The information regulator issued a guideline on procedures for making information electronically available (dated March 2022). The purpose of the guideline is to recommend procedures for public and private bodies to make information electronically available, so that people can obtain reasonable access to records swiftly, inexpensively, and effortlessly. The regulator issued the guideline in terms of the Promotion of Access to Information Act 2 of 2000 (PAIA) and considers the relevant records retention provisions covered under the Protection of Personal Information Act 4 of 2013 (POPIA).
Data governance is a critical component of data protection. There are several laws that govern how public and private bodies should manage records and make records accessible. For example, the Constitution guarantees every person the right to access information that may be held by the state or another person. PAIA further enforces access to information from public and private bodies if the person requesting information:
- has a right of access to any records held by a public body (section 11), or
- requires a record held by a private body to exercise or protect their rights (section 50).
Objectives of the guideline
The main objective of the guideline is to provide guidance to public and private bodies in ensuring–
- an efficient and systematic control of the creation, receipt, maintenance, management, use and disposition of records in an electronic environment, based on the international standard ISO 15489 – Records management;
- that their electronic records can be managed to make information available to users and to ensure authentic and reliable electronic records are protected for the long term; and
- the reliability, usability, authenticity, and integrity of their records.
What does the guideline cover?
The guideline is 87 pages long. It contains a lengthy list of definitions and a lot of background information before it delves into its purpose and objectives. It provides guidance on several topics. We’ve summarised some of the most important topics below.
A statutory and regulatory framework
This section of the guideline lists a collection of laws governing electronic records that public and private bodies must be fully aware of. The guideline references the following “main” laws and instruments:
- PAIA
- POPIA
- The National Archives and Records Service of South Africa Act 43 of 1996
- The Public Finance Management Act 1 of 1999
- The Promotion of Administrative Justice Act 3 of 2000
- The Electronic Communications and Transactions Act 25 of 2002
- ISO 15489 – Records management
- ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements
- ISO 30300:2011, Information and documentation – Management systems for records – Fundamentals and vocabulary.
Electronic Records Management policy
The regulator recommends that public and private bodies should define and document a policy for records management. The policy must provide measures to create and manage authentic, reliable, and usable records that can support business functions.
Creating electronic information systems
Responsible parties must ensure that their electronic recordkeeping systems have accurately documented policies. The system must have the functionality to assign responsibilities and have methodologies to manage records. Furthermore, an electronic recordkeeping system must be:
- consistent, so that it produces credible records;
- complete, so that it contains the content, structure, and context generated by the transaction it documents;
- accurate, so that it is quality controlled at input to ensure the information in the system correctly reflects what was communicated in the transaction; and
- preserved, so that its records reflect content, structure, and context within any system by which the records are retained over time.
Developing classification schemes
The guideline states that the classification scheme forms the foundation of any electronic or paper records management programme. A classification scheme must identify:
- different categories of business functions and activities, and
- the records generated because of the work performed, and it must group those records into logical units to facilitate access, storage, and disposal.
Creating a retention and disposal schedule
Organisations must use a records retention and disposal schedule for records management. The retention and disposal schedule must identify how long a responsible party should retain records within different series. The responsible party should also decide whether to keep the records for their value, destroy them, or render them obsolete.
Responsible parties must consider POPIA’s provisions relating to records. For example, a responsible party should not retain records of personal information any longer than is necessary (see section 14(1)). There are exceptions to this rule. For example, you may retain a record for a longer period if:
- it is required or authorised by law;
- the responsible party needs the record for lawful purposes related to its functions or activities;
- retention of the record is required in terms of a contract; or
- the data subject, or a competent person where the data subject is a child, has consented to the retention of the record.
A responsible party that uses a data subject’s record of personal information to make a decision about the data subject must retain the record for a period as may be required or prescribed by law or a code of conduct. If there is no law or code of conduct prescribing a retention period, the responsible party must retain the record for a period which will give the data subject sufficient time to request access to the record.
Destroying, deleting or de-identifying records
Responsible parties should destroy records with no long-term enduring value. Additionally, a responsible party must destroy or delete a record of personal information:
- or de-identify it as soon as possible. (The guideline does not recommend an exact timeframe; it says “as soon as reasonably practicable”. See section 14(4) and (5) of POPIA.)
- in a manner that prevents its reconstruction in an intelligible form. (See section 14(5) of POPIA)
Other general topics include:
- Transferring records – Organisations must transfer any records that have long-term enduring value to an archive facility. Organisations should transfer electronic records in their original format, together with a copy.
- Training – Information officers should ensure that records managers attend a Records Management Course to equip them with the necessary skills to enable them to perform their tasks.
- Security of electronic records – Public and private bodies must consider generally accepted information security practices and procedures which may apply in terms of specific industry or professional rules and regulations.
- Electronic / digital signatures – The regulator recommends that organisations use electronic or digital signatures.
Offences
The guideline highlights the sanctions that apply under PAIA. It is an offence to destroy, damage, alter, conceal, or falsify a record. (Section 90 of PAIA)
Anyone found guilty of an offence can receive a fine or face imprisonment for up to two years.
Actions you can take
- Consider what impact the information regulator’s guidelines will have on your organisation by downloading them.
- Keep up to date with all the regulatory developments in records management by joining our programme.
- Know why keeping documentation and records is so important by looking at what the law requires.