Recordkeeping during COVID-19

As public authorities continue to respond to the ever-evolving challenges of COVID-19, Queensland State Archives (QSA) recognises that usual business practices will likely be disrupted and that recordkeeping may not always be front of mind.

We would like to remind public authorities that their recordkeeping responsibilities under the Public Records Act 2002 remain as important as ever.

There is an ongoing need for records related to the pandemic AND as part of BAU to be created, managed and maintained.

Records created during this crisis will:

  • help support the success of the response
  • enable you to continue business as usual
  • ensure that there is evidence of the decisions made to support and enable this critical work
  • become key records for future generations to refer back to on how we all dealt with this event.

UNESCO and the International Council on Archives have released a joint statement regarding the importance of creating documentary heritage both now and for the future.

1. Retention and disposal of records that support contact tracing activities

Agencies subject to the Restrictions on Businesses, Activities and Undertakings Direction (the Direction) issued by the Chief Health Officer, “must keep contact information about all guests and staff for contact tracing purposes for a period of 56 days, unless otherwise specified. This information must include: name, email address, contact number and the date/time period of patronage. If requested, this information must be provided to public health officers. The information should be securely stored, not used for any other purpose and deleted after 56 days.”

You may need to determine if the Direction applies to your agency and whether you are required to collect contact information.

Any records of contact information collected to support contact tracing purposes are considered public records and need to be stored and managed accordingly. They are not considered transitory or short-term records. 

You will need to consider information privacy requirements when collecting, storing and disposing of this information. For more information, see the Office of the Information Commissioner advice on Contact tracing registers and privacy rights.

The following table sets out how records documenting contact information collected for contact tracing purposes should be managed, retained and destroyed, and how it differs to other information already collected by your agency (e.g. personnel records or records of building access).

Information collected or record created How to manage these records Retention period and disposal authorisation
All required contact information of guests and/or staff is collected ONLY to support contact tracing

Create a defensible process outlining how the records will be collected, managed and destroyed.

Information should be stored securely in accordance with the Direction, and all other relevant requirements.

Note: You should consider having a privacy statement about why the contact information is being collected. Contact your agency’s privacy unit for guidance on this.

Supply this contact information to public health officers if requested.

Retain for 56 days then destroy the information in accordance with the Direction.

Document disposal as part of your defensible process.

Note: Ensure you delete all iterations of the contact information where reasonably possible.

All required contact information about guests and/or staff is already collected for another business purpose.

The required information may be documented in more than 1 record.

Example includes contact details for staff on personnel files AND building security logs showing dates and times staff are on site.

Information should be managed according to the normal business practice for these records.

A separate record documenting required contact information does not need to be created to support contact tracing.

Information should be stored securely in accordance with relevant requirements.

Supply this contact information to public health officers if requested.

Note: You may need to update your privacy statement about why the information is being collected to include contact tracing as well.

 

Retain for:

  • the retention period specified in the relevant disposal authorisation for that business activity,

OR

  • for 56 days after the visit then destroy the information in accordance with the Direction,

whichever is the longer period. 

Manage and document disposal as per normal practice for the retention period applied.

Some required information collected about guests and/or staff for another business purpose (e.g. name, date on site).

Additional information needs to be collected to support contact tracing (e.g. email address, contact number).

Examples include:

  • building security logs where name and date on site captured,
  • visitor sign in/sign out sheets where name and contact number and date on site is captured
  • *regular contractors onsite, where only their name and contact number is currently collected
  • *regular guests or visitors who frequent your organisation, such as volunteers, regular patrons, board members.

Information collected and records created as part of existing processes should be managed according to normal business practice.

Create a separate record with ALL required contact information for contact tracing purposes.

Records for contact tracing and records for the regular business activity should be stored and managed separately.

Create a defensible process outlining how the additional information will be collected, managed and destroyed.

Information should be stored securely in accordance with the Direction, and all other relevant requirements.

Supply this contact information to public health officers if requested.

 

Retain information collected for the other business purpose for the retention period specified in the relevant disposal authorisation for that business activity.

Document disposal as per normal practice.

Retain new records created to support contact tracing, with all required information, for:

  • 56 days after their visit

OR

  • to the end of the public health emergency (*for regular visitors),

whichever is shorter, THEN destroy in accordance with the Direction.

Document disposal as part of your defensible process.

Note: Ensure you delete all iterations of the contact information where reasonably possible.

