Data Disposal
Life of PI. Caroline Mutton

When beginning any programme, starting with the end in mind is essential.

  1. Take the time to plan out the result you want to achieve and
  2. Map out the steps you need to take to get there.

Starting with the end in mind will help you stay focused and use your structured and unstructured records efficiently and sometimes effectively.

Should we apply this approach to your data privacy programme?

@Caroline recommends this approach and has provided us with questions to help us define the target state.

Here are the critical questions that need answering about record disposal:

  1. What does the company need to dispose of?
  2. Why must we dispose of it?
  3. When must we dispose of it?
  4. How must we dispose of it?
  5. What disposal evidence do we need?

What does the company need to dispose of?

All types and formats of enterprise information require disposal.

Information types include application data, metadata, reference and master data, and warehouse data.

Information can exist in any form: structured, semi-structured, unstructured and non-digital—the less structured the data, the more metadata we require to manage the disposal.

All information should be classified and associated with a retention policy/schedule.

It is also essential to understand the state of the information:

  1. Does the info represent a record - evidence of an action?
  2. If the information is not a record, disposal can occur much faster.

Why must we dispose of it?

Most data privacy regulations state that we MUST only retain records for as long as necessary to achieve the collection or processing purpose (POPIA s14.1).

There are generally some caveats to the statement above:

  1. Retention is required or authorised by law.
  2. The responsible party needs to maintain the record for purposes relating to its function or activities.
  3. A contract between the involved parties requires record retention.
  4. The data subject consents to record retention.

There was much debate on who must define and agree on the End-of-Life. Regarding POPIA, the responsible party must determine the purpose and means of processing. All its vendors and cloud services must process personal records under the responsible party's direction.

Yes, the processing party can provide advice/suggestions, but the responsible party carries the end-of-life definition and risk of persistent storage.

Data Privacy indeed defines the roles and responsibilities for the disposal of P.I. records, but we must not ignore good data management practices concerning disposal:

  1. Data Risk Management
  2. Data Quality business rules (Currency dimensions and concepts)
  3. Minimising ROT (Redundant, Obsolete or Trivial)
  4. Business Performance requirements
  5. Data Storage Tiers

When must we dispose of it?

Your retention policy will define what criteria should be applied when defining and calculating the appropriate retention schedule for a record.

Disposal Conditions

The retention schedule determines the disposal date of the record. This date will depend on the following criteria:

  1. The original or subsequent purpose
  2. Legal obligation
  3. Operational reasons
  4. Data Subject contract
  5. Data Subject consent
  6. Historical, Statistical or Research purposes
  7. Support queries against decisions

How must we dispose of it?

P.I. record disposal must be defensible in a court of law.

If you can't legally prove that you have disposed of the records, you must present the information if requested.

It is essential to recognise device sanitisation and secure disposal standards.

There are several archival and disposal techniques, which we refer to as data transition buckets:

  1. System Of Record Information Archiving using a Data Warehouse or Data Lake
  2. Feature aggregation for operational, tactical and strategic decision-making

What disposal evidence must we keep?

The evidence for record disposal includes:

  1. The disposal process, including the disposal decision and the date.
  2. A record of the disposal method used.
  3. A history of the process used to verify the destruction.
  4. A history of third-party vendors involved in the disposal process, such as a shredding service.
  5. Documentation of any legal or regulatory requirements related to the disposal of specific records.


We have recorded this webinar, so if you would like to hear the recording, kindly comment on this article and we will gladly share it with you.

Ruvimbo Michelle Murau

Admitted Attorney of the High Court of South Africa| Privacy| Risk Advisory| Regulatory Compliance

1 year ago

Thank you for this!!! Will you kindly share the recording as well.

Nelly Rapotu

Information Management | Data Steward | Records Manager

1 year ago

Great article, could I please get access to the recording? Thank you.

Hilton Isaacs

Senior Records Management Officer at City of Cape Town

1 year ago

Thank you for this valuable article, please share the link to the webinar, would like to hear more insights on the topic. Thank you!

Lisa B.

Strategic Information & Data Integration Leader | Advancing Digital Transformation and Operational Excellence | Championing Compliance, Innovation, and Stakeholder Engagement

1 year ago

I would really like to access this recorded webinar of this timely topic as we are working on our assessment framework and what you have highlighted above is really beneficial about defining the target state.

Cecilia Poittevin

MBA | Systems Engineer | Data Management and Analytics | Personal Data Protection

1 year ago

Great article Howard Diesel. Thanks for sharing
