) years |
| Accounting records as required by the Companies Act 71 of 2008 | Electronic and physical | 7 (Seven) years |
| Financial agreements | Electronic and physical | 7 (Seven) years |
| Banking details | Electronic and physical | 7 (Seven) years |
| South African Reserve Bank (“SARS”) submissions and other documents relating to taxation | Electronic and physical | 5 (Five) years after submission to SARS |
| Insurance of the Organisation | | |
| Insurance policies held by the Organisation | Electronic and physical | 7 (Seven) years |
| Register of all immovable property owned by the Organisation | Electronic and physical | 7 (Seven) years |
| Employees | | |
| List of Employees | Electronic and physical | 3 (Three) years |
| Personal information of employees | Electronic and physical | 3 (Three) years after termination |
| Employee contracts of employment | Electronic and physical | 3 (Three) years after termination |
| Pension fund and provident fund | Electronic and physical | 3 (Three) years |
| Salaries of employees | Electronic and physical | 3 (Three) years |
| Leave records | Electronic and physical | 3 (Three) years |
| Health and safety – records of earnings and other prescribed particulars of all employees | Electronic and physical | 4 (Four) years |
| Health and Safety – committee and incident reports | Electronic and physical | 3 (Three) years |
| Organisation policies and directives | | |
| Internal policies, procedures and directives relating to employees and the Organisation | Electronic and physical | 7 (Seven) years |
| External policies, procedures and directives relating to clients and other third parties | Electronic and physical | 7 (Seven) years |
| Agreements or contracts | | |
| Standard agreements | Electronic and physical | 3 (Three) years after termination |
| Contracts concluded with customers | Electronic and physical | 5 (Five) years after termination |
| Non-disclosure agreements | Electronic and physical | 3 (Three) years after termination |
| Letters of intent, memoranda of understanding | Electronic and physical | 3 (Three) years after termination |
| Third party contracts (such as joint venture agreements) | Electronic and physical | 3 (Three) years after termination |
| Office management contracts | Electronic and physical | 3 (Three) years after termination |
| Supplier contracts | Electronic and physical | 3 (Three) years after termination |
| Regulatory | | |
| Licenses or authorities | Electronic and physical | Indefinite |
| Published Information | | |
| External newsletters and circulars | Electronic and physical | 1 (One) year |
| Internal newsletters and circulars | Electronic and physical | 1 (One) year |
| Information on the Organisation published by third parties | Electronic and physical | 1 (One) year |
| Customer Information | | |
| Customer details | Electronic and physical | 5 (Five) years after termination |
| Contact details of individuals within customers | Electronic and physical | 5 (Five) years after termination |
| Communications with customers | Electronic and physical | 3 (Three) years after termination |