Nigeria: Record Retention Compliance For Business Organisations¹

Introduction:

Record or document retention essentially deals with the maintenance and storage of documents either in electronic form or otherwise, until the completion of the document's lifecycle. Generally, record retention serves three broad purposes the first being for future reference, the second being disaster recovery, and finally, legal documentation.¹ Organisations consider record/document retention as an ordinary business practice but fail to realise that record/document retention is of legal import and could attract unintended consequences. Some laws prescribe the tenure for retention of a specific type of record/document after which they can be destroyed. This article will highlight the significance of record/document retention and recommend good retention practices for business organisations.

Defining Record Retention:

Record or document retention, involves storing, maintaining, and archiving information over a period of time.² A record retention policy is a business guide that states how to manage record /documents from creation to disposal. It also helps employees understand how to dispose of record/documents properly to protect corporate data and client information. At the end of the required period or lifespan of the record, it is expected that the records may either be archived or destroyed.Although organisations are not legally required to create policies on record/document retention, this is highly recommended based on global best practices. For organisations set on compliance, it may be necessary to begin by creating a record retention policy that shows how the organisation thinks about record retention and determines its record retention infrastructure. Good retention policies make for easy reference and contain a retention schedule that serves as a timetable outlining specific retention periods for records depending on the nature of the document and its content.

A record retention policy must take into cognisance, the nature of the record/document and the relevant legislation that stipulates the timeline for retention.In addition, an organisation will have to determine the record infrastructure which is simply the place or system where records are kept for the sake of accessibility and safety. This could be a digital records management system or a traditional file room.

Legal Provisions on Record Retention:

As previously stated, record retention periods may be mandated by law or established according to industry standards. Business organizations dealing with personal data, employee records, tax and financial records, as well as invoices and receipts, will find the following provisions of the law relevant and valuable:

1. Data Protection Act 2023: Concerning retention of personal data in Nigeria, Section 24(1) (d) of the Data Protection Act 2023,³ and the Nigeria Data Protection Regulation⁴ do not prescribe a specific duration but require some justification or lawful bases for the retention of personal data, however long or short.⁵ The crux of this provision is that personal data should only be retained or stored as long as is necessary for the purpose for which it was collected or processed.⁶ However, a synthesis of the provisions of Article 8.0 of the NDPR-Implementation Framework⁷ is that where there is no applicable law, the retention period for personal data is a matter of contract which is to be stated in the terms of service or other binding document between the parties.⁸ In the absence of any applicable law or an agreement in respect to record retention period , the framework prescribes the following:

a) 3 (three) years after the last active use of a digital platform

b) 6 (six) years after the last transaction in a contractual agreement

c) Upon presentation of evidence of death by a deceased's relative

d) Immediately upon request by the Data Subject or his/her legal guardian where (i) no statutory provision provides otherwise and (ii) the Data Subject is not the subject of an investigation or suit that may require the Personal Data sought to be deleted. It should be noted however, that these provisions relate only to personal data.

2. The Labour Act:⁹ The Act deals with employer-worker and employer-employee relationships and provides that records of wages and conditions of employment should be retained for three (3) years after the time to which they refer.¹⁰ In addition, employers are required to keep a record showing the name and address of the worker; his town (or other place) of origin; the date of his birth; the name and address of his next of kin; the date and place of his engagement; his National Provident Fund number;¹¹ and the date of cessation of employment which are to be retained for three (3) years. The Labour Act prescribes a fine not exceeding N200 as the penalty for employers who knowingly and with intent to avoid compliance with the Act fail to keep the above records as prescribed by the Act.¹²

3. The Companies and Allied Matters Act (CAMA):¹³ Corporate bodies are required to retain records/documents stored in pursuance of the provisions of CAMA in soft copies for Six (6) years.¹⁴ This includes reports, registers, minutes, financial statements, balance sheets, resolutions etc.

