This blog was co-authored by: Preshanta Poonan, associate designate.

South African businesses are required by law to retain a multitude of records depending on the relevant legislation and the industry or business. Since South Africa’s Protection of Personal Information Act, 2013 (POPIA) enactment, there has been much uncertainty surrounding retaining information in South Africa.

POPIA sets out that records of personal information should only be retained under specific circumstances. However, what many people have not been aware of, is that there are several pieces of legislation that have been around long before POPIA which outline the length of retention of records.

Here are five examples of relevant legislation that outline record retention limits:

  • POPIA: According to section 14, records of personal information must not be kept without consent any longer than is necessary for achieving the purpose for which the information was collected. Records may be retained for longer when the retention is required or authorised by law or contract. Therefore, understanding your retention requirements in other legislation is also important for POPIA compliance.
  • Companies Act, 2008: According to section 24, there is a general rule for company records outlining that any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the act and other public regulation must be kept for 7 years or longer as specified in other public regulation.
  • Tax Administration Act, 2011: Section 29 provides that records, books of account, or documents that enable a person to observe the requirements of a tax act, are specifically required under a tax act and that enable the South African Revenue Service (SARS) to be satisfied that the person has observed these requirements should be kept for a period of 5 years following the submission of a tax return, or for 5 years after the relevant tax period. Therefore, companies, businesses and other organisations are obliged to keep their tax records to enable SARS to recreate that filing for at least 5 years after submission for that tax year.
  • Consumer Protection Act, 2008: According to section 36, a person who conducts a promotional competition must retain all the records pertaining to all steps of that competition, including the information relating to the participants and their details, the rules, the prizes, the offers, marketing materials for a period of 3 years.
  • Basic Conditions of Employment Act, 1997: Section 29 and 31 state that employee records outlining the particulars of an employee and their employment terms such as name, occupation, time worked, remuneration and any other prescribed information must be kept for 3 years after the termination of employment or from the date of the last entry in the record.

Can records of personal information be retained indefinitely?

POPIA states that a responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record. After the minimum retention period has lapsed, it is the duty of the company to establish if the record requires further retention and, if not, the record ought to be destroyed or deleted. POPIA sets out that the destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form. Deletion of electronic implies that it can no longer be accessed.

Records retention schedule and policy

It is important to draft a comprehensive records retention schedule and policy for your organisation to ensure that everyone in the organisation is aware of the retention and deletion requirements for different categories of information. There are four main factors to note when it comes to retaining information and building your retention policy:

  • The type of records you hold;
  • The format to retain the record (electronic and physical);
  • The period of retention (and when to delete or destroy); and
  • The security measures in place to secure the records that must be retained.

Each person’s policy will depend on your unique legislative requirements as well as business needs. Get in touch with us to assist you in preparing your records retention schedule and policy.