The significant increase in data breaches across Australia has fuelled a tension between data retention and data minimisation, prompting many organisations to question and justify the records they retain. In a child safety context, the considerations are particularly complex.
Organisations working with children can look to the five Recordkeeping Principles published by the Royal Commission into Institutional Responses to Child Sexual Abuse. However, the Recordkeeping Principles don’t provide comprehensive guidance on how the Principles should be interpreted in light of privacy law and the obligation to destroy personal information that is no longer needed. This begs the question, how should organisations that work with children navigate this tension between data retention and data minimisation?
The Royal Commission’s Recordkeeping Principles are as follows:
- Creating and keeping full and accurate records relevant to child safety and wellbeing, including child sexual abuse, is in the best interests of children and should be an integral part of institutional leadership, governance and culture.
- Full and accurate records should be created about all incidents, responses and decisions affecting child safety and wellbeing, including child sexual abuse.
- Records relevant to child safety and wellbeing, including child sexual abuse, should be maintained appropriately.
- Records relevant to child safety and wellbeing, including child sexual abuse, should only be disposed of in accordance with law or policy.
- Individuals’ existing rights to access, amend or annotate records about themselves should be recognised to the fullest extent.
The Royal Commission recommended that institutions engaging in child-related work retain, for at least 45 years, records relating to child sexual abuse that has occurred or is alleged to have occurred. This is to allow for delayed disclosure of abuse by victims and to take account of limitation periods for civil actions for child sexual abuse.
Meanwhile, Australian Privacy Principle (APP) 11.2 says that if:
- an APP entity holds personal information about an individual; and
- the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
- the information is not contained in a Commonwealth record; and
- the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information; then
- the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de‑identified.
Finally, the Public Records Office Victoria (PROV) has a Retention and Disposal Authority for Records of Organisational Response to Child Sexual Abuse Incidents and Allegations, which has specific timeframes for records about child sexual abuse. All schools in Victoria must comply with PROV under MO1359, and other organisations receiving state funding may be required to comply with PROV under their funding agreement.
| Permanent | 99 Years | 45 Years |
|---|
| Policy, strategy and procedure | Reporting and Investigations | Training and Development |
Policies and procedures, including reviews and drafts.
Records of major internal reviews of the process of responding to child sexual abuse incidents and allegations; including final reports, findings and recommendations. | Records documenting the reporting and investigation of child sexual abuse incidents, allegations and disclosures, including those not proven and those referred to external law enforcement agencies. | Records documenting the development of training programs devised to instruct agencies on how to respond to incidents of abuse that has occurred or alleged to have occurred.
Note: This is different to the 7-year standard practice of employee records. |
Adopting a risk-based organisational stance
If your organisation is required to retain documents under PROV, then you need to retain the document for a compliance purpose, meaning you can reconcile APP 11.2 and PROV.
But in the absence of strict legal requirements for what you retain or destroy a child safety record, what should you do?
While the answer may vary between organisations having regard to their operations, risks and record keeping practices, we recommend that organisations adopt a carefully drafted retention and destruction policy which contains the ability to perform risk-based assessments.
There are a number of important considerations when balancing risks, including the following:
Retention Risks
- There are significant risks involved in retaining records about children you work with, particularly when that information may also be sensitive information such as information about disabilities, mental health, cultural or linguistic diversity (CALD), and religious beliefs or affiliations.
- Further, if you work with children you probably retain records of Working With Children Checks (or WWVP depending on your state), which includes criminal records. These categories of information are “sensitive” because they can have a more significant impact on individuals if they are used in the wrong way or subject to a data breach (for example, discrimination).
- A risk assessment considering the risks of retention should also consider the increase of the penalty for serious and repeated interferences with privacy (breaches of the APPs) from $2 million to $50 million.
Destruction Risks
- On the other hand, organisations may be required to – or want to – retain child safety records for a long period of time, particularly in relation to claims of child abuse. We know from the Royal Commission that the average time for a person to disclose child sexual abuse is 23.9 years. Records that fall outside the three PROV categories above, such as records of who attended a school camp, incident reports of physical harm, or the psychologist, carer or supervisor assigned to a specific child for a specific time period, may prove critical in a subsequent historical child safety investigation or prosecution.
- The fourth record keeping principle provides guidance here: it sets out that records should be disposed of according to law or policy. In the absence of law, we recommend that organisations implement a risk-based policy which considers privacy and data security risks, alongside child safety risks.
How we can help
Moores can help you navigate this complicated space, and unearth how these laws and other guidance and policy documents apply to your organisation specifically. We can help you:
- develop or review a policy and procedure for archiving and document management
- analyse and map your storage and destruction practices so you can be confident you are implementing standards that reflect your operations and the applicable laws; and
- advise on requests for information.
For more information on how to navigate this area, please contact our safeguarding team.
Contact us
Please contact us for more detailed and tailored help.
Subscribe to our email updates and receive our articles directly in your inbox.