Records Management Code of Practice

Introduction

The Records Management Code of Practice for Health and Social Care (from this point onwards referred to as the Code) is a guide for you to use in relation to the practice of managing records. It is relevant to organisations working within, or under contract to, the NHS in England. The Code also applies to adult social care and public health functions commissioned or delivered by local authorities.

The Code provides a framework for consistent and effective records management based on established standards. It includes guidelines on topics such as legal, professional, organisational and individual responsibilities when managing records. It also advises on how to design and implement a records management system including advice on organising, storing, retaining and deleting records. It applies to all records regardless of the media they are held on. Wherever possible organisations should be moving away from paper towards digital records.

The Code is accompanied by a number of important appendices:

• Appendix I refers to information on public inquiries
• Appendix II is a retention schedule for different types of records
• Appendix III is detailed advice on managing different types and formats of records such as integrated care records and staff records.

All organisations and managers need to enable staff to conform to the standards in this Code. This includes identifying organisational changes or other requirements needed to meet the standards, for example, the people, money and correct tools required. Information governance performance assessments, such as the Data Security and Protection Toolkit, and your own organisation management arrangements will help you identify any necessary changes to your current records management practices. Those who have responsibilities for monitoring overall performance, like NHS England and the Care Quality Commission (CQC), help ensure effective management systems are in place. An example is by inspecting sites as part of their key lines of enquiry and statutory powers.

The guidelines in this Code draw on published guidance from The National Archives and best practice in the public and private sectors. It is informed by lessons learnt and it will help organisations to implement the recommendations of the Mid Staffordshire NHS Foundation Trust Public Inquiry relating to records management and transparency.

This Code must also be read in conjunction with the following:

• Professional Records Standards Body (PRSB) structure and content of health and care records standards
• Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 (FOIA)

This latest revision was conducted by NHSX (now the Transformation Directorate of NHS England). It reflects feedback following a consultation which 50 organisations responded to including national stakeholders and local organisations. The Code replaces previous guidance listed below:

• Records Management: NHS Code of Practice: Parts 1 and 2: 2006, revised 2009 and 2016
• HSC 1999/053: For the Record - managing records in NHS Trusts and health authorities
• HSC 1998/217: Preservation, Retention and Destruction of GP General Medical Services Records Relating to Patients (Replacement for FHSL (94) (30))
• HSC 1998/153: Using Electronic Patient Records in Hospitals: Legal Requirements and Good Practice

Standards and practice covered by the Code will change over time so this document will be reviewed and updated as necessary. In particular, it should be noted that at the time of writing there are a number of on-going public inquiries including the Infected Blood Public Inquiry (IBI) and the UK COVID-19 Inquiry. This means that records must not be destroyed until guidance is issued by the inquiry. Future public inquiries may lead to specific records management requirements. Where that happens, the Inquiry will publish additional guidance on its website. NHS England may also issue guidance to the health and care system relating to the inquiry.

Section 1: scope of the code

1.1 Overview

This section explains the legal definition of a record and the types of records in scope of the Code.

1.2 What is a record?

There are a couple of definitions of a record, which are useful to highlight. The ISO standard ISO 15489-1:2016 defines a record as:

"Information created, received, and maintained as evidence and as an asset by an organisation or person, in pursuance of legal obligations or in the transaction of business."

Section 205 of the Data Protection Act 2018 defines a health record as a record which:

• consists of data concerning health
• has been made by or on behalf of a health professional in connection with the diagnosis, care or treatment of the individual to whom the data relates.

1.3 Scope of records covered by the code

The guidelines in this code apply to NHS and adult social care records.

This includes:

• records of patients treated by NHS organisations
• records of patients treated on behalf of the NHS in the private healthcare sector
• records of private patients treated on NHS premises
• records created by providers contracted to deliver NHS services (for example, GP services)
• adult service user records who receive social care support
• jointly held records
• records held as part of a Connecting Care Records programme
• records held by local authorities such as public health records, contraceptive and sexual health service records
• staff records
• complaints records
• corporate records - administrative records relating to all functions of the organisation

The Code does not cover children's social care records. These are within the remit of the Department for Education.

Whilst not strictly covered by this guide, private providers can also use this Code for guidance in relation to their records management. The Health and Social Care Act 2008 provides a legal framework for private providers to manage their records.

There are a number of smaller health and care providers that this Code will apply to, for example, dental practices or independent care providers providing an element of NHS or nursing care. For some aspects of this Code, these small organisations should take a pragmatic approach to, for example, the application of security classifications.

1.4 Type of records covered by the code

The guidelines apply regardless of the media on which the records are held. Usually these records will be on paper or digital. However, some specialties will include physical records, such as physical moulds made from plaster of Paris, refer to Appendix III.

Examples of records that should be managed using the guidelines in this Code include:

• health and care records
• registers - for example, birth, death, Accident and Emergency, theatre, minor operations
• administrative records, for example, personnel, estates, financial and accounting records, notes associated with complaint-handling
• X-ray and imaging reports, output and images
• secondary uses records (such as records that relate to uses beyond individual care), for example, records used for service management, planning, research

Examples of record formats that should be managed using the guidelines from this code:

• digital
• paper
• photographs, slides, and other images
• microform (microfiche or microfilm)
• physical records (records made of physical material such as plaster, gypsum and alginate moulds)
• audio and video tapes, cassettes, CD-ROM etc
• emails
• computerised records
• scanned records
• text messages (SMS) and social media (both outgoing from the NHS and incoming responses from the patient or service user) such as Twitter and Skype
• metadata added to, or automatically created by, digital systems when in use - content can sometimes be of little value if it is not accompanied by relevant metadata
• websites and intranet sites that provide key information to patients or service users and staff

Appendix III provides further details about managing specific types of records, for example, complaints records.

Section 2: records management obligations

2.1 Overview

All health and care employees are responsible for managing records appropriately. Records must be managed in accordance with the law. Health and care professionals also have professional responsibilities, for example, complying with the Caldicott Principles and records keeping standards set out by registrant bodies. Whilst every employee has individual responsibilities, each organisation should have a designated member of staff who leads on records management. Each organisation should also have a policy statement on records management which is made available to staff through induction and training. Organisations may be asked for evidence to demonstrate they operate a satisfactory records management regime.

2.2 Legal obligations

Public Records Act 1958 and Local Government Act 1972

The Public Records Act 1958 is the principal legislation relating to public records. Records of NHS organisations are public records in accordance with Schedule 1 of the Act. This means that employees are responsible for any records that they create or use in the course of their duties. This includes records controlled by NHS organisations under contractual or other joint arrangements, or as inherited legacy records of defunct NHS organisations. The Act applies regardless of the format of the records. The Secretary of State for Health and Social Care and all NHS organisations have a duty under the Act to make arrangements for the safekeeping and eventual disposal of all types of records. This is carried out under the overall guidance and supervision of the Keeper of Public Records who reports annually on this to the Secretary of State for Culture, Media and Sport who is accountable to parliament.

Public health and social care records, where a local authority is the provider (or the provider is contracted to provide services to a local authority), must be managed in accordance with the requirement to make proper arrangements under Section 224 of the Local Government Act 1972. This states that proper arrangements must be in place with respect to any documents that belong to or are in the custody of the council or any of their officers.

Where health and social care records are created as a joint record or part of a system where local health and care organisations can see the records of other local health and care organisations, then these records would be managed in line with the requirements of the Public Records Act 1958 where one or more of the bodies that created the joint record is a public record body.

The NHS Standard Contract notes a contractual requirement on organisations which are not bound by either the Public Records Act 1958 or the Local Government Act 1972 to manage the records they create. There are also statutory requirements affecting both private and voluntary care providers as set out in the Health and Social Care Act 2008.

Freedom of Information Act 2000

The Freedom of Information Act (FOIA) governs access to and management of non-personal public records. The FOIA was designed to create transparency in government and allow any citizen to know about the provision of public services through the right to submit a request for information. This right is only as good as the ability of those organisations to supply information through good records management programmes. Records managers should adhere to the code of practice on record keeping issued by the Secretary of State for Culture, Media and Sport, under section 46 of the FOIA. The section 46 Code of Practice is used as a statutory statement of good practice by the regulator and the courts.

UK GDPR and Data Protection Act 2018

The UK GDPR is the principal legislation governing how records, information and personal data are managed. It sets in law how personal and special categories of information may be processed. The Data Protection Act 2018 principles are also relevant to the management of records. Under the UK GDPR, organisations may be required to undertake Data Protection Impact Assessments (DPIA) as set out in Section 3 of this Records Management Code.

The UK GDPR also introduces a principle of accountability. The Information Commissioner’s Office (ICO) Accountability Framework can support organisations with their obligations. Good records management will help organisations to demonstrate compliance with this principle.

Health and Social Care Act 2008

Regulation 17 under the Health and Social Care Act 2008 requires that health and care providers must securely maintain accurate, complete and detailed records for patients or service users, employment of staff and overall management. The CQC are responsible for regulating this and have issued guidance on regulation 17. The CQC may have regard to the Code when assessing providers’ compliance with this regulation.

Other relevant legislation

Other legislation requires information to be held as proof of an activity against the eventuality of a claim. Examples of legislation include the Limitation Act 1980 or the Consumer Protection Act 1987. The Limitation Act sets out the length of time you can bring a legal case after an event and sets it at six years. This forms the basis for some of the retention periods set out in Appendix II.

2.3 Professional obligations

Staff who are registered to a professional body, such as the General Medical Council (GMC), Nursing and Midwifery Council (NMC) or Social Work England will be required to adhere to record keeping standards defined by their registrant body. This is designed to guard against professional misconduct and to provide high quality care in line with the requirements of professional bodies.

The Academy of Medical Royal Colleges (AoMRC) generic medical record keeping standards were prepared for use in the NHS, primarily in acute settings but the standards are useful for all health and care settings. The AoMRC notes that a medical record, whether paper or digital, must adhere to certain record keeping standards. The Royal College of Nursing has produced guidance on abbreviations and other short forms in patient or client records.

Further information about professional standards for records can be obtained from your relevant professional body. The main standard setting bodies in health and social care in England are:

• Academy of Medical Royal Colleges
• British Medical Association
• General Medical Council
• Health and Care Professions Council
• Royal College of Midwives
• Royal College of General Practitioners
• Royal College of Nursing
• Royal College of Obstetricians & Gynaecologists
• Royal College of Pathologists
• College of General Dentistry
• Pharmaceutical Services Negotiating Committee
• Royal College of Physicians
• Social Work England

There are also organisations that provide advice specifically to records managers and archivists. These are:

• The Federation for Informatics Professionals
• The National Archives
• The Archives and Records Association
• The Institute of Health Records and Information Management
• Information and Records Management Society

Caldicott principles

The Caldicott principles outline eight areas that all health and social care staff are expected to adhere to in addition to the UK GDPR.

