Section 3: organising records

As set out in section two, each organisation must have a policy for managing records. This section describes how to design and implement a records management scheme, decide what a record is and arrange records. It includes information about the importance of metadata and security classifications.

A record keeping system should be implemented at organisational level and within departmental standard operating procedures as appropriate. The records lifecycle, or the information lifecycle, is a term that describes a controlled regime in which information is managed from the point that it is created to the point that it is either destroyed or permanently preserved as being of historical or research interest.

A records management system should cover each stage of the lifecycle:

• creation: create and log quality information
• using: use or handle
• retention: keep or maintain in line with NHS recommended retention schedule
• appraisal: determine whether records are worthy of archival preservation
• disposal: dispose appropriately according to policy

Designing and Implementing Record Keeping Systems (DIRKS) is a manual which led to the creation of ISO 15489-1:2016 Information and documentation - Records Management. This standard, published by the International Organization for Standardization (ISO), focuses on the business principles behind records management and how organisations can establish a framework to enable a comprehensive records management programme. The standard is an eight-stage process and can be summarised as:

1. conduct preliminary investigation
2. analyse business activity
3. identify requirements for records
4. assess existing systems
5. identify strategies to satisfy requirement
6. design records system
7. implement records systems
8. conduct post implementation review

The standard also describes the characteristics of a record.

These characteristics allow strategies, policies and procedures to be established that will enable records to be authentic, reliable, integral and usable throughout their lifecycle.

In terms of ensuring a record is reliable, where an organisation realises that inaccurate information is being held about its patient or service users, then it should take steps to rectify the situation and make records as accurate as they can.

There are a series of other British and international standards that are used to produce record keeping systems. These all interrelate and work within the same guiding principles and where possible use the same terminology. They all rely upon defining roles and responsibilities, processes, measurement, evaluation, review and improvement.

Under UK GDPR, organisations are required to conduct Data Protection Impact Assessments (DPIAs) where there is a new or change in use of personal data and a potentially high risk to privacy (a DPIA template can be found on NHS England Transformation Directorate’s IG portal). Some uses require a mandatory DPIA (where processing is large scale or introduces new technologies). If you are looking to establish a new records management function, then it will be vitally important to complete a DPIA. This will highlight potential risks to privacy and data protection, allowing you to action, mitigate or eliminate that risk. This must be conducted prior to any processing being carried out.

When you are looking to amend a record’s function, you should check with the person responsible for records management first, for example, your record manager or your data protection officer. DPIA completion in this circumstance will depend on the amendments you are looking to make. For example, if you intend to add three racking shelves for paper HR files to the existing twenty shelves you would probably not complete a DPIA. If you were looking to send your records offsite for scanning or destruction you must complete a DPIA, as this is a new process and the risk is greater.

Within the record keeping system, there must be a method of deciding:

• what is a record
• what needs to be kept

This process is described as "declaring a record". A record can be declared at the point it is created or it can be declared at a later date. The process of declaring a record must be clear to staff. A declared record is then managed in a way that will fix it in an accessible format until it is appraised for further value or disposed of, according to retention policy that has been adopted. Some activities will be pre-defined as creating a record that needs to be kept, such as health and care records or the minutes and papers of board meetings. Other records will need to fulfil the criteria as being worth keeping, such as unique instances of a business document or email. Datasets may also be declared as records and managed accordingly.

Declared records can be held in the "business as usual" systems or they can be moved into a protected area such as an Electronic Document and Records Management System (EDRMS) depending on the record keeping system in use. Organisations' teams should only hold the records they need to conduct business locally.

Records and information relating to closed cases may be kept locally for a short period of time (such as a year). This is in case a patient or service user re-presents or is re-referred. After that time, they should be moved to long-term storage for the rest of their retention period. For digital records, a system may already be set up whereby records no longer required for current business are stored (such as a dedicated network drive or space on a drive). Records should be moved there keeping operational space free for current cases or work. This will also restrict unnecessary access to non-current personal or sensitive data. Your organisation’s records management policy should cover what you need to do locally in this circumstance.

Key legislation, such as the UK GDPR or FOIA, applies to all recorded information of the types covered by these Acts, whether declared as a formal record or not. However, declaration makes it easier to manage information in accordance with the legislation and business needs. Requests for information made under this legislation are easier to find in a logical filing system. Accumulations of informally recorded information, which can be difficult to find, should therefore be minimised.

Record keeping systems must have a means of physically or digitally organising records. This is often referred to as a file plan or business classification scheme. In its most basic form, a business classification scheme is a list of activities (for example, finance or HR) arranged by business functions, however, it is often linked to an organisation’s hierarchical structure.

Records should be arranged into a classification scheme, as required by ISO 15489 and the Section 46 Code of Practice. At the simplest level, the business classification scheme can be anything from an arrangement of files and folders on a network to an EDRMS. The important element is that there is an organised naming convention, which is logical, and can be followed by all staff. The scheme can be designed in different ways. Classification schemes should try to classify by function first. Once a recommended functional classification has been selected, the scheme can be further refined to produce a classification tree based on function, activity and transaction, for example:

Function: corporate governance

Activity: board minutes and associated papers

Transaction: April 2018 to March 2019

The transaction can then be assigned a rule (such as retention period), a security status or other action based on the organisational policy. The scheme will enable appropriate management controls to be applied and support more accurate retrieval of information from record systems.

Metadata is "data about data" or structured information about a resource. The Cabinet Office e-Government Metadata Standard (PDF) states that:

"metadata makes it easier to manage or find information, be it in the form of webpages, electronic documents, paper files or databases and for metadata to be effective, it needs to be structured and consistent across organisations."

The standard sets out 25 metadata elements, which are designed to form the basis for the description of all information. The standard lists four mandatory elements of metadata that must be present for any piece of information. A further three elements are mandatory if applicable and two more are recommended.

The following provides a practical example of the metadata standard being used to produce a label to be placed on the side of a box of paper records, which are ready to archive:

Where there is sufficient metadata it can be possible to arrange records by their metadata alone, however, a business classification scheme would always be recommended. Records arranged by their metadata rather than into a classification scheme often lack context. This reduces the ability to produce an authentic record. Finding records arranged in this way is often reliant on a powerful search tool used to "mine" the data or use a process called "digital archaeology". This is not recommended because it is so time-consuming to determine authenticity, but it has been included in this Code as legacy record keeping systems may not have been organised logically.

The NHS has developed a protective marking scheme for the records it creates. It is based on the Cabinet Office Government Security Classifications defined protective marking scheme which is used by both central and local government. Under the NHS Protective Marking Scheme 2014, patient data is classed as "NHS Confidential’"

There is no expectation that a security classification must be applied or used by all health and care organisations. For example, it would be disproportionate for a small care home or dental practice to apply NHS or government security classifications to a small cohort of records. Whereas a large NHS Trust may want to use the NHS classification scheme.