The Act requires that information be stored, secured and retained only for as long as necessary, i.e. ‘records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected’.
In practice this may be one of the most difficult provisions to comply with, as it requires a very clear picture of every purpose for which a piece of information is kept and a thorough understanding of the underlying business processes.
Records of personal information may be retained for periods in excess of those outlined in subsection (1) of the Act for historical, statistical or research purposes, provided the responsible party has established appropriate safeguards against the records being used for any other purpose.
However, a responsible party that has used a record of personal information of a data subject to make a decision about that data subject must:
- retain the record for such period as may be required or prescribed by law or a code of conduct; or
- if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
The responsible party must destroy or delete a record of personal information, or de-identify it, as soon as reasonably practicable after the responsible party is no longer authorised to retain the record under the Act. Moreover, destruction or deletion of a record must be done in a manner that prevents its reconstruction in an intelligible form, whether the record is physical or digital.
The data subject has the right to request that their personal data be transferred or transmitted to another automated processing system.
Example: a customer moving from insurance provider A to insurance provider B.
Where processing of personal information has been restricted, that information may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another natural or legal person, or if such processing is in the public interest. Where processing of personal information is restricted, the responsible party must inform the data subject before lifting the restriction on processing.
There are exceptions to the retention limit, under which the information may be kept for a longer period. These exceptions apply when retention is required by law, when the record is reasonably required for lawful purposes, and when retention is required by contract.
1. Examples: Required by Law
Records may be retained for longer when the retention “is required or authorised by law”.
Some examples of timeframes for which records must be kept by law or by a code of conduct:
- Law: SARS tax records – See Record Keeping Timeframes
- A person who has submitted a return: five (5) years, counting from the date of submission of the return until the last day of the five-year period.
- Code of Conduct: HPCSA Health Records Timeframes
- Health records should be stored for a period of not less than six (6) years from the date they became dormant.
- For minors under the age of 18 years, health records should be kept until the minor’s 21st birthday, because legally minors have up to three years after they reach the age of 18 years to bring a claim. This applies equally to obstetric records.
- For mentally incompetent patients the records should be kept for the duration of the patient’s lifetime.
2. Examples: Reasonably required
Records may be retained for longer when the organisation “reasonably requires the record for lawful purposes related to its activities and functions”.
- This could also cover records needed as evidence in civil or criminal proceedings.
3. Examples: Required by Contract
As an example, your service contract with a customer might state that you are required to provide the customer with important safety or medical updates regarding your product or service. In order to perform under the contract, you would therefore need to retain their contact information.
- An example of a contracting agreement
- An example of a title deed