POPI requires that ‘records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected…’ (Section 14(1)). Practically, this may be one of the most difficult provisions to comply with, as it requires a very clear picture of all purposes for which a piece of information is kept and a thorough understanding of business processes. There are some exceptions to this rule, where the information may be kept for longer:
Sections 14(2) – (7) contain further exceptions relating to retention for research / statistical purposes, where the personal information was used in a decision about the data subject, restriction of records etc.
It will probably be difficult to achieve a retention policy that covers the potentially thousands of record categories used by the organisation. One strategy is to start with the most widespread documents, like invoices and / or those containing the most sensitive personal information.
For more information, please visit the POPI Compliance website.