Other activities and record types
Some activities and record types have additional considerations and recordkeeping requirements.
Find out how to manage these records.
You need to consider information privacy when managing your records, especially those that contain information about people.
You will need to make sure that appropriate access restrictions and permissions are applied to records that contain sensitive or personal information.
Draft documents are public records. How long you need to keep them will depend on the significance of the final document and the changes the draft shows.
What drafts to keep
You will need to capture and keep a draft if it:
- contains decisions, comments, feedback, annotations, requests, actions or any other kind of significant information that is not captured elsewhere and provides context to the development process or the final version
- helps with internal processes (e.g. so that a workflow approval can be initiated, or to show that a certain step in a process has been completed).
Some drafts need to be kept for a specified period of time (e.g. draft submissions and legislation). Check your retention and disposal schedule to find out how long you need to keep drafts.
When to destroy drafts
The General Retention and Disposal Schedule contains a record class for drafts.
Drafts that do not need to be kept can normally be disposed of under this record class when business use ceases so long as they meet the specific criteria listed.
Your agency will need to decide when the business use for those drafts ceases (e.g. immediately, next day, 6 months).
You can choose to implement a specific retention period for drafts if necessary (e.g. 6 months for all draft publications).
Electronic or digital signatures are a method of authenticating a person as the source of a digital message and of indicating their approval of the information contained in the message.
Digital signatures include:
- digitised signatures–a scanned handwritten signature inserted as an image; use of signature blocks (e.g. on emails)
- online forms–Adobe forms; workflow approvals in applications (e.g. timesheets)
- touch screens–signature on a touch screen using a stylus (e.g. Australia Post courier delivery)
- digital signatures–use of digital code and encryption technology to verify the contents of a digital document.
The Electronic Transactions (Queensland) Act 2001 provides for the use of digital signatures, as long as they meet 3 criteria:
- the signature identifies a person and indicates their intention (e.g. providing approval via an email)
- the signature is appropriate (reliable) for its purpose (noting that digital signatures offer greater security than digitised signatures)
- the person receiving the document consents to receiving a signature in electronic form.
Schedule 1 of the Act outlines exclusions regarding the use of digital signatures.
Implementing digital signatures
Your business may be subject to legislative provisions that require your records to be in a particular format.
In the absence of any specific legislative requirement, you should use a risk-based approach to deciding whether a digital or physical (wet) signature should be used.
If you are implementing digital signatures, you should:
- perform (and document) a risk assessment for the use of digital signatures–some records may require more robust forms of identification/authorisation than others (e.g. contractual documents over a certain value)
- undertake an environmental scan for business requirements or other legal or policy obligations that may require ‘wet’ signatures
- develop and document processes and/or any policies and related responsibilities regarding the use of digital signatures
- ensure any newly developed processes are understood so they can be implemented as standard business practice (for defensibility)
- ensure appropriate security measures are in place to prevent any unauthorised use of digital signatures
- appropriately manage the document to which the signature has been added as a record, to ensure it maintains its complete and reliable characteristics throughout its life.
The Queensland Law Society article Electronic signatures: When are they effective? provides more detail about the relationship between electronic/digital signatures and the legislative framework for electronic communications.
See also the Queensland Audit Office’s case study factsheet on Electronic signing—financial statements for an overview of their legal requirements, and their internal process when signing their independent auditor’s opinions electronically.
Credit cards and associated data have their own set of recordkeeping requirements.
The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities involved in payment card processing.
It contains specific mandatory requirements regarding the storage and disposal of credit card details.
- Sensitive authentication data (the 3-digit numbers on the back of cards) should never be stored–this information must be destroyed immediately after the transaction has been authorised.
- Primary Account Number (PAN) (the card number) needs to be rendered unreadable when it is stored.
Destruction of credit card data
The General Retention and Disposal Schedule includes 2 record classes authorising the destruction of both cardholder and sensitive authentication data in accordance with the standard.
Consider your recordkeeping process for payments to ensure that cardholder data can be destroyed immediately or as soon as business use has ceased and that other required information can be stored for the required retention period.
What information can be kept?
Under the PCI DSS, the primary account number and any other credit card information must only be kept if there is a valid legal, business or regulatory need for that data.
If you do need to keep any information for a certain period of time after the card transaction has occurred, you must ensure that the cardholder data is stored or redacted in some way.
