Health and social care - records management: code of practice
Guide to the required standards of practice in the management of data, information and records for those who work within or under contract to NHS organisations in Scotland. It is based on current legal requirements and professional best practice.
Section 3 - Responsibilities
65 The records management function should be recognised as a specific corporate responsibility within every organisation. It should provide a managerial focus for records of all types in all formats, throughout their lifecycle, from planning and creation through to ultimate disposal. It should have clearly defined responsibilities and objectives, and necessary resources to achieve them.
66 All individuals who work for an NHS Board, Local Authority or organisation contracted to deliver a service on their behalf are responsible for any records that they create or use in the performance of their duties.
67 The NHS Board and the Local Authority are responsible for ensuring they meet their legal responsibilities.
68 The Integration Joint Board is responsible for the strategic planning of the Health Board and Local Authority functions delegated to it, and for ensuring the delivery of those functions through the directions issued by it under section 25 of the Public Bodies (Joint Working) (Scotland) Act 2014. The Integration Joint Board will also have an operational role as described in the locally agreed operational arrangements set out within their integration scheme[16].
3.1 Responsibilities
69 There are a number of records management responsibilities which should be allocated to roles within organisations. The following roles are examples of how the responsibilities can be allocated; however, the roles may have different titles and may not be allocated to separate individuals.
70 The Chief Executive has overall independent responsibility for records management. As accountable officer they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity. This overall responsibility is delegated to the Senior Information Risk Owner (SIRO).
71 The Senior Information Risk Owner (SIRO) oversees the identification, assessment, and treatment of information risks within the organisation. These are risks related to information and information technologies, including records and records management information systems. They should sit at director level or equivalent and must provide the Accounting Officer and Executive Board with assurance that information risk is being managed appropriately and effectively across the organisation and its service providers. Furthermore, they play a crucial role in recognising opportunities stemming from information and information technologies, thereby facilitating informed decision-making processes, and fostering a culture of innovation and growth driven by information and related technologies. This strategic position requires a comprehensive understanding of the organisation’s objectives, coupled with the ability to align risk management, information and information technology strategies with overarching business goals.
72 The Caldicott Guardian provides advice within health organisations regarding the ethical use of patient data and the application of the Duty of Confidentiality. They act as the “conscience of the organisation” reflecting patients' interests regarding the use of patient identifiable information.
73 The Data Protection Officer (DPO) holds a key advisory and monitoring role in relation to the use and management of personal data. Their role and responsibilities are defined under UK GDPR and the Data Protection Act 2018. The key tasks all DPOs must undertake as part of their role include:
- informing and advising the controller or the processor, and their employees, of their obligations under data protection legislation;
- monitoring compliance with the UK GDPR and other data protection laws, through implementation of data protection policies, managing internal data protection activities, raising awareness of data protection issues, training staff, and conducting internal audits;
- providing advice, where required, on data protection impact assessments and monitoring compliance with this requirement;
- acting as the point of contact for the Information Commissioner's Office (ICO) for matters relating to data protection legislation and co-operating with the ICO as required;
- keeping documentation on at least the name of the data flows, the purpose of the processing, the types of subjects and data, the security and privacy risks and the time limits for data erasure (according to Article 30). Likewise, they must monitor personal data breaches and responses to the supervisory authority (ICO).
74 The Records Manager has the lead responsibility for the overall development and maintenance of records management within the organisation. They are responsible for embedding records management into day-to-day practices to support the delivery of services, compliance with legislation and the efficient, safe, appropriate and timely retrieval/disposal of records. They will:
- provide strategic direction and advice on matters concerning records;
- develop policies, guidance, and training at all stages of the records lifecycle - creation, use, maintenance, review and disposal;
- work closely with manager(s) responsible for other information governance work areas;
- work closely with colleagues within IT, ensuring that they are involved in projects regarding the development/implementation of new systems or the upgrade of current ones;
- work closely with colleagues involved in estate management with regards to the physical storage of records.
75 Within public authorities, this role will be responsible for the compliance with the Public Records (Scotland) Act 2011 and should be named at Element 2 of the organisation’s RMP as required under Part 1 Section 1(2)(a)(ii) of the PRSA. This role should be formally acknowledged, outlined in job descriptions, and communicated throughout the organisation.
76 Within a large organisation the Records Manager should be a designated member of staff of appropriate seniority, ideally with suitable records management qualifications. Within, for example, a territorial NHS Board, the responsibility should be split into health records manager and corporate records manager.
77 Within a smaller organisation the role could be undertaken by a Care Home Manager or Practice Manager who could take on a records management lead capacity.
