
Retaining and destroying personal data

The Protection of Personal Information Act (PPIA) has a positive side which to date has not received the same amount of attention as the media debate. The Act places a fair amount of emphasis on the data protection and privacy of information obtained on individuals, and on companies as well. The aim is to ensure that information is acquired lawfully and within a set of requirements that protects the person whose details are contained in that data.

"When it comes to fruition, the law will dictate that all information gathered on an individual is done so fairly and lawfully, is used only for the specified purpose for which it was obtained and that it is adequate and relevant and not excessive to purpose," says Gianmarco Lorenzi, MD of Cleardata, a Metrofile Holdings group company. "These guidelines aim to specifically protect the rights of the person signing a contract or buying a service from an organisation and handing over personal information."

Too often, companies use the opportunity of collecting information from customers to build a marketing database for potential future use. In extreme cases this information has in the past been sold on to third-party suppliers. "The whole role of the PPIA is to ensure the protection of a consumer's rights, limit third-party access to their data and in turn stop the illegal solicitation and sale of personal information. It is the hope of government to stop unlawful behaviour in its tracks," he adds.

Outside of the aforementioned data gathering and capturing requirements, the PPIA also states that all information must be:

  • accurate and up to date;
  • accessible to the subject or person to whom it relates;
  • kept secure; and
  • most importantly, destroyed at the end of the contract the individual has with their service provider.

"Companies drown in data, they hoard it, store it, and file it, just in case they are required to legally call upon it at a later date. While there has been no one law governing information and records retention, but rather industry-specific laws, the PPIA will squash the notion of ambivalence and make companies with this information responsible for knowing what to retain and how long they are allowed to keep it."

To that end, the Act defines that a "requester" must be given access to any record of a private body if: that record is required for the exercise or protection of any rights; that person complies with the procedural requirements in this Act relating to a request for access to that record; and access to that record is not refused in terms of any ground for refusal contemplated in.

"So there are some areas within the PPIA that need clarification and there are those that have some industry bodies up in arms, but the positive side is that it is going to force business to be more responsible with the data they have on their customers. Conversely it is also going to instil more responsible record and information keeping practices, as well as dictate that business not hold onto information ad infinitum, but securely destroy it when its 'expiration' date is met."

The grounds on which an organisation may retain, or must destroy, data and information are clearly described in the PPIA. All organisations must:

  • review their document management procedures and practices;
  • map all records at the very top of the organisation;
  • categorise all their record types;
  • develop clear availability policies;
  • implement procedures and forms to deal with requests;
  • appoint, educate and empower personnel to deal with requests;
  • develop clear categorisation and storage policies;
  • ensure that procedures and policies are adhered to.

"It is a scary prospect for organisations who have not had data management and disposal policies in place, as the initial investment of putting these systems and procedures into place is going to be daunting and in some instances costly. However, the reality is that it really is an 'about time' situation, as many businesses have been very frivolous with the information in their hands.

"It is my belief that the PPIA should be embraced by organisations as an opportunity to get their house in order and not a threat. Make sure documents that need to be stored are done so under lock and key, and that the information to be destroyed is done so confidentially and by qualified professionals that also understand your legal requirements. Remember ultimately the consumer is the one that is going to win, so if you get this right you can be in a position to gain customer loyalty and mindshare," he concludes.

For more information go to www.cleardata.co.za.
