A Tablepress Test

POPI Records Management Assessment Tool v1.0 Assessment Sheet only.xlsx

Columns of the assessment sheet: Topic #, Question #, Category, Sub-category, POPI Act reference, Action items, Who to do this, Priority, Assessment. Every row is in the category "Records management". The "Who to do this", "Priority" and "Assessment" columns are blank in this copy of the sheet and are omitted below; sub-items carry the topic's POPI Act reference unless a different one is shown in square brackets.

TOTAL RATINGS: 0

Topic 1: Records management organisation
POPI Act reference: Condition 5: Information Quality
You should assign lead responsibility for records management within the organisation at a level of seniority high enough to be able to effect change to policy, process and culture. You should:
1.1 nominate an appropriately skilled records management lead to coordinate the management of records within your business;
1.2 ensure they have the necessary authority and resources to fulfil this responsibility effectively;
1.3 for larger organisations, appoint 'owners' with day-to-day responsibility for the security, use, accuracy and retention of manual and electronic records.
Topic 2: Records management policy
POPI Act reference: Condition 5: Information Quality
A policy will enable you to address how records are used within your organisation in a consistent manner. This can be part of a general policy or a standalone policy statement that is supported by specific records management procedures such as storage and maintenance of records or disposal of records. You should:
2.1 clearly set out in policy your business's approach to records management together with responsibilities for implementing the policy and monitoring compliance; [Condition 5: Information Quality; Condition 3: Purpose specification (Retention and Restriction of records)]
2.2 ensure the policy is approved by management, published and communicated to all staff; and [Condition 5: Information Quality; Condition 3: Purpose specification (Retention and Restriction of records)]
2.3 review and update the policy at planned intervals or when required to ensure it remains relevant. [Condition 5: Information Quality; Condition 3: Purpose specification (Retention and Restriction of records)]
Topic 3: Records management risk
POPI Act reference: Condition 5: Information Quality
You should carry out regular exercises to identify, assess and manage records management risks. This process simply seeks to identify what might go wrong with a process and why. Measures can then be put in place to mitigate these risks. You should:
3.1 undertake a risk assessment of all records held within your organisation; and [Condition 5: Information Quality; Condition 3: Purpose specification (Retention and Restriction of records)]
3.2 where a corporate risk register is already in place, record risks to records management functions (these might include records not being updated, not being destroyed in a timely manner or not being held securely). [Condition 5: Information Quality; Condition 3: Purpose specification (Retention and Restriction of records)]
Topic 4: Records management training
POPI Act reference: Part B: Information Officer (Duties of Information Officer)
You should brief all staff on their responsibilities for the creation, use, maintenance and eventual destruction of records. You should:
4.1 ensure your business has incorporated records management (RM) within a formal training programme that comprises mandatory RM induction training and delivery of regular refresher material for all staff;
4.2 provide specialist training to those with specific RM functions; and
4.3 promote records management awareness generally amongst all staff through various promotional materials such as posters, newsletters and intranet articles.
Topic 5: Outsourcing
POPI Act reference: Condition 7: Security Safeguards
If you outsource the processing of personal information you may still remain responsible for the personal information under the POPI Act and therefore you should:
5.1 choose an organisation that provides sufficient guarantees about how it will protect the personal information;
5.2 ensure written and enforceable contracts are in place setting out information security conditions; and
5.3 consider whether outsourcing involves the transfer of personal information overseas (which could include hosted services or cloud computing solutions) and ensure the recipient will provide adequate protection. [Chapter 9: Transborder Information Flows]
Topic 6: Monitoring and reporting
POPI Act reference: Condition 7: Security Safeguards
You should develop ways of checking compliance to ensure policies and procedures are adhered to. You should:
6.1 undertake periodic checks on records security and monitor compliance with records management procedures; and
6.2 measure the outcomes of any records security checks or compliance monitoring against key performance indicators to provide strategic oversight to those with overall responsibility for RM.
Topic 7: Record creation
POPI Act reference: Part B: Information Officer (Duties of Information Officer); Condition 3: Purpose specification (Retention and Restriction of records)
You should ensure procedures and guidelines for referencing, titling and indexing new records are in place in order to provide for controlled access to such records and allow for efficient management, retrieval and disposal. You should:
7.1 ensure you have minimum standards for creation of paper or electronic records in place and have processes that establish that there is a legitimate purpose for using personal information prior to collecting it (which includes email); [Condition 3: Purpose specification (Retention and Restriction of records)]
7.2 establish procedures and guidelines for staff to ensure new records are titled and indexed in a way that allows efficient management, retrieval and disposal; and [Part B: Information Officer (Duties of Information Officer)]
7.3 where applicable, ensure you have some form of security classification or marking protocols in place, to identify records that contain more sensitive information. [Condition 7: Security Safeguards]
Topic 8: Records inventory
POPI Act reference: Condition 3: Purpose specification (Retention and Restriction of records)
In order to ensure that personal information is managed effectively and securely it is necessary for you to know what you hold and how. You should:
8.1 carry out an 'information audit' or 'records survey' to identify records and personal information sets held by the organisation; and
8.2 create a central log or record of which business functions create certain records, which records are vital to the functioning of the business, where they are kept, how long they are kept for and who needs to use them now and in the future.
Topic 9: Information standards
POPI Act reference: Condition 5: Information Quality
The POPI Act requires that personal information is accurate and up to date. What is considered to fall under these categories will change over time and as an organisation's business needs change. You should:
9.1 have processes in place to ensure that personal information which is inaccurate or is out of date is removed from records on a regular basis. [Condition 3: Purpose specification (Retention and Restriction of records)]
9.2 In addition, the POPI Act says that personal information should be adequate, relevant and not excessive. If you do not make decisions regarding what personal information you should hold for your business purposes then you are at risk of collecting excessive personal information and infringing the privacy of an individual, or you may hold too little to facilitate effective decision making regarding individuals. You should therefore: [Condition 2: Processing limitation (Minimality)]
9.3 ensure a process is in place to guarantee appropriate steps are taken to confirm the accuracy of personal information that is newly collected, or that has been recorded and retained over a period of time; [Condition 3: Purpose specification (Retention and Restriction of records)]
9.4 establish initial and then periodic reviews to check that personal information collected is not excessive for the purpose / processing requirements; and [Condition 2: Processing limitation (Minimality)]
9.5 where information is identified as out of date, regular records weeding should take place to remove inaccurate personal information. [Condition 3: Purpose specification (Retention and Restriction of records)]
Topic 10: Tracking and off-site storage of paper records
POPI Act reference: Condition 3: Purpose specification (Retention and Restriction of records)
Appropriate procedures should be in place to ensure that you know what records are off-site and who is holding them so they can be recovered if necessary or destroyed when they reach the end of their retention period. You should:
10.1 implement tracking mechanisms to record the movement and ensure the security of manual records between office and storage areas and also in instances where records are taken off site;
10.2 minimise personal information wherever possible when transferring personal information off-site; [Condition 2: Processing limitation (Minimality)]
10.3 use an appropriate form of transport, e.g. secure courier, for sensitive or special personal information; [Condition 7: Security Safeguards]
10.4 log the transfer in and out where appropriate and put checks in place to ensure that personal information is received; and [Condition 7: Security Safeguards]
10.5 employ security measures such as lockable containers, tamper evident packaging or removal from public view / accessibility. [Condition 7: Security Safeguards]
Topic 11: Off-site transfer of electronic records
POPI Act reference: Condition 7: Security Safeguards
Personal information may be transferred off-site using electronic means such as email or removable media, e.g. USB sticks or DVDs. CD/DVDs, USB drives, laptops, tablets and smartphones in particular are highly vulnerable to theft or loss, and uncontrolled use can lead to personal information leakage. You should:
11.1 always use an appropriate form of transport, e.g. secure courier, for sensitive personal information when transferring personal information off-site;
11.2 minimise personal information being transported;
11.3 log the transfer in and out where appropriate and check to ensure that personal information is received; and
11.4 employ security measures to safeguard the personal information such as tamper evident packaging, and storage on encrypted devices.
Topic 12: Secure storage of records
POPI Act reference: Condition 7: Security Safeguards
Paper and electronic records should be stored securely with appropriate environmental controls and higher levels of security around sensitive personal information. You should:
12.1 store paper records in lockable offices, cabinets and drawers with higher levels of security around sensitive personal information;
12.2 ensure keys to such offices, cabinets and drawers are stored securely and records are locked away when staff are absent for extended periods, e.g. overnight;
12.3 consider appropriate environmental controls to protect paper records from threats such as fire or water ingress; and
12.4 implement a clear screen and clear desk policy and culture, with regular checks to provide assurance of compliance.
Topic 13: Access to paper records
POPI Act reference: Condition 7: Security Safeguards
In order to reduce the risk of unauthorised access organisations should consider who needs access to what personal information in order to fulfil their function. You should:
13.1 restrict access to records storage areas in order to prevent unauthorised access, damage, theft or loss; and
13.2 implement role based access in line with the principle of least privilege and check access levels regularly.
Topic 14: Access to electronic records
POPI Act reference: Condition 7: Security Safeguards
It is important that your business limits access to personal information held in information systems. You should:
14.1 implement a process to ensure that access to systems holding personal information is authorised by management;
14.2 restrict user permissions to the absolute minimum (or 'least privilege');
14.3 assign each user their own username and password to ensure accountability;
14.4 implement role based user profiles and access levels to ensure that access to systems is only given to those roles that require it in order to complete their work;
14.5 review all network and application user access lists at least annually;
14.6 ensure you have robust starter, mover and leaver processes in place to avoid the risk of unauthorised access or the accrual of unnecessary access levels;
14.7 enforce strong passwords for both network and systems access;
14.8 enforce regular password changes, and limit the number of failed login attempts; and
14.9 monitor user activity to detect any anomalous use.
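Items 14.2, 14.4, 14.5, 14.6, 14.8 and 14.9 above describe checks that can be run mechanically against an exported user access list and an authentication log. The script below is an added example of such an access review; it is not part of the assessment sheet and not code from any POPI tool. The role entitlement matrix, the record field names ("user", "role", "enabled", "last_login", "perms", "left"), the log line format, the 90-day dormancy window, the failed-login threshold of 5, and all sample users and log lines are constructed assumptions for illustration.

```python
"""Access review for a system holding personal information (added example).

Flags: permissions beyond the user's role entitlement (14.2/14.4), leavers whose
accounts are still enabled (14.6), dormant accounts (14.5), accounts reaching a
failed-login threshold (14.8), and successful logins by leavers after their
leaving date (14.9). All data below is constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Assumed role-based entitlements (14.4): the most each role may hold.
ROLE_ENTITLEMENTS = {
    "records_clerk":   {"records:read", "records:create"},
    "records_manager": {"records:read", "records:create", "records:dispose"},
    "auditor":         {"records:read", "audit:read"},
}

# Constructed access list export (14.5); 'left' is the HR leaving date, if any.
USERS = [
    {"user": "amina",   "role": "records_clerk",   "enabled": True, "last_login": date(2024, 5, 2),
     "perms": {"records:read", "records:create"}, "left": None},
    {"user": "bongani", "role": "records_clerk",   "enabled": True, "last_login": date(2024, 5, 1),
     "perms": {"records:read", "records:create", "records:dispose"}, "left": None},
    {"user": "chen",    "role": "auditor",         "enabled": True, "last_login": date(2023, 9, 15),
     "perms": {"records:read", "audit:read"}, "left": None},
    {"user": "dlamini", "role": "records_manager", "enabled": True, "last_login": date(2024, 5, 3),
     "perms": {"records:read", "records:create", "records:dispose"}, "left": date(2024, 4, 30)},
]

# Constructed authentication log (assumed format: "<timestamp> <event> key=value ...").
AUTH_LOG = """\
2024-05-03T08:01:10Z LOGIN_OK   user=amina   src=10.0.1.20
2024-05-03T08:02:44Z LOGIN_FAIL user=dlamini src=10.0.9.7
2024-05-03T08:02:51Z LOGIN_FAIL user=dlamini src=10.0.9.7
2024-05-03T08:02:58Z LOGIN_FAIL user=dlamini src=10.0.9.7
2024-05-03T08:03:05Z LOGIN_FAIL user=dlamini src=10.0.9.7
2024-05-03T08:03:12Z LOGIN_FAIL user=dlamini src=10.0.9.7
2024-05-03T08:03:40Z LOGIN_OK   user=dlamini src=10.0.9.7
2024-05-03T09:15:02Z LOGIN_FAIL user=bongani src=10.0.1.31
2024-05-03T09:15:20Z LOGIN_OK   user=bongani src=10.0.1.31
"""


def parse_auth_log(log_text):
    """Yield (timestamp, event, {key: value}) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than failing the review
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield parts[0], parts[1], fields


def excess_permissions(users, entitlements=ROLE_ENTITLEMENTS):
    """14.2/14.4: permissions a user holds beyond what their role entitles them to."""
    findings = {}
    for u in users:
        extra = u["perms"] - entitlements.get(u["role"], set())
        if extra:
            findings[u["user"]] = extra
    return findings


def enabled_leavers(users, as_of):
    """14.6: accounts still enabled on or after the user's leaving date."""
    return sorted(u["user"] for u in users
                  if u["enabled"] and u["left"] is not None and u["left"] <= as_of)


def dormant_accounts(users, as_of, max_idle_days=90):
    """14.5: enabled accounts with no login inside the idle window."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u["user"] for u in users if u["enabled"] and u["last_login"] < cutoff)


def failed_login_excess(log_text, threshold=5):
    """14.8: users whose LOGIN_FAIL count reaches the lockout threshold."""
    counts = Counter(f.get("user") for _, ev, f in parse_auth_log(log_text) if ev == "LOGIN_FAIL")
    return {user: n for user, n in counts.items() if n >= threshold}


def leaver_logins(log_text, users):
    """14.9: successful logins by users on or after their leaving date."""
    left = {u["user"]: u["left"] for u in users if u["left"] is not None}
    hits = defaultdict(list)
    for ts, ev, f in parse_auth_log(log_text):
        user = f.get("user")
        if ev == "LOGIN_OK" and user in left and date.fromisoformat(ts[:10]) >= left[user]:
            hits[user].append(ts)
    return dict(hits)


def access_review(users=USERS, log_text=AUTH_LOG, as_of=date(2024, 5, 3)):
    """Run every check; empty findings for all keys means nothing to act on."""
    return {
        "excess_permissions":  excess_permissions(users),
        "enabled_leavers":     enabled_leavers(users, as_of),
        "dormant_accounts":    dormant_accounts(users, as_of),
        "failed_login_excess": failed_login_excess(log_text),
        "leaver_logins":       leaver_logins(log_text, users),
    }


if __name__ == "__main__":
    for check, findings in access_review().items():
        print(f"{check}: {findings or 'none'}")
```

On the sample data the review reports bongani holding "records:dispose" beyond the clerk role, dlamini still enabled and logging in after leaving (after five failed attempts from the same source, which also trips the 14.8 threshold), and chen dormant since 2023. The point of running the checks together is that a leaver account that is still enabled is only a finding in the access list until the log shows it being used, at which point it is an incident.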
Topic 15: Business continuity
POPI Act reference: Condition 3: Purpose specification (Retention and Restriction of records)
Every organisation will hold personal information which it cannot function without. You should:
15.1 complete an assessment of the personal information you hold and its criticality to your business functions;
15.2 ensure business continuity plans are put in place to prepare for serious disruption; [Condition 7: Security Safeguards]
15.3 take regular back-ups of systems and personal information so that you can restore personal information stored electronically in the event of disaster or hardware failure; and [Condition 7: Security Safeguards]
15.4 store back-ups off site. [Condition 7: Security Safeguards]
Topic 16: Disposal of personal information
POPI Act reference: Condition 3: Purpose specification (Retention and Restriction of records)
Once you have completed a records survey, you can assign retention periods to records and personal information sets. You should:
16.1 have a disposal/retention schedule outlining storage periods for all personal information (this includes manual and electronic records);
16.2 regularly review the retention/disposal schedule to ensure it continues to meet business needs and statutory requirements;
16.3 assign responsibility to individuals to ensure retention periods are adhered to;
16.4 ensure the methods of destruction are appropriate to prevent disclosure of personal information during and after disposal, e.g. for paper documents cross shredding or incineration either in-house or by a third party, for electronic documents deletion from systems or "put beyond use", and for hardware degaussing or destruction (shredding); and
16.5 provide facilities for collecting and holding confidential personal information prior to disposal with instructions regarding how and when these should be used.
Notes

Assessment rating scale (number of items at each rating in this blank copy):
High assurance: 0
Reasonable assurance: 0
Limited assurance: 0
Very limited assurance: 0
Not applicable: 0