POPI Act

PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2015 (AS AMENDED) (Hereinafter referred to as “the POPI Act”)

  1. INTRODUCTION
      The WALDICK INC. POPI policy is a document designed to ensure that WALDICK INC. is an accountable institution, is compliant with legislation and that it is able to deal with any privacy concerns that may arise during the course and scope of its business as a law firm.
    1. The POPI Policy is designed to ensure that the Protection of Personal Information Act is given force and effect through the risk based approach adopted by WALDICK INC.
    2. It is further designed to ensure that all employees at the institution are aware of and able to implement the various measures contained herein to know our clients, assess their financial status and apply the relevant legislation appropriately and satisfactorily.
    3. WALDICK INC. is committed to protecting its clients’ privacy and ensuring that their personal information is used appropriately, transparently, securely and in accordance with the applicable laws.
    4. This POPI policy sets out the manner in which WALDICK INC. deals with their clients’ personal information and stipulates the purpose for which said information is used. The Policy shall be made available at the company website www.waldickinc.co.za and by request from Herman Waldick (herman@waldickinc.co.za).
  2. SCOPE AND DEFINITIONS

    All documents and electronic transactions generated within and/or received by WALDICK INC.

    DEFINITIONS:

    1. “Clients”: includes, but are not limited to, Directors, shareholders, debtors, creditors as well as affected personnel and/or departments related to WALDICK INC.
    2. “Confidential Information”: refers to all information or data disclosed to or obtained by WALDICK INC. by any means whatsoever and shall include, but not be limited to:
      1. financial information and records;
      2. documents regarding legal personae;
      3. discussions relating to ongoing or past litigation;
      4. discussions relating to advice given; and
      5. all other information including information relating to the structure, operations, processes, intentions, product information, know-how, trade secrets, market opportunities, customers and business affairs but excluding the exceptions listed in paragraph 5 hereunder.
    3. “Constitution”: Constitution of the Republic of South Africa 108 of 1996.
    4. “Biometrics”: means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
    5. “Child”: means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him or herself.
    6. “Code of conduct”: means a code of conduct issued in terms of Chapter 7 of the POPI Act.
    7. “Competent person”: means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
    8. “Consent”: means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
    9. “Data subject”: means the person to whom personal information relates.
    10. “De-identify”:, in relation to personal information of a data subject, means to delete any information that:
      1. identifies the data subject;
      2. can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
      3. can be linked by a reasonably foreseeable method to other information that identifies the data subject, and ‘‘de-identified’’ has a corresponding meaning.
    11. “Direct marketing”: means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
      1. promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
      2. requesting the data subject to make a donation of any kind for any reason.
    12. “Data”: refers to electronic representations of information in any form.
    13. “Documents”: include books, records, pleadings, affidavits, accounts, printed letters, printed emails, printed company data, printed personal data, and any information which has been stored or recorded electronically, photographically, magnetically, mechanically or electro-mechanically, or in any other form.
    14. “ECTA”: Electronic Communications and Transactions Act 25 of 2002.
    15. “Electronic communication”: means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
    16. “Enforcement notice’’: means a notice issued in terms of section 95 of the POPI Act.
    17. “Filing system”: means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
    18. “Information matching programme”: means the comparison, whether manually or by means of any electronic or other device, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject.
    19. “Information officer”: of, or in relation to, a:
      1. public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17 of the POPI Act; or
