Health and social care - records management: code of practice

Guide to the required standards of practice in the management of data, information and records for those who work within or under contract to NHS organisations in Scotland. It is based on current legal requirements and professional best practice.


Section 2 - Context

2.1 Definitions

21 Data is defined as raw, unprocessed information which requires to be organised before it can be used.

22 Information is data that has been processed, structured, and given meaning.

23 Records are specific recognised types of collated and organised information and data created, received, and maintained as evidence by an organisation for reference in the transaction of business or pursuance of legal obligations. This definition extends to the archive role, particularly in recording corporate memory.

24 Health records consist of information and data relating to the physical or mental health or condition of an individual which have been made by or on behalf of a health professional in connection with the care of that individual.

25 Social work records include the records held by a Local Authority in connection with its social services functions under the Social Work (Scotland) Act 1968.

26 Integrated care records include information that is provided, accessed, updated, and relied upon, by multiple organisations. The agencies involved may use the records for different purposes, and they will have an arrangement(s) in place that sets out their different roles and responsibilities, including any obligations under the Public Records (Scotland) Act 2011 and the UK General Data Protection Regulation.

27 The Code of Practice adopts the approach of the Public Records (Scotland) Act 2011, Part 1 Section 13(1), which states that “record” means anything in which information is recorded in any form. Hereafter, any reference made to ‘records’ will be the overarching term used for all records, information and data held by health care organisations regardless of type and format. Of note, this is also the approach taken in BS 10025[2].

Figure 1 – Data, Information, Records Process

  • Data
    • Collected
    • Verified
  • Information
    • Processed
    • Structured
    • Acted upon
  • Records
    • Updated
    • Referred to
    • Evidence
  • Outcome: enable decisions and actions

28 Records management is the systematic control of an organisation's records, throughout their life cycle, in order to meet operational business needs, statutory and fiscal requirements, and community expectations. Effective management of corporate information allows fast, accurate and reliable access to records, ensuring the timely destruction of redundant information and the identification and protection of vital and historically important records.[3] (National Records of Scotland).

29 Records management forms part of the organisation’s functions related to governance and assurance. It is the professional discipline associated with managing and governing data, information and records from the point of creation throughout the lifecycle to their final disposal. The activities include identifying, classifying, storing, securing, retrieving, tracking, archiving and destroying records. Fundamentally records management is concerned with knowing what information you hold, where it is and how long you are required to retain it, either in relation to business or regulatory/legislative requirements.

30 Archive (noun) is a physical or digital collection of records of continuing value, either for historical research, corporate memory or accountability purposes. In the context of health care, records are generally transferred to an external archival facility, operated by the National Records of Scotland, a University, a Local Authority or sometimes an internal archive. These facilities are referred to as a permanent place of deposit. An archive must meet strict operational and environmental standards in order to preserve and maintain the integrity, accessibility and availability of the records for a significant number of years or indefinitely.

31 Archive (verb) is used to describe the action of transferring records to an archival facility for permanent preservation. The term archive is often incorrectly used to describe the ongoing storage of ‘inactive’ records, physically or digitally, within an organisation without the appropriate preservation standards in place. Therefore this document will refer to ‘transfer to the permanent place of deposit’ rather than archive, to be clear on the action being described or recommended.

32 Data Sharing is the process where information or records are shared between organisations (for example patient details provided by NHS to a Local Authority to progress hospital discharge) and that information becomes part of the records held and managed by the recipient organisation and the recipient organisation becomes the owner of their copy. The organisations may work together; however, they manage their records separately.

33 Data Processing is where information is processed on behalf of another organisation under contract. Records management arrangements should be outlined under contract when data processing agreements are entered into.

34 Joint Data Processing is where arrangements create a ‘Joint Controller’ relationship and information flows between organisations in a manner which is different to data sharing. This may result in joint records being created. Steps should be taken to ensure that all individual organisations document the arrangements in place so that records are managed in accordance with their relevant statutory obligations. An example of such arrangements is the integrated services within Health and Social Care Partnerships which were created as a result of the Public Bodies (Joint Working) (Scotland) Act 2014.

2.2 Business Requirement for Managing Records

35 Records are vital assets of an organisation, and therefore it is essential that effective records management systems and practices are implemented.

36 Effective records management supports operational efficiency and delivery of services by reducing the time taken to identify and locate information, minimising duplication of records and confusion over version control, and offering significant savings in physical and digital space. It also supports better decision making and reduction in error when staff are accessing up to date, accurate and relevant information.

