- You must ensure the collection of personal information is:
- specific – with intended purposes of processing and possible consequences being clear;
- explicitly defined – such that scope creep is determinable; and
- lawful – with an appropriate legal basis for the processing,
related to a function or activity of the responsible party (as defined in the PAIA manual), and with steps being taken to ensure that the data subject is aware of the purpose of the collection of the information unless an exemption applies.
- Data subjects have the right to be informed about the purpose of collection and use of their personal information. You must provide data subjects with information including: your intended purposes, the retention periods for that personal information, and who it will be shared with.
- You must not keep personal data for longer than you need it.
- Your records of personal information may be retained for historical, statistical or research purposes if you have established appropriate safeguards against the records being used for any other purposes.
- You must retain a record of personal information of a data subject used to make a decision about the data subject as prescribed by law, or long enough to enable a data subject to request access to the record.
- You must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after you are no longer authorised to retain the record. The destruction or deletion of the record must be done in a manner that prevents its reconstruction.
- Under certain circumstances, you must restrict processing of personal information if requested to do so by the data subject. Where processing of personal information is restricted, you must inform the data subject before lifting the restriction on the processing.
☐ We know what personal information we hold and why we need it.
What to provide
We provide data subjects with the following information:
☐ The purposes of the collection of their information related to functions or activities of the responsible party (as defined in the PAIA manual) unless an exemption applies.
When to provide it
☐ We provide data subjects with information at the time we collect their personal information.
How to provide it
We provide information to data subjects about the purposes of collection in a way that is:
☐ explicitly defined; and
☐ clear about the lawful purposes.
What to do with it
☐ We retain records of personal information no longer than is necessary for achieving the given purpose, unless an exemption applies.
☐ We retain records of personal information that the data subject has requested it be retained for purposes of proof.
☐ We retain records of personal information for historical, statistical or research purposes only if appropriate safeguards have been established against the records being used for any other purpose.
☐ We regularly review our information and erase or anonymise personal data when we no longer need it.
☐ We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.
☐ We restrict processing of personal information, under certain circumstances, when requested to do so by data subjects.
- What is a legal register and why maintain a record retention schedule?
- What are the exemptions for retaining information longer?
- What are the safeguards preventing historical, statistical or research records being used for other purposes?
- Do we need a retention policy?
- How should we set retention periods?
- How does this apply to data sharing?
A legal register summarises the legal obligations contained in legislation. A record retention schedule indicates the retention periods for various business records.
Records of personal information can be retained longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, when—
- retention of the record is required or authorised by law;
- the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
- retention of the record is required by a contract between the parties thereto; or
- the data subject or a competent person where the data subject is a child has consented to the retention of the record.
What are the safeguards preventing historical, statistical or research records being used for other purposes?
- Data minimisation
- Storage limitation
Retention policies or retention schedules list the types of record or information you hold, what you use it for, and how long you intend to keep it. They help you establish and document standard retention periods for different categories of personal information.
A retention schedule may form part of a broader ‘IT legal register’, or your general processing documentation.
To comply with documentation requirements, you need to establish and document the retention periods prescribed by law for different categories of information you hold wherever possible. It is also advisable to have a system for ensuring that your organisation keeps to these retention periods in practice, and for reviewing retention at appropriate intervals. Your policy must also be flexible enough to allow for early deletion if appropriate. For example, if you are not actually using a record, you should reconsider whether you need to retain it.
If you are a small organisation undertaking occasional low-risk processing, you may not need a documented retention policy.
POPIA specifies that you must not retain personal information any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed unless the record is required or authorised by law, you have a legitimate interest, it is required by a contract or the data subject has consented to the retention.
It is necessary to identify applicable laws and list the required records. If the basis of retention is legitimate interest, this must be documented, alternatively the retention period must be recorded in the contract between the parties, or consent obtained from the data subject.
If you share personal information with other organisations, you should agree between you what happens once you no longer need to share the information. In some cases, it may be best to return the shared information to the organisation that supplied it without keeping a copy. In other cases, all of the organisations involved should delete their copies of the personal information.