
Records Management: NHS Code of Practice (Scotland) Version 1.0



Management and Organisational Responsibility

25. The records management function should be recognised as a specific corporate responsibility within every NHS organisation. It should provide a managerial focus for records of all types in all formats, including electronic records, throughout their life cycle, from planning and creation through to ultimate disposal. It should have clearly defined responsibilities and objectives, and necessary resources to achieve them.

26. Designated members of staff of appropriate seniority (i.e. Board level or reporting directly to a Board member) should have lead responsibility for corporate and health records management within the organisation. The model within each Health Board may differ dependent on local accountability. This lead role should be formally acknowledged and made widely known throughout the organisation.

27. The manager, or managers, responsible for the records management function should be directly accountable to, or work in close association with the manager or managers responsible for Freedom of Information, Data Protection and other information governance issues.

28. All staff, whether clinical or administrative, must be appropriately trained so that they are fully aware of their responsibilities as individuals with respect to record keeping and management, and that they are competent to carry out their designated duties. This should include training for staff in the use of electronic records systems. It should be done through both generic and specific training programmes, complemented by organisational policies and procedures and guidance documentation. For example, Health Records Managers who have lead responsibility for personal health records and the operational processes associated with the provision of a comprehensive health record service should have up-to-date knowledge of, or access to expert advice on, the laws, guidelines, standards and best practice relating to records management and informatics.

Policy and Strategy

29. Each NHS organisation should have in place an overall policy statement, endorsed by the Board and made readily available to staff at all levels of the organisation on induction and through regular update training, on how it manages all of its records, including electronic records.

30. The policy statement should provide a mandate for the performance of all records and information management functions. In particular, it should set out an organisation's commitment to create, keep and manage records and document its principal activities in this respect.

31. The policy should also:

  • outline the role of records management within the organisation, and its relationship to the organisation's overall strategy;
  • define roles and responsibilities within the organisation including the responsibility of individuals to document their actions and decisions in the organisation's records, and to dispose of records appropriately when they are no longer required;
  • provide a framework for supporting standards, procedures and guidelines; and
  • indicate the way in which compliance with the policy and its supporting standards, procedures and guidelines will be monitored and maintained.

32. The policy statement should be reviewed at regular intervals (at least once every 2 years) and, if appropriate, it should be amended to maintain its currency and relevance.

Record Creation

33. Each operational unit (e.g. Finance, Estates, IT, Direct patient care) of an NHS organisation should have in place a process for documenting its activities. This process should take into account the legislative and regulatory environment in which the unit operates.

34. Records of operational activities should be complete and accurate in order to allow employees and their successors to undertake appropriate actions in the context of their responsibilities, to facilitate an audit or examination of the organisation by anyone so authorised, to protect the legal and other rights of the organisation, its patients, staff and any other people affected by its actions, and provide authenticity of the records so that the evidence derived from them is shown to be credible and authoritative. Appropriate version control arrangements that support the management of multiple revisions to the same document should be in place.

35. Records created by the organisation should be arranged in a record-keeping system that will enable the organisation to obtain the maximum benefit from the quick and easy retrieval of information while having regard to security.

36. Not all documents created or received by NHS employees in the course of their work need to be held in the record-keeping system. For example, many emails are of only passing value and can be deleted as soon as they have been read or actioned. (Emails that contain significant information or instructions should be retained as appropriate within the record-keeping system.) Many circulars and routine correspondence can be destroyed once read.

Information Quality Assurance

37. It is important that all NHS organisations train staff appropriately and provide regular update training. Training and guidance in record-keeping should be an integral part of the procedures, induction and ongoing training for each role. In the context of records management and information quality, organisations need to ensure that their staff are fully trained in record creation and maintenance, including having an understanding of:

  • what they are recording and how it should be recorded;
  • why they are recording it;
  • how to validate information with the patient or carers or against other records - so staff are recording the correct data;
  • how to identify and correct errors - so that staff know how to correct errors and how to report errors if they find them;
  • the use of information - so staff understand what the records are used for (and therefore why accuracy is so important); and
  • how to update information and add in information from other sources.

Record Keeping

38. Implementing and maintaining an effective records management service depends on knowledge of what records are held, where they are stored, who manages them, in what form(s) they are made accessible, and their relationship to organisational functions (e.g. Finance, Estates, IT, Direct patient care). An information survey or record audit is essential to meeting this requirement. The survey will also help to promote control over the records, and provide valuable data for developing records appraisal and disposal policies and procedures.

39. Paper and electronic record keeping systems should contain descriptive and technical documentation to enable the system to be operated efficiently and the records held in the system to be understood. The documentation should provide an administrative context for effective management of the records.

40. The record keeping system, whether paper or electronic, should include a documented set of rules for referencing, titling, indexing and, if appropriate, the protective marking of records. These should be easily understood to enable the efficient retrieval of information when it is needed and to maintain security and confidentiality.

