DATA RETENTION & DESTRUCTION POLICY
Definitions:
The Company: Wyngaardt Brokers (Pty) Ltd.
Competent person: Means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
Access: Either physical access to hard copies and/or electronic access through means of software, servers and/or company hardware.
Authorised Person: This is a person that is authorised by the information officer to access certain privileged information on authorised devices / areas in order for the company to operate sufficiently and/or access such information in the best interest of the company.
Privileged information: High level of confidential information with restricted user authority or permission to access information resources. Privileges / access can be established / restricted at the storage area, folder, file, or application levels.
Information: Includes (but is not limited to) employee information, health and safety information, company information, client information, credit card numbers, identification numbers, employee performance reviews, salary details, trade secrets, passwords and information that could harm the business and its employees if the information were disclosed to the public.
Stakeholders: Any association with the company, including, but not limited to, suppliers, clients, employees, contractors and/or any member of the public associated / impacted by company operations.
Consent: means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
Data subject: means the person to whom personal information relates (possibly your clients and/or employees).
Information officer: of, or in relation to, a—
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or (b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;
Regulator: means the Information Regulator established in terms of section 39;
Responsible party: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
Act: The Protection of Personal Information Act, No. 4 of 2013.
1. Purpose:
The purpose of this policy is to control (if authorised) the processing and/or capturing of data specifically for the aim and duration intended and/or regulated. Contact the information officer prior to disclosing and/or interpreting any of the below mentioned. For timelines on keeping of records, please contact the HR department.
2. Retention:
2.1 Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
(a) retention of the record is required or authorised by law; (b) the responsible party reasonably requires the record for lawful purposes related to its functions or activities; (c) retention of the record is required by a contract between the parties thereto; or (d) the data subject or a competent person where the data subject is a child has consented to the retention of the record.
2.2 Records of personal information may be retained for periods in excess of those contemplated in subsection (1) for historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.
2.3 A responsible party that has used a record of personal information of a data subject to make a decision about the data subject, must—
(a) retain the record for such period as may be required or prescribed by law or a code of conduct; or (b) if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
3. Destruction:
3.1 The company must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record. As a policy, all soft copy data is automatically discarded and sent to Cold Storage after 6 months.
3.2 The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form.
3.3 The responsible party must restrict processing of personal information if—
(a) its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information; (b) the responsible party no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof; (c) the processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or (d) the data subject requests to transmit the personal data into another automated processing system.
3.4 Personal information (where applicable) may, with the exception of storage, only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person in respect of a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
3.5 Where processing of personal information is restricted pursuant to subsection (6), the company must inform the data subject before lifting the restriction on processing.
4. Violation / Exemptions:
4.1 Any violation of this policy will result in disciplinary action that can lead to possible termination of services; furthermore, the party / parties involved can be held legally and/or severely liable in their own capacity for any transgressions and/or violations to the detriment of the company and/or their stakeholders.
4.2 Exemptions and or exceptions to the policy must all be handed and approved in writing and filed within the POPI file.
4.3 Any violation(s) / interpretations with regards to any section of this policy can be anonymously reported to the information officer and/or deputy officer. The company’s grievance procedure can also be used for a more formal approach.