Written by Dirk Roets
Mattelo recently attended a presentation by Mr. Gerrit van Gaalen (LLM Computer & Telecommunication). The presentation was arranged by B-LOGIC and covered topics regarding data protection and management. We thought it would be a good idea to summarize some of that content here and describe what the law says about data management and protection in South African companies.
This summary is not intended to give detailed information about the lawful requirements for each type of organization, but rather to create awareness that such laws exist and that we need to start complying. You need to be aware of the following:
- Data management and data protection in companies are governed by two acts, the most significant being the Promotion of Access to Information Act (PAI), Act No 2 of 2000.
- PAI applies to both public and private companies.
- PAI does not differentiate between big and small companies.
- Electronic information can be used in a court of law as long as you know where the information came from, how it was protected and how it was retained. If your company has systems and policies in place that govern these processes, then electronic information is valid proof unless the other party can prove that the information has been altered by means other than storage, display and communication. This goes to show that we can actually use email, electronic documents, faxes received via email etc. as proof in court cases. We must just ensure that we have good systems and processes in place.
- PAI states that you must be able to produce certain records on request of stakeholders like your clients.
- The types of records and their retention periods are specified in detail by Acts which apply to specific organizations. One example of such an Act is the Financial Intelligence Centre Act (FICA), which applies to financial institutions. In general, it seems that these types of Acts cover both communication data such as email, faxes and letters, and operational data such as databases, application files and other applicable documents. The minimum required retention period for most company data varies from 1 year to 15 years.
- Every company should appoint a Chief Information Officer (CIO). The CIO will have the responsibility to ensure that the company complies with PAI and other applicable Acts.
- The company's directors automatically become responsible for compliance if a CIO is not appointed.
- The current maximum fine for non-compliance in South Africa is R10 Million.
- The CIO (or the board of directors when a CIO has not been appointed) can be held personally liable for non-compliance with these Acts.
- PAI specifies the costs which a company may charge for supplying records on a stakeholder's request. Companies may not charge more than the specified rates and should ensure that systems are in place which enable them to provide records on a cost-effective basis.
- In the event of a court case, a company must disclose all electronic information that will be used during the case to the other parties before the case commences. Failure to disclose the information in time will render any such evidence inadmissible.
So what should we make of these Acts? According to Mr. Van Gaalen, Acts like PAI feature increasingly in recent court cases involving everyday companies, and therefore companies should start complying sooner rather than later. We would like to assist our customers with their efforts to comply with these Acts and propose the following process:
- Appoint a person or entity whose responsibility it will be to ensure that your organization complies with PAI and related Acts.
- Conduct research to determine which records your type of organization should protect and retain and for what period of time.
- Establish policies and procedures within your organization to ensure that everyone is aware of their lawful duty and knows how to perform it.
- Acquire appropriate systems and technology which will ensure that:
  - Your organization complies with PAI both in terms of data protection and in terms of data retention.
  - Your organization is able to produce records in a cost-effective manner when required.
- Review policies and procedures on a continuous basis, based on amendments to the Acts or new information.
Contact Mattelo for further assistance. Please note that we are not a law firm and therefore cannot take legal responsibility for our interpretation of the content in Mr. Van Gaalen's presentation and the related Acts.