Purpose
This policy defines how the organisation's corporate records are to be managed throughout their lifecycle – from creation through to disposal. Corporate records management is important as it supports:
- The day-to-day business underpinning the delivery of care.
- The knowledge base of the organisation through a demonstrable history of administrative and managerial decision making.
- Legal, regulatory and contractual requirements, including requests for information under the Freedom of Information Act and compliance with the Data Security and Protection Toolkit (DSPT).
Information has most value when it is accurate, up to date and accessible at the point of need. Therefore, the principles of this policy are:
- To ensure information is accessible to those who legitimately need it as part of their role.
- To ensure information is not duplicated or unnecessarily created.
- To have a consistent method in how information is recorded and referenced.
- To hold information only for as long as it is required and then to destroy it using the appropriate secure method.
This Policy delivers assurance for:
Confidentiality
The assurance that records are accessed only by authorised people or processes.
Integrity
The assurance that records are modified only through legitimate need and that processes are in place to detect and stop unauthorised modification attempts.
Availability
The assurance that records are available at the point of need.
The Policy will reinforce compliance with the organisation's Records Retention and Disposal Schedule so that corporate records are retained according to the Schedule and are subject to a secure disposal process.
Scope
This policy applies to all corporate records held by the organisation.
The retention of records and processes for archiving and destruction applies to both corporate and clinical records.
This policy concerns the lifecycle of a record i.e., from creation to archive or destruction. It does not cover how the information should be disclosed or shared. Guidance on this can be found in the Access and Disclosure of Personal and Sensitive Information Policy.
All staff, volunteers and trustees are responsible for abiding by this policy.
Duties & Responsibilities
Chief Executive
The Chief Executive has overall responsibility, on behalf of the organisation, for ensuring the implementation of this policy.
Senior Information Risk Officer (SIRO)
The Senior Information Risk Officer is responsible for leading and fostering a culture that values, protects and uses information for the success of the organisation, and champions information security risk management at Board level.
Caldicott Guardian
The Caldicott Guardian is responsible for ensuring patient information is handled in accordance with the Caldicott requirements. Although this policy deals with corporate information, there are likely to be scenarios where both patient and corporate information are processed side by side.
Directors
Directors are responsible for:
a) Implementing this policy on behalf of the Chief Executive
b) Delegating responsibility to managers for the policy's implementation
c) Monitoring the effectiveness of managers in implementing the policy
d) Ensuring sufficient resources are available to deal with the implementation of this policy
IG Manager
The IG Manager is responsible for coordinating the organisation's corporate records management activities and managing the IG Team to support the implementation of this policy.
Information Asset Owners & Managers
Information Asset Owners & Managers should:
- Be aware of their responsibilities under this policy.
- Document activities in respect of records management for their function.
- Ensure appropriate system specific training is provided to users.
- Assist in the completion of corporate records audits for their function.
All staff
All staff should:
- Be responsible for the records they create or use in the performance of their duties.
- Familiarise themselves with, and comply with, this policy.
Governance & Reporting
The implementation and monitoring of this policy will be overseen by the Information Governance (IG) group, who will assist in identifying actions required to implement this policy and ensure they are included within the IG work programme.
Actions arising from the implementation of this policy will be incorporated into the IG work programme. The work programme is developed by the IG Group and progress updates are submitted to Directors, the Quality & Governance Committee and the Board according to the Organisation's schedule of meetings.
UK GDPR Article 5 (Principles relating to processing of personal data) states that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
Record Creation and Naming
Records must be arranged in a record-keeping system that will enable the quick and easy retrieval of information.
Each function (for example, Finance, Estates, IT) must ensure it has a suitable records management system that appropriately captures its requirements to keep information safe, secure and used for legitimate purposes. It is the responsibility of the record creator to ensure that each file and document:
- Has an appropriate naming convention that is unique, meaningful and reflects the record's contents.
- Is held in a structured and predictable order.
- Where appropriate includes a reference number so records relating to the same issue can be found e.g., employee number, invoice number, NHS Number etc.
- Includes a version control number where variations are likely, and records the date the document was created or received and who created it.