2.4 Management responsibilities

Records management should be recognised as a specific corporate responsibility within every organisation. It should provide a managerial focus for records of all types, in all formats throughout their lifecycle, from creation through to ultimate disposal. The records management function should have clear responsibilities and objectives and be adequately resourced to achieve them.

A designated member of staff of appropriate seniority, ideally with suitable records management qualifications, should have lead responsibility for records management within the organisation. This could be a care home manager or practice manager or in a larger organisation, a staff member reporting directly to a board member. This lead role should be formally acknowledged, included in relevant job descriptions and communicated throughout the organisation. It is essential that the managers responsible for the records management function is directly accountable to or works in close association with the managers responsible for other information governance work areas. When new IT projects or upgrades are introduced, the person responsible for records management should be closely involved.

As records management activities are undertaken throughout the organisation, mechanisms must be in place to enable the designated corporate lead to exercise an appropriate level of management of this activity, even where there is no direct reporting line. This might include cross-departmental records and information working groups or individual information and records champions or coordinators who may also be information asset owners.

All staff, whether working with clinical or administrative records, must be appropriately trained so that they are competent to carry out their designated duties and fully aware of their personal responsibilities in respect of record keeping and records management. No patient or service users' records or systems should be handled or used until training has been completed. Training must include the use of electronic records systems. It should be done through generic and organisation-wide training programmes which can be department or context specific. Training should be complemented by organisational policies, procedures and guidance documentation.

2.5 Organisational policy

Each organisation must have an overall policy statement on how it manages all of its records. This may be a standalone policy or part of the overall suite of IG policies. The policy should include details of how the organisation will use the records it creates. For example, as well as records being used to plan and deliver care, they will also be used for service improvement and research.

This statement must be endorsed by the Operational Management Team, board (or equivalent) and made available to all staff at induction and through regular updates and training.

The policy statement should provide a mandate for the performance of all records and information management functions. In particular, it should set out an organisational commitment to create, keep, manage, and dispose of records and document its principal activities in this respect. The policy should also:

• outline the role of records management within the organisation and its relationship to the organisation’s overall strategy
• define roles and responsibilities within the organisation in relation to records, including the responsibility of individuals to document their actions and decisions - an example is, who is responsible for the disposal of records
• assign responsibility for the arrangements for records appraisal, selection and transfer for the permanent preservation of records (as required by section 3 (1) of the Public Records Act 1958)
• provide a framework for supporting standards, procedures and guidelines and regulatory requirements (such as CQC and the Data Security and Protection Toolkit)
• indicate the way in which compliance with the policy and its supporting standards, procedures and guidelines will be monitored and maintained
• provide the mandate for final disposal of all information by naming the committee or group that oversees the processes and procedures
• provide instruction on meeting the records management requirements of the FOIA and the UK GDPR

The policy statement should be reviewed at regular intervals (at least once every two years) and if appropriate should be amended to maintain its relevance. The policy is also an important component of the organisation’s information governance arrangements and should be referenced in the organisation’s IG policies or framework.

Organisations must also conduct an annual survey to understand the extent of their records management responsibilities and to help inform future work-plans. It will aid organisations to know:

• what series of records it holds (and potential quantities)
• the format of its records
• the business area that created the record (and potential Information Asset Owner)
• disposal potential for the coming year

Information Asset Management systems may support this process. They can help identify where records are held and whether they are being held under the correct security conditions, and in the case of health and care records, remain confidential. The process can also be used as an opportunity for asset owners to identify how long their records need to be held. The process will identify business critical assets and ensure that there are adequate business continuity measures in place to assure access.

2.6 Monitoring records management performance

Organisations may be asked for evidence to demonstrate they operate a satisfactory records management regime. There is a range of sanctions available if satisfactory arrangements are not in place. Sanctions vary in their severity for both organisations and the individual. They may include:

• formal warning
• professional de-registration: temporary suspension or permanent
• regulatory intervention: leading to conditions being imposed upon an organisation, or monetary penalty issued by the ICO

Section 3: organising records

3.1 Overview

As set out in section two, each organisation must have a policy for managing records. This section describes how to design and implement a records management scheme, decide what a record is and arrange records. It includes information about the importance of metadata and security classifications.

3.2 Designing a records keeping system

A record keeping system should be implemented at organisational level and within departmental standard operating procedures as appropriate. The records lifecycle, or the information lifecycle, is a term that describes a controlled regime in which information is managed from the point that it is created to the point that it is either destroyed or permanently preserved as being of historical or research interest.

A records management system should cover each stage of the lifecycle:

• creation: create and log quality information
• using: use or handle
• retention: keep or maintain in line with NHS recommended retention schedule
• appraisal: determine whether records are worthy of archival preservation
• disposal: dispose appropriately according to policy

Designing and Implementing Record Keeping Systems (DIRKS) is a manual which led to the creation of ISO 15489-1:2016 Information and documentation - Records Management. This standard, published by the International Organization for Standardization (ISO), focuses on the business principles behind records management and how organisations can establish a framework to enable a comprehensive records management programme. The standard is an eight-stage process and can be summarised as:

1. conduct preliminary investigation
2. analyse business activity
3. identify requirements for records
4. assess existing systems
5. identify strategies to satisfy requirement
6. design records system
7. implement records systems
8. conduct post implementation review

The standard also describes the characteristics of a record.

These characteristics allow strategies, policies and procedures to be established that will enable records to be authentic, reliable, integral and usable throughout their lifecycle.

In terms of ensuring a record is reliable, where an organisation realises that inaccurate information is being held about its patient or service users, then it should take steps to rectify the situation and make records as accurate as they can.

There are a series of other British and international standards that are used to produce record keeping systems. These all interrelate and work within the same guiding principles and where possible use the same terminology. They all rely upon defining roles and responsibilities, processes, measurement, evaluation, review and improvement.

3.3 Conducting a Data Protection Impact Assessment

Under UK GDPR, organisations are required to conduct Data Protection Impact Assessments (DPIAs) where there is a new or change in use of personal data and a potentially high risk to privacy (a DPIA template can be found on NHS England Transformation Directorate’s IG portal). Some uses require a mandatory DPIA (where processing is large scale or introduces new technologies). If you are looking to establish a new records management function, then it will be vitally important to complete a DPIA. This will highlight potential risks to privacy and data protection, allowing you to action, mitigate or eliminate that risk. This must be conducted prior to any processing being carried out.

When you are looking to amend a record’s function, you should check with the person responsible for records management first, for example, your record manager or your data protection officer. DPIA completion in this circumstance will depend on the amendments you are looking to make. For example, if you intend to add three racking shelves for paper HR files to the existing twenty shelves you would probably not complete a DPIA. If you were looking to send your records offsite for scanning or destruction you must complete a DPIA, as this is a new process and the risk is greater.

3.4 Declaring a record

Within the record keeping system, there must be a method of deciding:

• what is a record
• what needs to be kept

This process is described as "declaring a record". A record can be declared at the point it is created or it can be declared at a later date. The process of declaring a record must be clear to staff. A declared record is then managed in a way that will fix it in an accessible format until it is appraised for further value or disposed of, according to retention policy that has been adopted. Some activities will be pre-defined as creating a record that needs to be kept, such as health and care records or the minutes and papers of board meetings. Other records will need to fulfil the criteria as being worth keeping, such as unique instances of a business document or email. Datasets may also be declared as records and managed accordingly.

Declared records can be held in the "business as usual" systems or they can be moved into a protected area such as an Electronic Document and Records Management System (EDRMS) depending on the record keeping system in use. Organisations' teams should only hold the records they need to conduct business locally.

Records and information relating to closed cases may be kept locally for a short period of time (such as a year). This is in case a patient or service user re-presents or is re-referred. After that time, they should be moved to long-term storage for the rest of their retention period. For digital records, a system may already be set up whereby records no longer required for current business are stored (such as a dedicated network drive or space on a drive). Records should be moved there keeping operational space free for current cases or work. This will also restrict unnecessary access to non-current personal or sensitive data. Your organisation’s records management policy should cover what you need to do locally in this circumstance.

Key legislation, such as the UK GDPR or FOIA, applies to all recorded information of the types covered by these Acts, whether declared as a formal record or not. However, declaration makes it easier to manage information in accordance with the legislation and business needs. Requests for information made under this legislation are easier to find in a logical filing system. Accumulations of informally recorded information, which can be difficult to find, should therefore be minimised.

3.5 Organising records

Record keeping systems must have a means of physically or digitally organising records. This is often referred to as a file plan or business classification scheme. In its most basic form, a business classification scheme is a list of activities (for example, finance or HR) arranged by business functions, however, it is often linked to an organisation’s hierarchical structure.

Records should be arranged into a classification scheme, as required by ISO 15489 and the Section 46 Code of Practice. At the simplest level, the business classification scheme can be anything from an arrangement of files and folders on a network to an EDRMS. The important element is that there is an organised naming convention, which is logical, and can be followed by all staff. The scheme can be designed in different ways. Classification schemes should try to classify by function first. Once a recommended functional classification has been selected, the scheme can be further refined to produce a classification tree based on function, activity and transaction, for example:

Function: corporate governance

Activity: board minutes and associated papers

Transaction: April 2018 to March 2019

The transaction can then be assigned a rule (such as retention period), a security status or other action based on the organisational policy. The scheme will enable appropriate management controls to be applied and support more accurate retrieval of information from record systems.

3.6 Using metadata to organise and find records

Metadata is "data about data" or structured information about a resource. The Cabinet Office e-Government Metadata Standard (PDF) states that:

"metadata makes it easier to manage or find information, be it in the form of webpages, electronic documents, paper files or databases and for metadata to be effective, it needs to be structured and consistent across organisations."

The standard sets out 25 metadata elements, which are designed to form the basis for the description of all information. The standard lists four mandatory elements of metadata that must be present for any piece of information. A further three elements are mandatory if applicable and two more are recommended.

Where there is sufficient metadata it can be possible to arrange records by their metadata alone, however, a business classification scheme would always be recommended. Records arranged by their metadata rather than into a classification scheme often lack context. This reduces the ability to produce an authentic record. Finding records arranged in this way is often reliant on a powerful search tool used to "mine" the data or use a process called "digital archaeology". This is not recommended because it is so time-consuming to determine authenticity, but it has been included in this Code as legacy record keeping systems may not have been organised logically.

3.7 Applying security classifications

The NHS has developed a protective marking scheme for the records it creates. It is based on the Cabinet Office Government Security Classifications defined protective marking scheme which is used by both central and local government. Under the NHS Protective Marking Scheme 2014, patient data is classed as "NHS Confidential’"

There is no expectation that a security classification must be applied or used by all health and care organisations. For example, it would be disproportionate for a small care home or dental practice to apply NHS or government security classifications to a small cohort of records. Whereas a large NHS Trust may want to use the NHS classification scheme.

Section 4: records storage for operational use

4.1 Overview

This section covers how to store records for operational use. It includes considerations relating to both paper and digital records including the challenge of ensuring digital records remain authentic and usable over time and the management of off-site storage. Further information about the management of specific formats of records (for example, cloud-based records and records created on personally owned computers and equipment) are in Appendix III.

