Recordkeeping during COVID-19

As public authorities continue to respond to the ever-evolving challenges of COVID-19, Queensland State Archives (QSA) recognises that usual business practices will likely be disrupted and that recordkeeping may not always be front of mind.

We would like to remind public authorities that their recordkeeping responsibilities under the Public Records Act 2002 remain as important as ever.

There is an ongoing need for records, both those related to the pandemic and those that are part of business as usual (BAU), to be created, managed and maintained.

Records created during this crisis will:

  • help support the success of the response
  • enable you to continue business as usual
  • ensure that there is evidence of the decisions made to support and enable this critical work
  • become key records for future generations to refer back to on how we all dealt with this event.

UNESCO and the International Council on Archives have released a joint statement regarding the importance of creating documentary heritage both now and for the future.

Proof of vaccination

If staff or visitors must be fully vaccinated to enter your premises, you must keep a register that you have sighted either:

The public health direction only requires that you sight the proof of vaccination document.

If your agency chooses a sight-only policy, any proof of vaccination documents received from staff or visitors can be destroyed under GRDS Disposal Authorisation 1273 - External Reference Information.

Registers will need to be retained for the duration of the public health direction, or until the public health direction requirements change.

Retaining proof of vaccination documents

If your agency's recordkeeping practices go beyond the public health direction requirements and see you retain proof of vaccination documentation, you will need to be guided and directed by your internal policy.

Retention and disposal of records that support contact tracing activities

Agencies subject to the Restrictions on Businesses, Activities and Undertakings Direction (the Direction) issued by the Chief Health Officer must collect and keep contact information about all guests and staff for contact tracing purposes. Contact information should be securely stored, not used for any other purpose and deleted after not less than 30 days and not more than 56 days.

See the Direction for further information on the requirement to collect contact information.

You may need to determine if the Direction applies to your agency and whether you are required to collect contact information.

Any records of contact information collected to support contact tracing purposes are considered public records and need to be stored and managed accordingly. They are not considered transitory or short-term records.

You will need to consider information privacy requirements when collecting, storing and disposing of this information. For more information, see the Office of the Information Commissioner advice on Contact tracing registers and privacy rights.

The following table sets out how records documenting contact information collected for contact tracing purposes should be managed, retained and destroyed, and how this differs from other information already collected by your agency (e.g. personnel records or records of building access).

It is up to your agency to determine the most appropriate length of time to keep any contact information collected under the Direction where the 30-56-day retention period applies. This should be based on your agency's own requirements and circumstances, and the level of risk.

Information collected or record created | How to manage these records | Retention period and disposal authorisation
All required contact information of guests and/or staff is collected ONLY to support contact tracing

Create a defensible process outlining how the information will be collected, managed and destroyed, including how long it is to be kept and why.

Information should be stored securely in accordance with the Direction, and all other relevant requirements.

Note: You should consider having a privacy statement about why the contact information is being collected. Contact your agency's privacy unit for guidance on this.

Supply this contact information to public health officers if requested.

Retain for 30 to 56 days then destroy the information in accordance with the Direction.

Document disposal as part of your defensible process.

Note: Ensure you delete all iterations of the contact information where reasonably possible.

All required contact information about guests and/or staff is already collected for another business purpose.

The required information may be documented in more than 1 record.

Examples include contact details for staff on personnel files AND building security logs showing dates and times staff are on site.

Information should be managed according to the normal business practice for these records.

A separate record documenting required contact information does not need to be created to support contact tracing.

Information should be stored securely in accordance with relevant requirements.

Supply this contact information to public health officers if requested.

If contact information is to be kept for less than 56 days, you may need to document that decision in a defensible process.

Note: You may need to update your privacy statement about why the information is being collected to include contact tracing as well.

Retain for:

  • the retention period specified in the relevant disposal authorisation for that business activity,

OR

  • for 30 to 56 days after the visit then destroy the information in accordance with the Direction,

whichever is the longer period.  

Manage and document disposal as per normal practice for the retention period applied.

Some required information collected about guests and/or staff for another business purpose (e.g. name, date on site).

Additional information needs to be collected to support contact tracing (e.g. email address, contact number).

Examples include:

  • building security logs where name and date on site captured,
  • visitor sign in/sign out sheets where name, contact number and date on site are captured,
  • *regular contractors onsite, where only their name and contact number is currently collected
  • *regular guests or visitors who frequent your organisation, such as volunteers, regular patrons, board members.

Information collected and records created as part of existing processes should be managed according to normal business practice.

Create a separate record with ALL required contact information for contact tracing purposes.

Records for contact tracing and records for the regular business activity should be stored and managed separately.

Create a defensible process outlining how the additional information will be collected, managed and destroyed, including how long it is to be kept and why.

Information should be stored securely in accordance with the Direction, and all other relevant requirements.

Supply this contact information to public health officers if requested.

