Records Management Advice – Advice on State Recordkeeping and COVID-19 - Updated

The COVID-19 Pandemic is a significant event in world history and the Western Australian State and local governments’ responses are likely to be of historical and research interest. It is important that all relevant records of information are managed in line with the organisation’s Recordkeeping Plan and retained and disposed of appropriately.

The State Records Office (SRO) recommends that Chief Information Officers, Records and Information Managers and public officers:

• ensure organisations continue to document COVID-19 responses,
• be vigilant in respect to remote recordkeeping practices for those staff working from home,
• assist organisational teams and individuals with records management obligations, and 
• update Records and Information Management Policies and Procedures as processes change.

Recordkeeping remains as important as ever as records created during COVID-19 will:

• help support the success of the response,
• enable you to continue business as usual,
• ensure that there is evidence of the decisions made to support and enable this critical work, and
• become key records for future generations to refer back to on how we all dealt with this event.

Please note: Organisations where COVID-19 responses form part of their core responsibilities, must take special care to ensure all relevant records of policies, input, programs, services etc.  are captured and retained as State archives.    

COLLECTING AND MAINTAINING VACCINATION STATUS RECORDS
In accordance with the directions made under the Public Health Act 2016 certain employers have an obligation to collect and maintain records of specified workers’ COVID-19 vaccination status. This includes evidence of vaccination and evidence of exemption.

The following page on the wa.gov.au website - COVID-19 Coronavirus: Getting proof of COVID-19 vaccinations describes ways to provide evidence of vaccination status.

There are different ways in which employers might collect evidence of vaccination status, having regard to their business processes, the size of their workforce and other operational considerations. The SRO strongly recommends that internal policies and procedures are developed and implemented for consistency, and that the minimum information required is collected only, taking into account the following requirements:

Employee, Volunteer and Visitor Evidence of Vaccination Status
When collecting evidence of vaccination status for specified workers (which may include employees, volunteers and visitors) in accordance with a direction under the Public Health Act 2016 or Emergency Management Act 2005, State and local Government Organisations may consider:

• Recording evidence of vaccination status where it can be consistently and securely managed in accordance with record keeping standards and other regulations as appropriate.
• Retention and disposal requirements for these records may be different than those for other records ordinarily kept with an employee’s personal file or using the organisation’s HR system.
• The capture of records (including metadata) related to the management of records of vaccination status e.g., collection, updates (including redaction) and disposal of evidence of vaccination.

Third Party Contractor and Temporary Personnel Services (Temporary Agency Staff) Evidence
of Vaccination Status
In some circumstances, an employer may be legally required (e.g. by a direction) or otherwise
voluntarily choose to collect evidence of vaccination status of third-party contractors (not directly
employed by the organisation) engaged to undertake work or perform a service or function on behalf of
the organisation, for example: Consultants (Management and Business Consultants, Trainers, and the
like), Trades (Plumbers, Electricians, Painters, and the like), Services (Cleaners, Security, Café and
Hospitality venues hosted on premise). State or local government organisations should consider
records of sighting, or advice of third-party contractor vaccination status.

Protection of records
Directions requiring the recording of evidence of vaccination status include obligations on employers to
protect such records from misuse and loss, and unauthorised access, modification or disclosure. This
is broadly aligned with Australian Privacy Principle 11 under the Commonwealth Privacy Act 1988.
Employers are encouraged to consider what procedures can be put in place to help ensure that records
of vaccination status are secure (e.g., internal practices, procedures and systems, physical security,
access security etc). Evidence of a person's vaccination status is considered to be ‘sensitive personal
information’ under the Privacy Act and generally requires a higher level of protection than other types
of personal information. While the Privacy Act does not generally apply to Western Australian
government agencies, in the absence of WA privacy legislation, you are encouraged to consider the
requirements of this Act for sensitive information when dealing with vaccination records.

CONTACT REGISTERS
From 5 December 2020, it became mandatory for particular businesses and venues to collect contact details of customers and patrons. 

The government directive requires businesses to keep a record of name and contact information for all staff, volunteers, and visitors.  Information that needs to be collected includes the location, date, name, telephone number and arrival time.

These records must be provided to the Chief Health Officer if requested.

