Key messages

Personal information is at risk when agencies do not have an effective disposal program in place and continue to hold public records for longer than the required minimum legal retention period.

Records can be in any format and include documents, databases, database entries, emails, messages, images, recordings etc. Public records are any records made or received by a public officer in the course of their duties.

  • The Public Records Act 1973 has precedence in determining the retention requirements for public records over the Privacy and Data Protection Act 2014
  • Destruction of public records CAN ONLY be carried out in accordance with Standards, including RDAs, issued by the Keeper of Public Records
  • Records MUST NOT be de-identified before the minimum retention period is reached without the written authorisation from the Keeper of Public Records
  • It is critical that agencies implement an effective disposal program for records held in all formats and within all systems and storage environments
  • Permanent value records must be transferred to PROV when no longer needed for business purposes. Records containing personal information which should not be accessible to others will be withheld from public access for a period of time. PROV will ensure records are preserved and the information protected
  • Public offices should only collect and retain personal information when it is necessary for their functions or activities.


Concerns about retaining personal information

Public offices may be concerned about retaining people's personal information for extended periods of time, both because they may not be compliant with the Privacy and Data Protection Act 2014 (PDP Act) and because of the increased risk of data breaches where an office holds more information than it needs to conduct business.

This guidance sets out the legal requirements around retaining and disposing of personal information under the PDP Act and the Public Records Act 1973 (PR Act).

The PDP Act, PR Act and IPPs

The PDP Act contains 10 Information Privacy Principles (IPPs) that govern the way an organisation collects and handles personal information.

Organisations that are bound by Part 3 of the PDP Act are Victorian public sector organisations, including local councils, and contracted service providers for Victorian public sector organisations. The Office of the Victorian Information Commissioner (OVIC) oversees compliance with the IPPs.

Relevantly, IPP 4.2 states that an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.

Any purpose includes the obligation under the PR Act to meet the minimum retention periods specified by the Keeper of Public Records. Retention periods are specified to meet the business needs of government and community expectations.

Public offices must comply with mandatory Standards issued under s12 of the PR Act. These set out obligations which govern the creation, capture, management, retention and disposal of public records/information/data.

Public records can only be destroyed when authorised by the Keeper of Public Records. This authorisation is usually given in Retention and Disposal Authorities (RDAs) which are legal instruments:

  • specifying the minimum legal retention period(s) that records must be kept
  • authorising the destruction of records once the minimum retention period is met (time-expired records)
  • identifying the records that must be permanently retained as State Archives through transfer to PROV.

While at first glance organisations may perceive there is friction between IPP 4.2 and public records requirements, this is not the case.

The 'any purpose' referred to in IPP 4.2 includes the obligation to meet the minimum retention periods specified by the Keeper of Public Records.

Furthermore, s6 of the PDP Act states that where there is any inconsistency with another Act, the other Act prevails. This means that the obligations issued under the PR Act, including those which govern the retention and disposal of public records/information/data, take precedence over the PDP Act. This means there is no conflict between the two Acts - public records can only be destroyed when authorised by the Keeper of Public Records.

An obligation to destroy or de-identify does not apply to information that a public office is legally obliged to retain for the period specified in the relevant RDA. This means that public records cannot be de-identified and must be retained in full for the specified minimum retention period UNLESS removal of identifying data is approved by the Keeper of Public Records.

Note: Section 3 of the PDP Act defines de-identified information as meaning that personal information no longer relates to an identifiable individual or an individual that can be reasonably identified. The OVIC website includes guidance about this.

Protecting personal information when permanent value records are transferred to PROV

As part of the transfer process, the public office and PROV determine whether records should be withheld from public access for a specified period. The most common reason is because they contain personal information. Authorisation for withholding records from public access under one of the sections of the PR Act is obtained from the Minister responsible for PROV, in consultation with the Minister responsible for the records being transferred.

Full and complete permanent value records must be transferred to PROV - information cannot be removed, redacted or de-identified.


Collecting and holding unnecessary personal information

IPP 1.1 of the PDP Act requires public offices to only collect and capture personal information when necessary for their functions and activities. Public offices should seek advice from PROV if they have collected personal information which is not necessary for their functions or activities, but do not have authorisation (i.e. under an RDA) to destroy it. In some cases, this might be because the personal information is contained within records that must be kept for a longer period of time.


What public offices need to do

Public offices should only collect personal information when it is necessary for their functions and activities. Public offices must have arrangements and processes in place to ensure information, data and records are retained for the minimum lawful retention period and disposed of appropriately.

Regular and managed disposal, covering records of all formats in all systems and storage environments, mitigates the risk of security breaches and unauthorised access to records. It reduces both the information management overhead and storage costs and aids the discovery of reliable, relevant and accurate information.

Public offices should not hold records, particularly records holding personal information, for longer than they are legally required by the Keeper of Public Records or needed for legitimate purposes. Once the minimum retention period for temporary records is reached and the business has confirmed no further allowable purpose for the records, the office should destroy the records.

Public records of permanent value must be determined (usually through RDAs) and transferred to PROV when no longer needed for business purposes - this will ensure they are preserved, protected and access is managed appropriately. This must be undertaken in accordance with PROV transfer requirements. As part of the transfer process, public offices and PROV work together to determine if records need to be withheld from public access for a specified period.

Data and records must be securely managed until they can be lawfully disposed of. Advice on preventing and responding to cyber security incidents is provided on the cyber security in the Victorian Government webpage.


Example scenarios

Example A

You are a regulator that handles complaints about public sector organisations. At the end of the complaint, the complainant member of the public tells you that they want all records of the complaint to be destroyed since the complaint is no longer active.

You check the relevant RDA which stipulates that you must retain documents related to complaints for a period of 5 years. You write to the complainant to explain that you cannot action their request.

By doing so you will have adhered to your organisation's PR Act obligations and will not contravene IPP 4.2.


Example B

A member of the public is concerned about recent data breaches and is doing a 'check-up' with organisations they have interacted with to see if they still hold their personal information.

The individual recalls that they were involved in replying to a survey your organisation was conducting about a project in their local area. This occurred around 5 years ago and the individual asks you to delete their survey responses.

You check the relevant RDA and realise that the minimum retention period for these types of records expired about 3 years ago. By not destroying the information your organisation may be contravening IPP 4.2.
