Record Retention Policy

Policy Statement

  • The management of records from creation to destruction should be accomplished in a uniform manner that promotes:

    • Compliance with legislation and regulations

    • Appropriate business objectives.

    • The management, maintenance, and replacement of associated information systems technology in an efficient and cost-effective manner.

 

  • This Record Retention Policy outlines the ATG procedures to create, preserve and access ATG records. To ensure that our records are accurate and secure, we ask our employees to adhere to this policy.

Scope

  • In this policy, a “record” is any type of electronic or paper file that we store in our systems. This includes files both employees and external sources create.

 

  • All legal and business documents, as well as formal internal and external communications, fall under this policy.

 

  • This policy applies to employees who may create, access and manage records.

 

  • The HR and Finance departments, which manage sensitive and critical information, are primarily responsible for keeping accurate and secure records. However, every other employee who creates and stores important records is obliged to follow this policy too.

Policy Elements

 

  • Creating Records: We place a high value on ATG’s records. By storing information, we are able to:

    • Make better decisions

    • Support our day-to-day operations

    • Forecast and prepare for the future

    • Learn from past mistakes

    • Preserve and defend ATG’s legality

    • Evaluate our operations and employee productivity 

    • Develop plans to improve and grow the company

 

  • Creating and storing certain types of records is mandatory. Employees should keep records that:

    • Are mandated by legislation

    • Are necessary for them or other employees to perform their jobs

    • Indicate internal or external changes that affect our operations, employees, partners or customers

    • Include decisions, reports, data and activities that are important to our business

    • Describe business ventures, deals and communication with regulatory bodies or the public

    • Employees, teams and departments may keep other records if they decide they’re useful to their jobs.

 

  • General Guidelines for Creating Records. Employees should:

    • Ensure that information is accurate and complete

    • Store records in appropriate mediums

    • Name, categorize and share records properly

    • Mark appropriate records as confidential

    • Clarify who is authorized to access records

    • Check records that electronic systems automatically generate, to ensure their accuracy and proper storage.

 

  • Authorization: Records may have different levels of authorization that limit their accessibility. The authorization level is usually determined by those who create the records; ATG Policy or legislation. The following records are strictly confidential and require a high-level authorization:

    • Employment records

    • Unpublished financial data

    • Customer/ vendor/ partner/ job applicant information and contracts

    • Customer Backend Information

     Access to those records is restricted to employees who directly manage that information.

 

  • Other types of records, like company performance metrics and internal policies, may be accessible to all permanent employees. However, employees are prohibited from disclosing these records to people outside of ATG, unless expressly authorized. ATG confidentiality and data protection policies always apply to all relevant records.

 

  • All employees must protect our records, whether marked as confidential or not.

Records Storage

  • Records shall be stored in safe/secure locations and protected from environmental and other potential harm, including:

    • Ordinary hazards, such as fire, water, mildew, rodents and insects

    • Man-made hazards such as theft, accidental loss

    • Unauthorized use, disclosure, and destruction.

 

  • Authorized personnel shall label records storage containers in sufficient detail to facilitate prompt and accurate content identification.  Records shall be filed in records storage containers by year or other specified identification methods to facilitate their reference, review and destruction.

 

  • Vital Records, not able to be kept electronically, shall be duplicated and the duplicate records stored at off-site locations, separate from corporate records, for reconstructive use in the event of a disaster.

 

Types of Records

  • Electronic Records

    • The procedures and records retention periods set forth in this Policy shall be applicable to electronically stored Records.  

    • Records generated and maintained in information systems or equipment are to be periodically reviewed by applicable information owners and/or custodians to ensure that record retention requirements set forth in this Policy are being met for electronic information systems.

 

  • E-Mail

    • E-mail systems facilitate both internal and external business communications on a day-to-day basis.   

    • Messages contained on email systems are kept for a limited period of time.  E-mail systems therefore should not be considered or used as an information archival or storage system.  

    • As stated above, e-mail messages that meet the criteria of a Record defined herein should be preserved in hard copy or stored electronically separately from email systems for record retention and archival purposes.

 

  • Physical records

    • Printed records must be stored safely in locked filing cabinets or closed offices.

    • Confidential files mustn’t be left in open office areas.

    • When employees need to carry physical records out of our offices, they must prevent them from being damaged, lost or stolen.

    • We advise our employees to avoid relocating records as much as possible.

 

  • Electronic records

    • Electronic records will be protected by passwords, firewalls and other security settings (both locally and in the cloud.) Employees are responsible for keeping these records intact.

    • When employees access electronic, confidential records outside of our offices, they should ensure that both their devices and networks are secure.

    • Screens and devices may not be left unattended while logged in to our company’s accounts.

Data Retention Periods

 

  • As a general rule, we will keep all records for a minimum of two years, except where legislation requires we retain certain records for a longer period.

  • The recommended retention period for each category of records is outlined in the Records Retention Schedule in Annexure A. This schedule outlines the minimum retention periods for records as set out in the applicable legislation

 

  • Under POPIA we are not permitted to retain records for longer than is necessary, and so we will always adhere to these minimum requirements as set out by legislation

Discarding Records

  • After the data retention period has passed, authorized employees may choose to discard records for a specific reason.

  • They will do this either by shredding physical documents or deleting data from a database or computer. Printed copies of electronic files will also be shredded.

  • Records may also be discarded upon request from a stakeholder, but only if it is in accordance with the relevant legislation

Policy Review

This policy shall be reviewed on at least an annual basis to:

 

  • Determine if there have been changes in International, National or Internal references that may impact on this policy.

  • Determine if there are improvements or changes within the ATG systems or processes that should be reflected in this policy