Board packs, minutes, resolutions, and board committee reports contain the highest-sensitivity information in most organisations: strategic plans, financial performance, legal exposures, executive remuneration, merger and acquisition discussions, and regulatory concerns. Their mishandling creates legal, reputational, and commercial risk that can be severe.
What Makes Board Documents Different
Board documents are different from operational documents in three important ways:
- Legal sensitivity: Board discussions on litigation, regulatory matters, and legal strategy may attract legal professional privilege. Disclosure of these documents to unauthorised parties can waive privilege.
- Market sensitivity: For listed companies, board documents may contain price-sensitive information. Leakage constitutes insider trading under the Financial Markets Act.
- Strategic sensitivity: Mergers, acquisitions, restructuring, and strategic plans can cause significant commercial harm if disclosed to competitors or the press, or prematurely to employees.
Common Board Document Governance Failures
- Board packs distributed via standard email, remaining in the inboxes of directors who have since resigned
- Board minutes stored on general shared drives accessible to all management-level staff
- Directors printing board packs and leaving them in home offices, cars, or other insecure locations
- Company secretaries using consumer file-sharing platforms (Dropbox, personal Google Drive) to distribute board materials
- Former directors retaining access to board document systems after resignation
- AI tools used to summarise or analyse board documents
Personal Information in Board Documents
Board documents frequently contain personal information: executive remuneration (salary, bonuses, benefits), individual performance assessments, medical or incapacity information affecting specific individuals, and disciplinary matters. This information is subject to POPIA and must be protected accordingly.
A Governance Framework for Board Documents
- Board portal: Use a dedicated board portal (iShare, BoardEffect, Diligent or similar) rather than email for distribution of board packs. Portals provide access controls, remote wipe, and access logging.
- Access lifecycle management: Implement formal processes for granting and revoking access when directors are appointed or resign.
- Classification: All board documents should be classified as Restricted — the highest sensitivity level — by default.
- Retention policy: Board minutes are permanent legal records and must be retained indefinitely. Board packs may be subject to different retention rules; document these clearly.
- AI tool prohibition: Board documents must be explicitly excluded from use with any AI tool in the AI acceptable use policy.
- Destruction of physical copies: Printed board packs must be shredded after use, not recycled or discarded in general waste.
The Company Secretary's Role
The Company Secretary (or equivalent) is typically the information custodian for board documents. They should own the governance framework, manage access permissions, maintain the retention schedule, and ensure that departing directors return or delete all board materials.