How the PoPI Act will affect your Records Management Programme
The Protection of Personal Information (PoPI) Act can and will have serious implications for the way you manage your records.
What is the Protection of Personal Information (PoPI) Act?
When does it apply?
The PoPI Act was signed into law on the 27th of November 2013, though it has yet to come into effect. This does not, however, mean you should not be seriously looking at your current Records Management Programme. In fact, you should be taking advantage of the time you have, as once it does come into effect you will only have one year to demonstrate compliance.
What does it do?
The PoPI Act regulates how organisations collect, process and store personally identifiable information. Personally identifiable information includes but is not limited to the following:
- Identity documents
- Phone numbers
- Email addresses
- Physical addresses
- Financial information
- Education information
- Gender, race and ethnicity
- Photos, videos etc.
- Private correspondence
- Employment history and salary information
Personally identifiable information applies to both living natural persons and juristic persons (companies, CCs etc.).
What is its Purpose?
The purpose of the PoPI Act is to protect your personal information, as an individual or a company, and provide you with certain rights and the ability to exercise some control over it.
Among other things, you are afforded control over:
- when and how you choose to share your information
- who has access to your information
- access to your information, and the ability to request that it be removed or deleted
- the type of information collected
- the continued accuracy of the information collected.
How will the Protection of Personal Information Act affect your Records Management Programme?
When it comes to your Records and Information Management Policy you will be expected to fulfil a number of obligations. These include:
- You should only collect information as it relates to a specific purpose and consent must be given prior to collecting the information.
- All information must be kept accurate and up to date.
- Reasonable security measures must be taken to ensure the information is protected.
- You may not keep information for longer than is reasonably needed and you will need to have, as part of your Records Management Programme, a retention and destruction policy.
Here are some steps to help you become compliant.
- Firstly, you should make sure you read the PoPI Act, especially chapter three, which outlines the eight conditions for lawfully processing personal information.
- Evaluate the type of personal information you currently collect. Different organisations will collect different information and process it in varying ways. Make sure the manner in which you collect the information and how you process it complies with the eight conditions.
- Take a look at how you secure the information you collect and how access to it is controlled. You may need to consider training your personnel on security measures. You should also ensure that both your physical (your premises) storage and your digital storage (hard drives, laptops etc.) are secure.
- Ensure that your Records Management service provider has proper security and access control measures in place for your offsite document and data storage.
The Penalties for Non-Compliance
If your Records Management Programme has not been updated to comply with the PoPI Act when it comes into force, you will have 1 year to comply. Failure to comply with the eight conditions of information processing could land you in hot water, in the form of:
- Possible prison terms
- Fines up to R 10 million
- Civil claims by individuals
At Iron Mountain we stand ready to help you meet your compliance obligations. We operate multiple world-class facilities with high-tech security systems and access control.
Speak to us today about how we can help you make your Records Management Programme compliant with the PoPI Act.