All documents created by Queensland Government are public records, including copies, drafts and other transitory and short-term records.
Transitory and short-term records, also known as ephemeral records, are created as part of routine transactional business practices and are not usually required for ongoing business.
These are records that may help an action or a process move forward, but don’t in themselves have any long-term value and are not needed to understand the business action or process. They are usually only required to be kept for a short period of time.
Examples include drafts not intended for further use or reference, copies of material retained for reference use only, working notes, call centre recordings, routine CCTV footage, and credit card payment data.
Table of contents
Transitory records do not need to be formally captured into your agency’s recordkeeping system unless you have a specific requirement to do so.
Each agency should have procedures in place to assist with the management of transitory and short-term records. Identify:
- which records are transitory or short-term records
- which records need to be formally captured
- how they should be managed
- how long they should be kept
Consider your legal, business and other requirements–these may affect what records can be considered transitory or short-term records, how they should be managed, and how long they need to be kept.
Some transitory and short-term records may need to be captured and kept as official records.
Drafts may need to be captured and kept if they:
- contain decisions, comments, feedback, annotations, requests, actions or any other kind of significant information that is not captured elsewhere and provides context to the development process or the final version
- help with internal processes (e.g. so that a workflow approval can be initiated, or to show that a certain step in a process has been completed).
Some drafts need to be kept for a specified period of time (e.g. draft submissions and legislation). Check your retention and disposal schedule to find out how long you need to keep drafts.
Copies are records that are the same as an original/official public record. No information has been added, annotated, changed or deleted on the copy.
Copies will need to be captured and kept as records if it:
- has been modified in any way
- has become your official record of a business activity
- have been given to you by another agency (e.g. as part of a MOG or administrative change, if you need access to these records, a copy needs to be filed with your agency etc.) and it becomes the official public record for your agency.
These copies need to be kept as an official record and sentenced based on the function or activity they relate to.
If copies are in the custody of a private entity (e.g. as part of an outsourcing or privatisation arrangement), they will need to be managed accordingly. See our advice on outsourcing, privatisation and providing access to records during a machinery of government change.
Other transitory records
Other transitory and short-term records will need to be captured and kept if they:
- are required for ongoing business use
- are needed as evidence of business activities or used to inform decisions or actions–for example, surveillance footage required for an investigation, call centre recordings created as the official record of advice provided
- result in further action or service–for example, social media post that requires follow-up action.
See the exclusions in each record class for examples of the types of records that may need to be captured and kept.
Disposal authorisation for transitory and short-term records is given in the General Retention and Disposal Schedule (GRDS).
Record classes in the transitory and short-term section of the GRDS have a disposal action of ‘until business action completed’. It is up to your agency to determine when transitory or short-term records can be destroyed based on:
- your agency’s business requirements
- the level of risk acceptable to your agency
- the records created.
Before you destroy
Before you destroy transitory and short-term records, make sure the records are not:
- required for judicial and litigation proceedings, Commissions of Inquiry, or legal action, whether or not the State is a party to that litigation
- covered by any other laws or policies requiring the records be retained, for example, a current disposal freeze or retained in accordance with the Evidence Act 1977 and the Criminal Code Act 1899
- needed for accountability purposes or to support the ongoing efficient administration of agency business
- linked to community expectations about rights and entitlements
- considered to have cultural or known historical value.
You must also ensure records being destroyed are covered by the classes in the GRDS and not listed in the specific exclusions provided in each record class.
Once business use has ceased, records identified as transitory and records with short term retention can be destroyed.
However, if transitory records have been captured into your agency’s recordkeeping system, their disposal must be documented and endorsed. You must keep this information as proof they were lawfully destroyed.
Credit cards and associated data have their own set of recordkeeping requirements.
The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities involved in payment card processing.
It contains specific mandatory requirements regarding the storage and disposal of credit card details.
- Sensitive authentication data (3 digit numbers on the back cards) should never be stored—this information must be destroyed immediately after the transaction has been authorised.
- Primary Account Number (PAN) (the card number) needs to be rendered unreadable when it is stored.
Destruction of credit card data
The General Retention and Disposal Schedule includes 2 record classes authorising the destruction of both cardholder and sensitive authentication data in accordance with the standard.
Consider your recordkeeping process for payments to ensure that cardholder data can be destroyed immediately or as soon as business use has ceased and that other required information can be stored for the required retention period.
What information can be kept?
Under the PCI DSS, the primary account number and any other credit card information must only be kept if there is a valid legal, business or regulatory need for that data.
If you do need to keep any information for a certain period of time after the card transaction has occurred, you must ensure that the cardholder data is stored or redacted in some way in accordance with the requirements of the PCI DSS.
You will need to ensure that your system can meet the requirements in the standard. If you can’t, this information cannot be stored.
Include the capture and management of credit card data into your agency’s recordkeeping procedures, or include recordkeeping requirements in procedures for taking payments.
See the blog post a change is on the cards for more information on sentencing credit card data.