Policy
The purpose of this policy is to assist schools to understand and meet requirements for creating, managing, storing, and disposing of school records.
Summary
- School staff must create, safeguard and store school administration and student records in accordance with this policy.
- School principals are the delegated custodians of their school’s records and are responsible for compliance with this policy and guidance.
- Schools must create and manage new records in digital formats whenever practicable and avoid creating and managing records in hardcopy.
- Schools must retain and manage records for the minimum retention periods outlined in the School records retention guide.
- Records must only be disposed of with written approval of the school’s principal after their minimum retention period has been met.
- Certain records may be routinely disposed of as part of Normal Administrative Practice without formal approval from the school principal, such as duplicate copies, working documents and drafts.
- School principals must ensure that the disposal of records is planned and conducted periodically (for example, annually) and in accordance with this policy.
- Schools planning to digitise and then destroy hardcopy records must first contact Records and Mail Services for advice by calling 1800 359 140 or emailing archives.records@education.vic.gov.au
- When using a contractor or service provider to deliver services, programs or products, schools are strongly encouraged to use DE template contracts to ensure compliance with this policy.
- Hardcopy records must be stored on school premises or with an Approved Public Record Storage Supplier (APROSS).
- The Guidance tab provides further information to support the implementation of this policy and good recordkeeping practices.
Details
Schools are responsible for creating, managing, storing and lawfully disposing of records in accordance with the Public Records Act 1973 and standards issued by the Public Record Office Victoria (PROV). This policy and associated guidance pages support schools to comply with these recordkeeping requirements.
Recordkeeping
Schools must systematically and routinely create and keep full and accurate records of school operations and activities, including records relating to:
- finance
- handling of incidents, complaints and investigations
- operations
- personnel management
- school governance
- student management, support, health and wellbeing and teaching and learning.
Records must be retained in accordance with minimum retention periods.
For a list of common school record types and their minimum retention periods, refer to:
- School records retention quick reference guide (staff login required).
For a full list of school record types and their minimum retention periods, refer to:
- School records retention guide (staff login required).
Recordkeeping requirements must be included in local processes and practices where possible and considered when drafting required local policies for school operations (for a good example of this, see the template Attendance in the School Policies Templates Portal).
Schools must create and manage new records in digital formats whenever practicable and avoid creating and managing records in hardcopy.
Digital records must be created or captured in authorised departmental systems, such as CASES21 and eduPay. They may also be kept in third-party systems (for example, student management systems) which meet the relevant compliance requirements, such as privacy, information security and child safety.
For further guidance on appropriate systems for creating, storing, and managing digital records, refer to Chapter 5 – Digital recordkeeping.
All records must:
- be given meaningful titles so that they can be easily identified, retrieved and used for authorised purposes throughout their retention period. For further guidance, refer to Chapter 2 – Records naming conventions
- include information about their content and context to ensure they are findable and accessible over time and maintain their authenticity, for example, creation date, modification date, who created the record, and so on. For further guidance on minimum metadata requirements, refer to Chapter 5 – Digital recordkeeping.
Access and control
Schools must have systems and processes for managing access to digital and hardcopy records to ensure the authenticity, security, reliability and accessibility of these records.
Access to records
Records must be organised and stored in a way that makes them easily accessible to authorised staff and enables the timely processing of requests for school information including for subpoenas, inquiries, freedom of information requests, audits, and investigations.
Schools must support openness and transparency, while balancing privacy and information sharing principles. However certain types of records must have restricted access as required by legislation, regulation, and policies including:
- Requests for Information about Students
- Child and Family Violence Information Sharing Schemes
- Privacy and Information Sharing
- Records Management – Employee Information.
For further guidance on restricted records refer to Chapter 3 – Records that must be restricted.
Controls
Access controls must be designed and applied to processes and systems to ensure records are only accessed, amended, used, released or disposed of, as authorised.
For further information, refer to Chapter 5 – Digital recordkeeping, Chapter 4 – Hardcopy records storage and the Information Security – InfoSafe policy.
Right to access, correct or add information to records
Schools must uphold the rights of individuals to access, update and correct records containing their personal or health information, where it is inaccurate, incomplete, out of date, or where it would give a misleading impression.
Schools must also ensure that the information they hold is kept accurate, complete, and up to date.
Schools may make routine or administrative amendments to records when required or requested, for example, when a parent or carer notifies the school of a change in contact details. Schools must make amendments to records to support students affirming their gender, when requested and as reflected in the student’s Gender affirmation student support . Such amendments might include updating a student’s first name or pronouns in CASES21. It is good practice to note why the amendment was made on the relevant file or database.
