Vulnerable persons records management toolkit
Public records which may provide evidence of incidents, allegations, disclosures and investigations of abuse of vulnerable persons must be managed in your workplace.
A toolkit is available below to guide your public authority in meeting its records management responsibilities.
Your public authority should already have a risk management framework in place. This toolkit aims to support your existing framework in the context of interactions with vulnerable persons.
This toolkit will support Queensland government and non-government organisations, including non-state schools.
The previous Guideline on creating and keeping records for the proactive protection of vulnerable persons was originally developed in response to Recommendation 8.1, in Volume 8: Recordkeeping and Information Sharing of the Final Report of the Royal Commission into Institutional Responses to Child Sexual Abuse.
However, it was also intended to provide practical coverage for Recommendations 8.2-8.5.
| # | Recommendation |
|---|---|
| 8.1 | To allow for delayed disclosure of abuse by victims and take account of limitation periods for civil actions for child sexual abuse, institutions that engage in child-related work should retain for at least 45 years, records relating to child sexual abuse that has occurred or is alleged to have occurred. |
| 8.2 | The National Archives of Australia and state and territory public records authorities should ensure that records disposal schedules require that records relating to child sexual abuse that has occurred or is alleged to have occurred be retained for at least 45 years. |
| 8.3 | The National Archives of Australia and state and territory public records authorities should provide guidance to government and non-government institutions on identifying records which, it is reasonable to expect, may become relevant to an actual or alleged incident of child sexual abuse, and on the retention and disposal of such records. |
| 8.4 | All institutions that engage in child-related work should implement the following principles for records and recordkeeping, to a level that response to the risk of child sexual abuse occurring within the institution.
|
| 8.5 | State and territory governments should ensure that non-government schools operating in the state or territory are required to comply, at a minimum, with standards applicable to government schools in relation to the creation, maintenance, and disposal of records relevant to child safety and wellbeing, including child sexual abuse. |
Watch 'What is RCIRCSA?' or 'Recordkeeping and Vulnerable Persons: an overview' for a quick overview.
The guideline was expanded to also cover records that may be relevant to:
A public authority must make and keep complete and reliable records to comply with the Public Records Act 2023.
This includes:
- when a public record is made or received in relation to an interaction with a vulnerable person, and
- when a public record is made or received as part of a business process.
All public authorities must have established policies and processes which support the making of complete and reliable records. Public authorities must ensure service providers and volunteers are also aware of these recordkeeping responsibilities.
Due to the type of services provided to, and the nature and extent of interaction, with vulnerable persons, each public authority is likely to have different public records that may be relevant to a current or future abuse incident or allegation.
Incidents, allegations and disclosures of abuse – vulnerable persons
A complete and reliable public record about an incident, allegation or disclosure of abuse will likely include:
- details about the incident, allegation or disclosure, including:
- names of those involved, and
- witnesses, and
- locations, dates and times
- details of conversations about the incident, allegation or disclosure
- details of follow up actions undertaken by the public authority
- contextual information about the public record, including:
- who created the public record, and
- when the public record was created, and
- file reference numbers, and
- details to show linkages to other public records made by the public authority
- references to other supporting documents about the incident, allegation or disclosure.
Public records relating to vulnerable persons may contain sensitive information. Public authorities should ensure that appropriate steps are taken to securely store these public records. The Information security policy (IS18:2018) establishes the policy requirements related to the implementation of information security to maintain the confidentiality, integrity and availability of information.
How to identify relevant public records for the proactive protection of vulnerable persons
To protect a person’s legal rights and entitlements, public authorities have a responsibility to make and keep public records which may provide corroborating evidence for any incidents, allegations, disclosures and investigations relevant to the proactive protection of vulnerable persons.
Public records provide corroborating evidence of interactions and contact with vulnerable persons which may be relevant to future allegations and/or investigations of abuse.
Public authorities should be aware that the following public records may become relevant to an actual or alleged incident of abuse:
- public records that relate to the general operations of the public authority, and
- public records specifically related to the delivery of services to vulnerable persons.
The General Retention and Disposal Schedule (GRDS) contains the following disposal authorisations:
| Disposal authorisation | Description of records | Retention period and trigger |
|---|---|---|
| 1558 | Incidents, allegations, disclosures and investigations of abuse - vulnerable persons Records relating to the proactive protection of vulnerable person including:
Includes records that may not document a criminal offence but may require further investigation to ensure inappropriate behaviour towards vulnerable persons is not occurring. | Keep for 100 years after the creation of record |
| 1559 | Evidence of interactions and contact with vulnerable persons Records providing evidence of interactions and contact with vulnerable persons identified following the implementation of the Guideline. Includes records documenting the processes followed to identify corroborating evidence or records relevant to future incidents, allegations, disclosures or investigations of abuse. | Retain until 31 December 2028 |
| 1560 | Governance practices for proactive protection of vulnerable persons Records relating to the development and implementation of a public authorities' policies, plans, strategies, training material and other guidance that sets out requirements for the proactive protection of vulnerable persons. Records may include, but are not limited to:
| Keep permanently |
If your public authority's core retention and disposal schedule contains disposal authorisations that also apply to public records of vulnerable persons, you should always apply the longest retention period.
Watch 'Vulnerable persons and records we need to keep' for a quick overview.