4.2 Management and storage of paper records

Wherever possible, organisations should be moving to digital records. The original paper record guarantees the authenticity of the record. However, it can make it hard to audit access to the record, depending on where this is stored, because paper records do not have automatic audit logs. Storage of paper records also will incur costs, whether in-house or offsite. This cost will only increase as the size of the holding or length of time they are stored, increases.

Where possible, paper records management processes should be as environmentally friendly as possible. This will help contribute towards the NHS target to reduce its carbon footprint and environmental impact. Examples include the shredding of paper records and the end product used for recycling purposes instead of burning records in industrial furnaces.

4.3 Management and storage of digital records

Digital records offer many advantages over paper records. They can be accessed simultaneously by multiple users, take up less physical storage space and enable activities to be carried out more effectively, for example, through the use of search functions and digital tools.

Digital information must be stored in such a way that, throughout its lifecycle, it can be recovered in an accessible format in addition to providing information about those who have accessed the record.

The European Commission has produced an overarching standard in this area. (Further information is available on the DLM forum foundation). The authenticity of a record is dependent on a number of factors:

• sufficient metadata to allow it to remain reliable, integral and usable (refer to section 3)
• the structure of the record
• the business context
• links between other documents that form part of the transaction the record relates to

The management of digital records requires constant, continual effort, and should not be underestimated. Failure to properly maintain digital records can result in doubt being raised over the authenticity of the digital image. Examples include:

• a record with web links that do not work once they are converted to another format, loses integrity
• a record with attachments, such as hyperlinks or embedded documents that do not migrate to newer media, are not complete or integral
• an email message that is not stored with the other records related to the transaction, is not integral as there are no supporting records to give it context

Digital information presents a unique set of issues which must be considered and overcome to ensure that records remain:

• authentic
• reliable
• retain their integrity
• retain usability

Digital continuity refers to the process of maintaining digital information in such a way that the information will continue to be available as needed despite advances in digital technology and the advent of newer digital platforms. Digital preservation ensures that digital information of continuing value remains accessible and usable.

The amount of work required to maintain digital information as an authentic record must not be underestimated. For example, the information recorded on an electronic health record system may need to be accessible for decades (including an audit trail to show lawful access and maintain authenticity) to support continuity of care. Digital information must not be left unmanaged in the hope a file can be used in the future. The National Archives has produced a variety of technical and role-based guidance and useful checklists to support this management process.

As there are no digital records in existence today that are of such an age, it is difficult to even plan continued access in an authentic form over such a timeframe. For example:

• paper records can deteriorate over time - so can digital media as the magnetic binary code can de-magnetise in a process called "bit rot" leading to unreadable or altered information, thus reducing its authenticity
• software upgrades can leave other applications unusable as they may no longer run on updated operating systems
• media used for storage may become obsolete or degrade, and the technology required to read them may not be commercially available
• file formats become obsolete over time as more efficient and advanced ones are developed

There are several strategies that can be adopted to ensure that digital information can be kept in an accessible form over time. Among the most common strategies adopted are:

• migration to the new systems (retaining existing formats - this is the preferred method)
• emulation (using software to simulate the original application)
• preservation of host system
• conversion to a standard file format (or a limited number of formats)

The Digital Preservation Coalition has produced a Digital Preservation Handbook that will help organisations understand some of the issues associated with retaining digital records for long periods of time.

The UK government National Cyber Security Centre (NCSC) provides good practice guidelines on forensic readiness and defines it as:

"the achievement of an appropriate level of capability by an organisation in order for it to be able to collect, preserve, protect and analyse digital evidence so that this evidence can be effectively used in any legal matters, in security investigations, in disciplinary matters, in an employment tribunal or in a court of law".

The NCSC notes that "it is important for each organisation to develop a forensic readiness of sufficient capability and that it is matched to its business need". Forensic readiness involves:

• specification of a policy that lays down a consistent approach to digital records
• detailed planning against typical (and actual) case scenarios
• identification of (internal or external) resources that can be deployed as part of those plans
• identification of where and how the associated digital evidence can be gathered that will support case investigation
• a process of continuous improvement that learns from experience

In many organisations, forensic readiness is managed by information security or informatics staff, but records managers need to ensure that they input to policy development and feed in case scenarios as necessary.

Where possible, electronic records management processes should be as environmentally friendly as possible to help contribute towards the NHS target to reduce its carbon footprint and environmental impact. An example would be to replace outdated IT servers with up to date energy efficient systems, reducing the amount of energy required for the solution.

4.4 Managing offsite records

It is vital to highlight the importance of actively managing records stored offsite. This applies to both paper records and records stored in cloud-based solutions (refer to Appendix III for further information about cloud-based records). Managing off-site records effectively will ensure that:

• there is a full inventory of what is held offsite
• retention periods are applied to each record
• a disposal log is kept
• there is evidence of secure disposal of records and information

The National Archives has produced guidance to identify and support the requirements for selecting and transferring paper records and further guidance on identifying and specifying requirements for offsite storage of physical records. It is a best practice benchmark for all organisations creating or holding public records and provides advice and guidance on the tracking of records at all stages of the information lifecycle up to disposal. The National Archives does not provide guidance on onsite storage of operational and live records. This should be determined by the local organisation in line with this Code.

When considering using offsite storage, organisations should consider the following:

• Instruction - the controller must provide clear instructions relating to all processing of offsite records including destruction of the records.
• Access to site - access to the storage site should be possible to be able to exercise due diligence, and conduct site visits if necessary.
• Retrieval - organisations will need to agree how their records will be retrieved and what timeframe they will be returned. An example would be to ensure that you can respond to subject access and FOI requests or retrieve them to dispose of when the minimum retention period has been reached.

You must conduct a DPIA if you are looking to start storing records offsite. This is because it will be a new process for handling potentially high volumes of personal data with increased risk. A DPIA must be completed:

• at the outset of entering an offsite storage contract
• if you have not completed one before on the service (even if it has been established for a number of years)
• if you change service provider
• if you change how you manage your contract or elements of it (for example, change from destruction by pulping to destruction by shredding)
• if you end the service by bringing it in-house

If offsite storage is currently operated by your organisation it may be worth conducting a DPIA to ensure current measures guard against risks to privacy. A DPIA is also evidence of due diligence, providing the outcomes are actioned.

Section 5: management of records when the minimum retention period is reached

5.1 Overview

This section covers the management of records once their business need has ceased and the minimum retention period has been reached. A detailed retention schedule is set out in Appendix II. This section includes information on the destruction and deletion of records, reviewing records for continued retention once their minimum period for retention has expired, and the selection of records for permanent preservation. It also includes information and advice about the transfer of records to Place of Deposits (PoD). Appendix I relating to public Inquiries should also be considered before destroying any records.

5.2 Appraisal

Appraisal is the process of deciding what to do with records once their business need has ceased and the minimum retention period has been reached. This can also be known as the disposition of records. The National Archives has produced guidance on appraisal.

Appraisal must be defined in a policy and any decisions must be documented and linked to a mandate to act (derived from the board). Any changes to the status of records must also be reflected in your organisation’s Record of Processing Activity. In no circumstances should a record or series be automatically destroyed or deleted.

When appraising records that have come to the end of their minimum retention period, you should consider the following:

Ongoing use

You might need to keep the record for longer than the minimum period for care, legal or audit reasons. In these cases, you can set an extension to the minimum period, provided it is justified and approved.

Classification of diseases (based on ICD10 code)

Some health conditions may lend themselves towards a longer, or extended, retention period.

Operational delivery

The way a service was delivered may have been pioneering or innovative at the time, which may justify an extended retention period or long-term archival preservation.

The way care is delivered

The records may be reflective of health or care policy at the time.

Series growth

If the records are part of a series that will be added to (type of record rather than additional content into existing records), you need to consider space issues in your local records store or organisation archive. For example, continued expansion of a series that is hardly recalled would not justify an extension to the retention period.

Recall rates

If a series of records is routinely accessed to retrieve records, then there may be justification for extending the retention period due to ongoing use. Whereas, for a series of records that has a very low recall rate, continued retention may be harder to justify.

Historical value

If the record has potential historical or social value (for example, innovative new service or treatment or care delivery method), then consider retaining for longer. It would also be helpful to have early discussions with your local PoD about potential accession, even if the record has ceased to be of operational value or use. PoDs will not normally accession records before 20 years retention has passed, unless there are exceptional circumstances for early transfer. The PoD must agree to the transfer PRIOR to it occurring. If early discussion with the PoD indicates the record (or series) will not be accessioned, and you have no ongoing operational use for the record or series, then you must securely destroy the record, and obtain evidence of destruction (for example, destruction certificate).

Previous deposits

The records you hold may be a continuation of a series that has historically been accessioned by a local PoD. It is important to find out what has historically been accessioned from your organisation to the PoD, so that a series of records remains complete. It is likely that records that add to an already accessioned series will continue to be taken by the PoD.

This list is not exhaustive, and organisations may have bespoke issues to consider as well.

Digital records can be appraised if they are:

• arranged in an organised filing system
• differentiated by the year of creation
• organised by year of closure
• clear about the subject of the record

If digital records have been organised in an effective file plan or an electronic record keeping system, this process will be made much easier. Decisions can then be applied to an entire class of records rather than reviewing each record in turn.

There will be one of three outcomes from appraisal:

• destroy or delete
• continued retention – this will require justification and documented reasons
• permanent preservation

All appraisal decisions need to be justified, follow policy or guidance, and be documented and approved by the relevant board, committee or group of the organisation.

5.3 Destroying and deleting records

If as a result of appraisal, a decision is made to destroy or delete a record, there must be evidence of the decision. It is good practice to get authorisation for destruction or deletion from an appointed committee or group with a designated function to appraise records, working to a policy or guidelines. Where the destruction or deletion process is new, or there is a change in the destruction process (such as a change of provider, or the method used), a DPIA must be completed and signed off by the organisation.

Destruction of paper records

Paper records selected for destruction can be destroyed, subject to following ISO 15489-1:2016. Destruction can be conducted in-house or under contract with an approved offsite company. If an offsite company is used, the health or care organisation, as the controller, is responsible for ensuring the provider chosen to carry out offsite destruction meets the necessary requirements and can evidence this. This evidence should be checked as part of due diligence (for example, if the provider says they have the ISO accreditation, then ask for evidence of this). Other diligence activities, such as a site visit to the contractor, should also be carried out. Destruction provider companies must provide a certification of destruction for the bulk destruction of records. This certification must be linked to a list of records, so organisations have clear evidence that particular records have been destroyed.

Records that do not contain personal data or confidential material can be destroyed in a less secure manner (such as confidential waste bins that do not provide certificates of destruction). If in doubt, material should be treated as confidential and evidentially destroyed. Do not use the domestic waste or put records on a rubbish tip to destroy identifiable, confidential material, because they remain accessible to anyone who finds them. The British Security Industry Association (BSIA) has provided a guide on information destruction.