Retain information collected for the other business purpose for the retention period specified in the relevant disposal authorisation for that business activity.

Document disposal as per normal practice.

Retain new records created to support contact tracing, with all required information, for:

  • 30 to 56 days after their visit

OR

  • to the end of the public health emergency (*for regular visitors),

whichever is shorter, THEN destroy in accordance with the Direction.

Document disposal as part of your defensible process.

Note: Ensure you delete all iterations of the contact information where reasonably possible.

Correspondence sent to public health officers with contact information attached or included.

Capture and manage the correspondence according to your agency's current business practice for COVID related activities and actions taken.

Contact information collected for contact tracing purposes still falls under the requirements of the Direction and must only be retained for the maximum 56 days specified, even if it is requested by public health officers.

This information may need to be destroyed before the correspondence is due for destruction.

Consider including how this will be managed as part of your defensible process for how the contact information will be collected, managed and destroyed.

Retain correspondence as per the relevant disposal authorisation for that activity.

Contact information supplied must still only be retained for 56 days then destroyed in accordance with the Direction.

Document disposal of correspondence records as per normal practice.

Defensible process and documenting disposal of contact information

You need to document the disposal of contact information collected and destroyed under the Direction.

Due to the potential high volume of records and the frequency of disposal, you can implement a defensible process to demonstrate that you have:

  • met the requirements of the Direction
  • a process in place that outlines:
    • how the information is to be collected and stored
    • the authorisation to destroy the records (the Direction)
    • how long the information is to be kept and why, particularly if it's less than the maximum 56 days
    • how and when the information is to be destroyed and who destroyed it
    • how disposal is to be documented
  • approval of the process from your CEO or authorised delegate (i.e. a standing endorsement to destroy the records)

You may also need input or endorsement from:

  • areas involved in collecting the information and managing visitors
  • those managing your agency's response to the current pandemic
  • any teams involved with information privacy, right-to-information or legal responses to any issues that may arise.

Include the name of the Direction in full and the date it was issued when citing it as the disposal authorisation to destroy the records. You don't need further disposal authorisation for these records in a retention and disposal schedule–the direction is sufficient.

Any records containing contact information that are created and kept for another business purpose should be disposed of as normal.

Find out more about how to destroy records and developing a defensible process for contact information records.

Records provided to public health officers

If contact information your agency has collected is requested for contact tracing purposes, talk to the public health officers about how best to provide a copy of that information and in what format.

Any records that public health officers request and use for contact tracing are managed by Queensland Health as per their normal practice for contact tracing for reportable diseases.

It is recommended a copy of the contact information provided to public health officers is retained by your agency for the full 56 days but no longer. This ensures a full record of contact information is collected and retained by your agency.

More information

For more information, see the Restrictions on Businesses, Activities and Undertakings Direction, s362B of the Public Health Act 2005, and other relevant directions issued by the Chief Health Officer.

Recordkeeping responsibilities when working from home or remotely

If you are working from home or remotely, it is important to remember that your recordkeeping responsibilities do not change.

You still need to:

  • make and keep records of work activities
  • keep records safe
  • ensure there is no unauthorised disposal of records
  • comply with your agency's recordkeeping policies and procedures
  • make sure the records are transferred or captured into your official recordkeeping or business systems when you return to your normal workplace.

Agencies should set clear expectations and processes about how records are created, managed and maintained when working from home, in particular for those who are unable to access the official business systems and capture records as they normally would.

Risks when working from home or remotely

With staff working from home, there are increased and additional risks to records.

  • Records may not be captured straight away or at all.
  • Information security may be weaker if people are using private networks and devices, or even public networks.
  • There may be less ability to control duplicates or versions.
  • It may be harder to control access to records, particularly confidential or sensitive ones.
  • Other staff may not be able to access the records they need if stored on a personal or individual device (e.g. USB, desktop, portable hard drive).
  • Some records may not be included in any back-ups if not on a networked drive, application or agency cloud.

Things to consider

  • What records you need to capture and how–take a look at the Decide what records to capture and how page.
  • How you might manage public records in private accounts if you can't use a work device or accounts–see our Public records in private accounts advice.
  • How you would use digital signatures to sign documents if you can no longer print and scan them–check out Implement and use digital signatures.
  • The security classifications that apply to records you use–check out our Security and access to records advice.
  • What records need to be accessed by others–check out our Security and access to records advice.
  • What social media content is a record–take a look at Social media records.
  • Whether there might be new record formats your agency needs to capture, like recorded teleconferences, or chats (e.g. using Microsoft Teams).
  • Your agency's recordkeeping policies and procedures to see what is already in place to enable working from home, and what may need to be updated.
  • What processes and procedures need to change, or where work-arounds may need to be implemented.
  • What information security requirements may also impact how staff manage and access records – talk to your IT area.

Resources and tools

Resources and tools for records management have been developed to help you implement best practice records management in your agency.