- Information sharing entities must keep accurate and complete records about information sharing, including any complaints made about information sharing (see Chapter 6 for further information about complaints).
- Record keeping obligations set by the apply in relation to both written and verbal sharing of information.
- If an information sharing entity refuses a request from another information sharing entity to disclose information, it must record the request and why it was refused and provide these reasons to the requesting entity in writing.
- Information sharing entities must take reasonable measures to protect the security of information.
- If an information sharing entity becomes aware that information recorded or shared about any person is incorrect, it should take reasonable steps to correct that information.
Record keeping requirements
Information sharing entities must comply with the record keeping and information management requirements of the Child Information Sharing Scheme as outlined in the and in this chapter.1 They must also comply with record keeping obligations under other applicable legislation.
Keeping and managing records in accordance with this chapter will ensure that information can be easily identified and corrected if required and that privacy complaints can be responded to appropriately. Many information sharing entities already keep comprehensive records under their existing practices, although they will need to review whether they meet the requirements under the Child Information Sharing Scheme.
When sharing information about any individual under the Child Information Sharing Scheme, whether verbally or in writing, information sharing entities must keep records in accordance with the Child Wellbeing and Safety (Information Sharing) Regulations.
When a request has been received, the following must be recorded:
- the name of the information sharing entity that requested the information
- the information that was requested
- the date on which the information sharing entity made the request.
When disclosing information voluntarily or in response to a request, the following must be recorded:
- the name of the information sharing entity that received the information
- the date the information was disclosed
- a record of the information that was disclosed
Note: A record may consist of a summary or short description of the content of the confidential information that was disclosed. If information sharing records are held separately from case notes it is recommended that a summary of the confidential information is attached to the record and not a full excerpt or copy of the disclosed information. This may assist in managing information securely to avoid the risk of intentional or unintentional privacy breaches.
- whether the views of the child and/or their relevant family members were sought and obtained in relation to the information that was disclosed
Note: The views of the child and relevant family members should be sought if appropriate, safe and reasonable to do so. If it is not considered appropriate, safe or reasonable to seek and obtain the views of either the child or the relevant family members for any reason, this must be recorded. See Chapter 2 for more information on seeking the views of a child or family member about information sharing.
- whether the child and/or their parent was informed that their information was or would be disclosed
- copies of any of the following documents that are relevant to the disclosure of information:
Good practice considerations
While not required by the Child Wellbeing and Safety (Information Sharing) Regulations, information sharing entities should consider recording the following information.
When making a request:
- the date of the request
- the name of the information sharing entity that the request was made to
- the information that was sought
- the reason why the information was sought.
When disclosing information, the following additional details may be recorded:
- how the threshold for sharing under the scheme was met
- what the views of the child and/or relevant family member were about information sharing
- if the child and/or parent was not notified that their information was or would be shared, the reason why.
Record keeping requirements if a request is refused
An information sharing entity must refuse a request to share information under the Child Information Sharing Scheme if they do not believe it satisfies the threshold for sharing (see Chapter 1). An information sharing entity must also refuse a request if the information cannot be shared because of another law.
If an information sharing entity refuses a request from another information sharing entity to disclose information under the Child Information Sharing Scheme, it must record the request and the reason why it was refused. The response must be provided to the requesting information sharing entity in writing, in a timely manner. The reason provided should be formulated with care and be appropriate to the situation so as not to increase any risks or inadvertently share excluded information.
Record keeping requirements if a complaint is made
Individuals or other information sharing entities may submit complaints to an information sharing entity about how information was shared under the Child Information Sharing Scheme, as outlined in Chapter 6. If a complaint is received, the recipient entity must record:
- the date the complaint was made and received
- the nature of the complaint
- any action that was taken to resolve the complaint
- any necessary action that has been taken to prevent or lessen the risk of further similar complaints by addressing the reasons for the complaint
- time taken to resolve the complaint
- if the information sharing entity was unable to resolve the complaint, any further action (if any) that was taken.
Other record keeping considerations
Accuracy and currency of records may have substantial impacts on the quality of the information held and shared by information sharing entities, which may in turn impact on children’s wellbeing and safety.
If an information sharing entity becomes aware that information recorded or shared about any person is incorrect, it should take reasonable steps to correct that information.
Information sharing entities must take reasonable steps to protect the information they hold against loss, misuse and unauthorised access, modification or disclosure. They must also ensure that information is managed securely to avoid the risk of intentional or unintentional privacy breaches.
The Child Information Sharing Scheme does not replace or override existing laws and standards in relation to protective data security and law enforcement data security. Information sharing entities must continue to comply with any applicable requirements.
In Victoria, information sharing entities that are public offices (for example, government departments) are governed by the Public Records Act 1973 and must keep and dispose of public records in accordance with any applicable requirements set by the Public Records Office Victoria. Many contracted service providers are also obliged to comply with these requirements through their funding agreements.
Reviewed 09 January 2023