In the corporate world, company secretaries are the custodians of very important information for the companies of which they are officers. This is in line with the requirements of the Companies Act, which requires that a company maintains and retains certain information and instruments of operation. In this article, we focus on the requirement to maintain company registers vis-à-vis data protection considerations.

Company registers required to be maintained include a register of members, directors, secretaries, debenture holders, charges and beneficial owners. The Data Protection Act 24 of 2019 defines personal data as information relating to an identified or identifiable natural person. Various company registers contain entries that collect personal data leading to the identification of natural persons, such as names, identification details, contact details, residential addresses, and personal details of members and directors of the company. Evidently, the data that is usually collected and reflected in the registers by company secretaries, by its very nature, falls within the ambit of the Data Protection Act.

Furthermore, the Companies Act provides that the register should be kept at the company’s registered office for inspection. It is not uncommon to find that some companies have their registered office at the Company Secretary’s address, especially where such services are outsourced. Addressing an inspection request then raises the question of how a company secretary should prepare such registers and, further, how the Company Secretary can exercise their discretion in responding to an inspection request so as to avoid a data breach. A data breach occurs when there is an accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data that has been transmitted.

Generally, to avoid a data breach and to protect data in the development and maintenance of registers such as the Directors and Members Registers, the Company Secretary may consider doing certain things. For one, the company secretary should consider designing the registers in such a way that natural persons cannot be identified by those who do not have a legal right to peruse or take copies of the registers. This can be achieved by limiting access to information and by pseudonymising the information held, for example by not storing full names and addresses. This is common with system access rights, where different users have access to different levels of information based on their needs and responsibilities. In addition, further personal data such as identification numbers, online and telephone contacts should not be collected unless there is a specific use for it, and if collected, should not be available for perusal or copying. A Company Secretary should also ensure the registers are stored safely, and finally, privacy considerations should be given during an inspection request. In providing access to information, the company secretary should strike a balance between the best interests of the company, the privacy rights of the data subject and the legitimate reason for an inspection request.

On storage, in the case of a physical register, the company secretary should be keen to ensure that it is stored in a safe and secure location, such as a safe. For digital versions or copies, the company secretary should ensure secure data storage through considerations such as encryption, access control mechanisms and protection against data corruption. Ideally, the focus should be on ensuring that the information is kept out of the hands of anyone not authorised to see the registers and on making sure that the data remains available after incidents such as system failures.

In handling inspection requests that are legally allowable, discretion in execution should still be applied. For instance, the risks involved in an inspection request by the company’s auditor will be quite different from those in an inspection request for journalistic or public interest purposes. In the former, the relationship with the company will most likely be covered by confidentiality terms under the contractual document, whilst in the latter, the company secretary may reject such a request, redact information, and in some circumstances have the request subjected to board approval. Furthermore, the purpose of the request should also be subjected to a legitimate reason test. A legitimate reason test should essentially sieve out inspection requests that are incompatible with the interests of the company and that pose the risk of a data breach for those whose data has been collected.

From the discourse above, it is crucial for company secretaries to carefully balance the need for compliance against the legal risk of a data breach whilst maintaining company registers. As the data protection conversation evolves, both globally and locally, it should provide innovative ways to achieve compliance.

At Qwasha we believe in the role of good corporate governance for long-term sustainability and growth. We simplify compliance by training and advising boards, auditing and advising on compliance, and assisting with recruitment and onboarding of directors. Reach out on info@qwasha.co.ke for assistance.

DISCLAIMER:

This briefing is a highlight of legislative and policy changes and is intended to be of general use only. It is not intended to create an advocate-client relationship between the sender and the receiver. It does not constitute legal advice or a legal opinion. You should not act or rely on any information contained in this legal update without first seeking the advice of an advocate.