As part of the nationally coordinated response to COVID-19, each state and territory government has issued directives requiring certain government agencies, businesses and organisations to collect and retain information identifying members of the public and contractors that attend their premises, to support contact tracing. This information is used where there has been a confirmed case of COVID-19 on the premises. These requirements are set out in government directives issued by the Chief Health Officers of the state and territory governments.

The exact nature of the contact tracing information requirements varies between jurisdictions and is subject to change as new directives are issued and existing directives are revised or withdrawn.

What contact tracing information is required?

Contact tracing records may take many forms, including manual registers (paper based or digital) and data collected from online booking systems and apps.

Data collected for contact tracing should only be used for contact tracing purposes, kept securely and permanently deleted after the minimum required retention period.

For specific guidance on contact tracing information requirements refer to the current government Chief Health Officer directive for the relevant state or territory in which the impacted agency premises are located.

Disposal of contact tracing information

The directives issued by Chief Health Officers generally do not specifically require destruction of contact tracing records – though most require the information be retained for at least 28 days from the time of collection. For government directives to specifically require destruction they must categorically state that records cannot be retained beyond a certain point in time.

Where there is no specific destruction requirement referred to by the relevant state or territory government directive, Australian Government agencies should dispose of these contact tracing records after they reach the minimum retention period specified in the WORK HEALTH AND SAFETY function of AFDA Express Version 2 – class 62652.

Where government directives (for example, Chief Health Officer directives) of the relevant state or territory in which the agency premises are located, specifically require destruction of the contact tracing records within a certain period – this is considered a positive destruction requirement under legislation for the purposes of Section 24 of the Archives Act 1983. In such cases, agencies should destroy these records in accordance with the relevant directive, rather than AFDA Express Version 2 – class 62652.

For example, at the time of writing, Queensland requires contact tracing information to be kept for a minimum of 30 days, but it must be destroyed no longer than 56 days after collection; while the Northern Territory requires that contact tracing information be destroyed 28 days after collection.

Note: Agencies in jurisdictions where government directives specifically require destruction of contact tracing records, must ensure that they do not use visitor books or security registers for contact tracing purposes – as these records are created to support other business purposes and must be retained for a minimum of 7 years under AFDA Express Version 2 – classes 62661 and 62671.

The National Archives intends to undertake a comprehensive review of the retention periods of these and other COVID-19 related records, and may alter retention periods for these records following this review.

Where Australian Government agencies require additional advice and guidance in relation to COVID-19 contact tracing records, they should contact the Agency Service Centre.