      2. private body means the head of a private body as contemplated in section 1, of the POPI Act.
    20. “Minister”: means the Cabinet member responsible for the administration of justice.
    21. “Electronic signature”: refers to data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature.
    22. “Electronic transactions”: include e-mails sent and received.
    23. “PAIA”: Promotion of Access to Information Act 2 of 2000.
    24. “Data subject”: means the person to whom personal information relates.
    25. “Group undertakings”: means a controlling undertaking and its controlled undertakings.
    26. “Operator”: means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under direct control of that party.
    27. “Person”: means a natural or juristic person.
    28. “Personal information”: means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
      1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person
      2. information relating to the education or the medical, financial, criminal or employment history of the person;
      3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person
      4. the biometric information of the person;
      5. the personal opinions, views or preferences of the person;
      6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
      7. the views or opinions of another individual about the person; and
      8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
    29. ‘‘Prescribed’’: means prescribed by regulation or by a code of conduct.
    30. ‘‘Private body’’: means:
      1. a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
      2. a partnership which carries or has carried on any trade, business or profession; or
      3. any former or existing juristic person, but excludes a public body.
    31. ‘‘Processing’’: means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
      1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
      2. dissemination by means of transmission, distribution or making available in any other form; or
      3. merging, linking, as well as restriction, degradation, erasure or destruction of information.
    32. ‘‘Professional legal adviser’’: means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice.
    33. ‘‘Regulator’’: means the Information Regulator established in terms of section 39 the POPI Act.
    34. ‘‘Re-identify’’: in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that
      1. identifies the data subject;
      2. can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
      3. can be linked by a reasonably foreseeable method to other information that identifies the data subject, and ‘‘re-identified’’ has a corresponding meaning.
    35. ‘‘Republic’’: means the Republic of South Africa.
    36. “Responsible part”: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
    37. “Restriction”: means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information.
    38. “Public body”: means
      1. any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
      2. any other functionary or institution when
      3. exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
      4. exercising a public power or performing a public function in terms of any legislation.
    39. “Public record”: means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that body.
    40. “Record”: means any recorded information;
      Regardless of form or medium, including any of the following:
      1. Writing on any material;
      2. Information produced, recorded, or stored by means of any tape recorder, computer equipment, whether hardware, software or both, or other device, and any material subsequently divided from information so produced, recorded or stored;
      3. Label, marking or other writing that identifies or describes anything which it forms part of;
      4. Book, plan, map, graph, or drawing;
      5. Photograph, film, negative, tape or other device which one or more visual images are embodied so as to be capable of being reproduced;
      6. In the possession or under the control of a responsible party, regardless of when it came into existence.
    41. “POPI policy”: means personal information processing policies, which are adhered to by the business or operation within that group of undertakings when transferring personal information to a business or operator.
    42. ‘‘This Act’’: includes any regulation or code of conduct made under the POPI Act.
    43. ‘‘Unique identifier’’: means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
  3. RIGHTS OF A DATA SUBJECT