41. Where records are kept in electronic form, wherever possible they should be held within an Electronic Document and Records Management System (EDRMS) which conforms to the standards of the European Union "Model Requirements" (MoReq).

42. Records should be structured within an organisation-wide corporate "Fileplan" which reflects the functions and activities of the organisations and facilitates the appropriate sharing and effective retrieval of information.

43. Where an EDRMS is not yet available, electronic documents should be stored on shared network servers in a clear and meaningful folder structure or "Fileplan" which represents the functions and activities of the organisation or unit. The server should be subject to frequent back-up procedures in line with the NHS Information Security policy. Users should apply the functionality of the relevant software to protect electronic documents against inappropriate amendment (for example, by password protecting documents). Please note: It is almost impossible to fully protect documents in a non-EDRMS environment, or provide full audit and authenticity evidence.

Record Maintenance

44. The movement and location of records should be controlled to ensure that a record can be easily retrieved at any time, that any outstanding issues can be dealt with, and that there is an auditable trail of record transactions. The record-keeping system should also address the management of emails, including aspects such as the titling of emails and the handling of email attachments.

45. Storage accommodation for current paper records should be clean and tidy, should prevent damage to the records and provide a safe working environment for staff.

46. For records in digital format, maintenance in terms of back-up and planned migration to new platforms should be designed and scheduled to ensure continuing access to accurate, reliable and readable records.

47. Equipment used to store current records on all types of media should provide storage that is safe and secure from unauthorised access and meets health and safety and fire regulations, but which also allows maximum accessibility to the information commensurate with its frequency of use.

48. When paper records are no longer required for the conduct of current business, their placement in a designated secondary storage area may be a more economical and efficient way to store them. Procedures for handling records should take full account of the need to preserve important information and keep it confidential and secure. There should be policies and procedures in place for managing the lifecycles of both paper and electronic records.

49. A contingency or business continuity plan should be in place to provide protection for all types of records that are vital to the continued functioning of the organisation. Key expertise in relation to environmental hazards, assessment of risk, business continuity and other considerations is likely to rest with information security staff and their advice should be sought on these matters.


50. NHS organisations may consider the option of scanning into electronic format records, which exist in paper format, for reasons of business efficiency. Where this is proposed, the factors to be taken into account include:

  • the costs of the initial and then any later media conversion to the required standard, bearing in mind the length of the retention period for which the records are required to be kept;
  • the need to consult in advance with NHS archivists or the National Archives of Scotland with regard to records which may have archival value, as the value may include the form in which it was created; and
  • the need to protect the evidential value of the record by copying and storing the record in accordance with British Standards, in particular the "Code of Practice for Legal Admissibility and evidential weight of information stored electronically" (BIP 0008) and the Document Scanning: Guide to Scanning Business Documents (PD 0016) which provides guidance to evaluate scanners to user requirements.

51. In order to fully realise business efficiency, organisations should consider securely disposing of paper records that have been copied into electronic format and stored in accordance with appropriate standards and the need to dispose of records in accordance with the retention schedule. Advice should be sought from the organisation's records managers or information governance manager, NHS Scotland archivists or the National Archives for Scotland.

Disclosure and Transfer of Records

52. There are a range of statutory provisions that limit, prohibit or set conditions in respect of the disclosure of records to third parties, and similarly, a range of provisions that require or permit disclosure. The key statutory requirements can be found in Annex C.

53. In particular, information relating to living individuals is covered by the principles of Data Protection. In addition, the Freedom of Information (Scotland) Act 2002 confers a statutory right of access to deceased persons' health records only after a period of 100 years. Notwithstanding, it may be possible to put in place mechanisms that both safeguard patient confidentiality and enable controlled access to health records of the deceased within this 100-year time limit. In general, confidentiality of records, particularly those relating to patients, staff or students, should be maintained for 75 years (100 years for minors) from the beginning of the calendar year following the date of the last entry of the record.

54. In Health Boards the Caldicott Guardian, supported by the Health Records Manager and Data Protection Officer, should be involved in any proposed disclosure of confidential patient information, informed by the Scottish Government Health Directorates publication 'Code of Practice on Protecting Patient Confidentiality'. In GP surgeries, the responsibility for making decisions about disclosure ultimately rests with the GP. For patients, a leaflet has been produced by Health Rights Information Scotland (HRIS) called 'How to see your Health Records'. It provides patients with information on how to make a subject access request to view their health records. The leaflet is available for download.

55. The mechanisms for transferring records from one organisation to another should also be tailored to the sensitivity of the material contained within the records and the media on which they are held. Information Security staff should be able to advise on appropriate safeguards. The NHS Scotland Information Security policy and standards sets out the requirements for the storage and transmission of corporate and personal records.