You will need to ensure that your system can meet the requirements in the standard. If you can’t, this information cannot be stored.
Include the capture and management of credit card data in your agency’s recordkeeping procedures, or include recordkeeping requirements in procedures for taking payments.
The diaries of local government mayors and councillors are public records and need to be managed as such.
The Local Government Sector Retention and Disposal Schedule covers records created, received or kept by Mayors and Councillors in their official capacity, including official work diaries.
Find out what diaries to keep.
Personal emails and information relating to political parties generated by Mayors and Councillors when they are not acting in their official capacity are not public records.
The responsibility for running local government elections resides with the Queensland Electoral Commission.
Although election records can be sentenced under section 13.8 of the Local Government Sector Retention and Disposal Schedule, we recommend local governments also consult with the Electoral Commission about retaining and disposing of these records.
If your agency has contact with lobbyists, you must capture and manage records relating to that contact.
The Integrity Act 2009 governs the contact between lobbyists and the government including opposition representatives.
The Queensland Integrity Commissioner maintains the Register of Lobbyists which is required under s68 of the Act.
See also the Crime and Corruption Commission's Lobbying (corruption prevention advisory).
Contact with a lobbyist
Contact with lobbyists includes telephone calls, emails, written mail and face-to-face meetings. Contact may also be through social media and other online channels.
It’s important that you capture the decisions and actions from these interactions with lobbyists to show there was no undue influence in providing an accountable and transparent government.
Ensure you record any contact with lobbyists on your agency’s register of contact with lobbyists by providing the:
- date of the meeting
- title(s) and name(s) of government representatives
- name of the lobbyist entity
- name of the client
- purpose of the meeting.
How long to keep records of contact with lobbyists
Any records that you create can be sentenced under the General Retention and Disposal Schedule.
If you have contact with entities that are not considered lobbyists, these records can be sentenced according to the business activity they relate to.
Your agency is responsible for the ongoing management of legacy records created by your agency or inherited from another agency as part of a machinery-of-government change (MOG) or administrative change.
Legacy records must be kept, managed and remain accessible for their full retention period.
Close legacy records when the function they relate to ceases. You should also update metadata to document that the function has ceased and that no new records will be created.
If you have inherited legacy records from an agency that has closed, consider how they will be managed. You may need to decide if it is easier to manage them separately or if they should be integrated into your current recordkeeping system.
If you integrate legacy records into your recordkeeping system, you will need to update existing tools, procedures, policies and business systems to include them.
You will also need to update metadata to document the records’ history.
Find out more about documenting a MOG or administrative change, and recordkeeping activities and event history metadata.
Sentencing and disposing of legacy records
Legacy records should be sentenced under a current retention and disposal schedule. If there isn’t a schedule you can use to sentence the records, they can't be destroyed. These records must be kept and preserved until disposal authorisation is given.
Find out about disposal authorisation and how to develop or review a retention and disposal schedule.
If you are sentencing a large number of legacy records, find out how to sentence them in bulk.
If necessary, legacy records can be stored or sent to secondary or offsite storage until they can be disposed of.
You may need to review your core retention and disposal schedule if the legacy records are not covered.
Right to information requests
Any records which are subject to a request for access under the Right to Information Act 2009, the Information Privacy Act 2009 or any other relevant Act must not be destroyed until the action, and any applicable appeal period, has been completed.
See also the Office of the Information Commissioner's advice on Documents of an agency and documents of a Minister.
A duty of care exists for agencies to ensure records that may foreseeably be needed as evidence in a judicial proceeding, including any legal action or a Commission of Inquiry, are not disposed of.
The destruction of evidence is an offence under the Criminal Code Act 1899 (s.129)–‘for a person, who knowing something is or may be needed in evidence in a judicial proceeding, damages it with intent to stop it being used in evidence’.
Internal processes should be implemented to meet this obligation. You may need to consult with your legal or Right to Information area.
If it is reasonably expected that a judicial proceeding may occur or if your legal team requests it, an internal disposal freeze can be issued for certain records. This will help to prevent them from accidentally being destroyed. For example, you could expect that you will need to retain property files that refer to the use of asbestos in buildings.
Note: A preference for paper or electronic forms of evidence may apply. This will depend on the rules and procedures under which the relevant judicial or review body operates.