37 Records are a valuable resource because of the information they contain. High quality information underpins the delivery of first-class evidence-based care, accountability, governance, and many other key service deliverables. Information has most value when it is accurate, up to date and easily accessible when it is needed. Effective records management ensures that information is properly managed and is available whenever and wherever there is a justified need for information, and in whatever media it is held to:

  • support the delivery of integrated health and social care;
  • support day to day business which underpins the delivery of care;
  • support evidence-based clinical and social care practice;
  • support sound administrative and managerial decision making, as part of the knowledge base for health and social care services;
  • meet legal requirements, including requests from patients/service users and customers or other individuals made through provisions of legislation;
  • assist clinical and business audits;
  • support improvements in health and social care effectiveness through research;
  • support archival functions by taking account of the historical importance of material and the needs of future research;
  • support patient/service user choice and control over treatment and services designed around them;
  • support patient/service user safety and safeguarding;
  • support accountability and transparency in the provision and management of services.

2.3 Regulatory Framework: Legal and Professional Obligations

38 This Code of Practice does not constitute legal advice. Organisations should consult their own legal advisors for advice on any legal issues that arise regarding the matters covered in this Code of Practice.

39 Organisations across the health and social care sector may be subject to the following legislation:

  • Public Records (Scotland) Act 2011
  • Access to Health Records Act 1990
  • Freedom of Information (Scotland) Act 2002
  • Environmental Information (Scotland) Regulations 2004
  • UK General Data Protection Regulation/Data Protection Act 2018
  • Inquiries Act 2005
  • Network and Information System Regulations 2018/Scottish Public Sector Cyber Resilience Framework

40 Health and social care organisations and professionals have a common law duty of confidentiality to patients/service users. Their employees, contractors and volunteers also have a duty to maintain professional ethical standards of confidentiality; this duty continues after leaving the organisation. Obligations around confidentiality remain even after the death of a patient/service user.

2.3.1 Public Records (Scotland) Act 2011[4]

41 The Public Records (Scotland) Act 2011 (PRSA) places an obligation on named public authorities to:

  • prepare, implement, and keep under review a Records Management Plan (RMP) which sets out proper arrangements for the management of their records (see Section 4.1);
  • identify individual(s) who are responsible for management of the authority’s records and for ensuring compliance with the plan;
  • outline the procedures to be followed in managing the authority’s public records, specifically around maintaining the security of information and the archiving and destruction or disposal of records.

42 Under Part 1, Section 3(1) of the Act public records are defined as:

a) records created by or on behalf of the authority in carrying out its functions,

b) records created by or on behalf of a contractor in carrying out the authority’s functions,

c) records created by any other person that have come into the possession of the authority or a contractor in carrying out the authority’s functions.

43 Named authorities are obliged under Section 3 of the PRSA to safeguard public records being created on their behalf by third parties when contracted to deliver one or more of a public authority’s functions. An authority’s expectations for the management of its public records created or held by the third party should be detailed within standard contract terms and conditions as required under Part 1 Section 3(1)(b) of the PRSA and Element 15 of the Keeper’s Model RMP.

2.3.2 Access to Health Records Act 1990[5]

44 The Access to Health Records Act 1990 provides certain individuals with a right to see the health records relating to a deceased patient. These individuals are defined under section 3(1)(f) of that Act as:

i. the deceased's personal representatives (executors or administrators) to enable them to carry out their duties; and

ii. anyone who has a claim resulting from the death.

45 However, this is not a general right of access; it is a restricted right, and the following circumstances could limit the applicant's access:

  • if there is evidence that the deceased did not wish for any or part of their information to be disclosed; or
  • if disclosure of the information would cause serious harm to the physical or mental health of any person; or
  • if disclosure would identify a third party (i.e. not the patient nor a healthcare professional) who has not consented to that disclosure;
  • it applies only to records created on or after 1 November 1991.

46 It is important that organisations put processes in place to verify the identity of the applicant and have procedures to enable the efficient and effective retrieval of records within the timescales specified by the Act. Organisations should take steps to ensure that where required, consideration is given as to whether a medical professional is required to screen the notes before release.

2.3.3 Freedom of Information (Scotland) Act 2002[6] and Environmental Information (Scotland) Regulations 2004[7]

47 All records and information held by named public authorities are requestable under the Freedom of Information (Scotland) Act 2002 (FOISA) and the Environmental Information (Scotland) Regulations 2004 (EIR), subject to applicable exemptions. FOISA was designed to create transparency in Government and allow anyone to know about the provision of public services through the right to submit a request for information. EIR was designed to provide citizens with the right to request environmental information held by Scottish public authorities.

48 These rights are only as good as the ability of those organisations to supply information through best practice records management programmes. Under Section 61 of FOISA, Scottish Ministers have published a Code of Practice on Records Management for Scottish Public Authorities. The Code of Practice sets out the acceptable standards for the management of records to support compliance with FOISA. Under Regulation 4 of EIR there is a specific requirement on a public authority to take reasonable steps to organise and keep up to date environmental information relevant to its functions.

2.3.4 Data Protection Laws[8]

49 The Data Protection Act (DPA) 2018 is the principal legislation governing how organisations process and handle personal data, including special categories of data, such as health-related data. The UK General Data Protection Regulation and the Data Protection Act 2018 provide the legal framework[9] for processing personal data, including that contained within health and social care records. Records containing personal data must be managed in accordance with the requirements of this legislation.

