Records Management Policy
Version: V7
Ratified by:
Quality Reference Group
Date ratified: 15/12/2023
Job Title of author:
Reviewed by Committee or Expert Group
Equality Impact Assessed by:
Related procedural documents
Information Governance and IT Projects Manager
Quality Reference Group
Information Governance and IT Projects Manager
QSPOL01 Incident Reporting & Management Policy
IGPOL53 Information Security Policy
IGPOL65 Transferring Personal Information Policy
IGSOP06 Record Creation & Retrieval Procedure
IGSOP07 Record Retention & Disposal Procedure
IGSOP08 Record Scanning Procedure
Review date: 15/12/2026
It is the responsibility of users to ensure that you are using the most up to date document template – i.e. obtained via the intranet.
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version Date
Author Status Comment
V2 March 2011 Information Governance Coordinator Ratified Update of V1 dated Oct 2009 for transition to CECS CIC
V3 Jan 2013 Information Governance Manager Ratified 2 Year Review
V3.1 September 2013 Steph Schuster Safety & Quality Administrator No change to review date Updated in line with organisation name change and restructure
V4 May 2015 Information Governance Manager Name changed to “Records Management Policy” from “Information Lifecycle Management Policy”. Inclusion of Scanning Procedure as Appendix 4
V5 August 2018 N/A
V6 July 2020 Information Governance and IT Projects Manager
Q&S August 2018 agreed a 3 month extension
Review Minor changes. Update to main systems used within Provide Group. Removal of appendices and creation of separate SOP’s
V7 Sept 2023 Information Governance and IT Projects Manager Review 3 year review
1. Introduction
Records Management is the process by which an organisation manages all the aspects of records whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal.
The Records Management: NHS Code of Practice© has been published by the Department of Health as a guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. It is based on current legal requirements and professional best practice.
Provide Group records are its corporate memory, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. Records support policy formation and managerial decision-making, protect the interests of the organisation and the rights of patients, staff and members of the public. They support consistency, continuity, efficiency and productivity and help deliver services in consistent and equitable ways.
The Provide Group Board has adopted this records management policy and is committed to on-going improvement of its records management functions as it believes that it will gain a number of organisational benefits from so doing. These include:
• Better use of physical and server space
• Better use of staff time
• Improved control of valuable information resources
• Compliance with legislation and standards; and
• Reduced costs
The organisation also believes that its internal management processes will be improved by the greater availability of information that will accrue by the recognition of records management as a designated corporate function.
This document sets out a framework within which the staff responsible for managing the organisations records can develop specific policies and procedures to ensure that records are managed and controlled effectively, and at best value, commensurate with legal, operational and information needs.
2. Purpose
This policy relates to all clinical and non-clinical operational records held in any format by the organisation. These include:
• All administrative records (e.g. personnel, estates, financial and accounting records, notes associated with complaints); and
• All patient health records (for all specialties and including private patients, including x-ray and imaging reports, registers, etc.)
Records Management is a discipline which utilises an administrative system to direct and control the creation, version control, distribution, filing, retention, storage and disposal of records, in a way that is administratively and legally sound, whilst at the same time serving the operational needs of the organisation and preserving an appropriate historical record.
