What is the impact of POPI on Electronic Document and Records Management Systems (EDRMS)? Will an EDRMS help you to comply with POPI? Does POPI mean that you need an EDRMS even more? Will POPI have an impact on your records management and EDRMS?
There is always going to be personal information in documents and records (both physical and electronic). So, when POPI sets out the conditions for the lawful processing of personal information, it is in a way setting out the conditions for the lawful management of documents and records.
POPI requires the responsible party to “maintain the documentation of all processing operations under its responsibility”. This is no easy task. You must be able to provide people with a description of the subjects on which you hold records and the categories of records you hold on each subject. This task is much easier if you have a good EDRMS.
Retention and restriction of records
Organisations, depending on their sector and type, have to comply with between 250 and 750 regulatory record retention requirements. POPI is set to create new requirements in respect of the retention of records and even in regard to how and when we should destroy them.
Section 14 of POPI deals with the retention and restriction of records of personal information, and it prescribes that “records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed”. The purpose therefore becomes very important. There are however some exceptions, for example where the “retention of the record is required or authorised by law”. In some circumstances, you can retain records “for historical, statistical or research purposes”.
While the objective of POPI is to protect personal information, in practice it translates into significant compliance requirements in respect of records management (and information security) practices. POPI will require organisations to revisit their records management (and information security) practices and policies.
Many organisations are appointing someone in records management as their Information Officer. This shows how important many people consider records management to be in complying with POPI and the impact that POPI will have on records management.
Failure to produce a record that the law requires you to retain may cause the organisation to be reported to the relevant regulator or be subject to statutory sanctions. Statutory sanctions for non-compliance may be as severe as a fine of R10 million or imprisonment for 10 years.
In terms of section 91(2) of POPI “the Regulator may make public any information relating to the personal information management practices of a responsible party that has been the subject of an assessment under this section if the Regulator considers it in the public interest to do so”. This could lead to significant reputational damage. Your records management practices may be aired in public.
Any person who fails to produce a document before the Information Regulator (s104 read with s107) can be fined or imprisoned for up to 12 months.
On the Evidentiary Front
Failing to retain records that the law required you to keep may lead the courts to draw negative inferences in subsequent litigation, should those records not be available as evidence. The Information Regulator can also ask an organisation to produce a record to enable the Information Regulator to investigate a complaint (section 81 of POPI). You need to be able to comply with such a request.
So, good records management (and an EDRMS) can help you to comply with POPI (and other laws). POPI will also have a big impact on your EDRMS. You need to make sure your practices comply with all applicable laws, and that you have considered adhering to all applicable rules, codes and standards.