With the Protection of Personal Information Act (POPIA) soon to become effective, all local businesses must familiarise themselves with the guidelines imposed by POPIA and amend their daily document destruction processes in order to avoid financial losses resulting from fines, as well as reputational damage.
While many large corporate organisations may have appointed an in-house specialist to facilitate the shredding of sensitive documentation, there are still some SMMEs and start-up businesses that remain unsure of the protocol prescribed by POPIA. The destruction of physical documentation is a key element of effective records and information management and cannot be overlooked in the planning process.
Although many companies have elected to store documents digitally, there are many that are not planning on moving away from a paper-based management system. It is therefore important for businesses of all sizes to implement responsible document management practices from the grassroots level upwards to avoid a security breach.
Personal information that is protected by POPIA includes, but is not limited to:
- Personal Contact Information: All documents containing contact details such as telephone numbers, home addresses and email addresses are protected by POPIA and may not be shared with a third party without the express permission of the individual. In addition, the contact information provided may not be used for any purpose other than the one for which it was collected; it may not, for example, be reused for bulk emails or telesales.
- Demographic Information: Information regarding the demographics of an individual, such as their date of birth, ID number, ethnicity, age and even religious beliefs, is often used for identity fraud. It is therefore imperative that all demographic information be destroyed securely once the purpose for which the information was collected no longer applies.
- Private Correspondence: All conversations between a representative and a client / individual are protected by POPIA and may not be forwarded to third parties without express permission. Printed copies of the emails must therefore be securely destroyed once they are no longer required.
- Biometric Information: Biometric information refers to details such as blood type, fingerprints and medical history and may not be shared with unauthorised third parties.
As a general rule of thumb, organisations should shred and recycle all documents in the office once they are no longer required.