Requests to make a substantive change to a record by adding or removing information, for example, a request to change details of an incident report or a teacher’s observations in a school report, would need to be made formally undersection 39 of the Freedom of Information and must be referred to the Freedom of Information (FOI) unit at foi@edumail.vic.gov.au
For further information, refer to the Freedom of Information, Requests for Information about Students, and policies.
Records storage and preservation
Schools must store all digital and hardcopy records:
- in locations and conditions that protect them from misuse (including unauthorised access, sharing, alteration, destruction or theft), damage, deterioration or loss. This includes when records are being transmitted, transported, migrated, digitised or held on third-party systems
- using formats, methods, locations and services to enable records to survive and remain readable and accessible for their minimum required retention periods
- in systems and storage locations that provide for their efficient retrieval as well as their export and migration or relocation when required
- with an effective maintenance program in place for systems and storage locations to ensure issues are identified and rectified in a timely manner.
For policy and guidance on the maintenance of physical infrastructure, including storage locations, refer to the Buildings and Grounds Maintenance and Compliance policy.
Schools must take precautions, such as use of locked storage areas and strong passwords, to ensure that no records are unlawfully removed from their custody and where this has occurred, they must take appropriate actions to recover them. Appropriate actions include requesting the return of records, if their location is known, and contacting Records and Mail Services at archives.records@education.vic.gov.au to report the loss of records.
When records are stored with third-party providers (for example, cloud or software‐as‐a‐service provider) schools are strongly encouraged to use a DE template contract or service agreement to ensure compliance with this policy.
For further information on this, refer to Chapter 6 – Recordkeeping requirements for third-party systems.
Offsite storage
Hardcopy records must be stored on school premises or with an Approved Public Record Storage Supplier (APROSS). Only temporary retention records can be moved to an APROSS facility, for example, attendance rolls or student files. Permanent records such as pupil registers and school council records must not be stored with an APROSS. Refer to the School record retention guide (staff login required) to identify permanent records.
For information about APROSS facilities refer to the Public Record Office Victoria page: Approved Public Record Office Storage Supplier (APROSS): Information for .
For further guidance, refer to Chapter 4 – Hardcopy records storage.
Schools can contact Records and Mail Services at archives.records@education.vic.gov.au for advice or questions about offsite storage.
Systems and applications
Third-party systems or applications must comply with this policy and guidance.
Systems and applications holding school records must allow for the easy identification, retrieval and use during their retention period.
When using a third-party system or application to create, manage or store records (such as Compass, Xuno, and so on), schools are strongly encouraged to use a DE contract template to ensure compliance with this policy.
The following contract and agreement templates contain recordkeeping clauses that are compliant with this policy:
- School council agreement for the provision of services (staff login required)
- School council short form services contract (staff login required).
Refer to Chapter 6 – Recordkeeping requirements for third-party systems for further information.
The use of School Administration Systems to create and manage records helps schools comply with recordkeeping obligations, and ensure that the privacy, security and integrity of information is suitably protected and maintained. For guidance on mandatory systems of record for school administration processes and information refer to the School Administration Systems policy.
Digitising hardcopy records
Schools wishing to digitise (see definition below) then destroy hardcopy records must contact Records and Mail Services at archives.records@education.vic.gov.au before commencing, for guidance on how to ensure the digitised records comply with recordkeeping requirements set out in Chapter 7 – Digitising hardcopy records.
Records disposal
Schools must routinely and lawfully dispose of records that have met their retention requirements to avoid the over-retention of personal information and to keep record holdings to a minimum.
The School records retention guide (staff login required) outlines how long different types of records need to be kept to assist schools in assessing if records are ready for destruction.
Schools may only destroy records if:
- the records have reached their minimum required retention period and
- the principal has approved the disposal in writing to provide evidence the disposal activity is authorised.
Principals cannot authorise the disposal of:
- any records that are reasonably likely to be required in current or future legal proceedings or a public inquiry, for example, records related to a known risk or incident in the past
- any record that may be required for a current Freedom of Information request
- permanent records or records that are of historic value (for example, Pupils’ Registers, enrolment cards, records created in the 1800s and school anniversary publications). Chapter 1 – Permanent and long-term temporary records contains further details regarding what records cannot be disposed.
Some school information may be destroyed without formal approval once it is no longer required. Refer to Chapter 9 – Normal Administrative Practice for further information.
Schools must securely dispose of digital and hardcopy records in ways that ensure:
- personal, confidential, or sensitive information is protected and cannot be accessed inappropriately
- the records are irretrievable and cannot be reconstructed.
The department recommends the use of secure disposal bins for hardcopy records, for example, locked paper recycle bins.