Destruction of digital records

Destruction implies a permanent action. For digital records "deletion" may not meet the ISO 27001 standard as the information can or may be able to be recovered or reversed. Destruction of digital information is therefore more challenging. If an offsite company is used, the health and care organisation as the controller should check with the ISO whether the provider meets the necessary requirements, similar to the process for the destruction of paper records.

One element of records management is accounting for information, so any destruction of hardware, hard drives or storage media must be auditable in respect of the information they hold. An electronic records management system will retain a metadata stub which will show what has been destroyed.

The ICO guidance Deleting personal data sets out that if information is deleted from a live environment and cannot be readily accessed then this will suffice to remove information for the purposes of UK GDPR. Their advice is to only procure systems that will allow permanent deletion of records to allow compliance with the law.

Electronic systems will vary in their functionality. They may have the ability to permanently delete records from the system or not. Where a record that has reached its retention period and has been approved for destruction, then the record should be deleted if the system allows that function. A separate record should be kept of what record has been deleted.

If a system doesn’t allow permanent deletion, then all reasonable efforts must be made to remove the record from normal daily use. It should be marked in such a way that anyone accessing the record can recognise it as a dormant or archived record. All activity in electronic systems must be auditable, and (where appropriate) local policies and procedures should cover archived digital records.

In relation to FOIA, the ICO guidance Determining whether information is held advises that once the appropriate limit for costs incurred for that FOI has been reached, there are no more requirements to recover information held. The only exemption to this would be where the organisation is instructed by a court order.

The following are examples of when information cannot be destroyed or disposed of:

• If it is subject to a form of access request, for example, Subject Access Request (SAR), FOIA request.
• If it is required for notified legal proceedings, for example, a court order, or where there is reasonable prospect of legal proceedings commencing (an impending court case). This information will possibly be required for the exercising or defending of a legal right or claim
• If it is required for a coroner’s inquest.
• If it is of interest to a public inquiry, for example, who will issue guidance to organisations on what kind of records they may require as part of the inquiry. Once notified, organisations can re-commence disposal, taking into account what records are required by the inquiry. If in doubt, check with the inquiry team.

5.4 Continued retention

The retention periods given in Appendix II are the minimum periods for which records must be retained for health and care purposes. In most cases, it will be appropriate to dispose of records once this period has expired, unless the records have been selected for permanent preservation.

Organisations must have procedures and policies for any instances where it is necessary to maintain specifically identified individual records, or group of records (clinical or otherwise) for longer than the stated minimum, including:

• temporary retention
• public inquiries
• ongoing access request, for example, where the ongoing processing of an access request cuts over the minimum retention period - it would not be acceptable to dispose of a record that is part way through being processed for an access request because the minimum retention period has been reached
• where there is a continued business need beyond the minimum retention period, and this is documented in local policy

There will be occasions where care specialties will create digital records that have different retention periods. For example, a radiology scan might need to be kept for the minimum of 8 years, and then destroyed as the record is no longer required. Yet a different image for a similar case may need to be kept for longer due to the nature of that particular case. In these situations, organisations can apply different retention times and this should be picked up at the review stage once the 8 years has expired.

Where records contain personal data, the decision to retain must comply with UK GDPR. Decisions for continued retention beyond the periods laid out in this Code must be recorded, made in accordance with formal policies and procedures by authorised staff and set a specific period for further review.

Generally, where there is justification, records may be retained locally from the minimum period set in this Code, for up to 20 years from the last date at which content was added.

NHS individual staff and patient records

For NHS individual staff and patient records that have a recommended retention period beyond 20 years (for example, maternity records), these can be retained for longer as specified in Appendix II, in this case for 25 years. The Secretary of State for Science, Innovation and Technology has approved the retention of NHS individual staff and patient records up to 20 years where this is necessary for continued NHS operational use. This may be reflected in an extended retention period beyond 20 years being mandated by the Code (such as with the maternity records). Where organisations use this provision locally to retain records for longer than 20 years, this must be documented in published policies.

It must be remembered that in some cases of health and social care, there may be gaps between episodes of care. If a patient or service user begins a new episode of care whilst their previous record is still within agreed retention periods, then these episodes of care will link, and the retention period will begin again at the end of the current episode. This may mean that some or all of the information from the previous episode will go over a 20-year retention mark, but this is acceptable as it links to a more recent care episode.

Other types of records

For records that are not staff or patient records, for example, board minutes, a different arrangement is in place. Where an organisation needs to keep any other type of record beyond 20 years, then approval must be sought separately from the Secretary of State for Science, Innovation and Technology. This is the case even where the recommended retention period is longer in the Code.

The only exceptions to this are records which mainly relate to information on (i) controlling asbestos including air monitoring records and (ii) ionising radiation including radioactive waste records. These types of records can be kept for the minimum retention period set out in Appendix 2 without needing approval.

Organisations should always check current legislation. Any applications for approval should be made to The National Archives in the first instance (asd@nationalarchives.gov.uk).

5.5 Records for permanent preservation

The Public Records Act 1958 requires organisations to select records for permanent preservation. Selection for transfer under this Act is separate to the operational review of records to support current service provision. It is designed to ensure the permanent preservation of a small core (typically 2-5%) of key records, which will:

• enable the public to understand the working of the organisation and its impact on the population it serves
• preserve information and evidence likely to have long-term research or archival value

Records for preservation must be selected in accordance with the guidance contained in this Code. Any supplementary guidance issued by The National Archives and local guidance from the relevant PoD should always be consulted in advance of any possible accession. This is to ensure it is appropriate to transfer the records selected. As a rule, national organisations, such as NHS England, will accession their records to The National Archives, and local NHS and social care organisations will accession their records to the local PoD, as appointed by the Secretary of State for Science, Innovation and Technology.

Selection may take place at any time in advance of transfer. However, the selection and transfer must take place at or before records are 20 years old. Records may be selected as a class (for example, all board minutes) or at lower levels down to individual files or items.

Records can be categorised as follows:

• transfer to PoD: this class of records should normally transfer in its entirety to the PoD – trivial or duplicate items can be removed prior to transfer
• consider transfer to PoD: all, some or none of this class may be selected (as agreed with the PoD)
• no PoD interest

Other records should not normally be selected for transfer. Whilst there may be occasions where records to support research are transferred (for example, to support research into rare conditions), records should not be transferred just because they relate to research or with the sole purpose of preservation in case they could be used for future research. The Public Records Act 1958 is not designed to support the routine archival of research records. Records should not be transferred unless they specifically meet the criteria below. If in doubt, it is recommended to check with the local PoD.

Where it is known that particular records will be transferred to PoDs routinely, this should be noted in the records management policy (or equivalent) alongside the reason for the routine transfer. Likewise, one-off transfers should also be noted for reference. It is not practical to update local policies each time a transfer is made. If a particular type becomes a regular transfer, this could be added to the next update of the records management policy. It may be sufficient to publish a link to the PoD's public catalogue or The National Archives Discovery Catalogue to which data for transferred records is added annually. Where it is known a record will form part of the public record at creation, it must be preserved locally until such time it can be transferred. PoDs will know which types of records they will always take (such as board minutes).

The Tavistock and Portman NHS Foundation Trust has a policy for the selection of material for permanent preservation: a method for selecting the works of eminent clinicians’ work and a panel for selecting historical records. Where a clinician has amassed a lifetime of research or important cases these may be identified and retained.

Patient or service user records for permanent preservation

Records of individual persons may also be selected and transferred to the PoD provided this is necessary and proportionate in relation to the broadly historical purposes of the Public Records Act 1958 and PoD agreement. For example, individual patient files relating to a hospital that is now closed and the files are coming to the end of their retention. In West Yorkshire, a hospital, which opened in 1919, closed in 1995 and in 2011 patient files were still being transferred to the local PoD to finish the series. All patient records for the hospital are now at the PoD.

Patient or service user confidentiality will normally prevent use for many decades after transfer and the physical resource will be substantial (for example, x number of archive boxes) therefore the transfer of patient or service users records should only be considered where one or more of the factors listed below apply:

• The organisation has an unusually long or complete run of records of a given type.
• The records relate to population or environmental factors peculiar to the locality.
• The records are likely to support research into rare or long-term conditions.
• The records relate to an event or issue of significant local or national importance.
• The records relate to the development of new or unusual treatments or approaches to care, or the organisation is recognised as a national or international leader in the field of medicine or care concerned.
• The records throw particular light on the functioning, or failure, of the organisation, or the NHS or social care in general.
• The records relate to a significant piece of published research.

Any policy to select patient or service user records should only be agreed after consultation with appropriate clinicians, the group or committee responsible for records management and (if necessary), the Caldicott Guardian. This decision, and the reasoning behind the decision, should be published in the minutes of the meeting at which this decision is taken. Routine transfers of patient or service user records to a PoD can be included in the records management policy of the organisation or its equivalent.

Any records selected should normally be retained within the NHS or social care (under the terms of Retention Instrument 122) until the patient or service user is deceased, or reasonably assumed to be so and then can subsequently be transferred. Records no longer required for current service provision may be temporarily retained pending transfer to a PoD. Records containing sensitive or confidential information should not normally be transferred early, unless in agreement with the PoD. If a patient or service user expresses a wish that they do not want their health or care record transferred to a PoD, this must be respected unless the transfer is required by law.

Transfers of records to the Place of Deposit

Records selected for permanent preservation should be transferred to the relevant PoD appointed by the Secretary of State for Science, Innovation and Technology. PoDs are usually public archive services provided by the relevant local authority. Current contact details of PoDs and the organisations which should transfer to them can be found on The National Archives website. As a general rule, national public sector organisations will deposit with The National Archives, while local organisations will deposit with a local PoD. For example, NHS England will deposit with The National Archives, whereas a local NHS body or local authority will deposit with the local PoD. This could be the county record office, or a specialised facility run by local authorities for the county.

There will be a mandatory requirement to transfer some types of records whereas others will be subject to local agreement. The retention schedule included with this Code identifies records which should be transferred to the locally approved PoD when business use has ceased. There may also be records of local interest which need to be accessioned to the PoD (such as a continuation of a series already accessioned). Prior to any transfer being made, a discussion must be had with the local PoD to enable agreement on which records will be transferred and the process for doing so. (Also refer to Appendix I, which provides information about public inquiries that may impact upon the selection of records for transfer).

Transferred records should be in good condition and appropriately packed, listed and reviewed for any FOIA exemptions. Records selected for transfer to a PoD (after appraisal) may continue to be exempt from public access for a specified period after transfer in accordance with Section 66 of FOIA. For more detail on the transfer process and sensitivity review refer to The National Archives guidance.

