As agencies continue to respond to the ever-evolving challenges of COVID-19, we recognise the need to implement new business practices and manage associated recordkeeping requirements.
Since the beginning of this pandemic, the Queensland Chief Health Officer has issued various Public Health Directions to help contain the spread of COVID-19. In particular, the Restrictions on Businesses, Activities and Undertakings Direction applies to us and specifies what records we need to create and keep to support contact tracing purposes.
Agencies covered by this Direction must collect and manage the contact information of ALL visitors and staff, provide it to public health officers if requested and destroy it after 56 days.
Lawful disposal
Despite the relatively short retention period, contact information that has been collected for contact tracing purposes is not considered a transitory record which means you need to document evidence you have destroyed it lawfully.
Under the Public Records Act 2002, authorisation to dispose of public records is permissible a couple of ways, commonly it is provided by the State Archivist through an approved retention and disposal schedule, however, in the case of contact information, disposal is authorised under the Direction from the Queensland Chief Health Officer and this is what you need to reference in your disposal documentation.
Your CEO or authorised delegate still needs to endorse the disposal. This means you need to get their sign off on what records will be disposed of and how they will be disposed of. Essentially, your disposal process remains the same but what you reference as the authorisation is different.
Defensible process
Since contact information records are critical records that need to be created and disposed of quite frequently, we recommend documenting your processes in a defensible process
There are no specific templates you must use to document your defensible process, it can be a memo, briefing paper, procedure or guideline template etc.
The critical point is that it is a simple yet robust documentation that demonstrates how you meet the requirements of the Direction (and any other legislative requirements such as information privacy and the Public Records Act 2002), and can defend your processes and decisions and why you have made these decisions.
As you will be collecting highly sensitive, personal information, your processes need to demonstrate you are managing this information securely and following lawful disposal requirements. For example, your defensible process might specify:
- whether access to visitor contact information will be restricted to specified staff members only
- processes to be followed when responding to a request from a public health officer, including which staff members would collate and provide the requested information
- processes followed to ensure the format of the visitor contact information is appropriately secured e.g. if the information is collected in hardcopy format, the physical controls put in place to secure it, if third party software is used to collect contact details, implementation of any required additional security factors
- processes followed to ensure visitor contact information is securely and irreversibly destroyed after 56 days
- the instrument authorising disposal (the Direction)
- what records will be destroyed.
Although your defensible process doesn’t have to be signed off by your CEO/authorised delegate, getting this approval means it can also function as a standing disposal endorsement so you don’t need to seek endorsement each time disposal is due.
As with other standing arrangements, standing disposal endorsements need to be regularly reviewed to make sure they are appropriate for the records they cover. In the case of contact information records, it makes sense to do this when a new Health Direction is issued by the Queensland Chief Health Officer.
Other contact information already collected
If you already collect some or all of the required contact information for other business purposes, it may have different retention periods and disposal requirements and these will be set out under the General retention and disposal schedule (GRDS) or a core or sector schedule, not the Direction. You can find more information about this on our recordkeeping during COVID-19 web page.
More information
- Recordkeeping during COVID-19
- Security and access to records
- Cloud storage and services
- Store, protect and care for digital records
- How to destroy records
- COVID-19 blog series
Other agencies have also published advice specific to the collection of contact information for contact tracing purposes and how to manage it:
- Queensland Government Fact sheet: collecting and storing customer information during COVID-19, Queensland Health
- Contact tracing registers and privacy rights, Office of the Information Commissioner.