    (As referred to in Section 5 of the POPI Act)

    (For purposes of WALDICK INC. and our POPI policy, “Data Subject” herein also refers to as “the Client”)

    1. A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information.
    2. The Data Subjects right include inter alia the following:
      1. to be notified that his/her personal information is being collected/has been accessed by an unauthorised party; (section 18 and 22 of the POPI Act)
      2. to be ensured that such information is being hold by a responsible party and to be able to request access/amendments or deletion of such information; (section 23 and 24 of the POPI Act)
      3. to have the right to object to provide certain information, including for the use of direct marketing; (section 11 of the POPI Act)
      4. not to be subjected to a decision which is based solely on the basis of the automated processing of his, her or its personal information.
    3. In terms of section 74 of the POPI Act the data subject has the right to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject and to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99 of the POPI Act.
  4. PERSONAL INFORMATION COLLECTED
    1. Section 9 of the POPI Act reads as follows:

      Sec 9. Personal information must be processed-

      1. lawfully; and
      2. in a reasonable manner that does not infringe the privacy of the data subject.
    2. WALDICK INC. collects and processes client’s personal information pertaining to the client’s needs. The type of information will depend on the need for which it is collected and will be processed for that purpose only. Whenever possible, WALDICK INC. will inform the client as to the information required and the information deemed optional.
    3. WALDICK INC. aims to have agreements in place with all product suppliers, insurers and third party service providers to ensure mutual understanding with regard to protection of the client’s personal information and all suppliers will be subject to the same regulations applicable to WALDICK INC.
    4. With the clients consent, WALDICK INC. may also supplement the information provided with information WALDICK INC. receives from publicly available information and from other sources to ensure the client’s legal needs are met.
    5. For purposes of this policy, clients include potential and existing clients.
  5. THE USAGE OF PERSONAL INFORMATION
    1. The client’s personal information will only be used for the purpose for which it was collected and agreed. This may include:
      1. To provide accurate services and production to the data subject;
      2. To ensure accurate legal advice;
      3. To ensure that all documents contain the correct information;
      4. For the detection and prevention of fraud, crime, money laundering or other offences, including but not limited to all those contained in the Financial Intelligence Centre Act (FICA)
      5. For billing purposes;
      6. For audit and record keeping purposes;
      7. Providing communication to clients about regulatory matters which may affect them;
      8. In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.
    2. The processing of information must be done in accordance with the provisions of the POPI Act to be considered lawful.
    3. Section 4 of the POPI Act lists the eight conditions for lawful processing of personal information, which are:
      1. Accountability - as referred to in section 8 of the POPI Act;
      2. Process limitation - as referred to in section 9 to 12 of the POPI Act;
      3. Purpose specification - as referred to in section 13 and 14 of the POPI Act;
      4. Further processing limitation - as referred to in section 15 of the POPI Act;
      5. Information Quality - as referred to in section 16 of the POPI Act;
      6. Openness - as referred to in section 17 and 18 of the POPI Act;
      7. Security Safeguards - as referred to in section 19 to 22 of the POPI Act;
      8. Data subject participation - as referred to in section 23 to 25 of the POPI Act;.
    4. In other instances, the POPI Act may exempt the processing of personal information from one or more of the above conditions.
    5. These Exclusions in terms of Section 6 and 7 of the POPI Act are the processing of personal information purely on a personal or household activity, by a public body and for any journalistic, literary or artistic purposes.
    6. According to Section 10 of the POPI Act. The personal information may only be processed if certain conditions (as listed below) are met and accompanied with supporting information from WALDICK INC.

      These conditions of the processing of personal information includes:

      1. The client consents to the processing of the information- this consent will be obtained during the introductory appointment and needs analysis stage of the relationship;
      2. The necessity of processing: in order to conduct an accurate analysis of the client’s needs for purposes of legal advice;
      3. Processing complies with an obligation imposed by law on WALDICK INC.;
      4. Processing protects a legitimate interest of the client.
  6. DISCLOSURE OF PERSONAL INFORMATION
    1. WALDICK INC. may disclose a client’s personal information to any Advocate legitimately hired to defend a client’s interests in court. In addition, third party platform suppliers of WALDICK INC. may require the information to process any IT platform maintenance work and for bookkeeping purpose.
    2. WALDICK INC. has a duty to ensure personal information is only used in terms of the processing limitations and. Any IT third party or bookkeeper will have an agreement in place with WALDICK INC. ensuring confidentiality.
    3. WALDICK INC. may also disclose a client’s information where it has a duty or a right to disclose in terms of applicable legislation, the law, or where it may be deemed necessary to protect WALDICK INC’s rights.
  7. SAFEGUARDING CLIENT INFORMATION

    (As referred to in section 19 to 22 of the POPI Act)

