Transitory and short-term public records
A public record is information recorded on, in or by using any medium, made, received, or kept by a public authority in the course of its business activities and provides evidence of its activities, affairs or business. A public record includes copies, drafts and other transitory and short-term records.
Note: Public records made by Ministers and other elected officials that are not related to, or made as part of official government business are not public records.
Transitory and short-term public records, also known as ephemeral public records, are made as part of routine transactional business practices and are not usually required for ongoing business.
These are public records that may help an action or a process move forward, but don't in themselves have any long-term value and are not needed to understand the business action or process. They are usually only required to be kept for a short period of time.
Examples include drafts not intended for further use or reference, copies of material retained for reference use only, working notes, call centre recordings, routine CCTV footage, and credit card payment data.
Management of transitory and short-term public records
Transitory public records do not need to be formally captured into your public authority's recordkeeping system unless you have a specific requirement to do so.
Each public authority should have procedures in place to assist with the management of transitory and short-term public records. Identify:
- which public records are transitory or short-term records
- which public records need to be formally made
- how they should be managed
- how long they should be kept.
Consider your legal, business and other requirements – these may affect what public records can be considered transitory or short-term, how they should be managed, and how long they need to be kept.
What drafts, copies and transitory public records to keep
Some transitory and short-term public records may need to be made and kept longer.
Drafts
Drafts may need to be captured and kept if they:
- contain decisions, comments, feedback, annotations, requests, actions or any other kind of significant information that is not captured elsewhere and provides context to the development process or the final version
- help with internal processes (e.g. so that a workflow approval can be initiated, or to show that a certain step in a process has been completed).
Some drafts need to be kept for a specified period of time (e.g. draft submissions and legislation). Check your retention and disposal schedule to find out how long you need to keep drafts.
Copies
Copies are public records that are the same as an original/official public record. No information has been added, annotated, changed or deleted on the copy.
Copies will need to be captured and kept as public records if they:
- have been modified in any way
- have become your official record of a business activity
- have been given to you by another public authority (e.g. as part of a Machinery of Government (MoG )or administrative change, if you need access to these public records, a copy needs to be filed with your public authority etc.) and it becomes the public record for your public authority.
These copies need to be kept as a public record and sentenced based on the function or activity they relate to.
If copies are in the custody of a private entity (e.g. as part of an outsourcing or privatisation arrangement), they will need to be managed accordingly.
Other transitory records
Other transitory and short-term public records will need to be captured and kept if they:
- are required for ongoing business use
- are needed as evidence of business activities or used to inform decisions or actions – for example, surveillance footage required for an investigation, call centre recordings made as the public record of advice provided
- result in further action or service – for example, social media post that requires follow-up action.
See the exclusions in each record class for examples of the types of public records that may need to be made and kept.
Retention and disposal of transitory and short-term public records
Disposal authorisation for transitory and short-term public records is given in the General Retention and Disposal Schedule (GRDS).
Record classes in the transitory and short-term section of the GRDS have a disposal action of 'until business action completed'. It is up to your public authority to determine when transitory or short-term public records can be disposed based on:
- your business requirements
- the level of risk acceptable to your public authority
- the public records made.
Before you dispose
Before you dispose of transitory and short-term public records, make sure they are not:
- required for judicial and litigation proceedings, commissions of inquiry, or legal action, whether or not the State is a party to that litigation
- covered by any other laws or policies requiring the public records be retained, for example, a protection notice issued under s.24 of the Public Records Act 2023 ,or retained in accordance with the Evidence Act 1977 and the Criminal Code Act 1899
- relevant to a request to access information including under the Right to Information Act 2009
- needed for accountability purposes or to support the ongoing efficient administration of public authority business
- linked to community expectations about rights and entitlements
- considered to have cultural or known historical value.
You must also ensure public records being disposed are covered by the classes in the GRDS and not listed in the specific exclusions provided in each record class.
Once business use has ceased, public records identified as transitory and short-term can be disposed.
Documenting destruction of transitory public records
You do not need to document the destruction of transitory public records.
However, if transitory public records have been captured into your recordkeeping system, their disposal must be documented and endorsed. You must keep this information as proof they were lawfully disposed.
Credit card data
Credit cards and associated data have their own set of recordkeeping requirements.
The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities involved in payment card processing.
It contains specific mandatory requirements regarding the storage and disposal of credit card details.
- Sensitive authentication data (3 digit numbers on the back of cards) should never be stored — this information must be disposed immediately after the transaction has been authorised.
- Primary Account Number (PAN) (the card number) needs to be rendered unreadable when it is stored.
Destruction of credit card data
The General Retention and Disposal Schedule includes two record classes authorising the destruction of both cardholder and sensitive authentication data in accordance with the standard.
Consider your recordkeeping process for payments to ensure that cardholder data can be disposed immediately or as soon as business use has ceased and that other required information can be stored for the required minimum retention period.
What information can be kept?
Under the PCI DSS, the primary account number and any other credit card information must only be kept if there is a valid legal, business or regulatory need for that data.
If you do need to keep any information for a certain period of time after the card transaction has occurred, you must ensure that the cardholder data is stored or redacted in some way in accordance with the requirements of the PCI DSS.
You will need to ensure that your system can meet the requirements in the standard. If you can't, this information cannot be stored.
Include the capture and management of credit card data into your recordkeeping procedures, or include recordkeeping requirements in procedures for taking payments.