Section 1: Scope of the code

This section explains the legal definition of a record and the types of records in scope of the Code.

There are a couple of definitions of a record, which are useful to highlight. The ISO standard ISO 15489-1:2016 defines a record as:

"Information created, received, and maintained as evidence and as an asset by an organisation or person, in pursuance of legal obligations or in the transaction of business."

Section 205 of the Data Protection Act 2018 defines a health record as a record which:

• consists of data concerning health
• has been made by or on behalf of a health professional in connection with the diagnosis, care or treatment of the individual to whom the data relates

The guidelines in this code apply to NHS and adult social care records.

This includes:

• records of patients treated by NHS organisations
• records of patients treated on behalf of the NHS in the private healthcare sector
• records of private patients treated on NHS premises
• records created by providers contracted to deliver NHS services (for example, GP services)
• adult service user records who receive social care support
• jointly held records
• records held as part of a Connecting Care Records programme
• records held by local authorities such as public health records, contraceptive and sexual health service records
• staff records
• complaints records
• corporate records - administrative records relating to all functions of the organisation

The Code does not cover children's social care records. These are within the remit of the Department for Education.

Whilst not strictly covered by this guide, private providers can also use this Code for guidance in relation to their records management. The Health and Social Care Act 2008 provides a legal framework for private providers to manage their records.

There are a number of smaller health and care providers that this Code will apply to, for example, dental practices or independent care providers providing an element of NHS or nursing care. For some aspects of this Code, these small organisations should take a pragmatic approach to, for example, the application of security classifications.

The guidelines apply regardless of the media on which the records are held. Usually these records will be on paper or digital. However, some specialties will include physical records, such as physical moulds made from plaster of Paris, refer to Appendix III.

Examples of records that should be managed using the guidelines in this Code include:

• health and care records
• registers - for example, birth, death, Accident and Emergency, theatre, minor operations
• administrative records, for example, personnel, estates, financial and accounting records, notes associated with complaint-handling
• X-ray and imaging reports, output and images
• secondary uses records (such as records that relate to uses beyond individual care), for example, records used for service management, planning, research

Examples of record formats that should be managed using the guidelines from this code:

• digital
• paper
• photographs, slides, and other images
• microform (microfiche or microfilm)
• physical records (records made of physical material such as plaster, gypsum and alginate moulds)
• audio and video tapes, cassettes, CD-ROM etc
• emails
• computerised records
• scanned records
• text messages (SMS) and social media (both outgoing from the NHS and incoming responses from the patient or service user) such as Twitter and Skype
• metadata added to, or automatically created by, digital systems when in use - content can sometimes be of little value if it is not accompanied by relevant metadata
• websites and intranet sites that provide key information to patients or service users and staff

Appendix III provides further details about managing specific types of records, for example, complaints records.