Requests to access records held in the Place of Deposit (PoD)

Once transferred to the PoD, records will still be owned by the organisation transferring them and all relevant laws will apply. Individual records deposited with PoDs are still protected by the UK GDPR, FOIA and duty of confidentiality. Where records are kept for permanent preservation for reasons other than care, consideration should be given to preserving the records in an anonymised way to protect confidentiality. Where this is not possible, then consider removing as many identifiers as possible. If you are looking to preserve a record because the treatment provided was innovative or highlights new ways of working, then the identity of the patient is not required. For individual care, it would be required, as the record may need to be retrieved.

Where a local PoD (PDF) holds records and access is requested, the PoD will liaise with the depositing organisation before releasing any information (including any checks for SARs required by UK GDPR and any exemptions under FOIA). This allows for a check for any harmful information that may be in the record or if there are other grounds on which to withhold the record. Where a public interest test is required, the transferring organisation must carry this out and inform the PoD of the result. The depositing organisation must make a decision on what information to release and where information is withheld, explain the reason why (except in exceptional circumstances, for example, a court order to the PoD).

Unless there are exceptional circumstances, PoDs will not normally continue to apply FOI exemptions to records more than 100 years old.

Where a patient or service user has died the UK GDPR no longer applies but FOIA applies regardless (PDF) as to whether the individual is alive or not. The Section 41 (confidence) exemption of FOIA and the duty of confidence remain relevant so records cannot be accessed by anyone who does not have a lawful basis to view a record. FOIA decisions indicate that, in general, health and social care information will remain confidential after death.

The duty of confidence does diminish over time, but it is recommended that at least 10 years should have passed after a person's death before reviewing the consequences of relaxing disclosure controls on information about a person previously regarded as confidential. This review should consider the potential harm or distress to surviving family members of disclosing information that might be regarded as particularly sensitive or likely to attract publicity, and the risks that the disclosure might undermine public trust in the health and care system. When a person is deceased, the Access to Health Records Act 1990 may enable access to the health record for a limited purpose by specified individuals (such as the Personal Representative and those with a claim arising out of the death of the person). The Transformation Directorate of NHS England has produced guidance on access to records of deceased individuals.

Appendix I: public and statutory inquiries

Records form an important part of the evidence in inquiries. Inquiries take into account a huge range of records and what is required can vary by inquiry. When an inquiry is conducted, the inquiry team will issue detailed guidance setting out what types of records they are interested in. If you have any records that an inquiry requests, you must produce them or explain why you cannot produce them.

Before any records relating to inquiries are destroyed, you must check with the inquiries team that they are no longer required. If you are in doubt regarding records that may or may not be of use for an inquiry, you must retain them until there is clear instruction from the inquiry.

Before considering the selection of records for permanent preservation under the Public Records Act 1958 (refer to section 5), you should discuss any inquiries with the relevant PoD to take account of exceptional local circumstances and defunct record types not listed here.

At the time of writing there are four ongoing or imminent Inquiries which health and social care organisations need to be aware of as they may request records and information:

• The Infected Blood Inquiry - further information about the records required can be found on their website
• The COVID-19 Inquiry - The Transformation Directorate of NHS England has produced some guidance and FAQs on this Inquiry
• Lucy Letby Inquiry – the government has announced in August 2023 that there will be a statutory Inquiry into Lucy Letby’s actions, following the conclusion of her trial
• Independent Inquiry into the issues raised by the David Fuller case – there is an ongoing independent inquiry into the actions of David Fuller. This was established in November 2021

Appendix II: retention schedule

This appendix sets out the retention period for different types of records relating to health and care. Where indicated, Appendix III should also be referred to. This sets out further detail relating to the management of specific types and formats of records.

Search the retention schedule table

The table below sets out the retention periods for different types of records relating to health and care. The retention periods listed in this retention schedule must always be considered the minimum period.   

You can browse down all the records in the retention schedule or use the search box and category filter to find specific records relevant to your work.

Appendix III: how to deal with specific types of records

This Appendix provides detailed advice on records management relating to specific types of records for example, transgender records, protected persons health records and adopted persons records. These are presented in alphabetical order. It also provides advice on managing certain formats of records, for example, emails, cloud-based records and scanned records.

Adopted persons health records

Notwithstanding any other centrally issued guidance by the Department of Health and Social Care or Department for Education, the records of adopted persons can only be placed under the new last name when an adoption order has been granted. Before an adoption order is granted, an alias may be used but more commonly the birth names are used.

Depending on the circumstances of the adoption there may be a need to protect from disclosure any information about a third party. Additional checks before any disclosure of adoption documentation are recommended because of the heightened risk of accidental disclosure.

It is important that any new records, if created, contain sufficient information to allow for a continuity of care. At present the GP would initiate any change of NHS number or identity if it were considered appropriate to do so following the adoption.

Ambulance service records

Ambulance service records will contain evidence of clinical interventions delivered and are therefore clinical records. This means that they must be retained for the same time as other acute or mental health clinical records depending on where the person is taken to for treatment. Where ambulance service records are not clinical in nature, they must be kept as administrative records. There is a distinction between records of patient transport and records of clinical intervention. If the ambulance clinical record is handed over to another service or NHS trust, there must be a means by which the ambulance trust can obtain them again if necessary. Alternatively, they can be copied and only the copy transferred, providing this is legible.

Asylum seeker records

Records for asylum seekers must be treated in exactly the same way as other care records, allowing for clinical continuity and evidence of professional conduct. Organisations may decide to give asylum seekers patient or service user-hold records (section below) or hold them themselves. Patient or service user held records should be subject to a risk assessment because the record legally belongs to the organisation, and if required, they must be able to get it back. There is a risk that patient or service user held records could be tampered with or altered in an unauthorised way so careful consideration needs to be given to this decision.

Audio and visual records

Audio and visual records can take many forms such as using a dictaphone (digital or analogue) to record a session or conducting a health or care interaction using videoconferencing technologies.

The following needs considering when patient or service user interactions are captured in this way:

Clinical appropriateness

Organisations should decide when it is appropriate to use audio or visual methods for the provision of health or care. This should be documented in organisational policies and understood by the relevant health and care professionals.

Retention

If the recording is going to be kept elsewhere (for example, as part of the health and care record) then there is no reason to keep the original recording provided the version in the main record is the same as the original or there is a summary into words which is accurate and adequate for its purpose. If the recording is the only version or instance of the interaction, then it must be kept for the relevant retention period outlined in this Code (for example, adult, child health or mental health retention periods). Some recordings may have archival value (although this is unlikely), and this should be considered on a case-by-case basis.

Digital continuity

You must consider the medium on which the recording is made and ensure that it is available throughout its retention period (for example, if the system or file format is becoming obsolete, then you will need to migrate it to a newer platform or format to ensure availability). If it is a digital recording and you are looking to store it in the health and care record, ensure the transfer process captures the authenticity of the recording kept.

Storage

Ensure your recordings are stored on systems you control or are provided to you under contract. If stored with the product provider, you must give them (as controller) clear instructions on the storage and retention of those images (for example, delete one month after the date of the recording because it has been summarised into the main health and care record, or retain for 8 years from consultation with the patient or service user, then destroy). Providers acting under contract to a controller are obliged to carry out their written instruction.

Transparency

You must be transparent with patients and service users regarding the use of audio and visual technology, and associated records, so that they have a reasonable understanding of how they will be used, why, and what will happen with the recording after the interaction. For example, it would be unfair to tell participants that the recordings are deleted if they are not.

Child school health records

Similar to family records, each child should have their own school health record rather than a record for the school (with consecutive entries) or per year intake. If a child transfers to a school under a different local authority, then the record will also need to be transferred to the new school health service provider. This must only be done once it is confirmed the child is now resident in the new location. The record must be transferred securely. The recipient of the record should contact the sender to confirm receiving the record (if appropriate). If the records are kept on school premises, then access must be restricted to health staff delivering care or other staff who have a legitimate reason to access them.

Local organisations may operate a paper or digital system. Records from other child health teams, following a referral, must be accepted by the receiving organisation regardless of format. This is due to safeguarding risks.

Complaints records

Where a patient or service user complains about a service, it is necessary to keep a separate file relating to the complaint and subsequent investigation. Detailed complaint information should never be recorded in the health and care record. A complaint may be unfounded or involve third parties and the inclusion of that information in the health or care record will mean that the information will be preserved for the life of the record and could cause detrimental prejudice to the relationship between the patient or service user and the health and care team. In some cases, it may be appropriate to share details of the complaint with the health and care professional involved in providing individual care in order to make improvements in care delivery. However, there may also be times where the complaint is about an individual but not care related and it might not be appropriate to share details of the complaint with that person, in case further action is required. The complaints team should review each complaint on a case-by-case basis.

Where multiple teams are involved in the complaint handling, all the associated records must be brought together to form a single record. This will prevent the situation where one part of the organisation does not know what the other has done. A complaint cannot be fully investigated if the investigation is based on incomplete information. It is common for the patient or service user to ask to see a copy of their complaint file and it will be easier to deal with if all the relevant material is in one file. Where complaints are referred to the Ombudsman Service, a single file will be easier to refer to.

Health and care organisations should have a local policy to follow with regards to complaints, covering how information will be used once any complaint is raised, and after the complaint has been investigated, regardless of outcome. The ICO has also issued guidance on complaints files and who can have access to them, which will drive what must be stored in them.

Contract change records

Once a contract ends, any service provider still has a liability for the work they have done and, as a general rule, at any change of contract the records must be retained until the time period for liability has expired.

In the standard NHS contract there is an option to allow the commissioner to direct a transfer of care records to a new provider for continuity of service and this includes third parties and those working under any qualified provider contracts. This will usually be to ensure the continuity of service provision (for current cases) upon termination of the contract. It is also the case that after the contract period has ended, the previous provider will remain liable for their work. In this instance there may be a need to make the records available for continuity of care or for professional conduct cases.

When a service is taken over by a new provider, the records of the service (current and discharged cases) all transfer to the new provider (unless directed otherwise by the commissioner of the service). This is to ensure that the records for the service remain complete and enable patients or service users to obtain their record if they so request it. It also makes the records easier to locate if they are required for other purposes. This will also stop the fragmentation of the archive records for the service and make it much easier to retrieve records.

Where legislation creates or disbands public sector organisations, the legislation will normally specify which organisation holds liability for any action conducted by a former organisation. This may also include consideration of the identity of the legal entity, which must manage the records.

In some cases, records may end up orphaned. This may happen where the organisation that created them is being disbanded and there is no successor organisation to take over the service or provision. In these cases, orphaned records need to be retained by the highest level commissioner of that service or provision. For example, if a GP practice closes, patients will be offered the choice to register with another nearby practice. When they register with the new practice, the record will follow the patient to that new practice. However, if a practice closes, and the patient does not re-register elsewhere, the record will transfer to NHS England, who commission primary care services in England for ongoing management.

Where the content of records is confidential, for example, health and care records, it will be necessary to inform the individuals concerned about the change. Where there is little impact upon those receiving care, it may be sufficient to use posters and leaflets to inform people about the change, but more significant changes will require individual communications. Although the conditions of UK GDPR may be satisfied, in many cases there is still a duty of confidentiality which may require a patient or service user (in some cases) to agree to the transfer, dependent upon the legal basis and the implications of their choice discussed with them. If the new provider has a statutory duty to provide the service, then consent does not need to be sought. If there is no statutory duty, then consent would need to be sought to satisfy the common law duty of confidentiality.