    1. It is a requirement of the POPI Act to adequately protect personal information. WALDICK INC. will continuously review its security controls and processes to ensure that personal information is secure.
    2. The WALDICK INC. Information Officer (IO) is Herman Waldick whose details are available below and who is responsible for compliance with the conditions of lawful processing of personal information and other provisions of the POPI Act.
    3. The POPI policy has been put in place at the WALDICK INC. office and the POPI policy has already taken place and will be conducted on an ongoing basis annually.
    4. Each new employee will be required to sign an employment contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of the POPI Act.
    5. Every employee currently employed by WALDICK INC. will be required to sign an addendum to their employment contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of the POPI Act.
    6. WALDICK INC. archived information that is stored on site, shall only be accessible by authorised personnel.
    7. Off-site storage facilities will be required to sign a service level agreement guaranteeing their commitment to the protection of personal information; this shall be conducted as and when required.
    8. All electronic files are backed up by WALDICK INC’s IT service provider; which also provides system security that protects third party access. They are also responsible for electronic information security.
    9. Consent to process client information is obtained from clients (or a person who has been given authorisation from the client to provide the clients personal information) during the introductory, appointment and needs based analysis stage of the relationship.
    10. The Information Officer and Office details are as follows:
      1. NAME: HERMAN WALDICK
      2. TEL: 012 643 0004
      3. ADDRESS: CENTURION LAW CHAMBERS, 58 LYTTELTON ROAD, CLUBVIEV, CENTURION, PRETORIA
      4. EMAIL: herman@waldickinc.co.za
      5. WEBSITE: www.waldickinc.co.za
    11. The Information Officer and deputies will encourage compliance with the POPI Act by the business and ensure lawful processing of information and deal with any requests from the public. Any power or duty conferred by the POPI Act on the Information Officer is bestowed upon the Deputy Information Officer
  8. ACCESS AND CORRECTION OF PERSONAL DATA
    1. Clients have the right to access the personal information WALDICK INC. holds about them.
    2. Clients also have the right to ask WALDICK INC. to update, correct or delete their personal information on reasonable grounds.
    3. Once a client objects to the processing of their personal information, WALDICK INC. may no longer process said information. WALDICK INC. will take all reasonable steps to confirm its client’s identity before providing details of their personal information or making changes to their personal information.
  9. AMENDMENTS TO THIS POPI POLICY
    1. Amendments to, or a review of this policy, will take place on an annual basis or as and when changes to applicable legislation takes place.
    2. Clients are advised to access WALDICK INC’s website periodically to keep abreast of any changes. Where material changes take place, clients will be notified directly or changes will be stipulated on the WALDICK INC. website.
  10. AVAILABILITY OF THE MANUAL
    1. This manual is made available in terms of the regulations of the POPI Act. The manual is available on request at all material times at the offices of WALDICK INC. or by contacting the IO.
    2. Section 14 of the Promotion of Access to Information (Act 2 of 2000) prescribes that a Public Body, such as the Department of Justice and Constitutional Development, must compile a manual.
    3. The manual should provide details of the Information Officer (and deputies, where available), structure, functions and records of such a Body.
    4. The purpose of the manual is to provide information that shall enable a person to understand the functions of the public body and the records in its custody. Armed with the information a person shall be able to identify the records she/he wants and the procedure to follow to request for access to such records.
  11. ACCOUNTABILITY

    (As referred to in section 8 of the POPI Act)

    All personal information being processed by the business must be identified and processed lawfully. WALDICK INC. accepts that it exercises control over the information; even when such information is passed onto a third party for processing.

  12. PROCESSING LIMITATION

    (As referred to in section 9 to 12 of the POPI Act)

    1. All information will be process in a lawful and reasonable manner. WALDICK INC. may not act unlawfully in collecting data.
    2. All processing will be done in a reasonable manner; taking into account the interests and reasonable expectations of a data subject as well as the provisions of the POPI Act.
    3. Personal information will only be processed in an adequate manner, where relevant and not excessively. As such, it will only be used for the purpose collected.
  13. FURTHER PROCESSING LIMITATION

    (As referred to in section 15 of the POPI Act)

    1. WALDICK INC. will take into account the purpose for which the data was collected originally, should further processing be required.
    2. WALDICK INC. will take into account the purpose of the intended further processing and the purpose for which the information has been collected.
    3. The information that will be taken into account includes:
      1. The nature of the information concerned;
      2. The consequences for the data subject;
      3. The manner in which the data was collected; and
      4. Any contractual rights or obligations.
    4. Further processing will only take place if:
      1. The data subject has consented to such;
      2. The information is available in, or derived from, a public record or has deliberately been made public by the data subject.
    5. Further processing is necessary to:
      1. Avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution or punishment of any offences;
      2. To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
      3. For the conduct of any court or tribunal proceedings that have commence or are reasonably expected to commence;
      4. In the interests of national security;
      5. If it is necessary to prevent or mitigate a serious and imminent threat to public health or public safety;
      6. The life or health of the data subject is in serious or imminent threat.
  14. PROCESS SPECIFICATION

    (As referred to in section 13 to 14 of the POPI Act)

    WALDICK INC. will only collect information for the purpose specified that is explicitly defined and lawful and which relates to the function or activity of the business.

