Publication - Advice and guidance

Scottish Government Records Management: NHS Code Of Practice (Scotland) Version 2.1 January 2012

Published: 11 Jan 2012
Part of: Health and social care

A guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in Scotland


9. The guidelines draw on advice and published guidance available from the Scottish Government Freedom of Information Unit and the National Records of Scotland, such as the section 61 Code of Practice on Records Management, and also from best practices followed by a wide range of organisations in both the public and private sectors. The guidelines provide a framework for consistent and effective records management that is standards based and fully integrated with other key information governance work areas.

10. This is an overarching Code of Practice on records management for Scottish NHS organisations. It incorporates references and links to previously published guidance and also takes cognisance of the recommendations accepted by the Cabinet Secretary for Health and Wellbeing in October 2008 following publication of the NHSQIS (now Healthcare Improvement Scotland) report in response to reports that person identifiable information had been found in disused buildings on the former Strathmartine Hospital in Tayside.

11. NHS managers should demonstrate active progress in enabling staff to conform to the standards, identifying resource requirements and any related areas where organisational or systems changes are required. Information Governance performance assessment and management arrangements need to facilitate and drive forward the required changes. Those responsible for monitoring NHS performance (e.g. Healthcare Improvement Scotland) will play a key role in ensuring that effective systems are in place.

12. The NHS is provided with support to deliver change through:

  • Information Governance materials available via the IG Knowledge Network; and
  • Policy advisers in the Scottish Government eHealth Team.

General Context

13. All NHS organisations are public authorities under Schedule 1 of the Freedom of Information (Scotland) Act 2002, and the records they create are subject to the Public Records (Scotland) Act 2011. Scottish Ministers and all NHS organisations are obliged under Data Protection, Freedom of Information legislation, and the Environmental Information (Scotland) Regulations 2004, to make arrangements for the safe keeping and eventual disposal of all types of their records. This is carried out under the overall guidance and supervision of the Keeper of the Records of Scotland, who is answerable to the Scottish Parliament. Whilst this Code of Practice is based on the Scottish Government's understanding of the relevant law in Scotland as at the date of publication, it is not, and should not be read as, a statement of the definitive legal position on any matter. NHS organisations should consult their own legal advisors for advice on any legal issues that arise regarding the matters covered in this Code of Practice.

14. NHS organisations should seek advice from their Board's own archivist on the management of records, particularly in relation to the permanent preservation of records. Where organisations do not have access to their own archivist, advice may be sought from the NHSScotland archivists, or the National Records of Scotland.

15. Part one of the Freedom of Information (Scotland) Act 2002 Code of Practice on Records Management states:

"Records management should be recognised as a specific corporate function within the authority and should receive the necessary levels of organisational support to ensure effectiveness. It should bring together responsibilities for all records held by the authority, throughout their lifecycle, from planning and creation through to ultimate disposition. It should have clearly defined responsibilities and objectives, and the resources to achieve them. It is desirable that the person, or persons, responsible for the records management function should also have either direct responsibility for, or a formal working relationship with, the person(s) responsible for freedom of information, data protection and other information management issues."

16. The Chief Executive has overall accountability for ensuring that records management operates legally within the Board. The Caldicott Guardian works in liaison with the organisation's Health Records Manager(s), Corporate Records Manager(s), Information and Communications Technology (eHealth) Manager(s), Information Governance Manager(s) and others with similar responsibilities, to ensure there are agreed systems for records management including managing the confidentiality and security of information and records within their organisation. NHS organisations are also required to take positive ownership of, and responsibility for, the records legacy of predecessor organisations and/or obsolete services.

17. NHS organisations need robust records management procedures to meet the requirements set out under the Data Protection Act 1998, the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004. In addition, they will be required to produce and implement a records management plan under the terms of the Public Records (Scotland) Act 2011.

18. Records are a valuable resource because of the information they contain. High quality information underpins the delivery of high quality evidence based health care, accountability, clinical and corporate governance and many other key service deliverables. Information has most value when it is accurate, up to date and accessible when it is needed. An effective records management service ensures that information is properly managed and is available whenever and wherever there is a justified need for information, and in whatever media it is held or required to:

  • support patient care and continuity of care;
  • support day to day business which underpins the delivery of care;
  • support evidence based clinical practice;
  • support sound administrative and managerial decision making, as part of the knowledge base for NHS services;
  • meet legal requirements, including requests from patients or other individuals made through provisions of the Data Protection Act 1998 or Freedom of Information (Scotland) Act 2002 legislation;
  • assist clinical and other audits;
  • support improvements in clinical effectiveness through research and also support archival functions by taking account of the historical importance of material and the needs of future research; and
  • support patient choice and control over treatment and services designed around patients.

19. Effective records management also supports operational efficiency by reducing the time taken to identify and locate information, minimising duplication of records and confusion over version control, and offering significant savings in physical and electronic space.

20. This Code of Practice, together with the supporting Annexes, identifies the specific actions, managerial responsibilities, and recommended retention periods (in line with the 5th principle of the Data Protection Act 1998) for the effective management of all NHS records, from creation, through day-to-day use of the record, storage and maintenance, to ultimate disposal.

21. All individuals who work for an NHS organisation are responsible for any records that they create or use in the performance of their duties. Furthermore, any record that an individual creates is subject to the Public Records (Scotland) Act 2011, and the information contained in such records is subject to the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004. There is a specific requirement under Regulation 4 of the Regulations on a public authority to take reasonable steps to organise and keep up to date the environmental information relevant to its functions which it holds and at least the types of information detailed in Reg 4 (2). Further information on legal and professional obligations is available on the Information Governance section of The Knowledge Network at

Legal and Professional Obligations

22. A key statutory requirement for compliance with records management principles is the Data Protection Act 1998. It provides a broad framework of general standards that have to be met and considered in conjunction with other legal obligations. The Act regulates the processing of personal data, held manually and on computer. It applies to personal information generally, not just to health records. Therefore the same principles apply to personal data relating to staff, contractors, volunteers, students and other individuals who work in or have dealings with NHSScotland.

23. Personal data is defined as data relating to a living individual that enables him/her to be identified either from that data alone or from that data in conjunction with other information in the data controller's possession. It therefore includes such items of information as name, address, age, race, religion, gender and physical, mental or sexual health.

24. Processing includes everything done with that information, i.e. holding, obtaining, recording, using, disclosure, sharing, disposal, transfer or destruction.

25. A summary of legislation relating to personal and corporate information and the records management function generally can be found at Additionally, clinicians are under a duty to meet record keeping standards set by their regulatory and professional bodies.

NHSScotland eHealth Strategy

26. The eHealth programme aims to ensure a complete health record is available at the point of need in NHSScotland. The success of this will depend on many factors, and good records management will be essential to ensure paper and electronic records are managed consistently. The eHealth Strategy 2011-17 is the key document governing this area of work.

Social Care Records

27. Social Care Records Management is outside the scope of this Code of Practice. However, with greater integration and joint working between health and social care, this Code of Practice is generally applicable to all organisations, and colleagues from social care organisations are encouraged to adopt similar standards of practice.