The key components of records management are:
• Record creation
• Record keeping
• Record maintenance (including tracking of record movements)
• Access and disclosure
• Closure and transfer
• Appraisal
• Archiving; and
• Disposal
The aims of our Records Management System are to ensure that:
• Records are available when needed - from which the organisation is able to form a reconstruction of activities or events that have taken place
• Records can be accessed - records and the information within them can be located and displayed in a way consistent with its initial use, and that the current version is identified where multiple versions exist
• Records can be interpreted - the context of the record can be interpreted: who created or added to the record and when, during which business process, and how the record is related to other records
• Records can be trusted – the record reliably represents the information that was actually used in, or created by, the business process, and its integrity and authenticity can be demonstrated
• Records can be maintained through time – the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the record is needed, perhaps permanently, despite changes of format;
• Records are secure - from unauthorised or inadvertent alteration or erasure, that access and disclosure are properly controlled and audit trails will track all use and changes. To ensure that records are held in a robust format which remains readable for as long as records are required
• Records are retained and disposed of appropriately - using consistent and documented retention and disposal procedures, which include provision for appraisal and the permanent preservation of records with archival value; and
• Staff are trained - so that all staff are made aware of their responsibilities for record-keeping and record management
3. Definitions
The term Records Life Cycle describes the life of a record from its creation/receipt through the period of its ‘active’ use, then into a period of ‘inactive’ retention (such as closed files which may still be referred to occasionally) and finally either confidential disposal or archival preservation.
In this policy, Records are defined as ‘recorded information, in any form, created or received and maintained by the organisation in the transaction of its business or conduct of affairs and kept as evidence of such activity’.
Information is a corporate asset. Provide Group records are important sources of administrative, evidential and historical information. They are vital to the organisation to support its current and future operations (including meeting the requirements of Freedom of Information legislation as defined under Provide Group contracts with its NHS Commissioners), for the purpose of accountability, and for an awareness and understanding of its history and procedures.
4. Duties
Chief Executive
Overall responsibility for records management in Provide Group. As Accountable Officer, the Chief Executive is responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity. Records management is key to this as it will ensure appropriate, accurate information is available as required.
Provide Group
Provide Group has a particular responsibility for ensuring that it corporately meets its legal responsibilities, and for the adoption of internal and external governance requirements.
Caldicott Guardian
Particular responsibility for reflecting patients’ interests regarding the use of patient identifiable information. The Caldicott Guardian is responsible for ensuring patient identifiable information is shared in an appropriate and secure manner.
Information Governance and IT Projects Manager
Responsible for the overall development and maintenance of health records management practices throughout the organisation, in particular for drawing up guidance for good records management practice and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of patient information.
Data Protection Officer (DPO)
The Data Protection Officer (DPO) advises Provide Group on the management of personal information, compliance with data protection legislation, and good practice.
Local Service managers
Overall responsibility for the management of records generated by their activities, i.e. for ensuring that records controlled within their service are managed in a way which meets the aims of Provide Group records management policies.
All Staff
Whether clinical or administrative, staff who create, receive and use records have records management responsibilities. In particular all staff, including those working to service level agreements, must ensure that they keep appropriate records of their work in the organisation and manage those records in keeping with this policy and with any guidance subsequently produced.
5. Training
All Provide Group staff will be made aware of their responsibilities for record-keeping and record management through generic and specific training programmes and guidance.
All staff will receive training through Corporate Induction and any updates annually through the IG Training. Additional training requirements will be identified through staff Performance Development Review.
6. Legal and Professional Obligations
All NHS records and most information are Public Records under the Public Records Acts. Provide Group will take actions as necessary to comply with the legal and professional obligations set out in the Information Security Management: NHS Code of Practice.
The key statutory requirement for NHS compliance with Information Security Management principles, is the Data Protection Act 2018. The organisation has legal obligations to maintain security and confidentially, in particular in accordance with the following:
• General Data Protection Regulations (GDPR)
• Data Protection Act (2018)
• Copyright Patents and Designs Act (1988)
• Computer Misuse Act (1990)
• Public Records Act (1958)
• Freedom of Information Act (2000)
• Common Law Duty of Confidentiality
• NHS Digital code of practice on Confidential Information
• NHS Information Governance: Guidance on Legal and Professional Obligations (2007)
• Any new legislation affecting records management as it arises
7. Records Creation
Both health and corporate records, whether in paper or electronic format, must be created in line with Provide Group procedures for their format and content. (IGSOP07 Record Retention & Disposal Procedure)
All staff are responsible for the security, integrity and accountability of patient records in either paper or electronic format. All records series must conform to approved standards in terms of structure, format, content and data quality. New records series should only be set up in consultation with the records management lead and with the approval of the appropriate committee.