  15. INFORMATION QUALITY

    (As referred to in section 16 of the POPI Act)

    1. WALDICK INC. will take reasonably practicable steps to ensure personal information is complete, accurate, not misleading and updated where necessary.
    2. Information will be safeguarded to ensure the information remains in compliance with above.
  16. OPENNESS

    (As referred to in section 17 and 18 of the POPI Act)

    WALDICK INC. will ensure it complies with Sections 14 and 51 of the Promotion of Access to Information Act 2 of 2000 (PAIA).

  17. RECORDS THAT CANNOT BE FOUND

    (As referred to in section 19 to 25 of the POPI Act)

    If WALDICK INC. searches for a record and it is believed that the record either does not exist or cannot be found, the requestor will be notified by way of an affidavit or affirmation. This will include the steps that were taken to locate the record.

  18. THE PRESCRIBED FORM AND FEES

    The prescribed forms and fees are available on the website of the Department of Justice and Constitutional Development at www.doj.gov.za under the POPI Act section.

  19. THE RETENTION AND CONFIDENTIALITY OF DOCUMENTS, INFORMATION AND ELECTRONIC TRANSACTIONS

  20. PURPOSE
    1. To exercise effective control over the retention of documents and electronic transactions:
      1. as prescribed by legislation; and
      2. as dictated by business practice.
    2. Documents need to be retained in order to prove the existence of facts and to exercise rights that WALDICK INC. may have. Documents are also necessary for defending legal action, for establishing what was said or done in relation to the business of WALDICK INC. and to minimize WALDICK INC’s reputation risks.
    3. To ensure that WALDICK INC’s interests are protected and that our client’s rights to privacy and confidentiality are not breached.
    4. Queries may be referred to the IO in this regard.
  21. ACCESS TO DOCUMENTS
    1. All company and client information must be dealt with in the strictest confidence and may only be disclosed, without fear of redress, in the following circumstances:
      1. where disclosure is under compulsion of law;
      2. where there is a duty to the public to disclose;
      3. where the interests of WALDICK INC. require disclosure; and
      4. where disclosure is made with the express or implied consent of the client.
      1. Disclosure to third parties:

        All employees have a duty of confidentiality in relation to WALDICK INC. and to clients.

        In addition to the provisions above, the following are also applicable:

        1. Requests for company information are dealt with in terms of the PAIA, which gives effect to the constitutional right of access to information held by the State or any person (natural or juristic) that is required for the exercise or protection of rights.
        2. Private bodies, like WALDICK INC., must however refuse access to records if disclosure would constitute and action for breach of the duty of secrecy owed to a third party.
        3. In terms hereof, requests must be made in writing on the prescribed form to the Information Officer in terms of PAIA. The requesting party has to state the reason for wanting the information and has to pay the prescribed fee.
        4. Confidential company and/or business information may not be disclosed to third parties as this could constitute industrial espionage. The affairs of the company must be kept strictly confidential at all times.
        5. The company views any contravention of this policy very seriously and employees who are guilty of contravening the policy will be subject to disciplinary procedures, which may lead to penalties on the guilty party up to and including dismissal.
  22. STORAGE OF DOCUMENTS

