Documentation, Records & Privacy Policy
-
PURPOSE
Establish uniform rules for creating, storing, accessing, sharing and disposing of all WHS related information, so DeadlyScience Ltd (DS):
1. Meets statutory obligations under the State Records Act 1998 (NSW), Model WHS Act 2011, Privacy Act 1988 and the Records Management & Retention Schedule (Compliance Sub-policy 3).
2. Safeguards sensitive data—health, child, Indigenous Cultural & Intellectual Property (ICIP), incident evidence—against loss, unauthorised access or misuse.
3. Preserves high-quality evidence to support incident investigations, regulator audits and continuous-improvement analytics (WHS-13).
-
SCOPE
Covers all formats (paper, digital, audio-visual, IoT sensor logs) of WHS documents and data generated or received by DS staff, volunteers, contractors, suppliers and program participants worldwide, including:
• Risk assessments, SWPs, inspections, audits, training & competence records
• Incident, injury and workers-comp files
• Emergency plans, evacuation diagrams, equipment maintenance logs
• Child-safety forms, cultural-protocol consents, medical certificates
• Psychosocial survey outputs, Pulse-survey raw data
-
LEGAL &STANDARDS FRAMEWORK
Where requirements differ, DS retains the longest period.Instrument / Standard Recordkeeping / Privacy Requirements State Records Act 1998 (NSW) + GDAs “Full & accurate” records; disposal only under approved schedule. Privacy Act 1988 & Australian Privacy Principles (APPs) Collect only necessary personal / health data; secure storage; right of access. Model WHS Act s38 & Regs Pt 3.2 Preserve notifiable-incident sites & records for 5 years. Workers-Compensation Acts Maintain injury & RTW docs for 7 years after claim finalisation. ISO 45001 cl 7.5 Maintain documented information; control evidence of competence, incidents, audits. AIATSIS Code of Ethics Respect ICIP; obtain consent; return or archive records with custodians.
-
POLICY STATEMENTS
1. Single Source of Truth – WHS records live in the SharePoint WHS Document Centre or authorised line-of-business systems (CMMS, LMS, Safety App).
2. Privacy by Design – Personal, health and ICIP data are classified Highly Sensitive, encrypted in transit & at rest, and accessed on a “least-privilege” basis. 3. Retention = Compliance – DS follows the Retention Schedule; destruction occurs only after approval and logged in the Disposal Register.
4. Version Control & Audit Trail – Controlled documents use unique IDs, revision history and automatic audit logs.
5. Transparency & Rights – Individuals can request access to their WHS records within 30 days unless legal exemptions apply.
-
PROCEDURES
5.1 Document Creation & ControlStage Rule Tool / Owner Draft If procedure/SWP: use latest WHS Template; include doc-ID & version. Process Owner Review HSRs & WHS Officer peer-review; cultural review if ICIP. SharePoint “Co-Author” workflow Approval Electronic signature (DocuSign) by WHS Officer & Manager. DocuSign Publish Read-only PDF; live link in SWP Library; QR code posted if site critical. WHS Officer
5.2 Metadata & Classification
• Auto-applied SharePoint labels: PUBLIC, INTERNAL, CONFIDENTIAL, HIGHLY SENSITIVE.
• Incident records, medical & child data default to Highly Sensitive.
• ICIP materials flagged “Return or Archive with Custodians” on disposal.
5.3 Storage & SecuritySystem Main Data Controls SharePoint WHS Policies, SWPs, risk registers MFA; AES-256 encryption; versioning ON Safety App (SaaS) Incident, hazard & investigation reports Role-based access; data export weekly CMMS Plant inspections, maintenance logs Cloud ISO 27001 host; API to Power BI LMS Training & licence records SSO; 7-year archive
5.4 Retention & Disposal (excerpt – align to Retention Schedule)Record Type
Minimum Retention
Disposal Action Notifiable incident files 5 years post-notification Secure delete / shred
Minor injury & near-miss reports 3 years
"" Training & competency docs 7 years after separation
"" Risk assessments, SWPs Life of task + 5 years
Review for historical value
Child-safety consent forms Until child turns 25 + 7 years Secure dispose ICIP field notes As per Custodian agreement (≥ 25 years) Return / archive
Disposal requires Disposal Authorisation Form (DA-01) signed by Records Coordinator + WHS Officer.
5.5 Access & Sharing
• Staff access via Azure AD groups; HSRs get read-only incident summary dashboards.
• External parties (insurers, regulators) receive encrypted, time-limited OneDrive links.
• Personal data released to individuals after identity verification; third-party details redacted.
-
ROLES & RESPONSIBILITIES
Role Key Duties Board / ARC Ensure adequate resources; review privacy breaches. CEO Overall accountability for privacy & records compliance. Records Coordinator Custodian of Retention Schedule; approves disposals. WHS Officer (Policy Owner) Maintain WHS templates, classification rules, audits. IT Manager Implement technical controls, backups, disaster recovery. Process Owners / Managers Ensure team documents use templates; enforce disposal holds (e.g., litigation). All Workers & Volunteers Create accurate records; protect confidentiality; escalate breaches.
-
INTEGRATION WITH OTHER PILLARS
Pillar Documentation Link Compliance & Risk Disposal logs feed Audit Readiness Checklist; privacy breaches escalate via NDB Plan. HR Training records auto-sync; injury-management docs shared under APP 6 exemptions. Financial Ops Workers-comp cost docs retained 7 years; secure invoice links. Program Delivery Fieldwork ICIP consents stored; retention coordinated with community archives. Tech & Cyber Encryption keys & access logs; Data-Breach Response alignment.
-
MONITORING & KPIS
KPI Target Review Records overdue for disposal (> 6 m past date) 0 Quarterly Records Report Privacy breaches (substantiated) 0 ARC Policy & SWP revision currency ≥ 95 % WHS Committee Data-access requests fulfilled ≤ 30 days 100% Compliance Officer
-
TRAINING &AWARENESS
• Induction module – 20 min “WHS Records & Privacy Basics.”
• Annual refresher – 10 min micro-learning + quiz.
• Power users – 2-hr workshop on metadata, disposal and ICIP care.
• Privacy & NDB drills – run with Cyber-Incident Playbook annually.
-
REVIEW & CONTINUOUS IMPROVEMENT
Policy reviewed every 18 months or earlier if:
• Legislation or GDA schedules change;
• Data-breach or audit finding indicates gap;
• New system (e.g., EDRMS) implemented. Consultation via WHS Committee & Records Steering Group; Board approval required.
Our Programs
From on-site, hands-on STEM learning to virtual sessions, kits, and recognition programs, our initiatives engage learners, teachers, and communities in meaningful STEM learning.
DeadlyScience prioritises education providers with limited STEM access, high Indigenous enrolments, or low socio-educational advantage, with a simple Expression of Interest process to apply.