4. The Companies Income Tax Act (CITA):¹⁵ Section 63 of the CITA provides that every company, including a company granted exemption from incorporation, shall, whether or not the company is liable to pay tax under the Act, maintain books or records of accounts, containing sufficient information or data of all transactions. Any book or record required to be kept under this section shall be kept for a period of at least six (6) years after the year of assessment in which the income relates.¹⁶

In addition to all of the above, the Federal Inland Revenue Service (FIRS) published a guide on simple record keeping for business records and defines business records as "written evidence summarising a transaction carried out by a person in his business at a given time or over a given period. Business records are normally kept in books in an organised form. Business records can also be maintained in electronic format". The guide recommends that fixed assets, expenditures, tax affairs, evidence of payments, bank transactions, additional financial capital, personal drawings, sales purchases, cash and credit transactions, and related records be kept for at least six (6) years.¹⁷

5. The Cybercrime (Prohibition, Prevention etc.) Act¹⁸ provides that telecommunications service providers are required to preserve and retain traffic data and subscriber information for a period of two (2) years.¹⁹ In addition, the Consumer Code of Practice Regulations²⁰ issued by the Nigeria Communications Commission (NCC) on consumer information, restates the general principles on data protection and privacy contained in the Nigeria Data Protection Act and the Nigeria Data Protection Regulations.²¹ It also provides some specific retention periods for different operational records/documents. For instance, with respect to complaint submission and handling processes, licensees are required to retain all information recorded and collected for at least twelve (12) months following resolution of a complaint.²² The operator is also required to retain records of a customer's bill and related charges for a minimum period of twelve (12) months.²³

6. Banks and Other Financial Institutions Act:²⁴ The Act provides that proper books of accounts are kept with respect to all transactions²⁵ but does not provide a specific retention period. Nonetheless, organisations operating in the financial service sector, must consider the various Central Bank of Nigeria (CBN) regulations and guidelines that specify durations for retaining various types of documents/records. For instance, the CBN Regulation for Direct Debit Schemes in Nigeria,²⁶ requires that a biller²⁷ maintains documentation/records received from a payer²⁸ or payer's bank for as long as the mandate is active. While documentation on expired mandates are subject to a minimum retention period of six (6) years.²⁹ Credit bureaux are also required to maintain a historical database which covers a five (5) year period and reflects the extent to which clients are regular in meeting their commitments on due dates and information related to clients' delinquencies and payment delays. This database is required to be kept for at least ten (10) years.³⁰ Under the Nigeria Bankers' Clearing System Rules,³¹ the retention period of physical cheques by the presenting bank is a minimum of five (5) years, while operators of the Automated Clearing System shall keep electronic copies of the cheque images for a minimum period of ten (10) years.³²

RECORD DISPOSAL/DESTRUCTION

This is the last stage in the lifecycle of every record. As far as the disposal of records containing personal data is concerned, the NDPR-Implementation Framework states that personal data that is no longer in use or which has been retained beyond the requisite statutorily required storage period shall be destroyed in line with global best practices for such operations.³³ This may be necessary to prevent claims of data breach.

It is considered global best practice for organisations to dispose or destroy documents by utilising professional service providers who issue certificates of destruction as proof. Alternatively, records can be destroyed by designated staff in the presence of other employees as witnesses. Some safe methods of records destruction are shredding, pulping, or recycling for less sensitive record/documents, while digital records can be deleted, overwritten, or degaussed (erasing magnetic data).³⁴

It should be noted however that records/documents that have completed their lifecycle must not be destroyed if they relate to a pending audit, investigation, dispute or any reasonably anticipated dispute to avoid legal liability for interference with or destruction of evidence. Hence, the disposal of records should be conducted with integrity and meticulous care. It is advisable to subject documents scheduled for disposal to a holding period during which a thorough assessment is conducted to mitigate any potential risks associated with their destruction.

Recommendations and Conclusion:

Effective record retention is not just a matter of convenience but a critical component of responsible business operations and legal compliance. Establishing robust record/document retention policies aligns with global best practices and helps organisations streamline their record management processes. As a fundamental step, organisations should conduct data mapping, which involves identifying the various kinds of data, documents/records that traverse the entire business process, the purposes for which they are retained, and assign retention periods in line with the applicable law. As earlier stated, record retention periods are sometimes specified by legislation and in other cases are based on industry practices. Other considerations for determining record retention periods include agreement between parties, likelihood of disputes arising, and reasonable business interest.

