Scottish Government Records Management: NHS Code of Practice (Scotland) Version 2.0

Records Management Code of Practice


SECTION 2 - INTRODUCTION

6. The guidelines draw on advice and published guidance available from the Scottish Government Freedom of Information Unit and the National Archives of Scotland, and also from best practices followed by a wide range of organisations in both the public and private sectors. The guidelines provide a framework for consistent and effective records management that is standards based and fully integrated with other key information governance work areas.

7. This is an overarching Code of Practice on records management for Scottish NHS organisations. It incorporates references and links to previously published guidance and also takes cognisance of the recommendations accepted by the Cabinet Secretary for Health and Wellbeing in October 2008 following publication of the NHSQIS report in response to reports that person identifiable information had been found in disused buildings on the former Strathmartine Hospital in Tayside

8.NHS managers must demonstrate active progress in enabling staff to conform to the standards, identifying resource requirements and any related areas where organisational or systems changes are required. Information Governance performance assessment and management arrangements need to facilitate and drive forward the required changes. Those responsible for monitoring NHS performance, ( e.g.NHS Quality Improvement Scotland - NHSQIS) will play a key role in ensuring that effective systems are in place.

9. The NHS is provided with support to deliver change through:

  • Information Governance Standards, which can be viewed on the Specialist e-Library here;
  • Information Governance Toolkit;

NHS Scotland Information Governance Team and policy advisers in the Scottish Government eHealth Directorate. Further information on the above can be found in Annex B.

General Context

10. All NHS organisations are public authorities under Schedule 1 of the Freedom of Information (Scotland) Act 2002, and the records they create are subject to the Public Records (Scotland) Act 1937 (as amended). Scottish Ministers and all NHS organisations are obliged under Data Protection and Freedom of Information legislation to make arrangements for the safe keeping and eventual disposal of all types of their records. This is carried out under the overall guidance and supervision of the Keeper of the Records of Scotland who is answerable to the Scottish Parliament. Whilst this Code of Practice is based on the Scottish Government's understanding of the relevant law in Scotland as at the date of publication, it is not, and should not be read as, a statement of the definitive legal position on any matter. NHS organisations should consult their own legal advisors for advice on any legal issues, which arise regarding the matters covered in this Code of Practice.

11.NHS organisations should seek advice from their Board's own archivist on the management of records, particularly in relation to the permanent preservation of records. Where organisations do not have access to their own archivist, advice may be sought from the NHS Scotland archivists, or the National Archives of Scotland (see Annex B for further information).

12. Part one of the Freedom of Information (Scotland) Act 2002 Code of Practice on Records Management states:

"Records management should be recognised as a specific corporate function within the authority and should receive the necessary levels of organisational support to ensure effectiveness. It should bring together responsibilities for all records held by the authority, throughout their life cycle, from planning and creation through to ultimate disposition. It should have clearly defined responsibilities and objectives, and the resources to achieve them. It is desirable that the person, or persons, responsible for the records management function should also have either direct responsibility for, or a formal working relationship with, the person(s) responsible for freedom of information, data protection and other information management issues.

Further information can be obtained here.

13. The Chief Executive has overall accountability for ensuring that records management operates legally within the Board. The Caldicott Guardian works in liaison with the organisation's Health Records Manager(s), Corporate Records Manager(s), Information and Communications Technology (eHealth) Manager(s), Information Governance Manager and others with similar responsibilities, to ensure there are agreed systems for records management including managing the confidentiality and security of information and records within their organisation. NHS organisations are also required to take positive ownership of, and responsibility for, the records legacy of predecessor organisations and/or obsolete services.

14. In addition, NHS organisations need robust records management procedures to meet the requirements set out under the Data Protection Act 1998, the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004.

15. Records are a valuable resource because of the information they contain. High quality information underpins the delivery of high quality evidence based health care, accountability, clinical and corporate governance and many other key service deliverables. Information has most value when it is accurate, up to date and accessible when it is needed. An effective records management service ensures that information is properly managed and is available whenever and wherever there is a justified need for information, and in whatever media it is held or required to:

  • support patient care and continuity of care;
  • support day to day business which underpins the delivery of care;
  • support evidence based clinical practice;
  • support sound administrative and managerial decision making, as part of the knowledge base for NHS services;
  • meet legal requirements, including requests from patients or other individuals under subject access legislation or Freedom of Information;
  • assist clinical and other audits;
  • support improvements in clinical effectiveness through research and also support archival functions by taking account of the historical importance of material and the needs of future research;
  • support patient choice and control over treatment and services designed around patients.

16. Effective records management also supports operational efficiency by reducing the time taken to identify and locate information, minimising duplication of records and confusion over version control and significant savings in physical and electronic space.

17. This Code of Practice, together with the supporting Annexes identifies the specific actions, managerial responsibilities, and recommended retention periods (in line with the 5th principle of the Data Protection Act 1998) for the effective management of all NHS records, from creation, as well as day-to-day use of the record, storage, maintenance and ultimate disposal.

18. All individuals who work for an NHS organisation are responsible for any records, which they create, or use in the performance of their duties. Furthermore, any record that an individual creates is subject to the Public Records (Scotland) Act 1937 (as amended), and the information contained in such records is subject to the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004. There is a specific requirement under Regulation 4 of the Act on a public authority to take reasonable steps to organise and keep up to date the environmental information relevant to its functions which it holds and at least the types of information detailed in Reg 4 (2). Annex C contains further information on legal and professional obligations.

Legal and Professional Obligations

19. Another key statutory requirement for compliance with records management principles is the Data Protection Act 1998. It provides a broad framework of general standards that have to be met and considered in conjunction with other legal obligations. The Act regulates the processing of personal data, held manually and on computer. It applies to personal information generally, not just to health records. Therefore the same principles apply to personal data relating to staff, contractors, volunteers, students and other individuals who work in or have dealings with NHS Scotland.

20. Personal data is defined as data relating to a living individual that enables him/her to be identified either from that data alone or from that data in conjunction with other information in the data controller's possession. It therefore includes such items of information as name, address, age, race, religion, gender and physical, mental or sexual health.

21. Processing includes everything done with that information, i.e. holding, obtaining, recording, using, disclosure, sharing, disposal, transfer or destruction.

More information on the application of the Data Protection Act is contained in Annex C

22. Other legislation relating to personal and corporate information and the records management function generally can also be found in Annex C. Additionally, clinicians are under a duty to meet record keeping standards set by their regulatory and professional bodies.

NHS Scotland eHealth Strategy

23. The eHealth programme aims to ensure a complete health record is available at the point of need in NHS Scotland. The success of this will depend on many factors, and good records management will be essential to ensure paper and electronic records are managed consistently. Further information is available here

Social Care Records

24. Social Care Records Management is outside the scope of this Code of Practice. However, the Scottish Government Transformational Technologies Division has developed joint national data standards for use in eCARE. The increase in joint working from this initiative means that although outwith scope this Code of Practice is generally applicable to all organisations, and colleagues from social care organisations are encouraged to adopt similar standards of practice.

Back to top