Once you become the custodian of someone’s personal information you also have a responsibility to maintain their records and take reasonable, practical steps to ensure that the information is complete, accurate, not misleading and remains updated where necessary. The extent of your responsibility will depend on the purpose for which the personal information was collected or further processed. This means that the more information you record, the more information you have to maintain. So consider carefully what you really need and have a system ready to make sure you can maintain it in a way that will keep your administration costs low and activities manageable.
Your systems must be updated to record when information was captured, when it was last updated and when last it was confirmed by the owner. See the sections on “Recurring Tasks” and “Reporting by Modified Date” in the PoPI Implementation Guide for details on how to achieve this. We recommend setting your systems up in a way that these maintenance-related activities and associated reminders can happen automatically, e.g. via your BNS or company website (assuming your website is adequately secure and meets the criteria attached to this).
It is often necessary in small businesses to copy or recapture information into other system databases like their financial, sales or inventory system for purposes of doing quotations, sending statements or invoices, etc. Unless the business has a business nervous system in place to consolidate, control and monitor the flow of this information their information officer would have to maintain these records manually. Based on the maintenance requirements it is essential that you have a system that can keep track of the primary record (source) of all personal information as well as any copies and/or secondary storage locations of personal information (or parts thereof). For automation to be a success it is critical that you have a BNS or custom system in place that can tie these update requests and related activities to the correct back-end processes. This will ensure staff do not drop the ball and follow all the rules involved in dealing with this information in a responsible way. This approach would also simplify, if not entirely automate, the process of updating secondary systems and databases which will in turn reduce mistakes and increase quality, improve efficiency and speed up the process all resulting in a better client service. Imagine the possibility of a change request, submitted by the client, automatically and intelligently kicking off one or more administration processes to review their risk profile if they move to another suburb or province. This could also trigger actions to review and update a client’s Service Level Agreement based on a significant change, etc.