Organisations must be mindful that non-compliance with record retention periods could attract fines, loss of licences, and other sanctions. Furthermore, organisations may face the risk of data breaches and loss of valuable information, which could serve as vital evidence to prove or disprove wrongdoing.³⁵ This emphasises the need for organisations to prioritise record retention compliance and utilise customised data management and record management software as appropriate, to facilitate and simplify compliance. On a final note, business organisations should seek legal advice when unsure about retention periods.

Footnotes

1. Financial Crime Academy, "What Is Records Retention? Why It Is Important for Organizations?", available at https://financialcrimeacademy.org/what-is-records-retention/#:~:text=Records%20retention%20is%20the%20process,legal%20documentation%20and%20disaster%20recovery accessed on 18^th July 2023.

2. Shredall Group, "Document Retention Policy: Legal Requirements Guide", available at https://www.shredall.co.uk/blog/document-retention-policy-1 accessed on 22^nd August 2023.

3. Data Protection Act, 2023.

4. Nigeria Data Protection Regulation (NDPR) 2019.

5. Section 24(1)(d) of the Data Protection Act 2023.

6. Article 2.1(c) of the NDPR, 2019.

7. Nigeria Data Protection Regulations (NDPR) - Implementation Framework, 2020.

8. Section 8.2.

9. Labour Act, Cap L1 LFN 2004.

10. Section 75(3).

11. This fund is defunct and has metamorphosed into the National Social Insurance Trust Fund (NSITF).

12. Section 75(4) of the Labour Act Cap L1 LFN 2004.

13. Companies and Allied Matters Act, 2020.

14. Section 864.

15. Companies Income Tax Act, (CITA) Cap C21 LFN 2004 (as amended).

16. Section 63.

17. Federal Inland Revenue Service (FIRS), "A Guide to Simplified Record Keeping", available at https://www.firs.gov.ng/wp-content/uploads/2020/11/SIMPLE-RECORD-KEEPING-2017.pdf accessed on 5^th September 2023.

18. The Cybercrime (Prohibition, Prevention etc.) Act 2015.

19. Section 38.

20. The Consumer Code of Practice Regulations, 2007.

21. Section 35 of the Consumer Code of Practice Regulations, 2007.

22. Section 48.

23. Section 23.

24. The Banking and Other Financial Institutions Act, 2020.

25. Section 23.

26. Regulation for Direct Debit Schemes in Nigeria, 2018.

27. A biller is an entity that debits authorised payments from customers' bank accounts, often for subscription based services.

28. A payer is the party whose account is to be debited as instructed or authorised by a mandate.

29. Section 2.1.10 of the Regulation for Direct Debit Schemes in Nigeria, 2018.

30. Section 5.6.2 of the Guideline for the Licensing, Operations and Regulation of Credit Bureaux and Credit Bureau Related Transactions in Nigeria, 2013.

31. Nigeria Bankers' Clearing System Rules (Revised), 2018.

32. Section 7.6.

33. Article 8.3 of the NDPR-Implementation Framework, 2020.

34. LinkedIn, "What are the Best Practices for Disposing of Records that are No Longer Needed?" available at https://www.linkedin.com/advice/3/what-best-practices-disposing-records#:~:text=The%20disposal%20method%20depends%20on,%2C%20degaussing%2C%20or%20physically%20destroying accessed on 21^st September 2023.

35. Leapxpert, "How to Mitigate Legal and Regulatory Risks Through Effective Recordkeeping", available at https://www.leapxpert.com/how-to-mitigate-legal-and-regulatory-risks-through-effective-recordkeeping/ accessed on 5^th October 2023.

36. Leapxpert, "How to Mitigate Legal and Regulatory Risks Through Effective Recordkeeping", available at https://www.leapxpert.com/how-to-mitigate-legal-and-regulatory-risks-through-effective-recordkeeping/ accessed on 5^th October 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.