Correspondence sent to public health officers with contact information attached or included.

Capture and manage the correspondence according to your agency’s current business practice for COVID related activities and actions taken.

Contact information collected for contact tracing purposes still falls under the requirements of the Direction and must only be retained for the 56 days specified, even if it is requested by public health officers.

This information may need to be destroyed before the correspondence is due for destruction.

Consider including how this will be managed as part of your defensible process for how the contact information will be collected, managed and destroyed.

Retain correspondence as per the relevant disposal authorisation for that activity.

Contact information supplied must still only be retained for 56 days then destroyed in accordance with the Direction.

Document disposal of correspondence records as per normal practice.

 

Defensible process and documenting disposal of contact information

You do need to document the disposal of contact information collected and destroyed under the Direction.

Due to the potential high volume of records and the frequency of disposal, you can implement a defensible process to demonstrate that you have:

  • met the requirements of the Direction
  • a process in place that outlines:
    • how the information was collected and stored
    • the authorisation to destroy the records (the Direction)
    • how and when they are to be destroyed and who destroyed them
  • approval of the process from your CEO or authorised delegate (i.e. a standing endorsement to destroy the records)

You may also need input or endorsement from:

  • areas involved in collecting the information and managing visitors
  • those managing your agency’s response to the current pandemic
  • any teams involved with information privacy, right-to-information or legal responses to any issues that may arise.

Include the name of the Direction in full and the date it was issued when citing it as the disposal authorisation to destroy the records. You don’t need further disposal authorisation for these records in a retention and disposal schedule–the direction is sufficient.

Any records containing contact information that are created and kept for another business purpose should be disposed of as normal.

Find out more about how to destroy records.

Records provided to public health officers

If contact information your agency has collected is requested for contact tracing purposes, talk to the public health officers about how best to provide a copy of that information and in what format.

Any records that public health officers request and use for contact tracing are managed by Queensland Health as per their normal practice for contact tracing for reportable diseases.

It is recommended a copy of the contact information provided to public health officers is retained by your agency for the full 56 days but no longer. This ensures a full record of contact information is collected and retained by your agency.

More information

For more information, see the Restrictions on Businesses, Activities and Undertakings Direction, s362B of the Public Health Act 2005, and other relevant directions issued by the Chief Health Officer.

See also the Queensland Government Fact sheet: collecting and storing customer information during COVID-19 (PDF, 190KB).

2. Recordkeeping responsibilities when working from home or remotely

If you are working from home or remotely, it is important to remember that your recordkeeping responsibilities do not change.

You still need to:

  • make and keep records of work activities
  • keep records safe
  • ensure there is no unauthorised disposal of records
  • comply with your agency’s recordkeeping policies and procedures
  • make sure the records are transferred or captured into your official recordkeeping or business systems when you return to your normal workplace.

Agencies should set clear expectations and processes about how records are created, managed and maintained when working form home, in particular for those that are unable to access the official business systems and capture records as they normally would.

Risks when working from home or remotely

With staff working from home, there are increased and additional risks to records.

  • Records may not be captured straight away or at all.
  • Information security may be less if people are using private networks and devices, or even public networks.
  • Lack of ability to control duplicates or versions.
  • Less able to control access to records, particularly confidential or sensitive.
  • Other staff may not be able to access the records they need if stored on a personal or individual device (e.g. USB, desktop, portable hard drive).
  • Some records may not be included in any back-ups if not on a networked drive, application or agency cloud.

Find out more about assessing and managing recordkeeping risks.

Things to consider

  • What records you need to capture and how–take a look at the Decide what records to capture and how page.
  • How you might manage public records in private accounts if you can’t use a work device or accounts–see our Public records in private accounts advice.
  • How you would use digital signatures to sign documents if you can no longer print and scan them–check out Implement and use digital signatures.
  • The security classifications that apply to records you use–check out our Security and access to records advice.
  • What records need to be accessed by others–check out our Security and access to records advice.
  • What social media content is a record–take a look at Social media records.
  • Whether there might be new record formats your agency needs to capture, like recorded teleconferences, or chats (e.g. using Microsoft teams)
  • Your agency’s recordkeeping policies and procedures to see what is already in place to enable working from home, and what may need to be updated.
  • Consider what processes, procedures need to change or where work-arounds may need to be implemented
  • What information security requirements may also impact how staff mange and access records – talk to your IT area.

More information

The following advice and information may be useful at this time:

Advice

Blogs and videos