Retention of Electronic Records

Many business owners overlook their systems for the maintenance and retention of electronic records, much to their detriment. Various legislations regulate the retention of electronic records; as such it is critical that you review your internal processes to ensure you are not exposed to the risk of litigation and criminal fines.

Failure to implement a proper electronic storage solution will result in unnecessary risks and liability exposure for businesses. It is therefore imperative that systems are reviewed and strengthened.

Below are certain requirements that must be kept in mind when reviewing these systems:

Retention of Email Messages:

Currently no law regulates the retention and archiving of email messages in South Africa and many businesses delete emails after 2 to 3 months. However it is international practice that email messages are archived for a period of at least 3 years.

The risks that businesses are exposed to without an adequate retention system include unauthorised deletion, disclosure and tampering of email messages.

The Promotion of Access to Information Act gives effect to the Constitutional right to access to information. Businesses that fail to retain outgoing email for a period of at least three years may not be able to comply with these public disclosure requests and may face litigation and criminal fines.

Tax Administration Act:

Records are kept in the original form, in an orderly fashion, and in a safe place, or, where retained in electronic form, in an “acceptable electronic form”, or in a form specifically authorised by a senior SARS official.

This “acceptable electronic form” must ensure that the information has remained complete and unaltered and is capable of being displayed or produced to the person who is inspecting the record.

It is required that the person required to keep records is able to, within a reasonable period when called on by SARS, to provide SARS with an electronic copy of the records, in a format that SARS is able to readily access, read and analyse, or to send the records to SARS in an electronic form that is readily accessible by SARS, or to provide SARS with a paper copy of those records.

Taxpayers who keep records in an electronic format must ensure that measures are taken for the adequate storage of the electronic records. It is necessary to store all electronic signatures, login codes, keys, passwords or certificates required to access the electronic records, and the procedures to obtain full access to any electronic records that are encrypted.

Taxpayers who retain electronic records must have the records available for inspection by SARS at all reasonable times, and at premises physically located within the country, or accessible from such premises (if authority has been granted by SARS). The electronic records must be able to be made available for purposes of an audit or investigation conducted by SARS.

Electronic Communications and Transactions Act:

Where a law requires information to be retained, that requirement is met by retaining such information in in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received.

The origin and destination of that data message and the date and time it was sent or received can he determined.

There are certain principles stated for the electronic collection of personal information and also the timeframe that this information must be kept: