Compliance with the Public Records Act (Vic)

Introduction

Datalink offers a retention and disposal service to ensure our customers can remain compliant with their legal obligations.

Legislation overview

As a service provider to Victorian government customers, Datalink aligns our practices with:

  • the Public Records Act 1973 (Vic),

  • the standards and Retention & Disposal Authorities (RDAs) issued by the Public Record Office Victoria (PROV), and

  • the information retention and disposal requirements of ISO 27001 7.5.3 and Annex A.5.33.

Customers of different jurisdictions can nominate different legislative requirements and schedules.

PROS 09/05 VAR 2: Retention & Disposal Authority for Records of Local Government Functions

Retention and Disposal Authorities (RDAs) are rules predefined by PROV that legally authorise the disposal of records they cover.

This is the principal RDA that covers local government functions.

Within its schedule it includes emergency management, community preparedness, emergency response, community recovery, environmental health, compliance management and other local government functions, covering all the use cases within Crisisworks.

It is issued under section 12 of the Public Records Act 1973 and authorises disposal (destruction) of public records when the minimum retention period has been met.

A simplified table is below.

| Number | Heading | Years | Disposal text summary |
| --- | --- | --- | --- |
| 5.1 | Community Preparedness | 2 | Destroy 0 – 2 years after administrative use has concluded. |
| 5.2 | Emergency Response | 7 | Significant event: transfer to PROV for state archives; Moderate event, no death: destroy 25 years after incident; Minor event: destroy 7 years after incident |
| 5.3 | Community Recovery | 7 | Destroy 7 years after finalisation of support, and 2 years after administrative use has concluded. |
| 8.2 | Compliance Administration and Enforcement | 7 | Permits: destroy 1 year after administrative use has concluded. Penalties: destroy 7 years after resolution of the matter |
| 12.2 | Service Infrastructure Management | 7 | Destroy 7 years after action completed |

While customers can provide granular instructions to Datalink at any time for the permanent deletion of their data, Datalink offers a simple schedule that operates to the rule of 7 years after event closure, unless the event has the risk setting set to High.

This covers all the disposal criteria above, and assumes the event may be re-opened by council for administrative use up until that time.

Some low-level, ephemeral records (drafts, rough working papers, duplicates) may be disposed of earlier under Normal Administrative Practice (NAP), which is separate from the substantive records of recovery.

For a full reference: Retention & Disposal Authority for Records of Local Government Functions

Guidance summary

For records created as part of emergency response and recovery activities, generally the following apply:

  • Records relating to direct support provided to individuals or businesses must be retained for 7 years after support is finalised, then securely destroyed.

  • Records of facilitating access to support provided by other agencies must be retained for 2 years after administrative use concludes, then securely destroyed.

  • Keeping records beyond these periods is not generally permitted by PROV, as it increases privacy and security risks.

Our Customers are the relevant “public office” under the Public Records Act, and are legally responsible for determining when their records have met the authorised minimum retention period and for instructing us to carry out secure deletion.

Under these requirements, the customer is responsible for determining when records have met their authorised retention period and may lawfully be destroyed. Our role is to securely delete records only on your instruction.

While this guide shows the standard retention and disposal rules, some data (such as financial data) may have other requirements, so it's best to check with your applicable officer.

Retention and disposal

How retention works

Retention is automatic in Crisisworks, as it is not possible to delete records.

Some PROV requirements (specifically emergency response activity for a significant event) have an ongoing requirement to retain data indefinitely.

While Crisisworks can and will hold onto this data for the life of the service contract, the retention requirement involves transferring the records to PROV (e.g. using Crisisworks reports and exports), so they can retain the records as part of the State Archives.

How disposal works

Datalink has established a simplified rule to cover the main schedules in PROS 09/05 VAR 2.

Each year Datalink scans our Crisisworks sites for data likely to require secure deletion:

  • The event has been closed and untouched for > 2 years

  • The data within the event is last edited > 7 years ago

  • The event is not marked as medium or high severity

If records exist, Datalink will seek formal authorisation from the customer. Datalink requires Customers (as the public office) to confirm in writing that it’s appropriate to delete.

If the customer approves the deletion, Datalink will perform the secure deletion on the nominated events.