When creating information in the first instance, the following should be adhered to. The information must be:
• Available when needed - to enable a reconstruction of activities or events that have taken place
• Accessible to all members of staff that require access in order to enable them to carry out their day to day work - the information must be located and displayed in a way consistent with its initial use and that the current version is clearly identified where multiple versions exist
• Interpretable, clear and concise - the context of the information must be clear and be able to be interpreted appropriately, i.e. who created or added to the record and when, during which business process and how the record is related to other records
• Trusted, accurate and relevant - the information must reliably represent the initial data that was actually used in, or created by, the business process whilst maintaining its integrity. The authenticity must be demonstrable and the content relevant; and
• Secure - the information must be secure from unauthorised or inadvertent alteration or erasure. Access and disclosure must be properly controlled and audit trails used to track all use and changes. The information must be held in a robust format which remains readable for as long as the information is required / retained
Staff should also consider the following when creating information:
• What they are recording and how it should be recorded
• Why they are recording it
• How to validate information (with the patient or carers or against other records) to ensure they are recording the correct data
• How to identify and correct errors and how to report errors if they find them
• How to use information and understand what the records are used for (and therefore why timeliness, accuracy and completeness of recording is so important)
• How to update information and how to add in information from other sources; and
• When and how to incorporate document and version control
8. Clinical Templates
All clinical templates to be added to existing records or which will form the base for new records, must be tested for clinical effectiveness following consultation with the appropriate individual specialists and appropriate groups.
All SystmOne templates must be submitted to the SystmOne Template Governance User Group for review and ratification.
9. Records Management
All information needs to be maintainable through time. The qualities of availability, accessibility, interpretation and trustworthiness must be maintained for as long as the information is needed, perhaps permanently, despite changes in the format. The use of standardised filenames and version control methods should be applied consistently throughout the organisation and the life of the information.
All staff have a duty for the maintenance and protection of records they use or manage.
Any risk management incidents relating to records need be reported by following the organisation’s Incident Reporting & Management Policy
The identification and safeguarding of vital records necessary for business continuity should be included in any Business Continuity and Disaster Recovery plans.
10.Amendments to Records
Any amendments made retrospectively to a record must clearly indicate that the additional entry was made as an addition to the earlier record. At no point should an attempt be made to alter or delete the earlier record.
The Health Record Keeping Policy must be followed for amendments to Clinical Records.
The following systems are in place to prevent retrospective alteration of a record and there are audit trails that will highlight when an attempt has been made to alter the record.
TPP SystmOne
Access to TPP SystmOne is via the use of a smartcard. SystmOne has built in controls that highlight any attempts at alteration of a record and issues a warning should such an attempt be made.
Windip
The system by default is set up to block any attempt to edit or delete records that have been scanned into the system. Where services are granted to make changes to their scanned documents these are fully auditable.
SharePoint
The organisation’s SharePoint document management and storage system have been set up with different levels of access. Folders within SharePoint must be restricted to appropriate staff. Definitive documents within these folders should be protected by limiting the read/ write access to these documents.
Where changes are required to version-controlled records these should be clearly marked
Inform
Inform is the clinical system used by the Sexual Health teams. Access to Inform is via a username and password. Access is managed by the Provide Group Systems team. There is a full audit trail within Inform should a record be amended.
Priority Digital Me
Priority Digital Me (PrDM) is an Electronic Patient Record system used by the Essex Wellbeing team. Access to PrDM is via a username and password. Every data entry on the system has a name and time log.
11.Record Tracking (Paper Records)
Only authorised staff must have access to records and all services should ensure they have appropriate tracking systems and audit trails in place to monitor the use and movement of records.
One of the main reasons why records get misplaced or lost is because their next destination is not recorded anywhere.