  23. HARD COPIES
    1. Documents are stored in an access controlled office and only authorised personnel have access to same. Off-site archival storage will have a Service Level Agreement (SLA) preventing access to non-WALDICK INC. personnel put in place.
  24. COMPANIES ACT 71 OF 2008
    1. With regard to the Companies Act 71 of 2008 and the Companies Amendment Act 3 of 2011, hardcopies of the documents mentioned below must be retained for a minimum of 7 years:
      1. Any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act;
      2. Notice and minutes of all shareholders meetings, including resolutions adopted and documents made available to holders of securities;
      3. Copies of reports presented at the annual general meeting of the company;
      4. Copies of annual financial statements required by the Act;
      5. Copies of accounting records as required by the Act;
      6. Record of directors and past directors, after the director has retired from the company;
      7. Written communication to holder of securities; and
      8. Minutes and resolutions of directors meetings, audit committee and director committees.
    2. Copies of the documents mentioned below must be retained indefinitely:
      1. Registration certificate;
      2. Memorandum of incorporation and alterations and amendments.
      3. Rules
      4. Securities registered and uncertified securities register;
      5. Register of company secretary and auditor; and
      6. Regulated companies and register of disclosure of person who holds beneficial interest equal to or in exceed of 5 % of the securities of that class issued.
  25. CONSUMER PROTECTION ACT. NO 68 OF 2008
    1. The consumer protection act seeks to promote a fair, accessible and sustainable marketplace and therefor requires a retention period of 3 years for information provided to a consumer by an intermediary such as:
      1. Full names, physical address, postal address and contact details.
      2. ID number and registration number.
      3. Contact details of the public officer in case of juristic person.
      4. Service rendered.
      5. Intermediary fee.
      6. Cost to be recovered from the consumer.
      7. Frequency of accounting to the consumer.
      8. Amounts, sums, values, charge, feed, remuneration specified in monetary terms.
      9. Disclosure in writing of a conflict of interest by the intermediary in relevance to goods or service to be provided.
      10. Records of advice.
      11. Records of advice furnished to the consumer reflecting the basis on which the advice was given.
      12. Written instruction sent by the intermediary to the consumer.
      13. Conducting a promotional competition refer to section 36(11) (b) and regulation 11 of promotional competitions.
      14. Documents section 45 and regulation 31 for auction.
  26. NATIONAL CREDIT ACT. NO 34 OF 2005
    1. The national credit act aims to promote a fair and transparent credit industry which requires the retention of certain documents for a specified period.
    2. Retention for 3 years from the earliest of the dated of which the registrant created, signed or received the document from the date of termination of the agreement or in case of an application for credit that is refused or not granted for any reason, from the date of receipt of the application which applies to the documents listed in paragraph 24.3 below:
    3. In terms of Regulation 55(1) of the National Credit Act:
      1. Records of registered activities such as an application for credit declined.
      2. Reasons for the decline of the application for credit.
      3. Pre-agreement statements and quotes.
      4. Documentation in support of the steps taken in terms of section 81(2) of the Act.
      5. Records of payments made.
      6. Documentation in support of steps taken after default by consumer.
      7. Records of income, expenses and cash flow.
      8. Credit transaction flow.
      9. Management account and financial statements.
      10. All documents relating to the disputes, inclusive of but not limited to, documents from the consumer.
      11. Documents from the entity responsible for dispute information.
      12. Documents pertaining to the investigation of the dispute.
      13. Correspondence addressed to and received from source of information as set out in section 70(2) of the act and regulation 18(7) pertaining to the issues of the dispute.
      14. Application for debt review.
      15. Copies of all documents submitted by the consumer.
      16. Copy of rejection letter.
      17. Debt restructuring proposal.
      18. Copy of any order made by the tribunal and / or the court and copy of the clearance certificate.
    4. Regulation 56 with regards to section 170 of the National Credit Act:
      1. pplication for credit.
      2. Credit agreement entered into with the consumer.
    5. Regulation 17(1) with regards to credit bureau information:
      1. Documents with a required retention period of 10 years or a rehabilitation order being granted are Sequestrations and Administration orders.
      2. Documents with a required period of 5 years are Rehabilitation order and Payment profiles.
      3. Documents with a required retention period of 5 years or until Judgement is rescinded by the court or abandoned by the credit provider in terms of section 86 of the Magistrate’s Court Act No 32 of 1944 are civil court judgements.
      4. Documents with a required retention period of 2 years are any Enquiries