It is vital to highlight the importance of actively managing records, which are stored in offsite storage (refer to section three of the Code for further information on offsite storage including the importance of completing a DPIA).

These principles and guidance can also apply to non-clinical situations as well, such as when health or care organisations merge, or a new organisation is created.

Annex 1 of this appendix summarises the considerations and actions required relating to various contract change situations.

Continuing healthcare (CHC) records

NHS Continuing healthcare (CHC) records can be split into two parts:

Care record

The care record is the information relating to a patient or service user’s care that is provided to the CHC Multi-Disciplinary Team (MDT) to determine their eligibility for CHC, based on an assessment of their care needs. It is not the original care record created by the health and care organisation providing direct care to the individual. This can be provided directly by the patient or service user or obtained from health and care providers as part of the CHC assessment process. The CHC assessment process is set out in the National Framework for NHS Continuing Healthcare and NHS-funded Nursing Care.

Administrative record

The administrative record is the information generated as a result of a patient or service user’s undergoing a CHC assessment process - an example being appointment letters asking the patient or service user to attend a meeting or receiving the outcome letter for their application.

Integrated Care Boards (ICBs) require access to health and care information to determine a patient or service user’s entitlement to CHC (once the ICB has been notified of this potential entitlement).

The ICBs duty to assess a patient or service user for CHC assessment is covered by law in the NHS Commissioning Board and Clinical Commissioning Groups (Responsibilities and Standing Rules) Regulations 2012. These regulations create a legal requirement to share confidential patient information (where necessary and relevant) for CHC eligibility assessments. This means that confidential patient information can be shared for CHC eligibility assessments without breaching data protection laws. The statutory requirement to share information also means that the common law duty of confidentiality is overridden, so consent from an individual to use their information as part of the eligibility assessment is not required.

ICBs will need to have systems in place to allow for the safe and secure sharing of patient or service user information with relevant partners as necessary, and to inform patient or service users of how their data will be used as part of this process. Digital viewing and sharing of records may be preferable to paper copies being printed and used for CHC, due to the risk of accidental loss or disclosure.

CHC records should be kept for the same period of time as adult and child health records, from the date the case is decided by the CHC panel - including any subsequent appeal of a panel decision. Where CHC cases relate to mental health, these should be kept for the same period of time as mental health records.

Controlled drugs regime

NHS England, in conjunction with the NHS Business Services Authority, has established procedures for handling information relating to controlled drugs. This guidance includes conditions for storage, retention and destruction of information. Where information about controlled drugs is held please refer to CQC guidance.

Duplicate records

The person or team to which the record relates will normally hold the original record however occasionally duplicates may be created for legitimate business purposes. It is not necessary to keep duplicates of the same record unless it is used in another process and is then a part of a new record. Where this is not required, the original should be kept, and the duplicate destroyed. For example, incident forms, once the data is entered into the risk information system, the paper is now a duplicate, and so can be destroyed. Some clinical systems allow printouts of digital records. Where printouts are used, these must be marked as duplicates or copies to help prevent them from being used as the primary record.

Evidence required for courts

In UK Law, the civil procedure rules allow evidence to be prepared for court and, as part of this, the parties in litigation can agree what documents they will disclose to the other party and, if required, dispute authenticity. The disclosure of digital records is referred to as E-Disclosure or E-Discovery. The relevant part for disclosure and admissibility of evidence is given in the Ministry of Justice's Civil Procedure Rules - Part 31. If records are arranged in an organised filing system, such as a business classification scheme, or all the relevant information is placed on the patient or client file, providing records as evidence will be much easier. Further advice on electronic records and evidential weighting can be found in BIP10008: Evidential Weight and Admissibility of Electronic Information.

Family records

Family records used to be common within health visiting teams, amongst others, where a whole family view was needed to deliver care. Whilst these records should no longer be created, they are included here for legacy reasons.

Due to changes in the law and best practice, it is not advisable to create a single paper or digital record that contains the care given to all family members. Each person is entitled to privacy and confidentiality, and having all a person’s records in one place could result in a health professional or family member accessing confidential information of another family member accidentally or otherwise.

Good practice would be to create an individual file for each person but with cross references to other family members. This means that each individual has their own record, but health and care professionals can see who else is related to that person, and so can check these records where necessary. Single records also help to protect privacy and confidentiality and (if digital) keep an audit trail of access.

General Practitioner records

It is important to note that the General Practitioner (GP) record, usually held by the General Practice, is the primary record of care and the majority of other services must inform the GP through a discharge note or a clinical correspondence that the patient has received care. This record is to be retained for the life of the patient plus at least ten years after death. The GP record transfers with the individual as they change GP throughout their lifetime. Where the patient has de-registered, records should be kept for 100 years since de-registration.

Current guidance advises that the content of paper Lloyd George records should only be destroyed once they have been scanned to the required standard and quality assurance of the scanned images has been completed, confirming that they are a like for like copy of the original paper records. The Lloyd George envelope itself should not be destroyed at the current time and must be kept to meet with the requirements for patient record movement. NHS England undertook a project to cease the creation of Lloyd George envelopes for all new entrants to the NHS which was implemented in January 2021 (except in limited circumstances). They are also looking at ways to enable destruction of existing Lloyd George envelopes, though this aspect may have a longer implementation timeframe. This Code will be updated as the programme develops.

Individual funding requests (IFRs)

Similar to CHC, IFR cases are mainly administrative records, but also contain large amounts of personal or confidential patient information and as such, should be treated in the same way as CHC records.

As IFRs are unique to an individual, it may be that the care package given to the patient or service user is unique and bespoke to that person. This could mean that the record may have long-term archival value, due to the uniqueness of the care given in this way, and so potentially may be of interest to The National Archives. Local discussions should be held with the PoD to determine the level of local interest, although they would not normally get involved at this level of discussion. It would be a joint discussion on the principle and agreement to archive this type of record and then the responsibility of the health and care organisation to choose individual records that meet this criteria.

Integrated records

Since 2013, there has been an increase in the number of initiatives promoted and launched that involve integrated records. There has also been recognition nationally that joined up delivery of health and care services can increase the quality of care delivered, and also deliver those services more efficiently. Examples include:

• Sustainability and Transformation Plans (STPs)
• Integrated Care Systems (ICSs)
• Connecting Care Records programme (ConCR)

Depending on the agreements under which integrated records are established these may be subject to the Public Records Act. Generally, if an NHS body is at least partly responsible for the creation and control of the record, it will normally be considered a public record to be managed in accordance with the Act. The relevant PoD should be notified that this is the case. If in doubt, consult with The National Archives.

The options for organisations will depend on what local architecture and systems are already in use. There are three types of retention for integrated records, and suggested retention periods for each.

1. All organisations contribute to a single record, creating the only record for that patient or service user. Consideration must be given to how this is managed in practice (for example, some records will be retained for 8 years and some for 20 years but they will look the same at face value) (retain for the longest specialty period involved).
2. All organisations pool their records into a single place but keep a level of separation between each type of record (retain for each specialty as applicable - because they are not merged)
3. All organisations keep their own records, but allow others to view their records, but not amend or add to (retain for each specialty as applicable - because they are not merged)

Where organisations are looking to create integrated records, they must enter into a joint controller arrangement, which detail the purpose and method of integrated records. It should also set out how disputes between controllers may be resolved. Information materials for patient or service users must also reflect how their records are used.

Increasingly, where organisations are using this type of system, the information contained within has the potential to be used for purposes other than individual care, such as Population Health Management (PHM). PHM is a tool that is increasingly being used to help plan and prepare care provision in a particular geographical area or specialty. See also the section on Integrated viewing technology and record keeping in the format section below.

The Transformation Directorate of NHS England has published an Information Governance Framework for Shared Care Records, which provides further guidance.

Occupational health (OH) records

Occupational health records are not part of the main staff record and for reasons of confidentiality they are held separately. It is permitted for reports or summaries to be held in the main staff record where these have been requested by the employer and agreed by the staff member. When occupational health records are outsourced, the organisation must ensure that:

• staff are aware of the outsourcing and how their information may be used for OH purposes
• the contractor can comply as necessary with data protection and confidentiality requirements
• there is a contract in place with the outsourced provider that has legally binding clauses in relation to data protection and confidentiality
• the contractor can retain records for the necessary period after the termination of contract for purposes of adequately recording any work-based health issues and is able to present them to the organisation if required

Pandemic records

Health and care organisations will create records as part of a response to a global pandemic. Pandemic events are rare but will nevertheless create records that need to be managed.

Both patient and service user records will be created that detail the care given to people affected by the pandemic. Corporate records will also be created which record business decisions, policies and processes that were taken in response to a pandemic.

These records should be managed in accordance with the retention schedules set out in this Code. Organisations should be mindful of the COVID-19 public Inquiry. The NHS England Transformation Directorate has produced guidance and FAQs on the COVID-19 public Inquiry.

If organisations have created records specifically in response to a pandemic, these should not be destroyed when they have reached their minimum retention period, unless the public inquiry has ended, or the Inquiry has provided guidance on what type of records it will be interested in. These specific records may have historical value, so discussions should take place with your local PoD. A policy on how to manage a new admission to a care home of an individual with a coronavirus diagnosis may be of interest to the PoD, whereas the care record might not have the same value and should be managed as a health and care record. Any guidance or advice issued by The National Archives or your local PoD in relation to the preservation of pandemic records should be followed.

Patient or service user held records

Some clinical or care services may benefit from the patient or service user holding their own record, for example, maternity services. Where this is considered to be the case a risk assessment should be carried out by the organisation. Where it is decided to leave records with the individual who is the subject of care, it must be indicated on the records that they remain the property of the issuing organisation and include a return address if they are lost. Upon the discharge of the patient or service user, the record must be returned to the health or care organisation involved in the person’s care.

Organisations must be able to produce a record of their work, which includes services delivered in the home where the individual holds the record. Upon the termination of treatment, where the records are the sole evidence of the course of treatment or care, they must be recovered and given back to the issuing organisation.

A copy can be provided if the individual wishes to retain a copy of the records through the SAR process. In cases where the individual retains the actual record after care, the organisation must be satisfied it has a record of the contents.

Patient or service user portals

Organisations may implement products that provide patients and service users with access to their records. Access may be either online or via an app or portal. There are increasing numbers of commercial organisations that are providing these products.

The provision of these products must comply with data protection legislation. Health and care organisations must conduct a DPIA if they are considering using such a product. Health and care organisations must remain controller for the patient or service user’s information. In most cases, the supplier of the product or system will be a processor as the product facilitates access to the information held by health and care organisations.

