It is incumbent upon organisations to take control of the manner in which personal information is disposed of and to ensure that appropriate mechanisms within the organisation are established to address potential risks.
By Marco Schepers, director: corporate, mergers and acquisitions, and Zinhle Novazi, candidate attorney, at Tabacks Attorney
The pertinent question facing organisations in the era of POPIA is how an organisation should go about deleting or destructing personal information it has processed? For example, can an organisation dispose of personal information in the form of hard copies by simply recycling it? Or can simply deleting a folder from one’s computer or laptop really dispose of the personal information? Will this be enough in terms of complying with POPIA?
POPIA places an obligation on responsible parties when it comes to the deletion or destruction of personal information under its control. Of interest, POPIA does not prescribe the method/s of destructing or deleting personal information, and does not provide any comprehensive guidelines on how responsible parties who process personal information should go about destroying or deleting a record of personal information. POPIA merely states in section 14(5) that personal information must be destroyed or deleted in a manner that prevents its reconstruction in an intelligible form.
Request for Deletion of Personal Information
In terms of section 5 of POPIA, the person whose personal information is processed (Data Subject) not only has the right to have his personal information processed in accordance with the conditions for lawful processing of information in POPIA, but also has the right to request the correction, destruction or deletion of his personal information as provided for in section 24 of POPIA. In terms of section 24, the Data Subject may request a responsible party to correct or delete his personal information which is in the possession or under the control of a responsible party, provided that the personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or it has been unlawfully obtained. Alternatively, the Data Subject may also request the responsible party to delete or destroy his personal information in instances where the responsible party is no longer authorised to retain the personal information in terms of section 14.
Destruction of Personal Information
Given the somewhat limited extent of section 14(5) of POPIA, it is suggested that organisations should implement, as well as document, the process of data destruction and deletion they undertake to ensure that personal information is destroyed or deleted in a manner that prevents its reconstruction in an intelligible form. This would apply to both hard copies/documents, as well as electronic versions and will require organisations to consciously think about, and in some instances completely overhaul, how and in what manner they destroy or delete personal information and whether such processes meet muster as required by the test established by POPIA in terms of section 14(5).
In certain instances, organisations may consider taking the easy route out and hire a reputable company to destroy the hard copy or electronic data for them. Organisations should exercise caution on this approach as in such instances it is the organisation’s responsibility to ensure that such a company is compliant with POPIA when such data is destroyed and deleted, as in instances of a data beach, both the company providing the service and the organisation could be held liable in terms of POPIA.
In light of POPIA, the onus is on organisations to ensure that personal information is sufficiently destroyed and deleted.
Any actions undertaken by organisations to destroy or delete personal information will be under scrutiny should such processes not at a minimum ensure that the personal information is destroyed or deleted in a manner that prevents its reconstruction in an intelligible form.
So therefore, disposing of personal information by recycling or deleting a file electronically may not, in the face of POPIA, be enough as some remanence of that personal information may be retained. It is therefore incumbent upon organisations to take control of the manner in which personal information is disposed of and to ensure that appropriate mechanisms within the organisation are established to address potential risks.