Lexify-logo_120mmW_300dpi_white
Lexify

Legal advisory services for smart business

Data destruction: when is it a good time?
Lucia Boscia
July 6, 2021

In the Protection of Personal Information Act 4 of 2013 (POPI Act), the law makers describe the activities that make up ‘processing’ and these include the erasure and destruction of personal information.


If personal information is permanently deleted, the POPI Act will no longer apply. A smaller compliance burden should not be the only reason for destroying personal information.  A word of caution: before actually destroying data, a responsible party (as defined in the POPI Act) must be sure that it does not have any obligations under other laws, like tax or company laws, that it may breach if data is destroyed.


If there is no consent for keeping personal information or if retention cannot be justified, a responsible party must destroy personal information. An easy example is a prospective job candidate who does not give consent for their CV to be kept on record if their job application fails.


For reasons of information security, data destruction may be useful to prevent unauthorized access. When company-owned devices like computers, tablets and cell phones are stolen, a responsible party must destroy the personal information contained in them. It should be obvious that accessing the personal information stored on the now stolen devices would be unauthorized access. There are many security measures for mobile devices, for example data encryption, password protection or remote wiping. The last mentioned is a time sensitive security feature that is set up by a responsible party. It allows the network administrator or owner of the devices to remotely erase / destroy data and therefore the personal information that is stored on the stolen devices. The practice should also be adopted for departing employees who fail to return the devices of the company when their employment ends.


In short, data destruction does have merit: it can stop unauthorized access and ensures compliance with the POPI Act. The destruction of data should be orchestrated by company policies. It is an irreversible practice so it must be done thoughtfully and carefully.  

Category : POPI_Act
linkedin
Instagram
Google+
Twitter
Facebook