How long should a school store the personal information of its former students?
Although this is a simple question, a simple answer is not generated. In an era where data is vast, yet can be stored indefinitely, the reach of future inquirers must be considered in formulating a policy for keeping records in the present. Already, the impact of the Royal Commission into Institutional Responses to Child Sexual Abuse (Royal Commission) has been felt in some states, and accordingly state education departments have produced guidance on record management specifically for the Royal Commission.
Schools have to consider their legal obligations, their duty of care to students (who quickly become former students) and their reputational risks in making this decision. The findings now being handed down by the Royal Commission show how important it is that the records of schools are retained. It is clear that in the future, schools may become subject to legal proceedings where a spotlight will be shone on their past actions.
What happens at a school today could affect its reputation in 25 years’ time, just as what happened 25 years ago can affect its reputation now.
This is particularly the case since information in the Royal Commission Interim Report shows that on average, the timing between an incident of abuse and a subsequent claim is 22 years.
So, from a reputational risk perspective, for how long should a school retain records that include personal information and, in particular, sensitive personal information of its former students?
Starting at the pointy end of this issue, the often devastating information coming to light in the Royal Commission puts every school on notice. In this age, there is no excuse for not keeping records – whether it be incidents, investigations, determinations etc. It is now inexpensive (and getting more so) to store data in electronic form - even if paper records need to be scanned into electronic records. The legal risk is also evident - a school will not be able to prove (or disprove) what it did or did not do in a particular case. But aside from this, the reputational risk can be longer-lasting, and possibly more devastating. How does a school justify its position in relation to an internal investigation if it maintains that it acted correctly at all times but then destroyed the records of that investigation?
What does the law say?
Aside from suffering reputational damage for the deliberate destruction of documents, a school's officers could be found criminally liable for such actions. Under the Crimes Act 1914 (Cth) and corresponding State legislation, it's an offence to intentionally destroy documents that a person knows are, or may be, required as evidence in a judicial proceeding in order to prevent them being used in a court proceeding.
In many cases, the criminal offence of document destruction relates to situations where legal proceedings have already been initiated, and the destruction would mean an interference with the judicial process. But, this offence also relates to cases where a person contemplates a real possibility that there may be a forthcoming judicial process. In many cases however, neither situation would be contemplated and this means that schools are not required to keep all personal information indefinitely.
The Australian Privacy Principles (APPs) (see the CompliSpace whitepaper for more information) are applicable to non-government schools and are informative in terms of what sort of information can be retained. Under APP 3 a school should not collect personal information unless it is reasonably necessary for, or directly related to, one or more of its functions or activities. If information is not 'personal information' it doesn't matter how a school collects it. To be captured by the APPs, personal information must be contained on a 'record' (e.g. written down, on a database, in a photograph or video etc).
When a school does collect personal information it must take active measures to ensure the security of the personal information it holds and to actively consider whether it is permitted to retain personal information (APP 11). Where personal information is no longer needed, the school must destroy or de-identify it. Unfortunately, the APPs give no further guidance as to what 'needed' means, making it hard for schools to determine how long personal information should be retained.
The personal information retention obligations are clearer for government schools. In addition to being subject to state privacy legislation such as the Privacy and Personal Information Protection Act 1998 (NSW), government schools are also subject to record keeping legislation, under which related record disposal policies have been released for the public education sector. Below is a list of each State and Territory's record keeping legislation and associated policies (Policies).
|NSW||State Records Act 1988||Disposal Authority DA60|
|VIC||Public Records Act 1973||General Retention & Disposal Authority for School Records|
|TAS||Archives Act 1983||Disposal Authorisation No. 2280|
|ACT||Territory Records Act 2002||Records Disposal Schedule - School Management Records|
|NT||Information Act (in force 02.06.14)||General Disposal Schedule for School Records|
|WA||State Records Act 2000||Records Relevant to Royal Commission General Disposal Authority for State Government Information|
|SA||State Records Act 1997||General Disposal Schedule 22: For Primary and Secondary SchoolsGeneral Disposal Schedule 32: For Records of Relevance to the Royal Commission|
|QLD||Public Records Act 2002||Early Childhood Education and CareGeneral Retention and Disposal Schedule for Administrative Records|
Not all school records referred to in the Policies will contain personal information however some do and the Policies set out different document retention periods for different types of records. The suggested retention periods vary between the Policies. For example, in Victoria 'student reference files' containing information such as medical details and parental information should only be retained for 1 year after the student has left the school. While in the ACT and NSW, the suggested disposal action for similar information is 'retain until student reaches age of 25, or for 7 years, whichever is later then destroy'.
It's hard to understand how the appropriate time period to retain the same sort of information can be regarded so differently by the States and Territories. The divergence in opinion in recommendations for government schools also shows how difficult it is for non-government schools to make decisions in relation to document retention in the absence of any disposal guidelines which legally apply to them. That said, while the legislation and policies listed above don't apply to non-government schools they can still be used by them for good guidance on what sort of 'disposal actions' to apply to the various types of records kept by them.
Non-government schools should also have regard to the South Australian and Western Australian policies which specifically address 'records of relevance' to the Royal Commission. The South Australian General Disposal Schedule No. 32 effectively places a 'disposal freeze' order on the destruction of records of relevance or likely relevance to the Royal Commission. Such records must be retained until 31 December 2023. In Western Australia, the State Records Commission reminds State organisations to preserve all relevant records 'until the action (Royal Commission) and any subsequent actions are completed'. Basically, government schools in those States are in the same position as non-government schools everywhere in that they are under a general obligation not to destroy documents which might be relevant to legal proceedings in the future.
What should your school do?
This article has so far explained why personal information should be retained and the different legal obligations that apply to government and non-government schools. Ultimately, when deciding how long to retain personal information, non-government schools need to make their own decisions, with regard to various factors in the context of their own organisational risk management procedures.
There are some factors which impact on this decision, including whether your school has limited storage space, or whether your school could afford to pay for such space off-site if required. But, modern technology now allows schools to inexpensively and easily scan and save electronic copies of records.
Schools should ask themselves the question - if it's inexpensive, why would we not retain all or some records containing personal information of students indefinitely?
As the Royal Commission has shown, it is important that schools are able to produce evidence for future legal proceedings. For this reason, and from a risk and reputational management perspective, long-term document storage may be a priceless investment for the future non-government schools.
Has your school considered long-term document storage? If your current school's document retention policy adequate? What are your thoughts?
The contents of this article are generic in nature and do not represent advice that can be relied upon. This article has been prepared without taking account of any person’s individual objectives, situation or particular needs You should seek professional advice based on your own personal circumstances. The author and any other parties involved in the preparation or distribution of this article expressly disclaim any form of liability to any person in respect of this article and any consequences arising from its use by any person in reliance in whole or any part of the contents of this article.