50 The Data Protection Principles state that personal data shall be:

a. processed lawfully, fairly and in a transparent manner;

b. collected for specified, explicit and legitimate purposes;

c. adequate, relevant, and limited to what is necessary;

d. accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;

f. processed in a manner that ensures appropriate security of the personal data.

51 In addition, the accountability principle requires organisations to take responsibility for how they process and manage personal data and for how they comply with the other principles.

52 The Act also provides exemptions with regards to Research and Statistics – Schedule 2 Part 6 Paragraph 27 and Archiving in the public interest – Schedule 2 Part 6 Paragraph 28(1). Further supporting guidance on archiving has been produced by The National Archives[10].

53 Handling records in a way that complies with these principles, as well as the many rights conferred on individuals by the legislation, is not only good records management, but is also necessary for data protection legal compliance.

54 Data protection legislation provides people with information rights over the health and social care data processed about them. However, controller organisations are obliged to consider the requirements of this Code of Practice when considering information rights requests made by citizens, in particular the right to object.

2.3.5 Inquiries Act 2005[11]

55 The Inquiries Act is intended to provide a comprehensive statutory framework for Ministers to set up formal, independent inquiries relating to particular events which have caused or have potential to cause public concern, or where there is public concern that particular events may have occurred. Of note:

  • Section 21 of the Act provides inquiries with statutory powers to compel evidence.
  • Section 35(1) of the Act makes it an offence to fail, without a reasonable excuse, to comply with a formal notice requiring attendance at the inquiry or the production of evidence. Subsections (2) and (3) go wider, making it an offence to deliberately distort or conceal relevant evidence.

56 The Inquiries Act 2005 is supplemented in Scotland with The Inquiry (Scotland) Rules 2007.

57 If an Inquiry is conducted which covers health care organisations within Scotland, those organisations must take action to identify and protect records which may be relevant to the inquiry. Records form an important part of the evidence in inquiries. What is required can vary by Inquiry; however, organisations will need to consider what information may be relevant based on the terms of reference for the Inquiry. It is an offence to fail to provide evidence (which is held by the organisation) required by the Inquiry; therefore organisations must put in place the appropriate measures to ensure, as far as reasonably possible, that information and records are prevented from alteration or deletion and are easily retrievable should they be requested.

58 At the time of writing there are four independent Inquiries which impact on health and social care organisations in Scotland:

  • Scottish Child Abuse Inquiry
  • UK Infected Blood Inquiry
  • Scottish Hospitals Inquiry
  • UK Covid-19 Inquiry and the Scottish Covid-19 Inquiry

59 Other legislation requires information to be held as proof of an activity against the eventuality of a claim (e.g. Prescription and Limitation (Scotland) Act 1973 or the Consumer Protection Act 1987).

2.3.6 Network and Information System Regulations 2018[12] / Scottish Public Sector Cyber Resilience Framework (version 2)[13]

60 The Network & Information Systems Regulations 2018 (NIS Regulations) provide legal measures to improve the level of security (both cyber & physical resilience) of network and information systems for the provision of essential services and digital services. Scotland’s devolved health and water sectors are legally required to comply with the NIS Regulations. In Scotland the main Operators of Essential Services (OES) are considered to be Scottish Water (with the Drinking Water Quality Regulator for Scotland as the Competent Authority) and all NHS Scotland Health Boards (with the Scottish Ministers as the Competent Authority).

61 All OES must comply with the standards set out in the NIS Regulations. These standards cover managing security risk, defending systems against cyber-attack, detecting cyber security events and minimising the impact of cyber security incidents. Complying with the standards includes the Health Boards reporting improvements to resilience and capabilities to the Scottish Health Competent Authority (SHCA)[14] through NIS regulatory audits. In doing so, the SHCA is able to monitor continual improvements by NHS Scotland Health Boards against the 427 controls in the Public Sector Cyber Resilience Framework (PSCRF).

62 Local Authorities are currently not classed as OES under the NIS Regulations; they are therefore not legally required to comply with them and do not report into any Competent Authority. However, they must comply with the PSCRF and look to achieve Tier 1 controls as a minimum. The SG Cyber Resilience Unit carries out annual cyber surveys which include all Local Authorities.

2.3.7 Professional Obligations

63 Staff who are registered to a professional regulatory body are required to adhere to record keeping standards defined by their registrant body. This is designed to guard against professional misconduct and to provide high quality care in line with the requirements of professional bodies. Further information about professional standards for records can be obtained from relevant professional bodies:

64 Health and social care staff may also wish to consult the Professional Records Standards Body, which produces care record standards to improve the safety and quality of health and social care; and ensure that the right information is recorded correctly and can be accessed easily.[15]

Contact

Email: DHCIG@gov.scot