RETENTION OF CONTACT REGISTERS
The Protection of Information (Entry Registration Information Relating to Covid-19 and Other Infectious
Diseases) Act 2021 (WA) protects the confidentiality of information obtained for the purposes of contact
tracing relating to COVID-19 ('entry registration information'). You must:

• protect the confidentiality of entry registration information,
• store entry registration information securely, and
• destroy entry registration information as soon as practicable after 28 days, unless required for contact tracing.   

The use of entry registration information is subject to stringent legal restrictions and significant penalties
attach to misuse of the information. The obligation to store entry registration information securely broadly aligns with Australian Privacy Principle 11 under the Privacy Act, which deals with security of personal information. When storing entry registration information, organisations are encouraged to consider what procedures can be put in place to help ensure that contact registers are secure (e.g., internal practices, procedures and systems, physical security, access security etc).

When disposing of the hard copy contact registers, ensure they are destroyed completely so that no information is retrievable.  For further information, please see the SRO’s Guideline Records Retention and Disposal Instructions - Recommended Methods of Destruction. 

RETENTION OF RECORDS
State and local government organisations are undertaking and documenting a variety of activities relating to their unique business functions and administrative responsibilities in response to the COVID-19 Pandemic.  Records of information, including relevant data, related to the impacts of COVID-19 on agency business will be required as State archives and their retention must be in accordance with the relevant Retention and Disposal Authority:

• Ad Hoc Disposal Schedules related to specific business records e.g., COVID-related records
• The organisation’s Retention and Disposal Schedule covering its core business records
• General Disposal Authority for State Government Information
• General Disposal Authority for Local Government Records
• Sector Disposal Authorities

The following list may be useful in determining what records are required to be retained as State archives as a consequence of COVID-19. Please note the list is not exhaustive and is intended as general advice.

Records Required as State Archives

Records related to:

• Plans, policies and procedures for the handling of COVID-19 incidents and cases
  • Organisation-wide strategic policies relating to COVID-19
  • Organisation-wide internal COVID-19 related plans and supporting procedures
  • Policies, procedures, and advice relating to information management practices for employees who are working from home as a consequence of COVID-19, including guidance for the creation, capture, control and security of data and information
• Committees, taskforces, working groups and other bodies formed to manage the agency’s strategic response to COVID-19.
• Input to bodies formed to manage National and whole of sector COVID-19 responses.
• Organisation-wide risk management activities arising from COVID-19.
• Social media records relating to COVID-19 matters (sentence in accordance with the relevant Retention and Disposal Authority.) For further information see Social Media Content as Government Records
• Media releases relating to COVID-19 matters (master set).
• Any significant cyber security incident that utilised COVID-19 themed material to propagate an attack.
• Inquiries or inspections arising from an outbreak of COVID-19 in the workplace.
• Workplace incidents where employees or members of the public have tested positive to COVID-19.
• Compensation claims by employees and members of the public who contracted COVID-19 while on agency premises.

 
Records NOT required as State archives (Retain in accordance with the relevant Retention and Disposal Authority.)

• Purchase, allocation, distribution and/or installation of additional equipment, stores and services, obtained as a consequence of COVID-19, to protect the safety of staff and members of the public, such as the provision of products to enable workplace hygiene, personal protective equipment, protective screens and other alterations.
• Supply and provision of technology and telecommunications to enable staff required to work from home as a result of COVID-19, including implementing, configuring and modifying specific software-based technology solutions to support staff.
• Plans for, and provision of, a safe work environment and promotion of safe work practices (at home and workplace) to protect staff during a COVID-19 outbreak.

Learning as a community of practice
The SRO recommends that records and information managers share their experience, including lessons learned, as widely as possible through existing networks. The SRO also invites organisations to share their experience with challenges and innovative approaches to the management of records of information during the response with the SRO via sro@sro.wa.gov.au. This information will be invaluable in developing more flexible standards and guidance for all government organisations.

Please make all relevant staff aware of this circular. 

For further Information and assistance please contact the SRO by email: sro@sro.wa.gov.au

Acknowledgement

• National Archives of Australia. AFDA Express Version 2 Implementation Guideline: records relating to the COVID-19 Pandemic
• Office of the Australian Information Commissioner. Australian Privacy Principles
• Queensland Government.  Recordkeeping during COVID-19
• Department of Health. Mandatory vaccination FAQ’s
• Business.gov.au COVID-19 vaccinations and your business
• Australian and New Zealand Information Access Commissioners. COVID-19: The duty to document does not cease in a crisis, it becomes more essential