56. There are also a range of guidance documents (e.g. the UK Information Commissioner's Use and Disclosure of Health Information) that interpret statutory requirements and there may be staff within organisations that have special expertise in, or can advise on, particular types of disclosure. In particular, organisations should be aware of the Freedom of Information (Scotland) Act 2002 Code of Practice on Records Management November 2003 (laid before the Scottish Parliament on 10th November 2003 pursuant to Section 61(6) of the Freedom of Information (Scotland) Act 2002, and prepared in consultation with the Scottish Information Commissioner and the Keeper of the Records of Scotland).

Retention and Disposal Arrangements

57. Detailed guidance for retention and disposal of administrative records can be found in NHSHDL (2006) 38 'The Management, Retention and Disposal of Administrative Records'.

58. Detailed guidance for retention and disposal of personal health records can be found in Annex D.

59. It is particularly important under Freedom of Information legislation that the disposal of records - which is defined as the point in their lifecycle when they are either transferred to an archive or destroyed - is undertaken in accordance with clearly established policies which have been formally adopted by the organisation and which are enforced by properly trained and authorised staff.

60. The design of databases and other structured information management systems must include the functionality to dispose of time-expired records. Databases should be subject to regular removal of non-current records in line with the organisation's retention schedule.

Appraisal of Records

61. Appraisal refers to the process of determining whether records are worthy of permanent archival preservation. This should be undertaken in consultation with the organisation's own Archivist, or one of the three NHS archivists, or with a local authority or university archive where there is an existing relationship. Alternatively, advice can be sought from the National Archives of Scotland.

62. Procedures should be put in place in all NHS organisations to ensure that appropriately trained personnel appraise records at the appropriate time. The purpose of this appraisal process is to ensure that the records are examined at the appropriate time to determine whether or not they are worthy of archival preservation, whether they need to be retained for a longer period as they are still in use, or whether they should be destroyed.

63. Where there are records that have been omitted from the retention schedules, or when new types of records emerge, the Scottish Government eHealth Directorate and/or an NHS archivist should be consulted. The National Archives of Scotland can also provide advice about records requiring permanent preservation.

64. All NHS organisations must have procedures in place for recording the disposal decisions made following appraisal. An assessment of the volume and nature of records due for appraisal, the time taken to appraise records, and the risks associated with destruction or delay in appraisal will provide information to support an organisation's resource planning and workflow. The Records Manager in the NHS organisation should determine the most appropriate person(s) to carry out the appraisal in accordance with the retention schedule. This should be a Manager with appropriate seniority, training and experience who has an understanding of the subject area to which the record relates.

65. Many NHS records, including corporate ones, contain sensitive or confidential information. It is therefore vital that confidentiality is safeguarded at every stage of the lifecycle of the record, including destruction, and that the method used to destroy such records is fully effective and ensures their complete illegibility.

Record Closure

66. Records should be closed (i.e. made inactive and transferred to secondary storage) as soon as they have ceased to be in active use other than for reference purposes. An indication that a file of paper records or folder of electronic records has been closed, together with the date of closure, should be shown on the record itself as well as noted in the index or database of the files/folders. Where possible, information on the intended disposal of electronic records should be included in the metadata when the record is created.

67. The storage of closed records should follow accepted standards relating to environment, security and physical organisation of the files.

Record Disposal

68. Each organisation must have a retention/disposal policy that is based on the retention schedules referred to in paragraphs 57 and 58 of this Code of Practice. The policy should be supported by, or linked to the retention schedules, which should cover all records created, including electronic records. Schedules should be arranged based on series or collection of records and should indicate the appropriate disposal action for all records. Schedules should clearly specify the agreed retention periods, which must be based on the retention schedules referred to in paragraphs 57 and 58 of this Code of Practice, for the organisation.

69. Records selected for archival preservation and no longer in regular use by the organisation should be transferred as soon as possible to an archive. No surviving personal health or administrative record dated 1948 or earlier should be destroyed.

70. Good practice suggests that non-active records should be transferred no later than 30 years from creation of the record, with electronic records being transferred within a shorter period.

71. Records (including copies) not selected for archival preservation and which have reached the end of their administrative life should be destroyed in as secure a manner as is appropriate for the level of confidentiality or protective markings they bear. This can be undertaken on site or via an approved contractor. Confidential records should be destroyed in accordance with BS 8470 "Code of Practice on Secure Destruction of Confidential Material". It is the responsibility of the NHS organisation to ensure that the methods used throughout the destruction process provide appropriate safeguards against the accidental loss or disclosure of the contents of the records. Accordingly, contractors should be required to sign confidentiality undertakings and to produce written certification as proof of destruction.

72. A record of the destruction of records, showing their reference, description and date of destruction should be maintained and preserved by the Records Manager, so that the organisation is aware of those records that have been destroyed and are therefore no longer available. Disposal schedules would constitute the basis of such a record.

73. If a record due for destruction is known to be the subject of a request for information, or potential legal action, destruction should be delayed until disclosure has taken place or, if the authority has decided not to disclose the information, until the complaint and appeal provisions of the Freedom of Information (Scotland) Act have been exhausted or the legal process completed.