- Any hard copy records received must be date stamped.
- There should be an appropriate file structure used to store the information, to include electronic file share, shared email accounts and hard copy indexing and filing systems. Where mixed media are used to store information, the same file structure for each media type should be used if possible.
Other information that needs to be recorded will vary considerably depending upon the type of record, but could include elements listed above, plus the location of where the record is held.
Templates for key documents such as policies already prompt the author to include certain information.
Filing and Storing of Records
Each department must ensure a suitable filing structure is used, as described in section 4 of this policy and store records accordingly.
The long-term storage of emails in Outlook should be avoided, especially those with attachments due to the impact these have on storage volumes and retention schedules which may lead to a breach of the Data Protection Act. Emails that need to be kept must be stored on the network file share with other relevant documents, stored in a particular system designed for long term storage or deleted if they are not required.
The Organisation has systems in place to back up information stored on the network drive. Therefore, it is important that any records stored on the hard drive of any mobile device should be moved / copied to the network drive to ensure they are retained.
Personal data should never be stored locally on a mobile device.
Storing information on network drives, the intranet and internet enables people across the large geographic area of the Organisation to access that information. Publishing information on the intranet and/or internet also eliminates the need for multiple copies of the document to be stored and ensures people access the most up to date version of that document. Publication of documents in this way is encouraged where appropriate.
As an alternative to keeping paper records, scanned copies may be an option. This would also increase the accessibility of the information across the Organisation if required.
When scanning documents consider the cost associated with the initial scan and any later media conversion, especially if the record has to be kept for a long period of time and if any legislation requires that the original document must be kept and/or submitted as evidence in court.
Records can be stored on a wide range of media and systems. Ensure that the information is still available as technology evolves and systems change.
For hard copy records, e.g., personnel files ensure a system exists to log when the record has been released and to whom. A chase system may also be required to ensure the record is returned.
Retention of Records
The Organisation must keep records for predetermined periods of time for legislative, regulatory and general business purposes. An organisation-wide Records Retention Schedule has been compiled, based on the NHS national schedule and can be found in the Information Governance pages on the intranet and offers more comprehensive guidance.
Records must be kept for the minimum period stated in the Retention Schedule. The Information Governance Group will approve any amendments to the records retention schedule.
The minimum retention periods should be calculated from the end of the year of the last record. For example, a file in which the first entry is in February 2018 and the last in September 2020, and for which the retention period is seven years, should be kept in its entirety until the beginning of 2028.
The Organisation must not keep records for a shorter retention period than the minimum set out in this schedule, but there may be circumstances in which a longer retention period needs to be applied; if this is the case, please refer to section.
Where a set of records contains records with differing retention periods and they cannot be separated without compromising the context and meaning of the set, the set will be retained for the longest of the individual retention periods.
Records should not be kept for longer than is necessary or used beyond the remit for the purpose of holding it, unless an exemption under the GDPR or DPA can be legitimately applied.
Managing records according to the Retention Schedule will:
- Maintain compliance with the Data Protection Act (personal data should not be kept longer than is necessary).
- Reduce Freedom of Information administration, as records must be supplied to a requestor if they are held, even if they are outside their retention period.
- Reduce the costs and space associated with storing records unnecessarily.
Once records have reached their retention period, they must be subject to a final disposal which will be irreversible destruction or a permanent archive for records of historical interest.
The Estates team now arranges the archiving of physical records, and the ICT Service Desk can offer advice on the secure destruction of electronic records, equipment and devices.
Retention and Disposal Schedules / FOIA Act 2000
Retention and disposal schedules are a very important part of accounting for the legitimate absence of information under the Freedom of Information (FOI) Act 2000, and the Data Protection Act 2018. Demonstrating to requesters, or the Information Commissioner, that disposal decisions have been made and implemented following due process, will enable NHS England to defend legitimate records management activity.
The retention periods given in this schedule are the minimum periods for which records must be retained for health and care purposes. In most cases, it will be appropriate to dispose of records once this period has expired, unless the records have been selected for permanent preservation. If a situation arises where it is necessary to maintain specifically identified individual records, or group of records for longer than the stated minimum, advice must be sought from the Information Governance Team.