For further guidance on destroying ‘time-expired’ records in accordance with this policy, refer to Chapter 10 – How to destroy ‘time-expired’ records.
Contracting third-party providers
When using a contractor or service provider to deliver services, programs or products, schools are strongly encouraged to use a DE contract template to ensure compliance with this policy.
For policy and guidance on procurement and template contracts refer to: Schools Procurement policy and Licence and agreement .
For guidance on requirements for information technology providers refer to Chapter 6 – Recordkeeping requirements for third-party systems.
Risk management
Records are critical to school operations and must be treated as assets and managed accordingly.
Schools must monitor and manage risks associated with records storage to reduce the likelihood of records loss, damage or misuse. For example, routinely inspect record storage locations and review systems so the issues are identified and resolved.
Use the Hardcopy records storage compliance checklist (staff login required) to assist with identifying and managing risks associated with hardcopy records storage.
For further information, refer to Chapter 4 – Hardcopy records storage and Chapter 5 – Digital recordkeeping.
In the event that records are lost, stolen or damaged, schools must inform the department by contacting the Records and Mail Services on 1800 359 140 or archives.records@education.vic.gov.au. Records and Mail Services can assist with the assessment and remediation of damaged records.
Child safe standards
The Child Safe Standards are compulsory minimum standards for all Victorian schools to ensure they are well prepared to keep children and young people safe and protect them from abuse. To support compliance with the Child Safe Standards, schools must manage their records in accordance with this policy.
For further information, refer to Chapter 11 – Recordkeeping – child safety and wellbeing.
Responsibilities
All school staff are responsible for managing records in accordance with this policy.
All staff are responsible for ensuring school information is kept securely and only shared when authorised to do so.
The Requests for Information about Students Policy provides further advice on when to share information.
All school volunteers
School volunteers must follow the record-keeping requirements set out in their school’s local Volunteers Policy.
Principals
The Secretary is the owner of all Victorian government schools’ records. School principals are the delegated custodians of the records in their school.
Principals have responsibility for:
- school-level compliance with the requirements set out in this policy
- ensuring that all contracts and agreements entered into by the principal or the school council for the procurement of services, programs or products for, or on behalf of, the school identify and specify recordkeeping requirements
- ensuring that records-related risks are identified and managed
- ensuring appropriate recordkeeping practices, including record creation, access and storage, are incorporated into school activities and processes
- authorising disposal of records that have reached their minimum retention requirements and are no longer needed for legal, FOI or administrative purposes
- ensuring that the disposal of records is planned and conducted periodically (for example, annually) and in accordance with this policy
- ensuring that all school staff receive a copy of the Recordkeeping responsibilities for school staff one page guide.
Definitions
Digitisation
The action of converting a hardcopy record into a digital format, for example, by scanning or photographing the record to produce a digital image.
Normal Administrative Practice
Working papers, drafts, duplicate copies of records stored elsewhere, and short-term facilitative records (such as phone messages) may be destroyed without approval once administrative use has ended.
Permanent records
A public record classified as having enduring value to the Victorian community that must be transferred to the State Archives when no longer needed by the school.
Public records
Records in any format or media made or received by staff and volunteers in Victorian government schools.
Temporary records
A public record that is required to be kept for a specific minimum period of time for legislative or other requirements, before it can be destroyed.
Disposal
When schools no longer require records for current business use, they need to decide whether the records should be:
- stored on school premises pending destruction or transfer
- transferred to the state archives
- destroyed.
Collectively all of these actions are known as records ‘disposal’.
Destruction
Destruction is a method of disposal that renders records unreadable and irretrievable.
Related policies
- Child Safe Standards
- Data Collection and Surveys
- Freedom of Information
- eduSTAR – ICT Services, Software and Advice for Schools
- Essential Safety Measures
- ICT Software in Schools – Risk Assessment
- Information Security – InfoSafe
- Privacy and Information Sharing
- Procurement – Schools
- Records Management – Employee Information
- Requests for Information about Students
- School Administration Systems
Relevant legislation
- Accident Compensation (OHS) Act 1996
- Crimes Act 1958
- Child Wellbeing and Safety Act 2005
- Child Wellbeing and Safety (Information Sharing) Regulations 2018
- Education and Training Reform Act 2006
- Equal Opportunity Act 2010
- Evidence Act 2008
- Family Violence Protection Act 2008
- Family Violence Protection (Information Sharing and Risk Management) Regulations 2018
- Financial Management Act 1994
- Freedom of Information Act 1982
- Health Records Act 2001
- Privacy and Data Protection Act 2014
- Public Administration Act 2004
- Public Records Act 1973
Reviewed 14 October 2024