Businesses face an increasingly complex challenge: how long to keep their records. From small enterprises to major corporations, the question isn't just about storage space anymore – it's about legal compliance, risk management, and data protection.
The more information retained beyond the statutory date, the greater the risk of data breaches is a warning issued by the South African Institute of Chartered Accountants (SAICA). But on the other hand destroying records too early could land organizations in serious legal trouble.
Corporate Records: The Backbone of Business DocumentationClose Corporations Face Strict Requirements
The requirements for closed corporations are among the most demanding in South African business law:
Accounting records and supporting schedules must be kept for 15 years
Annual financial statements require a 15-year retention period
Founding statements (CK1) and amendments (CK2 & CK2A) must be kept indefinitely
Minutes and resolutions are subject to indefinite retention
The Companies Act Framework
The Companies Act 71 of 2008 sets different standards that have become a cornerstone of business documentation:
Basic company records require a minimum 7-year retention
Notice of incorporation and memorandum of incorporation must be kept indefinitely
Securities register and company rules need indefinite retention
Financial statements and accounting records require 7 years of safe keeping
Consumer Protection and Financial Documentation: A Balancing Act
The Consumer Protection Act takes a more lenient approach, requiring just 3 years of retention for:
Consumer information and communications
Conflict of interest disclosures
Records of advice
Promotional competition records
Auction documentation
However, financial institutions face stricter requirements under various laws:
Customer due diligence records: 5 years from relationship end
Transaction records: 5 years from completion
Suspicious transaction reports: 5 years from reporting date
Employment Records: Beyond the Basics
The employment sector presents some of the most varied retention requirements in South African law. While basic records like books of account need only three years of retention, other documents demand permanent storage. Employee disciplinary records, for instance, must be kept indefinitely – a requirement that often catches businesses off guard.
Health and Safety Documentation
Perhaps most striking are the health and safety record requirements:
Health & safety committee records: 3 years
Incident records: 3 years
Asbestos records: An astounding 50 years
Hazardous biological agents records: 40 years
The Tax Landscape
SARS has established clear guidelines based on different scenarios:
Submitted returns must be kept for 5 years from submission
Records for unsubmitted returns must be retained indefinitely
Documents under audit or appeal must be kept until resolution
VAT documentation requires 5 years of retention
The POPIA Impact
The Protection of Personal Information Act has revolutionized record retention in South Africa. While other laws set minimum retention periods, POPIA effectively sets maximum ones.
Organizations must now:
Keep records only as long as necessary for their original purpose
Justify extended retention through law or contract
Destroy records in a way that prevents reconstruction
Ensure electronic deletions are permanent and unrecoverable
Best Practices for Modern Business
Comprehensive Documentation System
Maintain records in their original form
Implement orderly filing systems
Ensure accessibility for inspections
Electronic Record Management
Obtain proper authorization for electronic systems
Secure special permission for offshore storage
Implement robust backup systems
Best way to dispose of documentation (after the appropriate periods):
To ensure the secure and compliant disposal of company documents, combining secure practices with the services of certified disposal companies is a highly effective approach.
Here are comprehensive steps for safely getting rid of sensitive company documents:
Shredding: For in-office shredding, use a cross-cut or micro-cut shredder to thoroughly destroy paper documents. Alternatively, there are companies who provide on-site shredding with industrial-grade machines, ensuring documents are immediately and securely destroyed.
Secure Collection: Certified disposal companies often provide secure, locked containers or bins for on-site storage of documents awaiting disposal. These bins can be kept at the company’s location until regular pick-up by the disposal service, maintaining security at every stage.
Electronic Data Destruction: For digital files, use secure deletion software to overwrite data multiple times before disposal.
Certified disposal services can physically destroy or degauss hard drives, issuing a certificate of destruction for each device.
Certificate of Destruction: After processing, certified companies issue a certificate of destruction, documenting the method, date, and time of disposal. This certificate serves as proof for regulatory compliance with data protection laws, and helps verify that the company has taken due diligence in securely destroying sensitive information.
Environmentally Responsible Disposal: Many certified disposal companies recycle shredded paper and e-waste, ensuring compliance with environmental standards. This sustainable approach allows companies to meet both data protection and environmental responsibilities.
As businesses increasingly digitize their operations, the challenges of record retention are evolving. The key isn't just keeping everything forever or destroying records as soon as possible – it's about finding the balance between compliance and practicality.
Proper record retention isn't optional – it's essential for survival in an increasingly regulated environment. The cost of proper record retention may be significant, but the cost of non-compliance could be far higher.
Remember: When multiple retention periods apply to the same records, always follow the longer period. When in doubt, consult legal experts who can provide guidance specific to your industry and circumstances. In the world of record retention, knowledge isn't just power – it's protection