Why File Names Matter in POPIA Compliance

POPIA compliance is often discussed in terms of policies, training and technology. Rarely is file naming mentioned. Yet the way an organisation names its files directly affects its ability to find, classify, protect, and delete personal information — all of which are POPIA obligations.

The POPIA Connection

Consider these POPIA requirements and how file naming affects each:

• Processing limitation (Section 10): You must only retain personal information as long as necessary. If you cannot identify what a file contains from its name, you cannot apply a retention schedule. Files accumulate indefinitely.
• Information quality (Section 16): Personal information must be accurate, complete and kept up to date. If you cannot find the right version of a file, you may use an outdated one.
• Security safeguards (Section 19): You must protect personal information from unauthorised access. Without knowing what a file contains, you cannot apply appropriate access restrictions.
• Data subject participation (Section 23): Data subjects have the right to access their personal information on request. If you cannot locate a specific person's records, you cannot honour this right within a reasonable time.

What Bad File Names Look Like in Practice

A typical ungovernced file repository contains names like:

• Scan001.pdf — scanner default. Could be anything.
• ID copy.jpg — an ID document, but whose? From when? For what purpose?
• New Microsoft Word Document (3).docx — unintentional name, content completely unknown.
• Copy of payroll March.xlsx — which year? Is this a draft or final?
• URGENT - client stuff.pdf — what client? What information?

Each of these names forces you to open the file to know what is inside. At scale — with tens of thousands of files — this is not possible. Classification, retention and access control become guesswork.

What Good File Names Look Like

A structured naming convention encodes the most important metadata in the file name itself:

[Date]_[ClientID]_[DocType]_[Description]_[Version]

Examples:

• 2025-03_SMITH-J_BankStatement_FNB-Cheque_v1.pdf
• 2025-06_DLAMINI-S_IDDocument_FICA-Verification.jpg
• 2025Q1_NKOSI-LLC_FinancialStatements_Draft_v3.xlsx

From the name alone, you can identify: the document type, the data subject, the date, and the version. This makes classification, retention, and access control possible without opening every file.

The Classification Benefit

When file names follow a consistent convention, automated classification becomes possible. A system can scan file names and flag any file containing "IDDocument," "BankStatement," or "MedicalRecord" as Confidential or Restricted without human review. This is the foundation of scalable information governance — and it is only achievable with consistent naming.

Implementation Steps

1. Define a naming standard specific to your organisation and sector
2. Publish it as a written policy with examples for each document type you handle
3. Train all staff on the standard, including what happens to non-compliant files
4. Run a quarterly audit of new files to measure naming compliance rates
5. Use a repository assessment to identify the highest-risk legacy files that need renaming