In pursuit of the rush to amass big data, businesses often lose sight of the fact that they’re legally obliged to store some of those documents, and that how and where they’re stored also matters. Not only could failure to comply potentially attract a massive fine, it could also have reputational implications for the business.
If you live in South Africa or do business here, you’re required by law to keep various types of records, which vary depending on the applicable legislation and the industry you’re in.
South Africa has various pieces of legislation, including the Tax Administration Act, the Companies Act, the Basic Conditions of Employment Act, the National Credit Act and the Consumer Protection Act – to name but a few – not to mention the Protection of Personal Information Act, once it comes into force, that govern document retention. Over and above these there is also industry-specific legislation that must be complied with.
Mark Taylor, CEO of Nashua, says: “Because there are so many laws that impact document retention, it can be confusing for businesses to know which data they’re required to retain and how long they need to keep it.”
It’s a minefield for business. Not only are there different types of records that need to be retained, but there are also stipulations around whether the original document is required, while in some instances a copy might suffice. How long must the documents be retained and is there a maximum prescribed period? How must they be looked after and where must they be kept? What may (or may not) be done with that information while it is being retained? How should it be secured?
Then there’s the quandary of whether the record has to be retained in electronic form (digital) or hard copy. And if, when and how that information has to be destroyed. Not to mention which piece of legislation takes priority when there are conflicting requirements. “It’s easy to see why businesses might struggle to be compliant,” says Taylor.
There are three key factors to consider when it comes to record retention. You need to know:
- The types of records to be retained;
- Whether the record must be retained as an original or a copy; and
- The minimum period of retention.
Some laws even prescribe where the records must be kept, adding to the layers of difficulty in compliance, and when POPIA comes into effect, it will impact all documentation that includes personally identifiable information.
Taylor goes on to clarify when an electronic document is considered to be an original record: “According to the Electronic Communications and Transactions Act, records that were originally created in electronic format are regarded as original versions of that document and can be stored as such. Where a copy has to be retained, the record can be retained either electronically or as a hard copy. Naturally, where documents are retained in electronic or digital format, there are security requirements that must be complied with to preserve the integrity of those records.”
He has the following advice for businesses to protect their electronic records:
- Store them on a medium that’s appropriate for long-term retention.
- The electronic repository must have sufficient storage capacity.
- Archives and backups must be securely maintained.
- Keep separate records with particulars of historical archives and backups.
- Deploy documented technical and organisational measures to safeguard against unauthorised access, theft, loss or intentional or accidental damage, destruction and falsification.
- Implement systems to facilitate the discovery of any attempted or actual changes, falsification or unauthorised access.
To find out more about record retention and the South African law, click here to download Nashua’s document retention guide.
Share