      5. Documents with the required retention of 1.5 years are details and result of any disputes lodged by the consumers.
      6. Documents with a required retention period of 1 year are adverse information.
      7. Documents with unlimited required retention periods are Liquidations
      8. Documents required to be retained until a clearance certificate is issued are Debt restructurings.
  27. FINANCIAL ADVISORY AND INTERMEDIARY SERVICES ACT. NO 37 OF 2002
    1. Section 18 of the Act requires a retention period of 5 years, except to the extent that it is exempted by the registrar for the below mentioned documents:
      1. Known premature cancellations of transactions or financial product of the provider by client.
      2. Complaints received together with as indicating whether or not any such complaint has been resolved.
      3. The continued compliance with this act and the reasons for such a non- compliance.
      4. And the continued compliance by representative with the requirement referred to in section 13(1) and (2) of the Act.
      5. The general code of conduct for Authorized financial service provider and representative requires a retention period of 5 years for the below mentioned documents:
      6. Proper procedures to record verbal and written communication relating to a financial service rendered to a client as are contemplated in the act, this code or any other code drafted in terms of section 15 of the Act.
      7. Store and retrieve such records and any other material documentation relating to the client and financial serves rendered to the client.
      8. To keep such client records and documentation safe from destruction.
      9. All such records must be kept for period after termination to the knowledge of the provider of the product concerned or any other case after the rendering of the financial service concerned.
  28. FINANCIAL INTELLIGENCE CENTRE ACT NO 38 OF 2001
    1. Section 22 and 23 of the Act require a retention of 5 years for the documents and records of the activities mentioned below:
      1. Whenever an accountable transaction is concluded with a client, the institution must keep records of the identity of the client.
      2. If the client is acting on behalf of another person, the identity of the person on whose behalf the client is acting and the client’s authority to act on behalf of the other person.
      3. If another person is acting on behalf of the client, the identity of that person and that other person’s authority to act on behalf of the client.
      4. The manner in which the identity of the persons referred to above was established.
      5. The nature of that business relationship or transaction.
      6. In case of a transaction, the amount involved and the parties to that transaction.
      7. All accounts that are involved in the transaction concluded by that accountable institution in the course of that business relationship and that single transaction.
      8. The name of the person who obtained the identity of the person transacting on behalf of the accountable institution.
      9. Any document or copy of a document obtained by the accountable institution.
      10. The documents may also be kept in electronic format.
  29. COMPENSATION FOR OCCUPATIONAL INJURIES AND DISEASES ACT NO 130 OF 1993
    1. Section 81(1) and (2) of the Act requires a retention period of 40 years for the documents such as a register, record or production of the earnings, time worked, payment for piece work and overtime and other prescribed particulars of all the employees.
    2. Section 20(2) of the Act requires a retention period of 40 years: for the following documents such as health and safety committee recommendations made to the employee in terms of issues affecting the health of the employee, any other report made to an inspector in term of the recommendation and records of incident reports reported at work.
    3. Regulation 16(1) of the Asbestos Regulations of 2001 requires a retention period of a minimum of 40 years for the documents such as records of assessments, monitoring, Abestos inventory as well as medical surveillance records.
    4. Regulation 11 of the Noise Induced hearing loss regulations of 2003 includes documents such as all records of assessment and noise monitoring and all medical surveillance records, including the baseline audiogram of every employee.
    5. Regulation 9 of the Hazardous Chemical Substance Regulations of 1995 requires a retention period of 40 years for the documents such as records of assessment and air monitoring and medical surveillance records.
  30. BASIC CONDITIONS OF EMPLOYMENT ACT NO. 75 OF 1997
    1. The Act requires a retention period of 3 years for the such as written particulars of an employee after termination of employment, records in respect of the company workforce, employment equity plan, other records relevant to compliance with the Act including the report which is sent to the director general as indicated in the act.
  31. LABOUR RELATIONS ACT NO 66 OF 1995
    1. Section 53(4), and 99 of the Act requires a retention period of 3 years for the following documents:
      1. The bargaining council must retain books of account, supporting vouchers, income and expenditure statements, balance sheets, auditor’s reports and minutes of the meetings.
      2. Registered trade Unions and registered employer’s organization must retain ballot papers.
      3. Records to be retained by the employer are the collective agreement and arbitration awards.