78 As records management activities are undertaken throughout the organisation, mechanisms must be in place to enable the records manager to exercise an appropriate level of management of this activity, even where there is no direct reporting line. This might include cross-departmental records and information working groups or individual information and records champions or coordinators who may also be Information Asset Owners.
79 The Archivist is responsible for collecting, cataloguing, preserving, and managing appropriate access to valuable historical information. Archivists liaise with records managers, data protection officers and other information governance professionals to train staff or users and identify relevant material of historical value ensuring transfer to a designated place of deposit for archival preservation. Note that valuable historical information may be ‘born digital’ and exist as digital files as well as traditional paper archives.
80 The Information Asset Owner (IAO) has responsibility for ensuring information assets (records) are processed in a safe, fair, and lawful manner. They are responsible for managing the information risk associated with the Information Assets they are responsible for on behalf of the organisation and for providing assurances to the SIRO. IAOs are senior individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information assets they ‘own’ and to provide assurance to the SIRO on the management, security and use of the assets. IAOs should recognise records management as a key aspect of most roles and ensure that staff have time and resource to manage records appropriately, including remedial work on their legacy records. In larger organisations, an IAO might be a department head, for example.
81 All staff who create, receive and use data, information and records have records management responsibilities. All staff should ensure that they keep appropriate records of their work and manage those records in keeping with the Code of Practice and the relevant policies and guidance within their organisation. Managers should demonstrate active progress in enabling staff to conform to the Code of Practice, identifying resource requirements and any related areas where organisational or systems changes are required.
82 Processors and Subcontractors processing data, information and records on behalf of health care organisations must abide by this Code of Practice. Subcontractors may also have their own direct recordkeeping responsibilities as service providers, employers and regulated bodies. Contracts and relationships with third parties must be managed so that other aspects of records management are protected. This includes data protection clauses, provision of clear instruction on expected standards of recordkeeping, returning the data, information or records, or transferring the data, information or records to a new supplier to ensure continuity of service.
83 Data Protection Officers may advise on whether contractual arrangements in place with processors are appropriate and on whether further information must be added to relevant privacy notices.
84 Should a subcontractor close or cease business, a plan to transfer the records to a suitable authority must be put in place. This includes the closure of a GP Practice as per Section 3 of the PRSA.
3.2 Training
85 All staff involved in handling records should be appropriately trained in their records management responsibilities and competent to carry out their designated records management duties. Training should cover paper and digital record formats.
86 Public authorities have a duty to ensure the provision of training for staff regarding records management in support of their compliance with Element 12 of the Keeper’s Model RMP, under PRSA. Specific elements should be included in training programmes to ensure staff understand appraisal and retention of records.
3.3 Policy
87 In support of their compliance with Part 1 Section 1(2)(b)(i) of the PRSA and Element 3 of the Keeper’s Model RMP, public authorities should have in place a records management policy statement, endorsed by the Executive Management Team (or its equivalent), and made readily available to staff at all levels of the organisation.
88 The policy statement should provide a mandate for the performance of all records management functions. It should set out an organisation's commitment to create, keep and manage records and document its principal activities in this respect.
89 The policy should also:
- outline the purpose of records management within the organisation, and its relationship to the organisation's overall strategy;
- define roles and responsibilities within the organisation, including those of individual staff to document actions and decisions in the organisation's records, and to dispose of records appropriately when they are no longer required;
- define roles, responsibilities and procedures for safe transfer, storage or confidential disposal of records when staff leave an organisation, or when premises are being decommissioned;
- define the process of managing records throughout their lifecycle, from their creation, usage, maintenance, and storage to their disposal, be it ultimate destruction or archival preservation;
- provide a framework for supporting standards, procedures and guidelines;
- indicate the way in which compliance with the policy and its supporting standards, procedures and guidelines will be monitored and maintained;
- cover all series of records held, in any media, and should state the agreed retention period and disposal action, including, where appropriate, an indication of those records which should be considered for archival preservation.
90 The policy statement should be reviewed at regular intervals (a minimum of once every three years or sooner if new legislation/codes of practice/national standards are introduced or due to obligations placed on organisations by their auditors) and, if appropriate, it should be amended to maintain its relevance. The policy should be ratified through the appropriate governance route within the organisation with final approval being provided by an appropriate senior group, for example the Information Governance Committee within a large organisation or by the senior executive team within a smaller organisation.
91 To support the implementation of the policy, organisations should develop local guidance outlining how records are managed within their organisation, including what they should contain, what format they should be held in, where they should be stored, what the file structure and naming conventions should be and the security measures which must be put in place to prevent inappropriate access.
Contact
Email: DHCIG@gov.scot