Section 4: records storage for operational use

This section covers how to store records for operational use. It includes considerations relating to both paper and digital records including the challenge of ensuring digital records remain authentic and usable over time and the management of off-site storage. Further information about the management of specific formats of records (for example, cloud-based records and records created on personally owned computers and equipment) are in Appendix III.

Wherever possible, organisations should be moving to digital records. The original paper record guarantees the authenticity of the record. However, it can make it hard to audit access to the record, depending on where this is stored, because paper records do not have automatic audit logs. Storage of paper records also will incur costs, whether in-house or offsite. This cost will only increase as the size of the holding or length of time they are stored, increases.

Where possible, paper records management processes should be as environmentally friendly as possible. This will help contribute towards the NHS target to reduce its carbon footprint and environmental impact. Examples include the shredding of paper records and the end product used for recycling purposes instead of burning records in industrial furnaces.

Digital records offer many advantages over paper records. They can be accessed simultaneously by multiple users, take up less physical storage space and enable activities to be carried out more effectively, for example, through the use of search functions and digital tools.

Digital information must be stored in such a way that, throughout its lifecycle, it can be recovered in an accessible format in addition to providing information about those who have accessed the record.

The European Commission has produced an overarching standard in this area. (Further information is available on the DLM forum foundation). The authenticity of a record is dependent on a number of factors:

• sufficient metadata to allow it to remain reliable, integral and usable (refer to section 3)
• the structure of the record
• the business context
• links between other documents that form part of the transaction the record relates to

The management of digital records requires constant, continual effort, and should not be underestimated. Failure to properly maintain digital records can result in doubt being raised over the authenticity of the digital image. Examples include:

• a record with web links that do not work once they are converted to another format, loses integrity
• a record with attachments, such as hyperlinks or embedded documents that do not migrate to newer media, are not complete or integral
• an email message that is not stored with the other records related to the transaction, is not integral as there are no supporting records to give it context

Digital information presents a unique set of issues which must be considered and overcome to ensure that records remain:

• authentic
• reliable
• retain their integrity
• retain usability

Digital continuity refers to the process of maintaining digital information in such a way that the information will continue to be available as needed despite advances in digital technology and the advent of newer digital platforms. Digital preservation ensures that digital information of continuing value remains accessible and usable.

The amount of work required to maintain digital information as an authentic record must not be underestimated. For example, the information recorded on an electronic health record system may need to be accessible for decades (including an audit trail to show lawful access and maintain authenticity) to support continuity of care. Digital information must not be left unmanaged in the hope a file can be used in the future. The National Archives has produced a variety of technical and role-based guidance and useful checklists to support this management process.

As there are no digital records in existence today that are of such an age, it is difficult to even plan continued access in an authentic form over such a timeframe. For example:

• paper records can deteriorate over time - so can digital media as the magnetic binary code can de-magnetise in a process called "bit rot" leading to unreadable or altered information, thus reducing its authenticity
• software upgrades can leave other applications unusable as they may no longer run on updated operating systems
• media used for storage may become obsolete or degrade, and the technology required to read them may not be commercially available
• file formats become obsolete over time as more efficient and advanced ones are developed

There are several strategies that can be adopted to ensure that digital information can be kept in an accessible form over time. Among the most common strategies adopted are:

• migration to the new systems (retaining existing formats - this is the preferred method)
• emulation (using software to simulate the original application)
• preservation of host system
• conversion to a standard file format (or a limited number of formats)

The Digital Preservation Coalition has produced a Digital Preservation Handbook that will help organisations understand some of the issues associated with retaining digital records for long periods of time.

The UK government National Cyber Security Centre (NCSC) provides good practice guidelines on forensic readiness and defines it as:

"the achievement of an appropriate level of capability by an organisation in order for it to be able to collect, preserve, protect and analyse digital evidence so that this evidence can be effectively used in any legal matters, in security investigations, in disciplinary matters, in an employment tribunal or in a court of law".

The NCSC notes that "it is important for each organisation to develop a forensic readiness of sufficient capability and that it is matched to its business need". Forensic readiness involves:

• specification of a policy that lays down a consistent approach to digital records
• detailed planning against typical (and actual) case scenarios
• identification of (internal or external) resources that can be deployed as part of those plans
• identification of where and how the associated digital evidence can be gathered that will support case investigation
• a process of continuous improvement that learns from experience

In many organisations, forensic readiness is managed by information security or informatics staff, but records managers need to ensure that they input to policy development and feed in case scenarios as necessary.

Where possible, electronic records management processes should be as environmentally friendly as possible to help contribute towards the NHS target to reduce its carbon footprint and environmental impact. An example would be to replace outdated IT servers with up to date energy efficient systems, reducing the amount of energy required for the solution.

It is vital to highlight the importance of actively managing records stored offsite. This applies to both paper records and records stored in cloud-based solutions (refer to Appendix III for further information about cloud-based records). Managing off-site records effectively will ensure that:

• there is a full inventory of what is held offsite
• retention periods are applied to each record
• a disposal log is kept
• there is evidence of secure disposal of records and information

The National Archives has produced guidance to identify and support the requirements for selecting and transferring paper records and further guidance on identifying and specifying requirements for offsite storage of physical records. It is a best practice benchmark for all organisations creating or holding public records and provides advice and guidance on the tracking of records at all stages of the information lifecycle up to disposal. The National Archives does not provide guidance on onsite storage of operational and live records. This should be determined by the local organisation in line with this Code.

When considering using offsite storage, organisations should consider the following:

• Instruction - the controller must provide clear instructions relating to all processing of offsite records including destruction of the records.
• Access to site - access to the storage site should be possible to be able to exercise due diligence, and conduct site visits if necessary.
• Retrieval - organisations will need to agree how their records will be retrieved and what timeframe they will be returned. An example would be to ensure that you can respond to subject access and FOI requests or retrieve them to dispose of when the minimum retention period has been reached.

You must conduct a DPIA if you are looking to start storing records offsite. This is because it will be a new process for handling potentially high volumes of personal data with increased risk. A DPIA must be completed:

• at the outset of entering an offsite storage contract
• if you have not completed one before on the service (even if it has been established for a number of years)
• if you change service provider
• if you change how you manage your contract or elements of it (for example, change from destruction by pulping to destruction by shredding)
• if you end the service by bringing it in-house

If offsite storage is currently operated by your organisation it may be worth conducting a DPIA to ensure current measures guard against risks to privacy. A DPIA is also evidence of due diligence, providing the outcomes are actioned.