Are your document destruction practices POPIA compliant?
August 19 2021 By Cleardata
By now you have heard about the Protection of Personal Information Act (POPIA) and the obligation on you as a corporate to appropriately gather, process and store your customers' private information in accordance with this law. But what about the way sensitive information is disposed of?
According to POPIA, in much the same way confidential information must be correctly handled, it must also be correctly destroyed. Section 14(5) states that personal information must be destroyed or deleted in a manner that prevents its reconstruction in an intelligible form. This applies to customer information in both digital and hard copy formats.
Although this section of the law doesn't specify the method by which hard copies of client information must be destroyed, it does point to the fact that simply throwing such data in the office dustbin or putting it out with the general paper recycling is not sufficient.
In fact, section 24 of POPIA states that customers may request companies holding their personal data to delete it in the event that the information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been unlawfully obtained. Customers can also ask for their data to be destroyed in cases where companies are no longer authorised to retain the personal information.
Taking these two sections of the law into account, it's clear there is an obligation on companies to be able to thoroughly destroy customer data on demand, if legally required to do so.
Office shredding vs a professional shredding service
So, where does this leave manual shredding using a regular office shredder, or outsourcing shredding to third parties?
Technically, the law does not prohibit manual document destruction, provided the company concerned can show, if necessary, that the documents were secured throughout the destruction process. For example, documents can only be destroyed by staff who are authorised to handle sensitive information. The parts of the shredded document must then be jumbled so as to render them unrecognisable, so they cannot be 'reconstituted'. The shredded documents should then be safeguarded until their eventual demise, by recycling or other means.
There are times in this process where a company or its staff may not be able to entirely secure hard copy documents containing sensitive company information. This could be potentially devastating for a corporate and its professional reputation.
A second option is to use a document shredding service for secure document destruction. In this instance, it's prudent to look for organisations whose destruction processes are POPIA compliant.
This means companies that:
- Have certified processes that meet the most stringent local and international standards, ensuring all security protocols are maintained throughout these processes
- Employ barcoded consoles for secure in-office document disposal
- Employ cross-cutting technology for thorough, unrecognisable document destruction
- Fully recycle all shredded documents to guarantee complete document destruction
- Issue certificates of destruction, ensuring complete confidentiality
Using a document destruction service without such measures in place could result in a data breach, with both the company and the shredding service provider potentially being held liable in terms of POPIA.
As South Africa's first-ever document destruction service provider to offer POPIA-compliant shredding solutions, Cleardata meets all these requirements.