All staff should be made aware of its importance and receive adequate training in its use to ensure that it is kept up to date.
Local service managers are responsible for establishing robust tracking systems and these should be based on one of the following:
• Electronic register. It is recommended that clinical services on TPP SystmOne utilise the record tracking template.
• An electronic register held on a SharePoint accessible to team members
• A paper register – a book or dedicated diary
• An index system with a card for every absent record, held in alphabetical order
Where records have been removed from a file, an absence or tracer card should be put in place and record the following minimum information:
• Name of the record removed from the system
• Name of the recipient of the record, their job title and contact details
• The date of the transfer and the date they should arrive; and
• Confirmation from the recipient that they have arrived
See Appendix 1 for an example Tracer Card.
12.Registration of Record Collections
Provide Group has and maintains a Central Information Asset Register This inventory facilitates:
• The classification of records into series; and
• The recording of the responsibility of individuals creating records
• Identification of any risks and appropriate Business Continuity Plans for each record
The register is reviewed regularly.
13.Record Storage Electronic
Records
The main clinical record for most services is held on TPP SystmOne.
Access to TPP SystmOne is via Smartcard.
Access must be agreed by an RA Sponsor in line with the organisation’s Registration Authority Policy and Procedures.
Records held on other systems (clinical and non-clinical) must be suitably stored so as to protect against unauthorised access, corruption and intentional or unintentional deletion. SharePoint must be set up to allow access to only those who have a need to know. Systems must be protected by either Smartcard or password controls.
Scanned clinical records or images must be stored on BIP 0008 compliant systems only (so that scanned images will be accepted as evidence by the courts) This also applies to any other records that may be used as evidence in disputes inside and outside the legal system. TPP SystmOne and Windip comply with this standard. (See IGSOP08 Record Scanning Procedure for further information about scanning)
Paper Records
When a record is in constant or regular use, or is likely to be needed quickly, it should be kept within the area responsible for the related work. Storage equipment for current records will usually be adjacent to users i.e. their desk drawers or nearby cabinets, to enable information to be appropriately filed so that it can be retrieved when it is next required.
All health records must be stored in lockable cabinets or in a locked environment congruent to the requirements set out in the organisation’s Information Security Policy (IGPOL53)
There is a wide range of suitable office filing equipment available and individual choice should consider the following factors:
• Compliance with Health & Safety regulations (must be the top priority)
• Security (especially for confidential material)
• The user’s needs
• Type(s) of records to be stored
• Size and quantities
• Usage and frequency of retrievals; and
• Suitability, space efficiency and price
Guidance and training on records storage will be provided to all staff during the Provide Group induction programme and through mandatory IG training.
14.Retention & Disposal Schedules
It is a fundamental requirement that all of the organisation’s records are retained for a minimum period of time for legal, operational, research and safety reasons. The length of time for retaining records will depend on the type of record and its importance to Provide Group business functions. (IGSOP07 Record Retention & Disposal Procedure)
The organisation has adopted the retention periods set out in the Record Retention Schedules for Health and Social Care.
The retention schedules can be viewed on the Provide Intranet.
15.Records
Management Systems Audit
The organisation will regularly audit its records management practices for compliance with this framework through the annual record keeping audit, Data Protection and Confidentiality audit and the activities undertaken with regards to the maintenance of the Information Asset Register.
The audit’s activities will:
• Identify areas of operation that are covered by Provide Group policies and identify which procedures and/or guidance should comply to the policy
• Follow a mechanism for adapting the policy to cover missing areas if these are critical to the creation and use of records, and use a subsidiary development plan if there are major changes to be made
• Set and maintain standards by implementing new procedures, including obtaining feedback where the procedures do not match the desired levels of performance; and
• Highlight where non-conformance to the procedures is occurring and suggest a tightening of controls and adjustment to related procedures.
The results of audits will be reported through the Quality & Safety and Finance and Investment Committee’s.