A risk analysis can assist in identifying public records which may be regarded as corroborating evidence.
Risk analysis workflow - proactive protection of vulnerable persons
- Step 1: Identify interactions/contact with vulnerable persons
- List functions and activities carried out by your public authority
- List which functions and activities include contact with vulnerable persons
- Step 2: Review how interactions are managed and identify level of risk involved
- Define the nature of the interaction of each contact (see below)
- Assess level of risk relating to potential for abuse in relation to each contact
- Step 3: Mitigate risk by change in process or procedure and decide on best evidence to retain
- Risk management - mitigate risks, prevent harm and retain best evidence of interaction with vulnerable persons
Public authorities, including those that infrequently interact with vulnerable persons, must carefully assess the activities and functions they undertake and how these actions may impact vulnerable persons. For public authorities with infrequent interactions with vulnerable persons, consider embedding strong governance practices and raising staff awareness of general responsibilities.
Example
The main function of a water authority may revolve around water supply, drainage, sewerage, and salinity mitigation services, however, the water authority may also occasionally conduct tours of their facilities. Tour groups may include vulnerable persons e.g. school groups or senior citizens groups.
In this example, the water authority will need to consider:
- the nature of the interaction with vulnerable persons, and
- any risk of abuse occurring, and
- what steps must be taken to mitigate any identified risk, and
- identify and retain best evidence of the interaction to support the proactive protection of vulnerable persons.
Nature of interactions and evaluation of risk – contact with vulnerable persons
Not all public authorities have the same level of risk that an incident or allegation of abuse could occur. It is critical to analyse identified interactions between a public authority and vulnerable persons and assess if the nature of the interaction carries a level of risk to the vulnerable person.
Risk management for public authorities interacting with vulnerable persons
When analysing the risk associated with any interactions with vulnerable persons, it is important to remember that risk should be considered from the point of view of the vulnerable person.
This requires flipping the traditional risk lens to assess the risk on behalf of someone else – not necessarily just the risk to the public authority.
The flipping of the traditional risk lens is consistent with legislative changes made to the Civil Liability Act 2003, which reverses the onus of proof to the public authority.
Changes to legislation require the institution to demonstrate that they took all reasonable steps to prevent abuse of a vulnerable person.
Risk management is a common activity for public authorities. Each public authority will likely have their own risk management framework already in place and in use.
Consider how these existing risk management frameworks can be applied rather than developing a new framework for the context of identifying risk related to interactions with vulnerable persons.
If your public authority does not have a risk management framework in place, the following resources are available to assist with the development of a new framework:
- the Queensland Treasury Guide to Risk Management which provides an overview of the key concepts of risk management and guidance on the practical application of risk management processes
- the risk management process described in AS/NZS ISO 31000:2018 Risk Management – Principles and Guidelines.
Included below are generic examples of the types of interactions a public authority may have with vulnerable persons. These examples highlight the potential of abuse occurring.
Individual scenarios within each public authority will differ and will carry different levels of risk. Use your own risk management framework to identify potential risks for interactions with vulnerable persons that are specific to your circumstances.
Mitigate risk and decide on best evidence
To determine the best corroborating evidence for your public authority about an interaction with vulnerable persons, the evidence will need to confirm the who, when and what (evidence of the event, participants and activities).
The RCIRCSA recognised uncertainty exists for institutions regarding which records may provide evidence for, or be relevant to, a current or future allegation or disclosure of child sexual abuse. A similar uncertainty exists for public authorities when considering which public records provide the best evidence of interactions with vulnerable persons.
For a public authority, the best evidence of an interaction may be a public record made, used and kept for a different purpose. For example, a vehicle logbook could already provide the best evidence of when a staff member was at work. In other situations, it may require the public authority to make a new public record to provide evidence of interactions with vulnerable persons.
Mitigation and treatment strategies should be developed once the risk priorities of your public authority are agreed upon. This may include making and retaining public records to document interactions with vulnerable persons.
The proactive protection of vulnerable persons is a shared responsibility across a public authority and potential risks must be appropriately monitored, managed and treated.
It is important that any identified risks for interactions with vulnerable persons are:
- considered as part of the wider strategic planning agenda by the senior and executive leadership
- ownership of identified risks is appropriately allocated to key representatives from legal, audit, or business units.
Risks should be regularly reviewed and monitored to ensure that:
- the treatment actions have been completed, and
- to evaluate the effectiveness of treatment actions, and
- to manage any new risks, and
- to identify any additional treatment actions.
Proactive protection of vulnerable persons
Decisions around making and keeping evidence of contact and interactions with vulnerable persons should be documented and form part of a public authority’s governance process.
Suggestions for the proactive protection of vulnerable persons include:
- use the results from the workflow to assess the interactions and level of risk
- consider how changes in business processes will be triggered and/or documented to mitigate risk
- use the public authority’s risk register as an annual health check
- document any periodical business process reviews to identify new areas of potential risk
- delivery of annual training sessions for employees on the importance of making and keeping complete and reliable public records.
The Australian Society of Archivists has produced an online training course to assist anyone managing Out of Home Care Records.
You can read Proactive protection of vulnerable persons (PDF, 222 KB) and Queensland legislation changes and vulnerable persons (PDF, 231 KB) for answers to some common questions.