    2. Section 99 and 205(3), schedule 8 of section 5 and schedule 3 of section 8(a) of the Act requires an indefinite retention period for the following documents:
      1. Registered trade unions and registered employer organizations must retain a list of its members.
      2. Records of each employees specifying the nature of any transgression, the actions taken by the employer and the reason for the actions.
      3. The commission must retain books of accounts, records of income and expenditure, assets and liabilities.
  32. EMPLOYMENT INSURANCE ACT. NO 63 OF 2002
    1. The Unemployment Insurance Act, applies to all employees and employers except:
      1. Workers working less than 24 hours per month.
      2. Learners
      3. Public servants.
      4. Foreigners working on a contract basis.
      5. Workers who get monthly state (old age) pension.
      6. Workers who earn commission.
    2. Section 56(2) (c) of the Act requires a retention period of 5 years, from the date of submission, for the following documents:
      1. The income tax reference number of that employee.
      2. Any further prescribed information.
      3. Employer reconciliation return.
    3. Schedule 6 paragraph 14(a) to (d) of the Act requires a retention period of 5 years from the date of submission or 5 years from the end of the relevant tax year, depending on the type of transaction for documents pertaining to:
      1. mounts received by that registered micro business during a year of assessment.
      2. Dividends declared by the registered micro business during a year of assessment.
      3. Each asset as at the end of the year of assessment with cost price of more than R10 000.
      4. Each liability as at the end of the year of assessment that exceeded R10 000.
  33. VALUE ADDED TAX ACT NO. 89 OF 1991
    1. Section 15(9), 16(2) and 55(1) (a) of the Act and Interpretation Note 31, requires a retention period of 5 years from the date of submission of the return for the following documents:
      1. here a vendor’s basis of accounting is changed the vendor shall prepare lists of debtors and creditors showing the amounts owing to the creditor at the end of tax period immediately preceding the changeover period.
      2. Importation of goods, bill of entry, other documents prescribed by the custom and excise act and proof that the Vat charge has been paid to SARS.
      3. Vendors are obliged to retain records of all goods and services, rate of tax applicable to the supply, list of suppliers or agents, invoices and tax invoices, credit and debit notes, bank statements, deposit slips, stock lists and paid cheques.
      4. Documentary proof substantiating the zero rating of suppliers.
      5. Where a tax invoice, credit and debit note, had been issued in relation to a supply by an agent or a bill of entry as described in the custom and excise act the agent shall maintain sufficient records to enable the name, address and VAT registration number of the principal to be ascertained.
  34. ELECTRONIC STORAGE
    1. The internal procedure requires that electronic storage of information of important documents and information must be referred to and discussed with the IT who will arrange for the indexing, storage and retrieval thereof. This will be done in conjunction with the departments concerned.
    2. If documents are scanned, the hard copy must be retained for as long as the information is used or for 1 year after the date of scanning , with the exception of documents pertaining to personnel, any document containing information of the written particulars of an employee, including:
      1. employee’s name and occupation,
      2. time worked by each employee, and
      3. date of birth of an employee under the age of 18 years; must be retained for a period of 3 years after termination of employment.
  35. SECTION 51 OF THE ELECTRONIC COMMUNICATIONS ACT NO. 25 OF 2005
    1. The Act requires that personal information and the purpose for which the data was collected must be kept by the person who electronically requires, collects, collates, processes or store the information and record of any third party to whom the information was disclosed must be retained for a period of 1 year or for as long as the information is used.
    2. It is also required that all personal information which has become obsolete must be destroyed.
  36. DESTRUCTION OF DOCUMENTS
    1. Documents may be destroyed after the termination of the retention period specified in herein. Registration will request department to attend to the destruction of their documents and these requests shall be attended to as soon as possible.
    2. Each department is responsible for attending to the destruction of its documents, which must be done on a regular basis.
    3. Files must be checked in order to make sure that they may be destroyed and also to ascertain if there are important original documents in the file.
    4. Original documents must be returned to the holder thereof, failing which, they should be retained by the company pending such return.
    5. After completion of the process, the General Manager of the department shall, in writing, authorise the removal and destruction of the document in the authorisation document. These records will be retained by registration.
    6. The documents are then made available for collection by the removal of the company’s documents, who will ensure that the documents are shredded before disposal. This also will help ensure confidentiality of information.
    7. Documents may also be stored off- site, in storage facilities approved by the company.