Controllers must consider what is relevant and proportionate to include in this type of record. Some information may not be appropriate to add to the portal, for example, harmful information a patient does not know yet because the intention is to let them know in person during a consultation.

Information about the patient or service user must not be uploaded into the product until there is a clear legal basis for doing so, for example, patient consent. Individuals must be provided with information materials so that they can make an informed choice as to whether or not to sign up. The materials should also make it clear what information patients and service users can upload themselves directly to the portal if this is an option. It should also be clear to the patient or service user who controls the information.

Information stored in a product like this should be retained in line with the retention schedules outlined in this Code (for example, adult health records for 8 years after last seen).

Pharmacy held patient records

These are the records of patients that the pharmacy has dispensed medications to or had some other form of clinical interaction with (for example, given a flu jab) - similar to a hospital or care home patient record.

Records of prescriptions dispensed will be kept by NHS BSA so there is no need to keep a copy of the prescription locally except for audit purposes.

Other elements of the pharmacy record, for example, vaccinations provided, should be viewed in the same way as a patient record, and should be destroyed 8 years after the last interaction with the patient. However, if there is a need to keep the record for longer, then this can be extended up to 20 years, provided there is a justified, documented and approved reasons for doing so. Information materials for patients should also be reflective of the organisation’s retention period.

Prison health records

In 2013 responsibility for offender health in HM Prison Service transferred from the Ministry of Justice to NHS England. A national computer-based record was created to facilitate the provision of care and the transfer of care records associated with inmate transfers throughout imprisonment.

A significant number of paper records remain, and some offender health services operate a mix of paper and digital records. Prison records should be treated as hospital episodes and may be disposed of after the appropriate retention has been applied. The assumption is that a discharge note has been sent to the GP.

Where a patient or service user is sent to prison the GP record (or social care record) must not be destroyed but held until the patient is released or normal retention periods of records have been met.

Prison health records may have archival value, but this is the exception rather than rule. Records should be kept in line with the same period as for de-registered GP records, with a view to further retention (with justification) and a potential transfer to a PoD, subject to their approval.

Private patients treated on NHS premises

Where records of individuals who are not NHS or social care funded are held in the record keeping systems of NHS or social care organisations, they must be kept for the same minimum retention periods as other records outlined in this Code. The same levels of security and confidentiality will also apply.

Public health records

A local authority normally hosts public health functions, but the functions still involve the handling of health and care information. For this reason, public health functions are in the scope of this Code. Where clinical information is being processed by the public health function it is expected to comply with the Code of Practice for Confidential Information.

Records relating to sexually transmitted diseases

Organisations that provide care and support under the NHS Trusts and Primary Care Trusts (Sexually Transmitted Disease) Directions 2000 must be aware of the additional obligations to confidentiality these impose on employees and trustees of organisations. These organisations include NHS Trusts, Local Authority Public Health teams, and those providing services under NHS contracts.

This obligation differs from the duty of confidentiality generally because it prohibits some types of sharing but enables sharing where this supports treatment of patient or service users. For this reason, it is common for services dealing with sexually transmitted diseases to partition their record keeping systems to comply with the directions and more generally to meet patient or service users’ expectations that such records should be treated as particularly sensitive.

Secure units for patients detained under the Mental Health Act 1983

Mental health units operate on a low, medium and high-risk category basis. Not all patients on these units will have been referred via the criminal justice system. Some patients may be deemed a risk under the Mental Health Act and will need to be accommodated accordingly. Some patients may be high-risk due to the nature of a crime they have committed because of their mental health and therefore will need to be treated in a high secure hospital, such as Broadmoor. As such, their records should be treated in the same way as other mental health records including retention periods (20 years, and longer if justified and permitted) and final disposal. A long retention time may also help staff at these units deal with subsequent long-term enquiries from care providers.

Sexual assault referral centres

Sexual assault referral centres (SARCs) are highly specialised forensic and health services co-commissioned by Police and Crime Commissioners and NHS England. SARCs support the physical, mental health and wellbeing of service users and collect forensic evidence pertaining to alleged sexual offences. Records generated may include forensic medical examination notes, body maps, photographic records, and DNA intelligence. Reports or statements on these records may be required as evidence in a court of law, and the records management process must facilitate this. Based on relevant guidance, legal and regulatory obligations, a minimum retention period of 30 years for SARC records has been applied by NHS England. This retention period reflects the severity of the alleged offence; the length of time for the potential bringing of criminal justice proceedings and right to appeal; and the potential for cold case review. Retaining records beyond 30 years is acceptable provided there is ongoing justification and the decision is documented and approved by the relevant committees responsible for the SARCs operational delivery.

Specimens and samples

The retention of human material is covered by this Code because some specialities will include physical human material as part of the patient or service user record (or linked to it). The record may have to be retained longer than the sample because the sample may deteriorate over time. Relevant professional bodies such as the Human Tissue Authority or the Royal College of Pathologists have issued guidance on how long to keep human material. Physical specimens or samples are unlikely to have historical value, and so are highly unlikely to be selected for permanent preservation.

The human material may not be kept for long periods, but that does not mean that the information or metadata about the specimen or sample must be destroyed at the same time. The information about any process involving human material must be kept for continuity of care and legal obligations. The correct place to keep information about the patient is the clinical record and although the individual pathology departments may retain pathology reports, a copy must always be included on the patient record. Physical specimens or samples do not have to be stored within the clinical record (unless designed to do so) but can be stored where clinically appropriate to keep the material, with a clear reference or link in the clinical file, so both the material and the clinical record can be joined together if necessary.

Staff records

Staff records should hold sufficient information about a staff member for decisions to be made about employment matters. The nucleus of any staff file will be the information collected through the recruitment process and this will include the job advert, application form, evidence of the right to work in the UK, identity checks and any correspondence relating to acceptance of the contract. The central HR file must be the repository for this information, regardless of the media of the record.

It is common practice in some health and care organisations for the line manager to hold a truncated record, which contains portions of an employee’s employment history. This can introduce risk to personal information (as it is duplicated), but also potentially expedient to do so. Organisations considering whether to use, or discontinue using, local HR files, should complete a risk assessment.

Information kept in truncated staff files should be duplicates of the original held in the central HR file. If local managers are given originals as evidence (such as a staff member bringing in a certificate of competence) they should take a copy for local use and the original should be kept with the main HR file. It is important that there is a single, complete employment record held centrally for reference and probity.

Upon termination of contract (for whatever reason), records must be held up to and beyond the statutory retirement age. Staff records may be retained beyond 20 years if they continue to be required for NHS or organisational business purposes, in accordance with Retention Instrument 122. Usually this relates to inpatient ward areas, where the ward manager will keep a small file relating to the training and clinical competencies of ward staff. Where there is justification for long retention periods or protection is provided by the Code, this will not be in breach of GDPR Principle 5. (Refer to section 5 of the Code for further information about retention of records).

Some organisations operate a weeding system, whereby staff files are culled of individual record types that are now time expired (such as timesheets). Others have just kept the whole file as is and archived it away until 75th birthday. It is not recommended to change your system from one to the other because:

• the effort involved would be disproportionate to the end result
• if you begin to weed files, you would need to do this retrospectively to all files, to avoid having two types of central HR file
• you cannot reverse the weeding process - if you decide to keep full records, it is impossible to remake historically weeded files complete again

Both systems are acceptable, regardless of media. It is noted that organisations may have a hybrid system of paper historical staff files and digital current staff files. If possible, organisations should consider moving all their files into one format to create consistency.

Where an organisation decides to use a summary, it must contain as a minimum:

• a summary of the employment history with dates
• pension information including eligibility
• any work-related injury
• any exposure to asbestos, radiation and other chemicals which may cause illness in later life
• professional training history and professional qualifications related to the delivery of care
• list of buildings where the member of staff worked, and the dates worked in each location

Disciplinary case files should be held in a separate file so they can be expired at the appropriate time and do not clutter up the main file. That does not mean that there should be no record that the disciplinary process has been engaged in the main record, as it may be pertinent to have an indication to the disciplinary case, but the full details and file must be kept separately from the main file.

With regards to staff training records, it can be difficult to categorise them to determine retention requirements but keeping all the records for the same length of time is also hard to justify. It is recommended that:

• clinical training records are retained until 75th birthday or six years after the staff member leaves, whichever is the longer
• statutory and mandatory training records are kept for ten years after training is completed
• other training records are kept for six years after the training is completed

The Chartered Institute for Personnel and Development, and the ICO have provided further information and advice on the retention of HR records (PDF, 2,717KB).

Transgender patients' records

Sometimes patients change their gender and part of this may include medical care. Records relating to these patients or service users are often seen as more sensitive than other types of medical records. While all health and care records are subject to confidentiality restrictions, there are specific controls for information relating to patients or service users with a Gender Recognition Certificate. The use and disclosure of the information contained in these records is subject to the Gender Recognition Act 2004, (GRA) which details specific restrictions and controls for these records. The GRA is clear that it is not an offence to disclose protected information relating to a person if that person has agreed to the disclosure. The GRA is designed to protect trans patient and service user data and should not be considered a barrier to maintaining historic medical records where this is consented to by the user.

There are established processes in place for patients undergoing transgender care in relation to the NHS number and the closing and opening of new Spine records. In practice, nearly all actions relating to transgender records will be based on explicit consent. Discussions will take place between the GP and the patient regarding clinical care, what information in their current record can be moved to their new record and any implications this decision may have (for example, they may not be called for a gender specific screening programme). Patients should be offered ways to maintain their historical records. This could include editing previous entries and removing references containing previous names and gendered language. Any decisions made regarding their record must be respected and the records actioned accordingly.

Any patient or service user can request that their gender be changed in a record by a statutory declaration, but the Gender Recognition Act 2004 provides additional rights for those with a GRC. The formal legal process (as defined in the Gender Recognition Act 2004) is that a Gender Reassignment Panel issues a Gender Reassignment Certificate. At this time a new NHS number can be issued, and a new record can be created, if it is the wish of the patient or service user. It is important to discuss with the patient or service user what records are moved into the new record and to discuss how to link any records held in any other health or care settings with the new record, including editing previous records to remove names, gender references or details. The content of the new record will be based on explicit consent under common law.

However, it is not essential for a transgender person to have a GRC in order to change their name and gender in their patient record and receive a new NHS number. They do not need to have been to a Gender Identity Clinic, taken any hormones, undergone any surgery, or have a Gender Recognition Certificate.

Under the Equality Act (2010), Transgender people share the protected characteristic of "gender reassignment". To be protected from gender reassignment discrimination, an individual does not need to have undergone any specific treatment or surgery to change from their birth sex to their preferred gender. This is because changing physiological or other gender attributes is a personal process rather than a medical one. An individual can be at any stage in the transition process – from proposing to reassign their gender, to undergoing a process to reassign their gender, or having completed it.

Protected persons health records

Where a record is that of someone known to be under a protected person scheme, the record must be subject to greater security and confidentiality. It may become apparent (via accidental disclosure) that the records are those of a person under the protection of the courts for the purposes of identity. The right to anonymity extends to health and care records. For people under certain types of protection, the individual will be given a new name and NHS Number, so the records may appear to be that of a different person.

