Section 2: records management obligations

2.1 Overview

All health and care employees are responsible for managing records appropriately. Records must be managed in accordance with the law. Health and care professionals also have professional responsibilities, for example, complying with the Caldicott Principles and records keeping standards set out by registrant bodies.

Whilst every employee has individual responsibilities, each organisation should have a designated member of staff who leads on records management. Each organisation should also have a policy statement on records management which is made available to staff through induction and training.

Organisations may be asked for evidence to demonstrate they operate a satisfactory records management regime.



Freedom of Information Act 2000

The Freedom of Information Act (FOIA) governs access to and management of non-personal public records. The FOIA was designed to create transparency in government and allow any citizen to know about the provision of public services through the right to submit a request for information. This right is only as good as the ability of those organisations to supply information through good records management programmes. Records managers should adhere to the code of practice on record keeping issued by the Secretary of State for Culture, Media and Sport, under section 46 of the FOIA. The section 46 Code of Practice is used as a statutory statement of good practice by the regulator and the courts.


UK GDPR and Data Protection Act 2018

The UK GDPR is the principal legislation governing how records, information and personal data are managed. It sets in law how personal and special categories of information may be processed. The Data Protection Act 2018 principles are also relevant to the management of records. Under the UK GDPR, organisations may be required to undertake Data Protection Impact Assessments (DPIA) as set out in Section 3 of this Records Management Code.

The UK GDPR also introduces a principle of accountability. The Information Commissioner’s Office (ICO) Accountability Framework can support organisations with their obligations. Good records management will help organisations to demonstrate compliance with this principle.


Health and Social Care Act 2008

Regulation 17 under the Health and Social Care Act 2008 requires that health and care providers must securely maintain accurate, complete and detailed records for patients or service users, employment of staff and overall management. The CQC are responsible for regulating this and have issued guidance on regulation 17. The CQC may have regard to the Code when assessing providers’ compliance with this regulation.


Other relevant legislation

Other legislation requires information to be held as proof of an activity against the eventuality of a claim. Examples of such legislation include the Limitation Act 1980 and the Consumer Protection Act 1987. The Limitation Act sets out the length of time within which a legal case can be brought after an event, and sets it at six years. This forms the basis for some of the retention periods set out in Appendix II.


2.3 Professional obligations

Staff who are registered to a professional body, such as the General Medical Council (GMC), Nursing and Midwifery Council (NMC) or Social Work England will be required to adhere to record keeping standards defined by their registrant body. This is designed to guard against professional misconduct and to provide high quality care in line with the requirements of professional bodies.

The Academy of Medical Royal Colleges (AoMRC) generic medical record keeping standards were prepared for use in the NHS, primarily in acute settings but the standards are useful for all health and care settings. The AoMRC notes that a medical record, whether paper or digital, must adhere to certain record keeping standards. The Royal College of Nursing has produced guidance on abbreviations and other short forms in patient or client records.

Further information about professional standards for records can be obtained from your relevant professional body. The main standard setting bodies in health and social care in England are:

There are also organisations that provide advice specifically to records managers and archivists. These are:

Caldicott principles

The Caldicott principles outline eight areas that all health and social care staff are expected to adhere to in addition to the UK GDPR.


2.4 Management responsibilities

Records management should be recognised as a specific corporate responsibility within every organisation. It should provide a managerial focus for records of all types, in all formats throughout their lifecycle, from creation through to ultimate disposal. The records management function should have clear responsibilities and objectives and be adequately resourced to achieve them.

A designated member of staff of appropriate seniority, ideally with suitable records management qualifications, should have lead responsibility for records management within the organisation. This could be a care home manager or practice manager or, in a larger organisation, a staff member reporting directly to a board member. This lead role should be formally acknowledged, included in relevant job descriptions and communicated throughout the organisation. It is essential that the manager responsible for the records management function is directly accountable to, or works in close association with, the managers responsible for other information governance work areas. When new IT projects or upgrades are introduced, the person responsible for records management should be closely involved.

As records management activities are undertaken throughout the organisation, mechanisms must be in place to enable the designated corporate lead to exercise an appropriate level of management of this activity, even where there is no direct reporting line. This might include cross-departmental records and information working groups or individual information and records champions or coordinators who may also be information asset owners.

All staff, whether working with clinical or administrative records, must be appropriately trained so that they are competent to carry out their designated duties and fully aware of their personal responsibilities in respect of record keeping and records management. No patient or service user records or systems should be handled or used until training has been completed. Training must include the use of electronic records systems. It should be delivered through generic, organisation-wide training programmes, which may also be tailored to a department or context. Training should be complemented by organisational policies, procedures and guidance documentation.


2.5 Organisational policy

Each organisation must have an overall policy statement on how it manages all of its records. This may be a standalone policy or part of the overall suite of IG policies. The policy should include details of how the organisation will use the records it creates. For example, as well as records being used to plan and deliver care, they will also be used for service improvement and research.

This statement must be endorsed by the Operational Management Team, board (or equivalent) and made available to all staff at induction and through regular updates and training.

The policy statement should provide a mandate for the performance of all records and information management functions. In particular, it should set out an organisational commitment to create, keep, manage, and dispose of records and document its principal activities in this respect. The policy should also:

  • outline the role of records management within the organisation and its relationship to the organisation’s overall strategy
  • define roles and responsibilities within the organisation in relation to records, including the responsibility of individuals to document their actions and decisions (for example, who is responsible for the disposal of records)
  • assign responsibility for the arrangements for records appraisal, selection and transfer for the permanent preservation of records (as required by section 3(1) of the Public Records Act 1958)
  • provide a framework for supporting standards, procedures and guidelines and regulatory requirements (such as CQC and the Data Security and Protection Toolkit)
  • indicate the way in which compliance with the policy and its supporting standards, procedures and guidelines will be monitored and maintained
  • provide the mandate for final disposal of all information by naming the committee or group that oversees the processes and procedures
  • provide instruction on meeting the records management requirements of the FOIA and the UK GDPR

The policy statement should be reviewed at regular intervals (at least once every two years) and if appropriate should be amended to maintain its relevance. The policy is also an important component of the organisation’s information governance arrangements and should be referenced in the organisation’s IG policies or framework.

Organisations must also conduct an annual survey to understand the extent of their records management responsibilities and to help inform future work plans. It will help organisations to know:

  • what series of records they hold (and potential quantities)
  • the format of their records
  • the business area that created each record (and its potential Information Asset Owner)
  • disposal potential for the coming year

Information Asset Management systems may support this process. They can help identify where records are held and whether they are being held under the correct security conditions, and in the case of health and care records, remain confidential. The process can also be used as an opportunity for asset owners to identify how long their records need to be held. The process will identify business critical assets and ensure that there are adequate business continuity measures in place to assure access.


2.6 Monitoring records management performance

Organisations may be asked for evidence to demonstrate they operate a satisfactory records management regime. There is a range of sanctions available if satisfactory arrangements are not in place. Sanctions vary in their severity for both organisations and the individual. They may include:

  • formal warning
  • professional de-registration, either temporary suspension or permanent
  • regulatory intervention: leading to conditions being imposed upon an organisation, or monetary penalty issued by the ICO

Last edited: 7 May 2026 5:13 pm