If your agency has operations in other States or overseas, ensure your risk assessment considers the applicable evidence laws in these jurisdictions.
Once legal proceedings have finished, consider the potential future legal need for the records (e.g. for an appeal).
Records do not need to be resentenced once legal proceedings have finished and disposal freezes have lifted; however, they may need to be reassessed and resentenced based on their disposal trigger and the significance of the records (if it has changed).
Records will need to be kept for longer than the current retention period if there is a likelihood they will be required again.
Before destroying records, ensure that there are no further business or legal requirements for retaining them.
Backups of entire systems and information in case of failure are usually done for disaster recovery or business continuity purposes.
Your agency IT team will create and manage backups. You may need to ensure that:
- backups can be used to restore some or all records
- individual records can be extracted
- backups are managed appropriately, kept for as long as necessary and destroyed correctly.
You may need to consider:
- the backup cycle (e.g. daily, weekly or monthly)
- whether backups are incremental, full or a combination of both depending on when they’re done
- how critical the information being backed up is and how often it is changed in the application
- how often backups are tested to ensure that the system can be recovered from the backups
- how long backups are kept–they can be destroyed after business action completed under the General Retention and Disposal Schedule, however, you and your agency’s IT team will need to decide when that is
- whether your IT team knows how to extract individual records from the backup.
It may be necessary to have multiple backups in multiple locations. While this can make it difficult to destroy data, it may be necessary if a location or backup fails.
Why backups are not a recordkeeping system
Backups are not recordkeeping systems and should only be used for business continuity and disaster preparedness purposes. This is because they:
- save all your data as one collection of information or as an entire system–this makes it difficult to find information and manage retention periods
- are usually unable to ensure records remain accessible, usable and preserved for the entire time you need to keep the records
- don’t usually keep or maintain any of the metadata associated with the records
- use proprietary storage software meaning you need to pay to maintain access to your backups
- increase the risks to your records and information the longer you keep them, particularly if vendors change or go out of business
- are at risk of technological obsolescence if they rely on specific software or hardware.
Find out more about what to do with backups.
Information Standard 18: Information security (IS18) includes information on backup requirements and the appropriate disposal of media.
Shared service providers are a form of outsourcing, although usually the provider is another government agency rather than a private entity.
Find out about outsourcing a function or activity.
Custody, ownership and responsibility for records
During any shared service arrangement, the shared service provider will create, receive and manage public records on your agency’s behalf.
Your agency is responsible for these records and ensuring you continue to meet your recordkeeping obligations. The status of records during outsourcing cheat sheet outlines which agency is responsible for which records.
Find out more about custody, ownership and responsibility for records.
There are specific recordkeeping considerations when using a shared service provider. You need to make sure:
- both your agency and the service provider are clear on who is responsible for which records, including endorsing the transfer or disposal of records
- the service provider creates and keeps complete and reliable records of the activities they perform on behalf of your agency
- the service provider is aware of their responsibilities to create and keep records documenting the function
- records are kept safe, preserved and returned to you at the end of the agreement unless lawfully destroyed
- everyone has access to the records that they need
- recordkeeping responsibilities and requirements associated with the function being outsourced can continue to be met (e.g. access restrictions, privacy, preservation).
Note: You can delegate responsibility to endorse the disposal or transfer of records to a position within the service provider.
Find out more about recordkeeping considerations and what to include in a shared service agreement.
Find out about the options to provide access to records when outsourcing.
Sentencing records created and managed by a shared service provider
The service provider does not need permission from QSA to use your agency’s core retention and disposal schedule for your core records.
Any records about the management of the service arrangement should also be sentenced against the most appropriate class in either your agency’s core retention and disposal schedule or the GRDS.
The shared service provider can sentence their core and administrative records against their agency core schedule or the GRDS as normal.
You can find more information about shared service providers under machinery-of-government and administrative changes.
This advice includes things to consider before entering into a shared service arrangement and recordkeeping requirements.
- About machinery-of-government and administrative changes
- Things to consider when outsourcing
- Custody, ownership and responsibility for records
- Identifying records involved when outsourcing
- Provide access to records when outsourcing
- Recordkeeping considerations for shared service arrangements and outsourcing agreements
- Prepare and transfer records to a shared service provider
See also cloud services and storage.