This situation may arise due to:
- Public inquiries
- Ongoing access request, for example, where the ongoing processing of an access request cuts over the minimum retention period. It would not be acceptable to dispose of a record that is part way through being processed for an access request because the minimum retention period has been reached.
- Where there is a continued business need beyond the minimum retention period.
- Where records contain personal data, the decision to retain must comply with UK GDPR.
Approval for continued retention beyond the periods laid out in this Schedule must be sought from the Information Governance Team, recorded, made in accordance with formal policies and procedures by authorised staff and set a specific period for further review.
Processes for Archiving and Destruction
The Corporate Records Retention and Disposal Schedule identifies the main classifications of corporate records held by our organisation and provides appropriate retention rules for each. The detailed retention guidance in this document is for corporate records only; for guidance on the retention of clinical records, please refer to the guidance within the NHS Records Management Code of Practice 2021 and the NHSE Primary Care Services Records Retention Schedule.
All staff are responsible for regularly reviewing the information that they hold and for ensuring that they do not retain information that is no longer required. This might take the form of, for example, reviewing emails and deleting any that are no longer required or sorting through and disposing of paper documents on desks.
Many staff will keep personal or informal notes or notebooks as part of their day to day activities. If any critical or important information is captured in personal notes, those notes must be captured and saved centrally. Those working during incidents such as the COVID-19 response and keeping physical notes should ensure that incident related information is recorded in a dedicated book which can be safeguarded.
Occasionally, documents and information held by a department may not be listed on the Corporate Records Retention and Disposal Schedule. This may be because the information does not constitute a corporate record. Alternatively, it may be because the record is indeed on the schedule, but under different terminology or a wider term (e.g., petty cash records ought to be retained in line with 'records of financial transactions').
Toward the end of the relevant minimum retention period for a record, the record’s owner should review the record and decide on the next steps. One of the following actions will usually apply:
- Review: records may need to be kept for longer than the minimum retention period due to on-going administrative need. As part of the review, staff in the Organisation should have regard to the Data Protection Act, which requires that personal data is not kept longer than is necessary. If it is decided that the records should be kept for a period longer than the minimum, the Organisation's Records Retention Schedule may need to be amended.
- Archive: Some paper records may need to be kept for a significant period of time but are no longer current (i.e., you are unlikely to need them on a regular basis). These should be archived with the Organisation's archived paper records supplier. When the record is due for destruction, discuss whether the record should be kept further or destroyed. If you need to archive files, please contact the Information Governance team for advice.
- Destroy: Some paper records do not need to be kept but do have personal or sensitive information. These should be destroyed securely either by shredding using a suitable machine or destroyed using the local approved disposal process.
For the destruction of electronic records this is detailed in the Electronic Records Policy.
Digital Continuity
Digital continuity is the assurance that digital information is available for as long as it is needed. Access to digital information must survive operating system upgrades, application software upgrades, organisational mergers, system decommissioning etc.
Information Asset Owners are responsible for ensuring they have digital continuity, disaster recovery and business continuity plans for relevant records.
Training Requirements
Records management training and guidance will be provided for users by Information Asset Owners with support from the Information Governance Team.
Monitoring
The Data Security and Protection Toolkit includes requirements relating to corporate records management. Compliance against these requirements will be monitored and supported through the IG work programme.
Associated Documents & Legislation
- The Freedom of Information Act 2000
- Records Management: NHS Code of Practice
- The Common Law Duty of Confidentiality
- The NHS Confidentiality Code of Practice
- The Data Security and Protection Toolkit
- Public Records Act 1958
- Local Government Act 1972
- Local Government Act 1974
- Limitation Act 1980
- Local Government (Access to Information) Act 1985
- Access to Health Records Act 1990
- Data Protection Act 2018
- Health and Social Care Act 2012
- Inquiries Act (2005)
- Management of Records Code of Practice
- The UK General Data Protection Regulation (UK GDPR) Document 2000