16.Review
This policy will be reviewed every three years (or sooner if new legislation, codes of practice or national standards are to be introduced).
17.References
Records Management Code of Practice (2023) https://transform.england.nhs.uk/information-governance/guidance/recordsmanagement-code/ (accessed online 01/12/2023)
Data Protection Legislation: https://ico.org.uk/ (accessed online 01/12/2023)
NHS Information Governance: Guidance on Legal and Professional Obligations (2007): https://assets.publishing.service.gov.uk/media/5a7c3bd6e5274a1b0042262b/NHS_In formation_Governance_Guidance_on_Legal_and_Professional_Obligations.pdf (accessed online 01/12/2023)
Appendix 1: Example Tracer Card for Paper Health Records
Surname:
Date of Birth:
(name)
Number:
EQUALITY IMPACT ASSESSMENT
TEMPLATE: Stage 1: ‘Screening’
Name of project/policy/strategy (hereafter referred to as “initiative”):
Records Management Policy
Provide a brief summary (bullet points) of the aims of the initiative and main activities:
The key aims are to ensure that:
• Records can be accessed
• Records can be interpreted
• Records can be Trusted
• Records can be maintained through time
• Records are secure
• Records are retained and disposed of appropriately
• Staff are trained
• Records are available when needed
Project/Policy Manager: IG Manager
Date: 11/09/2023
This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community – i.e. on the grounds of race (incl. religion/faith), gender (incl. sexual orientation), age, disability, or whether it is “equality neutral” (i.e. have no effect either positive or negative). In the case of gender, consider whether men and women are affected differently.
Q1. Who will benefit from this initiative? Is there likely to be a positive impact on specific groups/communities (whether or not they are the intended beneficiaries), and if so, how? Or is it clear at this stage that it will be equality “neutral”? i.e. will have no particular effect on any group.
Neutral
Q2. Is there likely to be an adverse impact on one or more minority/under-represented or community groups as a result of this initiative? If so, who may be affected and why? Or is it clear at this stage that it will be equality “neutral”?
Neutral
Q3. Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed assessment (Stage 2 – see guidance)? If not, will there be monitoring and review to assess the impact over a period time? Briefly (bullet points) give reasons for your answer and any steps you are taking to address particular issues, including any consultation with staff or external groups/agencies.
Positive impact – ensures security, confidentiality, integrity and accessibility of information.
Policy to be monitored through the Provide Group Incident Reporting process and reviewed every 3 years.
Guidelines: Things to consider
Equality impact assessments at Provide take account of relevant equality legislation and include age, (i.e. young and old,); race and ethnicity, gender, disability, religion and faith, and sexual orientation.
The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.
Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.
Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.
Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?
It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.
It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.
EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage 2:
(To be used where the ‘screening phase has identified a substantial problem/concern)
This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.
Q1. What data/information is there on the target beneficiary groups/communities? Are any of these groups under- or over-represented? Do they have access to the same resources? What are your sources of data and are there any gaps?
N/A
Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? If yes, how? Which are the main groups it will have an impact on?
N/A
Q3. Will the initiative have an adverse impact on any particular group or community/community relations? If yes, in what way? Will the impact be different for different groups – e.g. men and women?
N/A
Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Summarise (bullet points) any important issues arising from the consultation.
N/A
Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact? Are there specific factors which need to be taken into account?
N/A
Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required.
N/A
Guidelines: Things to consider
An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.
It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.
The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.
If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.
Further information:
Useful Websites www.equalityhumanrights.com Website for new Equality agency www.employers-forum.co.uk – Employers forum on disability www.disabilitynow.org.uk – online disability related newspaper www.womenandequalityunit.gov.uk – Gender issues in more depth www.opportunitynow.org.uk - Employer member organisation (gender) www.efa.org.uk – Employers forum on age www.agepositive.gov.uk – Age issues in more depth
© MDA 2007 EQUALITY IMPACT ASSESSMENT TEMPLATE: Stage One: ‘Screening’