Youth offending service records

Due to the nature of youth offending it is common for very short retention periods to be imposed on the general youth offending record. For purposes of clinical liability and for continuity of care the health or social care portion of the record must be retained as specified in this Code. This will generally be until the 25th birthday of the individual concerned.

Format of record

Bring your own device (BYOD) created records

Any record that is created in the context of health and care business is the intellectual property of the employing organisation and this extends to information created on personally owned computers and equipment. This in turn extends to emails and text messages sent in the course of business on personally owned devices from personal accounts. They must be captured in the record keeping system if they are considered to fall within the definition of a record.

When an individual staff member no longer works for the employing organisation, any information that staff take away could be a risk to the organisation. If this includes personal data or confidential patient information, it is reportable to the ICO and may be a breach of confidentiality. For this reason, personal/confidential patient information should not be stored on the device unless absolutely necessary and appropriate security is in place. Local health and care organisations should have a policy on the use of BYOD by staff. Also refer to guidance on BYOD.

Cloud-based records

Use of cloud-based solutions for health and care is increasingly being considered and used as an alternative to manage large networks and infrastructure. NHS and care services have been given approval to use cloud-based solution, provided they follow published guidance and information on GOV.UK.

Before any cloud-based solution is implemented there are a number of records considerations that must be addressed as set out by The National Archives. The ICO has issued guidance on cloud storage. Organisations must complete a DPIA when considering using cloud solutions.

Another important consideration is that at some point the service provider or solution will change and it will be necessary to migrate all of the records, including all the formats, onto another solution. Whilst this may be technically challenging, it must be done, and contract provisions should be in place to do this.

Records in cloud storage must be managed just as records must be in any other environment and the temptation to use ever-increasing storage instead of good records management will not meet the records management recommendations of this Code. For example, if digital health and care records are uploaded to cloud storage for the duration of their retention period, then they must contain enough metadata to be able to be retrieved and a retention date applied so it can be reviewed and actioned in good time.

Personal data that is stored in the cloud, and then left, risks breaching UK GDPR by being kept longer than necessary. This information would also be subject to Subject Access process, and if not found or left unfound, would be a breach of the patient or service user's rights.

Email and record keeping implications

Email is widely accepted as the primary communication tool used every day by all levels of staff in organisations. They often contain business (or in some cases clinical) information that is not captured elsewhere and so need to be managed just like other records. The National Archives has produced guidance on managing emails.

Email has the benefit of fixing information in time and assigning the action to an individual, which are two of the most important characteristics of an authentic record. However, a common problem with email is that it is rarely saved in the business context.

The correct place to store email is in the record keeping system according to the business classification scheme or file plan activity to which it relates. Solutions such as email archiving and ever-larger mailbox quotas do not encourage staff to meet the standard of storing email in the correct business context and to declare the email as a record.

Where email archiving solutions are of benefit is as a backup, or to identify key individuals where their entire email correspondence can be preserved as a public record.

Where email is declared as a record or as a component of a record, the entire email must be kept, including attachments so the record remains integral. For example, an email approving a business case must be saved with the business case file. All staff need to be adequately trained in required email storage and organisations need to:

• undertake periodic audits of working practice to identify poor practice
• have a policy in place that covers email management - including the appraisal, archiving and disposal of emails
• take remedial action where poor practice or compliance is found

Automatic deletion of email as a business rule may constitute an offence under Section 77 of the FOIA where it is subject to a request for information, even if the destruction is by automatic rule. The courts’ civil procedure rules 31(B) also require that a legal hold is placed on any information including email when an organisation enters into litigation. Legal holds can take many forms and records cannot be destroyed if there is a known process or a reasonable expectation that records will be needed for a future legal process such as:

• local inquiries into health or care issues
• national inquiries
• public inquiries
• criminal or civil investigations
• cases where litigation may be reasonably expected, for example, a patient has indicated they will take the organisation to court
• a SAR (known or reasonably expected)
• a FOI request (submitted or reasonably expected)

This means that no record can be destroyed by a purely automated process without some form of review whether at aggregated or individual level for continued retention or transfer to a PoD.

The NHSmail system allows a single email account for every staff member that can follow the individual through the course of their career. When staff transfer from one NHS organisation to another NHS organisation, they must ensure that no sensitive data relating to the former organisation is transferred. It is good practice for staff to purge their email accounts of information upon transfer to prevent a breach of confidence or the transfer of classified information. This is facilitated by staff storing only emails that need to be retained on an ongoing basis.

Emails that are the sole record of an event or issue, for example, an exchange between a clinician and a patient, should be copied into the relevant health and care record rather than being kept on the email system or deleted.

Instant messaging records

Health and care services are increasingly using instant messaging apps or platforms to share patient and service user information between health and care professionals or to contact patients or services users in a transactional way, such as appointment reminders. The Transformation Directorate of NHS England has published guidance on this issue.

Instant messaging apps or platforms should not be used as the main, or primary, record for a person. Where possible, information shared in this way also needs to have a place in the health or care record of that person. This could be a printout of the exchange; contents transcribed into the record; or a progress note accurately covering the exchange entered into the record. If the app or platform is the only place that information is stored, then it must be managed in line with this Code.

Transactional messages, such as GP appointment reminders or pharmacy notifications that your prescription is ready for collection, have a short shelf-life and will no longer be needed once the appointment is attended or prescriptions collected. Organisations that use these systems should keep a record of messages sent to a person, in case they are needed later (such as proof that the patient was reminded of their appointment), but once it is clear that the purpose of the message has been fulfilled, there is no requirement to keep these messages.

Integrated viewing technology and record keeping

Many record keeping systems pool records to create a view or portal of information, which can then be used to inform decisions. This in effect creates a single digital instance of a record, which is only correct at the time of viewing. This may lead to legacy issues, especially in determining the authenticity of a record at any given point in the past. When deciding to use systems that pool records from different sources, organisations must be assured that the system can recreate a record at a given point in time, and not just be able to provide a view at the time of access. This will enable a health or care provider to show what information was available at the time a decision was made.

Consideration should also be given to the authenticity and veracity of the record, particularly if there is conflicting information presented by two or more contributors to the record. Some conflicts may be easier to resolve than others, for example, a person has a different address with two systems), however more complex conflicts would require organisations to have a process or procedure to agree how to resolve these.

Scanned records

This section applies to health and care records as much as it does to corporate records. When looking to scan records, organisations need to consider the following:

• the scanned image can perform equally as well as the original paper
• scanned images can be challenged in court (just as paper can)
• ability to demonstrate authenticity of the scanned image
• ensure technical and organisational measures are in place to protect the integrity, usability and authenticity of the record, over its period of use and retention
• discussions need to take place with the local PoD over records that may be permanently accessioned - they will need input into the format of the transferring record
• where the hard copy is retained, this will be legally preferable to the scanned image

The legal admissibility of scanned records, as with any digital information, is determined by how it can be shown that it is an authentic record. An indication of how the courts will interpret evidence can be found in the civil procedure rules and the court will decide if a record, either paper or digital, can be admissible as evidence.

The British Standards Institution has published a standard that specifies the method of ensuring that electronic information remains authentic. The standard deals with both "born digital" and scanned records. The best way to ensure that records are scanned in accordance with the standard is to use a supplier or service that meets the standard following a comprehensive procurement exercise, which complies with NHS due diligence. Using an BSI10008 accredited supplier, or an in-house accredited service would be seen as best practice.

For local scanning requirements or for those records where there is a low risk of being required to prove their authenticity, organisations may decide to do their own scanning following due diligence and internal compliance processes. This may require a business case to be drawn up and approved, and procurement rules followed to purchase the necessary equipment.

Once scanned records have been digitised and the appropriate quality checks completed, it will then be possible to destroy the paper original, unless the format of the original has historical value, in which case consideration should be given to keeping it with a view to permanent transfer. Where paper is disposed of post-scanning, this decision must be made by the appropriate group or committee. A scan of not less than 300 dots per inch (or 118 dots per centimetre) as a minimum is recommended for most records although this may drop if clear printed text is being scanned. Methods used to ensure that scanned records can be considered authentic are:

• board or committee level approval to scan records
• a written procedure outlining the process to scan, quality check and any destruction process for the paper record
• evidence that the process has been followed
• technical evidence to show the scanning system used was operating correctly at the time of scanning
• an audit trail or secure system that can show that no alterations have been made to the record after the point they have been digitised
• fix the scan into a file format that cannot be edited

Some common mistakes occur in scanning by:

• only scanning one side and not both sides, including blank pages - to preserve authenticity, both sides of the paper record, even if they are both blank, must be scanned (this ensures the scanned record is an exact replica of the paper original)
• scanning a copy of a copy - leading to a degraded image
• not using a method that can show that the scanned record has not been altered after it has been scanned – questions could be raised regarding process and authenticity
• no long-term plan to enable the digitised records to be stored or accessed over the period of their retention

Once you have identified digital records that are suitable for accessioning to your local PoD or The National Archives (for national bodies, it is recommended to follow published The National Archives guidance on the accessioning of digital records.

Social media

Organisations must have approved policies and guidance when using social media platforms. It is acknowledged that social media will mainly be used for promoting activities of the organisation, rather than as a way of communicating care issues or interventions with patients or service users. Information posted on social media may also be classed as a corporate record and appropriate retention periods set where applicable.

Information posted on social media (such as details of upcoming meetings, or published policies) will usually be captured elsewhere in an organisation’s corporate records’ function, and where this is the case, there is no value in retaining the information held in the social media platform, as it will be a duplication of the corporate records management function.

The National Archives have begun to capture social media content of NHS bodies that have a national focus, such as NHS England. Where requested, this can also be extended to local NHS bodies, but this would be the exception not the rule.

Website as a business record

As people interact with their public services, more commonly it is the internet and websites in particular that provide information, just as posters, publications and leaflets once did exclusively. A person’s behaviour may be a result of interaction with a website and it is considered part of the record of the activity.

For this reason, websites form part of the record keeping system and must be preserved. It is also important to know what material was present on the website as this material is considered to have been published. Therefore, the frequency of capture must be adequate or there must be some other method to recreate what the website or intranet visitor viewed. It may be possible to arrange regular crawls of the site with the relevant PoD but given the complexity of sites as digital objects, it may be necessary to use other methods of capture to ensure that this creates a formal record. The UK Government Web Archive (part of The National Archives) undertook two central crawls of all NHS sites in 2011 and 2012 and may have captured some from 2004 onwards but the information captured will not include all levels of the sites or some dynamic content.

National NHS organisations have their websites regularly captured by The National Archives and can (upon request) capture local organisation’s websites, where regional information would be captured that would not necessarily go to the local PoD (such as a CCG closing down). Local authorities’ websites are not routinely captured by the web archive team at The National Archives but they can do so in exceptional circumstances and if requested by the authority.