This is according to Daniella Kafouris, manager at Deloitte & Touche, Legal.
“Organisations should never just delete any information without first adopting a retention schedule that includes information that should be retained in terms of legislation, a contract or subsequent to a data subject consenting thereto,” she says.
The Protection of Personal Information (PPI) Bill contains a section relating to the retention of records, and states that a record of personal information that has fulfilled its purpose, and that an organisation is not required to retain in terms of legislation or agreement, would need to be destroyed or de-identified, Kafouris says.
The implications are that organisations will need to analyse the legislation that is applicable to them, and review relevant retention periods and formats relating to data, she adds.

“There are no 'how to' books that organisations can purchase to ensure they are compliant with the legislation,” Kafouris continues. “Each industry will have different legislation specific to organisations that are within the industry,” she says.
The type of data, whether it's in hard- or softcopy format, will also affect how long records need to be kept for, she notes.
Kafouris is a speaker at the ITWeb Governance, Risk and Compliance Conference 2012. She will discuss how to tackle record keeping in line with the PPI Bill.