School record keeping obligations are multifaceted and data retention remains an ongoing and complicated issue. Retaining data for too long raises the risk of data breaches being more damaging and significant for schools. However, we acknowledge schools are also grappling with retention requirements, particularly regarding child safety information.
But how long is too long? Schools are not at liberty to simply dispose of all information relevant to a student once they have ceased being educated by that school. For example, Victorian schools are obliged under the Ministerial Order 1359 (MO1359) to create, maintain and dispose of records relevant to child safety and wellbeing in accordance with the Public Records Office Victoria (PROV) Recordkeeping Standards, including minimum retention periods (clause 6.2(f)).
But what does this mean in practice?
School recordkeeping obligations require schools to define their maximum retention periods for different categories of records and ensure these are applied across physical and digital information assets.
Child Safety and Wellbeing Records
The reference to ‘child safety and wellbeing’ in MO1359 is broader than the PROV standard, PROS 19/08, introduced in response to the Royal Commission into Institutional Responses to Child Sexual Abuse. This standard requires organisations, in relation to records about organisational responses to child sexual abuse, to:
- indefinitely retain records about the development of policy, strategy and procedure;
- retain reporting and investigation records for 99 years; and
- retain training and development records for 45 years.
Other considerations regarding recordkeeping
What about documents that are not ‘records about organisational responses to child sexual abuse’? This is where schools need to balance competing obligations, such as contractual and legal requirements, including under privacy law, which requires organisations to destroy records when they are no longer required. Student data may involve sensitive and health information and other detailed personal information which carry specific privacy obligations.
There are several matters to consider when balancing privacy and the MO1359 requirement to retain records relevant to ‘child safety and wellbeing’. We recommend all schools create a Data Retention Policy that outlines those considerations and identifies the retention periods for different categories of student data to have a clear understanding of their framework for data management and retention.
There is no ‘one size fits all’ document that will serve the school’s purpose in this regard. Each school will have to make decisions itself and develop its own policy.
The shift to digitised and digital records also means that Schools need to consider privacy and data retention in their systems and applications. Privacy and data security risks can be managed by undertaking a privacy impact assessment to consider how school requirements translate into new systems and processes.
How we can help
Moores has helped a number of schools and other education providers with the creation of Data Retention Policy’s since MO1359 was enacted in July 2022.
We have also facilitated privacy risk assessments for new systems and processes that impact student data and records management.
We are more than happy to guide you through the steps required to ensure you are creating adequate retention periods, implementing new systems in alignment with your privacy requirements, and also advising how best to avoid a data breach in respect of such personal and sensitive information.
Please contact us for more detailed and tailored help.
Subscribe to our email updates and receive our articles directly in your inbox.
This article was originally published October 2022. Updated December 2023.
Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.