Records Management

Chapter 6: Recordkeeping requirements for third-party systems

Schools are responsible for ensuring that third-party systems comply with all the recordkeeping requirements outlined in the School Records Management policy and this guidance.

This guidance aims to create awareness around the recordkeeping requirements that apply to third-party systems that create, manage or hold school records.

Any school system that is not provisioned by the department is considered a 'third-party' system. Refer to the School Administration Systems policy and to Arc to identify which systems are provisioned by the department, and systems which have undergone security and privacy assessments.

When using a third-party system or application to create, manage or store records (such as Compass, Xuno, and so on), schools are strongly encouraged to use a DE contract template to ensure the provider will meet the requirements outlined below.

This guidance page must be read in conjunction with the Procurement – Schools policy and the Information Security – InfoSafe policy.

System requirements

System security and privacy

For policy and guidance on what schools must do to ensure the security of new systems and the suppliers who provide them, refer to:

• ICT Software in Schools – Risk Assessment policy
• Information Security – InfoSafe policy.

For policy and guidance on what schools must do to ensure new systems manage privacy appropriately refer to: Privacy and Information Sharing policy.

Retention and disposal

The supplier must:

• ensure the system can retain records for the minimum retention periods outlined in the School records retention guide (XLSX) (staff login required)
• only destroy (delete) ‘time-expired’ records (records that have served their minimum retention period) when no longer required with the written approval of the school principal
• ensure the system can facilitate compliant retention and disposal of records and their metadata or be able to export these records to another system which can manage retention and disposal.

System maintenance

Suppliers must:

• regularly audit and review systems (including software, servers, and networks) for their suitability in meeting recordkeeping needs and obligations, that is, functionalities are working as expected
• routinely maintain systems to ensure that they are reliable, operate effectively and do not place records at risk. This involves monitoring performance to ensure that any system changes do not inadvertently impact recordkeeping controls
• perform regular preventative maintenance, such as application of patches to ensure systems function reliably. Corrective actions must be implemented if issues arise.

Examples of functionality checks:

• access restrictions are working as expected
• correct metadata is being captured and auto-populated where possible
• workflow is functioning as expected
• records are held in the correct formats
• unauthorised activities are being prevented (that is, deletions, alterations)
• audit logs are being correctly generated and stored
• records remain discoverable and readable over time (that is, can be found through searching and are not corrupted).

Additional monitoring may be required during times when changes are occurring, such as administrative changes, system upgrades or data migrations.

Examples of maintenance activities:

• ensuring that product versions and security patches are kept up to date
• checking that system functionality is working correctly and reliably
• testing backup arrangements, to check that records and associated metadata remain accessible and uncorrupted
• checking that any system technologies or storage devices (servers, tapes and so on) are held in appropriate environmental conditions, checked for degradation, and replaced/rotated as necessary.

System transition

Transitioning a system can place records at risk of loss or corruption. Examples of transitions are:

• upgrading a system
• replacing a system – which involves migrating some or all of the data/records and associated metadata to the replacement system and decommissioning the old system
• changing service or hosting arrangements – for example changing service providers or moving from an in-house hosting arrangement to an externally hosted cloud-based arrangement.

When systems undergo transition, third-party providers must ensure that:

• records and their metadata are protected (continue to be complete so that records retain their context)
• records remain accessible and usable for their minimum required retention period
• if a transition involves migration of records, checks are performed to ensure both records and metadata have been migrated successfully
• permanent value records are identified and protected.

Decommissioning and end of agreement

When third-party systems are decommissioned or when agreements with suppliers end, schools must ensure that:

• ‘time-expired’ records are destroyed by the supplier
• records that have not yet reached their minimum retention period are transferred to the schools’ custody, in long-term sustainable formats, along with their associated metadata
• the supplier does not retain any copies of school records and data once records have been successfully migrated to their new location.

The Records and Mail Services team can be contacted on 1800 359 140 or at archives.records@education.vic.gov.au for further information or advice.

System planning and procurement for recordkeeping

Step-by-step

Follow the steps outlined below along with the Schools procurement procedure (PDF) (staff login required) when procuring business systems that will create, manage, or hold records.

Step one – planning

Identify the recordkeeping needs and obligations that the system must be able to support.

• 1.1 Define the process, function, or activity that the system is being procured to facilitate and determine recordkeeping needs.

• 1.2 Identify the record types and associated retention periods that will be managed in the system.

  The School records retention guide (XLSX) (staff login required) outlines the minimum retention periods for school records types.

• 1.3 Identify the recordkeeping and information handling obligations associated with that process.

  For example:

  • Will the system hold personal or sensitive information that must be kept secure with controlled access to certain people?
  • Will the system need to be able to store large files or a lot of data? Large scanned documents, digital images or video files can take up a lot of storage space and will often require the purchase of additional digital storage.
  • Will the system hold data that needs to be retained long-term?
  • Will the system be used to collect information needed only for short term administrative purposes, that does not need to be retained, such as personal information collected for identity verification only, or credit card payment details that must be immediately and permanently deleted after use?

Step two – system and supplier selection

• 2.1 When choosing a system, check the required capability to meet the identified recordkeeping needs and obligations, including:

  • role-based access controls
  • secure and sufficient digital storage
  • deletion controls (including prevention or authorisation of deletion; permanent/irrevocable deletion where appropriate, based on your identified information handling obligations)
  • storage and/or migration of inactive records in long-term sustainable formats, such as .PDF or .CSV
  • back-up and recovery regimes.

  This step will also help you identify and address actions that are required for security and privacy compliance.

• 2.2 If the third-party system will be used to collect and store personal and/or sensitive information schools may need to complete a Privacy Impact Assessment.
• 2.3 Follow the ICT Software in Schools – Risk Assessment and Information Security – InfoSafe policies to ensure all new systems meet information security and ICT security requirements.
• 2.4 Document these requirements in an agreement between the school and the supplier to ensure recordkeeping obligations are met in the third-party system by using the departmental contract and agreement templates which contain standard recordkeeping clauses:
  • School Council agreement for the provision of services (DOCX) (staff login required)
  • School Council short form services contract (DOCX) (staff login required)

Step three – set up and implementation

• 3.1 Ensure that the requirements and system functionalities identified in step 1 and 2 are set up in the selected system. School technicians may be able to assist schools with this.
• 3.2 School technicians must monitor system performance and set-up from time to time to ensure that the supplier is meeting the recordkeeping requirements set out in the service agreement, such as access controls, system maintenance and security patches.