Health and social care - records management: code of practice
Guide to the required standards of practice in the management of data, information and records for those who work within or under contract to NHS organisations in Scotland. It is based on current legal requirements and professional best practice.
Section 4 - Data, Information and Records Lifecycle Management
92 This section provides organisations with guidance regarding how to manage records throughout their lifecycle. As outlined in Section 2.1, this Code of Practice adopts the approach of the Public Records (Scotland) Act 2011 (PRSA), Part 1 Section 13(1), which states that “record” means anything in which information is recorded in any form. Hereafter, ‘records’ is used as the overarching term for all records, information and data held by organisations regardless of type and format.
4.1 Records Management Plan/Framework
93 Section 1 of the PRSA requires every public authority to prepare a “Records Management Plan” (RMP), setting out proper arrangements for the management of its public records throughout their lifecycle.
94 The Keeper’s Model RMP[17] provides public authorities with a framework to set out how their records are being managed. It is separated into 15 elements and each public authority is required to report on their status for each element to the Keeper of the Records of Scotland and provide evidence to demonstrate this. The elements are as follows:
Figure 2 Records Management Plan Elements
1. Senior Management Responsibility
2. Records Manager Responsibility
3. Records Management Statement
4. Business Classification
5. Retention Schedule
6. Destruction Arrangements
7. Archiving and Transfer Arrangements
8. Information Security
9. Data Protection
10. Business Continuity and Vital Records
11. Audit Trail
12. Competency Framework for Records Management Staff
13. Review and Assessment
14. Shared Information
15. Public records created or held by third parties
95 Health and social care organisations working within the private, third party or voluntary sectors should ensure that they manage the records in line with the contracting organisation’s Records Management Plan.
4.1.1 ISO 15489 Information and Documentation
96 Organisations should refer to ISO 15489 Information and Documentation - Records Management Standard[18], which focuses on the business principles behind records management and how organisations can establish a framework to enable a comprehensive records management programme. This can be used to support the implementation of the organisation’s Records Management Plan.
97 The standard describes the characteristics of a record (authenticity, reliability, integrity, and usability). These characteristics allow strategies, policies, and procedures to be established that will enable records to be authentic, reliable, integral, and usable throughout their lifecycle. It is essential that a records management process is designed that will allow records to possess these characteristics. To ensure that these characteristics are maintained, sufficient persistent metadata (see section 4.7.2) must be attached to each record.
98 The industry standard for the design and implementation of records management, as given in the ISO standard ISO15489, is an eight-stage process that can be summarised as follows.
Figure 3 Implementation of record keeping process
- Conduct preliminary investigation
- Analyse business activity
- Identify requirements for records
- Assess existing systems
- Identify strategies to satisfy requirement
- Design records system
- Implement records systems
- Conduct post implementation review.
99 In addition to the stages outlined above, in most cases an information risk assessment should also be conducted. The risk assessment should include identified privacy risks in compliance with the Information Commissioner’s Office Data Protection Impact Assessment Guidelines.
100 To support implementation of ISO 15489, the British Standards Institution developed BS 10025:2021 – Management of Records Code of Practice. It sets out recommended good practices for organisations to follow in the management of their records, to support the implementation in practice of the principles detailed in ISO 15489.
4.2 Records Survey
101 Implementing and maintaining an effective records management system depends on knowledge of what records are held, where they are stored, who manages them, in what form(s) they are made accessible, and their relationship to organisational functions (e.g. Finance, Estates, IT, Direct Patient Care etc.) and how the records link to the organisational Business Classification Scheme. An information survey or record audit is essential to meet this requirement to ensure control over the records and provide valuable data to inform future workplans and for developing records appraisal/disposal policies and procedures.
102 It will aid organisations to know:
- what series of records it holds (and potential quantities)
- the location of its records (outlining security/access measures)
- the format of its records
- the business area that created the record
- the Information Asset Owner (responsible manager)
- disposal potential for the coming year.
103 The process can also be used as an opportunity to support asset owners with their records management responsibilities.
104 Organisations should annually audit their records management practices as part of their existing audit activity. This can include checking for adherence with this Code of Practice. Results of audits should be reported through the appropriate governance routes and updated on the organisation’s RMP. For public authorities this is a requirement under Part 1 Section 5(1)(a) of the PRSA and Element 13 of the Keeper’s Model RMP.
105 This audit must be extended to all organisations processing information on behalf of NHS Boards.
4.3 Managing Records
106 Records are required to be managed throughout their ‘lifecycle’. This ‘lifecycle’ starts at creation or receipt of the record (information or data) in the organisation and continues throughout the period of its use, storage and review, and concludes with either confidential destruction or transfer to a designated place of deposit for archival preservation. All records in any format (paper, digital files, emails, and data held within digital systems or databases) should be managed through each stage of the lifecycle regardless of whether their lifespan is a single day or a lifetime. Organisations should ensure that they have policies and procedures in place to manage records through each stage of the lifecycle, which supports compliance with Part 1 Section 1(2)(b)(i) of the PRSA and Element 3 of the Keeper’s Model RMP. The stages are shown in Figure 4 and described as follows.
107 Stage 1 – Create
This stage refers to the creation or receipt of records by an organisation. It is important that careful consideration is given to the purpose of the record, how it will be identifiable in the future, how long it will require to be retained and the storage and security measures required. At this stage, it may be possible to determine if the record needs to be defined as a master copy of a record. See section 4.5.
Figure 4 The Information (Records) Lifecycle
- Create
- Use
- Maintain
- Review
- Dispose
108 Stage 2 – Use
Stage two reflects the point at which the record is in active use by the organisation. Active use can refer to the records being updated regularly, being referenced, used in the delivery of services or to inform decision making. This may also involve sharing of this record with other functional areas or organisations. During this stage it is important that: the record is reviewed to ensure it meets its intended purpose; security/access is monitored to ensure it is only accessible by those who have a justified need to access it; and version control is utilised to ensure points of change can be identified.
109 Stage 3 – Maintain
At this stage the record has fulfilled its intended purpose and becomes inactive, whereby the content is no longer altered but the record continues to be stored by the organisation. The record should be ‘closed’ (see section 4.11) and consideration given as to whether the retention period can be triggered. It is essential that the record is stored appropriately in order that: it continues to be visible to the ‘owner’, it can be identified when requested and it is managed through the final stages of its lifecycle. Access should continue to be monitored and any change to the storage or format of the record should be carefully considered. A further consideration is that at this point the records may be re-used for another purpose, for example for research, service improvement or as evidence in an investigation where a copy may be taken to form part of a new record.
110 Stage 4 – Review
At this stage of the lifecycle some records require to be reviewed and considered for continued retention, transfer to long term or offline storage, transfer to a permanent preservation facility or destruction. It is crucial at this stage that the ‘owner’ of the record has oversight of this decision making and that decisions are based upon business use, legislative requirements, and the organisation’s retention schedule. For some records, especially those in digital systems, automated deletion functionality may have been applied to appropriate record types, which negates the need for manual review of these record types. See 4.12 for further information.
111 Stage 5 – Dispose
The final stage of the lifecycle is the disposal of the record, either through transfer to the organisation’s designated permanent place of deposit or by confidential destruction, so that the record is put beyond any possible reconstruction. Organisations should put in place robust procedures to ensure the secure and confidential destruction of records containing personal data. They should also record the disposal (destruction or deposit) of records on disposal logs and/or obtain destruction certificates where required, and particularly in the event of the destruction of personal data.
4.4 Creating Records
112 Organisational units/departments should have in place procedures for documenting their activities. This process should consider the legislative and regulatory environment in which the department operates.
113 At the point of creation, consideration should be given as to the purpose of the record and how it should be constructed in order to fulfil this purpose.
114 Records of organisational activities should adhere to the following records management principles as defined by the National Records of Scotland:[19]
Authentic
It must be possible to prove that records are what they purport to be and who created them, by keeping a record of their management through time. Where information is later added to an existing document within a record, the added information must be signed and dated. With digital records, changes and additions must be identifiable through audit trails.
Accurate
Records must accurately reflect the activities and transactions that they document.
Accessible
Records must be readily available when needed.
Complete
Records must be sufficient in content, context, and structure to reconstruct the relevant activities and transactions that they document.
Comprehensive
Records must document the complete range of an organisation’s business.
Compliant
Records must comply with any record keeping requirements resulting from legislation, audit rules and other relevant regulations.
Effective
Records must be maintained for specific purposes and the information contained in them must meet those purposes. Records will be identified and linked to the business process to which they are related.
Secure
Records must be securely maintained to prevent unauthorised access, alteration, damage or removal. They must be stored in a secure environment, the degree of security reflecting the sensitivity and importance of the contents. Where records are migrated across changes in technology, the evidence preserved must remain authentic and accurate.
115 This is in order to:
- allow employees to undertake appropriate actions in the context of their responsibilities;
- facilitate an audit or examination of the organisation by anyone so authorised;
- protect the legal and other rights of the organisation, its patients, staff, and any other people affected by its actions;
- ensure the authenticity of the records so that the evidence derived from them is shown to be credible and authoritative.
116 When creating and/or collating personal data in the formation of records, organisations must ensure that the collection of this data is necessary, justified, and proportionate, in support of data protection principles and therefore supporting compliance with Element 9 – Data Protection of the Keeper’s Model RMP.
4.5 Defining Records
117 Within the organisation, there should be guidance to provide staff with a clear understanding of what constitutes a record and what records require to be kept. Organisations should adopt a master record approach, where a primary instance of the record is held. Master copies should be retained in line with the organisation’s retention schedule. A master copy of a record should be managed in a way that will fix it in an accessible format until it is appraised for further value or disposed of, in line with the retention schedule. Some activities will be pre-defined as creating records which require to be kept, such as health records or minutes and papers of board meetings. Other records will need to fulfil the criteria as being worth keeping, such as unique instances of a business document, emails, or datasets.
4.5.1 Duplicate Records
118 Duplicate copies of records should be marked as such (preferably with the identification of the original IAO) to prevent being used as a master record in error. Copies of records are not usually required to be retained in line with the original retention period. They may be able to be held for a short period of time and disposed of once the business purpose for the record has ceased. However in some cases they may subsequently form part of a different record type, for example evidence in an investigation file or as part of a multi-agency record, and may require to be retained for longer.
119 Where data is duplicated, either due to data warehousing or backup systems, the organisation must be in a position to comply with current legislation, particularly in terms of data quality and accuracy, implementation of rights to deletion, withdrawal of consent for processing personal data and retention schedules across all instances. Information Asset Registers must hold information about data replicated in other systems. Master data management tools must be used where possible to support master data management, removing duplicates and incorporating data rules and standardisation controls to produce an authoritative source of master data. The controls are applicable to any record regardless of format.
4.5.2 Transient Information
120 Transient information is that which is deemed to be temporary, superseded or of little value, which would not be declared as a record itself. Examples include:
- A blood pressure result written on a post-it note which is transferred into the digital patient health record (superseded);
- A telephone message passed from one staff member to another (temporary);
- A draft document superseded by a final version (superseded);
- An email outlining that someone will be late for a meeting (temporary);
- Notes in a paper or digital notebook (temporary);
- Communications making arrangements for lunch (little value).
121 This information once transferred to the appropriate record, acted upon, or superseded should be held for a minimum amount of time, if at all. Individual employees do not need formal authorisation (from the IAO or line manager) to destroy transient information, so long as the records are not needed for an investigation or to respond to a request for information and the destruction is carried out in a secure manner. However, employees sometimes need help in determining whether information is transient or not and such queries should be referred to the organisation's Records Manager.
122 Transient information can be in paper or digital format. Across organisations there are a range of digital portals. These technologies generate transient records which are still subject to records management and information governance, particularly in terms of security measures and access controls. Any decisions made in relation to health and social care interactions using information that is accessed from digital portals must be recorded within the health or social care or social work record. Audit logs showing the information/documents that were accessed must therefore be retained. If transient information is recorded on paper, the information must be transcribed into the record before the paper version is destroyed.
4.6 Registering Records
123 Organisations should maintain a register of information assets, commonly known as an Information Asset Register (IAR). It should contain details of the records (regardless of format) stored and maintained by the organisation, including any risks associated with them and should be reviewed annually.
124 Assets should be registered at record collection level. Information Asset Registers should contain the following details of each asset:
- the name, purpose and description
- the IAO and Information Asset Administrator (IAA)
- its format, location and the security applied
- its corresponding function in the Business Classification Scheme
- the retention period which should be applied
- any identified risks and mitigations.
125 When creating a new type of record, an initial information risk assessment should be conducted in conjunction with those responsible for records management, information security and data protection. An IAO should be designated and they are responsible for conducting the information risk assessment. Any new information asset (e.g. a new type of record) should be registered. Of note, a single system may have more than one information asset with different IAOs, e.g. clinical data vs. operational logs may have different IAOs.
126 The UK General Data Protection Regulation (UK GDPR) requires organisations to maintain a record of processing activities (ROPA) under its responsibility. This also fulfils part of the requirements under Element 9 – Data Protection of the Keeper’s Model RMP. The ROPA can be linked to or detailed within an Information Asset Register providing it contains details of the information processed by the organisation (digital or otherwise), the sensitivity and classification, the information risk, groups of users and who the information is shared with.
4.7 Identifying Records
127 Records must be easily identifiable using naming conventions and metadata. The naming or labelling of digital or paper files must clearly identify the contents of the file, the time period which it relates to and the version number where applicable. Information Asset Registers should allow the identification of IAOs.
4.7.1 Naming Conventions
128 Organisations must have guidance for naming conventions of digital records (files and folders); this helps identify records using common terms and titles. They also enable users to distinguish between similar records to determine a specific record when searching the file system. Naming conventions need not be overly prescriptive or formalised, but they must be clear and well defined. Without naming conventions there is a significant risk of records being destroyed or lost within the file system.
129 Equivalent conventions must exist for use of ‘Subject’ fields in email systems, adding relevant tags for the classification of the information.
130 National Records of Scotland guidance states: “A document name should be made up of the following components:
Description - the topic and subject matter. This component may be used numerous times as documents are created and saved relating to the same subject. This should adequately describe the contents out with the folder structure.
Type - the document type e.g. letter, report, minutes, etc. Not to be confused with format e.g. Excel spreadsheet
Date, if appropriate - the date of, publishing/approval, or of an event, meeting and used to distinguish the document from others on the same topic. The most practical format for dates is YYYY-MM-DD or YYYYMMDD as per ISO8601[20] Date and Time Format. This allows for easier searching and sorting.
Version Number - used to keep track of changes made to the document. Not applicable to emails.”
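The four components above can be checked automatically when files are saved or during a records survey. The following is an added example, not part of the Code of Practice or of National Records of Scotland guidance; the underscore separator, the `v1.2` version style and the short list of document types are assumptions standing in for an organisation's own conventions.

```python
import re
from datetime import datetime
from pathlib import PurePath

# Assumptions (not from the guidance): "_" separates components, versions look
# like v1 or v1.2, and these sets stand in for an organisation's controlled lists.
SEPARATOR = "_"
DOCUMENT_TYPES = {"letter", "report", "minutes", "policy", "agenda"}
FORMAT_WORDS = {"excel", "word", "pdf", "spreadsheet", "xlsx", "docx"}
VERSION_RE = re.compile(r"^v\d+(\.\d+)?$", re.IGNORECASE)
# The two date layouts the guidance names: YYYY-MM-DD and YYYYMMDD.
DATE_FORMATS = (("%Y-%m-%d", re.compile(r"^\d{4}-\d{2}-\d{2}$")),
                ("%Y%m%d", re.compile(r"^\d{8}$")))
# Anything date-shaped, so that 12-04-2023 is reported rather than read as text.
LOOKS_LIKE_DATE = re.compile(r"^\d{1,4}[-./]?\d{1,2}[-./]?\d{1,4}$")


def parse_date(token):
    """Return a date for an accepted layout, or None (wrong layout or no such day)."""
    for fmt, shape in DATE_FORMATS:
        if shape.match(token):
            try:
                return datetime.strptime(token, fmt).date()
            except ValueError:  # e.g. 2023-02-30
                return None
    return None


def check_name(filename):
    """Return (components, problems) for one file name that carries an extension."""
    parts = [p.strip() for p in PurePath(filename).stem.split(SEPARATOR)]
    found = {"description": None, "type": None, "date": None, "version": None}
    problems = []

    # Work from the right: version and date are optional, type is not.
    if parts and VERSION_RE.match(parts[-1]):
        found["version"] = parts.pop().lower()
    if parts and LOOKS_LIKE_DATE.match(parts[-1]):
        token = parts.pop()
        found["date"] = parse_date(token)
        if found["date"] is None:
            problems.append(f"date '{token}' is not a valid YYYY-MM-DD or YYYYMMDD date")

    doc_type = parts.pop().lower() if parts else ""
    if doc_type in FORMAT_WORDS:
        problems.append(f"'{doc_type}' is a file format, not a document type")
    elif doc_type not in DOCUMENT_TYPES:
        problems.append(f"'{doc_type}' is not a recognised document type")
    else:
        found["type"] = doc_type

    found["description"] = " ".join(p for p in parts if p) or None
    if found["description"] is None:
        problems.append("description is missing")
    return found, problems


def audit(filenames):
    """Map each non-conforming name to its list of problems."""
    failures = {}
    for name in filenames:
        _found, problems = check_name(name)
        if problems:
            failures[name] = problems
    return failures


# Constructed sample names for illustration only.
SAMPLE_NAMES = [
    "Infection Control Policy Review_Report_2023-04-12_v1.2.docx",
    "Board Meeting_Minutes_20230412.pdf",
    "Board Meeting_Minutes_12-04-2023.pdf",
    "Staffing Figures_Excel_2023-02-30_v2.xlsx",
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_NAMES).items():
        print(name, "->", "; ".join(problems))
```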
4.7.2 Metadata
131 Metadata is structured information that enables us to describe, locate, control, and manage other data/information/records throughout its lifecycle. Metadata can be broadly defined as "data about data". Metadata is defined in ISO 15489 as: data describing context, content and structure of records and their management through time. It refers to the searchable definitional data that provides information about or documentation of other data managed within an application or environment. For example, a library catalogue, which contains data about the nature and location of a book, is descriptive metadata about the book but is not the book itself.
132 Organisations should therefore ensure that metadata includes as a minimum, elements such as the title, subject and description of a record, the creator and any contributors, the date and format. For patient health records, organisations must also ensure that they use the appropriate DST Code as outlined within the Scottish Clinical Indexing Standards[21] and the patient’s CHI number where appropriate.
133 The UK Government Central Digital and Data Office states within its Metadata Standards for Sharing and Publishing data guidance[22] that the open standards Schema.org[23] and Dublin Core[24] are both recommended for government[25] use.
4.7.3 Version Control
134 Organisations should include details of the current and previous versions of the record in the metadata and/or using naming conventions for such purpose. Appropriate version control arrangements that support the management of multiple revisions to the same document should be in place, to ensure that the most up to date versions are being referred to by staff or to ensure that the record which was in place at a certain point in time is easy to identify. To assist with version control for an organisation’s controlled documents e.g. policies, guidelines, procedures, it is recommended that document control forms are also in place, which detail the version history and changes applied. Some systems automatically generate version histories for example within SharePoint; however, this can result in a new version being ‘logged’ each time a change is made and may not reflect the version history for long-standing documents which have been migrated into the system.
4.8 Storing Records
135 Records created by organisations should be arranged in a record management system that will enable the organisation to obtain the maximum benefit from the quick and easy retrieval of records whilst also having regard to security frameworks.
136 Paper and digital record management systems should include descriptive, contextual, and technical documentation and metadata to enable the system to be operated efficiently, and to allow the records held in the system to be easily understood. It should be clear from this documentation the administrative history and context of the records. The systems should also enable clear rules for the labelling and protective marking of records to maintain security and confidentiality, whilst aiding efficient record retrieval.
4.8.1 Structuring Records
137 Records should be structured within an organisation-wide corporate ‘file plan’ or Business Classification Scheme which reflects the functions and activities of the organisation and facilitates the appropriate sharing and effective retrieval of records. This supports the organisation’s requirements under Element 4 of the Keeper’s Model RMP and the requirements of ISO 15489.
138 The Business Classification Scheme can be implemented as the structure of files and folders in a paper filing system, on a network shared drive or as metadata/labelling/tagging within an Electronic Document and Records Management System (EDRMS). Classification schema should be structured by function and then further refined to produce a classification tree based on function, activity, and transaction. The transaction can then be assigned a rule (such as retention period), a security status or other action based on the organisational policy. The scheme will enable appropriate management controls to be applied and support more accurate retrieval of information from record systems. A Business Classification Scheme should not be based on organisational/departmental structure as this is subject to periodic change.
Figure 5 Business Classification Scheme
- Function: Workforce
  - Activity: Recruitment
    - Transaction: Job Advert
    - Transaction: Application Forms
    - Transaction: References
4.8.2 Securing Records
139 Records must be stored in a secure environment to prevent unauthorised access, alteration, damage, or removal. The level of security should reflect the sensitivity and importance of the information.
140 Information Security, Element 8 of the Keeper’s Model RMP, is a compulsory element under Part 1 Section 1 (2)(b)(ii) of the PRSA. Organisations must ensure that they have appropriate measures in place to protect information and be able to demonstrate this in evidence.
141 The 6th Data Protection Principle detailed in Article 5(1)(f) of the UK GDPR requires organisations to take reasonable technical and organisational security measures to protect information from unauthorised access, unlawful processing, accidental loss, destruction, or damage.
142 The Public Sector Cyber Resilience Framework supports Scottish public sector organisations to improve their cyber resilience and comply with a range of legislative, regulatory, policy and audit requirements in respect of cyber security. NHS Boards specifically also have to comply with Network and Information Systems Regulations 2018.
143 It is recommended that organisations implement a protective marking scheme. This could, for example be based on the Cabinet Office Government Security Classifications defined protective marking scheme which is used by both central and local government. It is best practice that patient/service user data is classed as ‘Confidential’. For those organisations implementing Microsoft 365, this could be implemented within the ‘Sensitivity Label’ functionality.
144 The paper records management system in place in most organisations is not necessarily an appropriate model for managing digital records. This is because the nature and volume of digital records, the variety of file formats, the distribution of the storage and duplication (e.g. parallel datasets), the way records are backed up and preserved, and the difficulty of implementing retention policies (unless they are embedded in the initial digital infrastructure) must all be considered when securing digital records.
145 Digital records management needs to be very carefully considered and structured to ensure the integrity of the records is not compromised upon capture and during storage, so that data remains accessible and understandable for as long as it is required.
146 User access controls provide essential mitigation against the risks to records inherent in many digital systems. These controls include user registration and de-registration, user access provisioning, review of user access rights and the removal or adjustment of access rights. They also include the prohibition of shared accounts and access to information based on a need-to-know basis. Organisations must implement, where possible, monitoring systems to allow automated escalation of access misuse to digital records.
4.8.3 Accessing Records
147 Organisations should have processes, procedures, and technical controls in place to support the business continuity of records to ensure they are readily available when needed. This can be as simple and straightforward as ensuring that users do not store records in places which are not accessible to others (for example their computer desktop, electronic personal drive/OneDrive, or a locked filing cabinet), and can range to organisations having IT disaster recovery plans and back up processes to support the creation and management of records which are required for the operational delivery of services. Organisations are required to detail the measures in place under Element 10 of the Keeper’s Model RMP.
148 Organisations should also ensure that the appropriate access controls are applied to records to ensure that they are not inappropriately accessed. This is particularly important where the records contain business sensitive or personal data. Organisations should ensure that IAOs are aware of their responsibilities in this area and that access controls should be reviewed on a routine basis.
4.8.4 Paper Records Storage
149 It is essential that paper records are stored in the correct environment. Guidance on the requirements can be found in BS 4971:2017 Conservation and care of archive and library collections. Environmental factors can have a significant impact on the structural integrity of the record and could result in significant damage to the paper which could result in the record being unreadable or damaged beyond use.
150 The following factors must be considered when identifying suitable storage for paper records:
- Accessibility to easily identify and retrieve records;
- Security measures to prevent unauthorised access;
- Ability to control environment to protect against pests, excessive heat/light, mould, dirt, and damp;
- Flood/water ingress prevention;
- Fire protection.
151 Organisations should ensure that appropriate shelving is put in place, as well as identifying suitable packaging and labelling materials which are not subject to deterioration if required for long term storage.
152 Clear guidelines/procedures should be put in place to ensure that departments hold inventories of what records are contained in the storage area. The procedures should also outline the requirement for easy identification of records for disposal via the use of labels which clearly identify the:
- content owner (generally a department/team rather than a person);
- content subject matter;
- date of creation;
- date of destruction or requirement to retain permanently;
- box/file reference number.
4.8.5 Digital Records Storage
153 Where records are kept in digital form, wherever possible they should be held within an Electronic Document and Records Management System (EDRMS) which conforms to the standards of the European Union Model Requirements for the Management of Electronic Documents and Records (MoReq2)[26].
154 Where an EDRMS is not yet available, digital records should be stored on organisation approved shared network servers or Microsoft SharePoint in a clear and meaningful folder structure. The folder structure and/or associated metadata should reflect the organisation's file plan or Business Classification Scheme, which represents the functions and activities of the organisation. The server should be subject to frequent back-up procedures in line with the Public Sector Cyber Resilience Framework/NIS Regulations 2018. Users should apply the functionality of the relevant software to protect digital records against inappropriate amendment. Of note, it is almost impossible to fully protect documents in a non-EDRMS environment or provide full audit and authenticity evidence.
155 Cloud-based solutions are increasingly being implemented across organisations. The ICO cloud storage guidance must be followed and a data protection impact assessment must be conducted. Where possible, organisations should seek to ensure that their records, especially those which are sensitive, are stored on cloud-based solutions which have servers within the UK. Important considerations are:
- best practice records management must be applied, regardless of whether the cloud offers almost unlimited storage capacity. Records must not be kept longer than required;
- changes of cloud solutions or providers may require the transfer of large amounts of records between digital platforms. A risk assessment must be conducted, and future interoperability must be considered prior to commissioning any solution.
4.8.6 Long Term Storage
156 Where records have been identified as inactive and have been closed, in some circumstances, it may be required to move them to long term storage within the organisation until they reach the retention period. This can be due to storage capacity/costs, the requirement to keep them secure or the requirement to protect their authenticity and integrity.
157 The transfer of records to long term storage should only be considered for records which have long retention periods and are not suitable for transfer to a designated place of deposit. For paper records this could mean moving the files from a filing cabinet into boxed storage within a dedicated record store. For records in digital systems this could mean moving the records from a legacy system into a supported platform. When moving digital records, there can be a greater risk to the integrity of the records from moving them than from leaving them in situ. This should be considered, and file fixity checks should be carried out to confirm the integrity and authenticity of the records. The organisation's Records Manager should be involved in these projects.
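The file fixity check mentioned in paragraph 157 can be sketched as follows. This is an added example, not part of the Code of Practice: the choice of SHA-256, the function names and the sample file names are assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field


def sha256_of(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so large records need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every file under root.

    Taken on the legacy system before the move, this is the fixity baseline.
    """
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


@dataclass
class FixityReport:
    verified: list = field(default_factory=list)    # digest matches the baseline
    missing: list = field(default_factory=list)     # in baseline, absent after the move
    altered: list = field(default_factory=list)     # present, but digest differs
    unexpected: list = field(default_factory=list)  # not in baseline at all

    @property
    def passed(self):
        return not (self.missing or self.altered or self.unexpected)


def verify_migration(source_manifest, destination_root):
    """Re-hash the destination and compare it with the pre-move manifest."""
    destination = build_manifest(destination_root)
    report = FixityReport()
    for rel, expected in sorted(source_manifest.items()):
        actual = destination.get(rel)
        if actual is None:
            report.missing.append(rel)
        elif actual != expected:
            report.altered.append(rel)
        else:
            report.verified.append(rel)
    report.unexpected = sorted(set(destination) - set(source_manifest))
    return report


if __name__ == "__main__":
    # Constructed sample data: two small files standing in for a record set.
    source, target = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(source, "ward7"))
    with open(os.path.join(source, "ward7", "notes.pdf"), "wb") as f:
        f.write(b"constructed scan")
    with open(os.path.join(source, "index.csv"), "wb") as f:
        f.write(b"ref,last_entry\n1,2004-09-30\n")

    baseline = build_manifest(source)            # before the move
    shutil.copytree(source, target, dirs_exist_ok=True)
    with open(os.path.join(target, "index.csv"), "ab") as f:
        f.write(b"\n")                           # simulate silent alteration

    result = verify_migration(baseline, target)  # after the move
    print("passed:", result.passed)
    print("altered:", result.altered)
```

The manifest itself is evidence of integrity, so it should be stored separately from the records it describes and kept with the migration documentation.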
4.8.7 Offsite Storage
158 It is vital to highlight the importance of actively managing records which are stored in offsite storage. This applies to both paper records and digital records stored in cloud-based solutions. Organisations should ensure:
- IAOs are identified for the records, as with any others, and work in conjunction with Records Managers to commission new off-site storage, with DPOs involved for new processing of personal data;
- IAOs work with Records Managers to commission new off-site storage;
- DPOs are involved in commissioning processes where personal data is being processed and a Data Protection Impact Assessment (DPIA) is conducted to document this;
- there is a full inventory of what is held offsite;
- an entry is included in the organisation’s IAR for the record set;
- retention periods are applied to each record;
- a disposal log is provided;
- there is evidence of secure disposal of records;
- they provide clear instructions relating to all processing of offsite records including destruction of the records;
- they can access the storage facility to conduct the appropriate checks when required;
- they have agreed how their records will be retrieved and within what timeframe they will be returned, for example to respond to subject access and FOI requests;
- where suppliers/contractors are being used, they are subject to regular monitoring, including at contract reviews as part of healthy supplier relationship management.
159 The National Archives has produced guidance to support organisations with the considerations which need to be taken into account when sourcing offsite storage for paper records. It can be accessed via: Identifying and Specifying Requirements for Offsite Storage of Physical Records.
4.9 Digitising Records
160 Wherever possible, organisations should move to digital records. Although the original paper record guarantees the authenticity of the record, access can be more difficult to audit, there are physical storage implications and the records can be harder to access and share in a timeous manner. However organisations should also be mindful that although there is a cost-saving element associated with digitising records, equally, saving all digital records with no records management controls in place will similarly incur costs and is environmentally unsustainable.
161 Where possible, digital records management processes should be as environmentally friendly as possible to help contribute towards the Scottish Government’s target to reduce its carbon footprint and environmental impact. An example would be to replace outdated IT servers with up-to-date energy efficient systems, reducing the amount of energy required for the solution.
4.9.1 Digitisation
162 Digitisation is the conversion of analogue (paper) to digital format. Digitising records may provide an opportunity to:
- increase efficiency;
- improve service delivery;
- enhance reporting;
- reduce storage space;
- reduce costs.
163 Organisations can digitise records by scanning current records into a digital storage solution or system. They should put in place robust procedures to manage control of access, retrieval, and use of records to ensure continued integrity, reliability, and authenticity of the records as well as their accessibility for the duration of their retention including the time of their disposal or archival preservation.
164 The key considerations an organisation should take into account when digitising records are:
- What information needs to be digitised and why?
Should the records be securely destroyed without being digitised? Do all records require digitisation or just current or active files? There needs to be a clear rationale for digitisation, such as business efficiency, reduction of storage space or improvements in service delivery.
- Are the records suitable for digitisation?
Consider the size and condition of the paper records: how large they are and how the digitised files will be used. For example, would it be feasible for someone to scroll through pages of scanned information to locate what they need without keyword searching? For large files such as patient health records, it is advisable to scan into distinct sections that reflect the paper record structure.
- Who will own/manage the records once digitised?
Information Asset Owners for the records should be identified. It is essential that ownership of the records is outlined to ensure that staff are aware of their responsibility to continue to manage the records.
- How will the records be quality checked?
All digitised records should initially be quality checked, but the number that should be checked can drop incrementally over time. A minimum number, e.g. 5% of digitised records should always be quality assured to ensure:
- Completeness (have all pages been scanned);
- Legibility (can the pages be read/interpreted. Any issues with quality should be noted to indicate original condition; this can be done by utilising poor quality stamps or set scan sheets that state the digitised records are reproductions from poor quality originals);
- Accuracy (is the digitised image an exact replica of the original document);
- Legal admissibility (in accordance with BS 10008: 2020 Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically: 1 & 2).
- Where will the records be stored?
Consideration is required as to whether there is sufficient space to store large files; will more files be added in the future, and how much more storage will be needed.
- In what format will the records be stored?
Organisations should consider the format in which the records will be stored in the digital solution. For example, PDF/A is specifically designed with long term preservation in mind.
- How will the records be identified?
Organisations should consider what details should be required for the naming convention and/or metadata. They should also consider where the tagging functionality is supported and what tags could be applied alongside naming conventions and metadata to support the quick and accurate identification of information. Where possible it is important that standardised naming conventions/metadata/tagging are applied to specific record types: for example the Scottish Clinical Document Indexing Standard[27] for health organisations.
- How long should the records be retained?
Paper copies should be kept for a minimum of three months following scanning so that any errors identified through quality checking processes can be rectified. The digitised record takes on the role of master copy and will be then subject to the relevant retention period as outlined in the organisation’s retention schedule. Once digitised and stored, the records will need to be managed in line with records management principles and the records lifecycle (see section 4.3 and 4.4).
- Have information risks been assessed?
For example, has a risk assessment or Data Protection Impact Assessment been undertaken?
165 The Institute of Health Records and Information Management (IHRIM) have produced guidance that can be useful for organisations considering scanning clinical records.[28]
4.9.2 Digitalisation
166 Distinct from digitising, digitalisation refers to the transformation of business processes or transactions through the use of digital technologies. This could also include the development of new systems or processes or the migration of existing data to a new system or platform.
167 Examples include:
- meetings held remotely by video conference;
- self-service check ins;
- data entry via online form directly into a system;
- implementation of a new clinical system.
168 When records are being moved from one system to another then it is likely that the structures used for the two systems will be different. To minimise risk to the records, organisations should gain an understanding of the following:
- The export and import functionality of both systems.
- The ways that metadata is captured and managed in both systems.
- File and object capture and management across both systems.
- Relationship management between objects, files, metadata, and other record-related relationship management across both systems.
- Any information types or formats that the decommissioning system has which cannot be captured or managed by the other system.
169 In cases where the processing of personal data is involved, a DPIA will be required. To ensure that any impact to records created, used, accessed, or stored by the proposed system or migration is assessed, it will be necessary to consider the following:
- Risk
- Ownership
- Record type
- Volume
- File format
- Security/access
- Retention/disposal
- Back-up/recovery
- Source of information
- Link to other information
- Information structure
- Information sharing
- Migration
- Data mapping
- System testing
- System decommissioning
4.10 Sharing Records
170 There are a range of statutory provisions that limit, prohibit, or set conditions in respect of the disclosure of records to third parties and similarly a range of provisions that require or permit disclosure. The key statutory requirements can be found in Section 2.3 Regulatory Framework: Legal and Professional Obligations.
171 The mechanisms for transferring records from one organisation to another should also be tailored to the sensitivity of the material contained within them and the media on which they are held.
172 Data Protection Officers and Caldicott Guardians should be able to advise on the appropriateness of disclosing or transferring records which contain personal data and any requirement for gathering further authorisation.
173 Information Security staff should be able to advise on appropriate safeguards. The NIS Regulations and the PSCRF set out the requirements for the safe handling and transmission of records, across a range of media.
174 Modern digital records may have very complex and distributed architectures. Nevertheless, the organisation must be able to comply with current legislation, regardless of how distributed the records are. When the record interlinks with sources of data outwith the boundaries of the organisation, arrangements must exist between the information sharing partners to ensure compliance and execution of personal rights in a smooth manner along the data flow.
175 Organisations must ensure that they have robust procedures/agreements in place for the sharing of information and that this is clearly documented. They should clearly consider the implication of information sharing on records management and, where personal data is concerned, must take privacy and data protection into account to ensure that sharing is appropriate, safe, and secure. This supports the organisation with Element 14 – Shared Information of the Keeper’s Model RMP.
4.11 Closing Records
176 Records should be closed, i.e. made inactive as soon as they have ceased to be in active use. An indication that a file of paper records or folder of digital records has been closed, together with the date of closure, should be shown on the record itself as well as noted in the index or database of the files/folders. The date of ‘closure’ can be the trigger for the start of the retention period, i.e. closure of investigation, completion of action plan.
177 The storage of closed records should follow accepted standards relating to environment, security, and physical organisation of the files.
4.12 Reviewing Records
178 Reviewing records, also known as appraisal, refers to the process of determining whether records require to be either retained for longer, destroyed as they have reached the end of their retention period, or are worthy of archival preservation. To support staff with the review of records, organisations should put a retention schedule in place, outlining the time period which each record should be retained for – see section 4.14.
179 In some cases the deletion of digital records may be automated within a system or platform such as Microsoft 365, negating the requirement for a review. This would only be applied to records where it is appropriate to set deletion at the end of a retention period without the requirement for further review by a person. However functionality should be put in place to enable organisations to prevent the automated deletion in circumstances when the records require to be retained for longer, for example in the event of investigations or public inquiries. Robust procedures are also required in order to inform information asset owners of circumstances where records require to be retained for additional purposes.
180 At the end of the relevant retention period, one or more of the following actions will apply:
Retain: records may need to be kept for longer than the retention period due to ongoing administrative and/or clinical/care need. As part of the review, the organisation should have regard to data protection legislation, which requires that personal data is not kept longer than is necessary. If it is decided that the records should be retained for a longer period, the internal retention schedules will need to be amended accordingly and a further review date set. Otherwise, one of the following will apply:
Transfer: to the organisation’s designated place of deposit or consult an archivist or the National Records of Scotland, if the records have no ongoing administrative value but have, or may have, long term historical or research value. This is a compulsory element under Part 1 Section 1(2)(b)(iii) of the PRSA and Element 7 of the Keeper’s Model RMP. Organisations that do not have their own archivist should consult an NHS/Local Authority Archivist or the National Records of Scotland for advice;
Destroy: where the records are no longer required to be kept due to statutory requirement or administrative or clinical/care need, and they have no long term historical or research value.
181 Organisations will need to bear in mind the need to retain records where there is any risk that they may be required to consider/defend any legal actions.
182 NHS Boards and GPs as producers of products and equipment are affected by the provisions of the Consumer Protection Act 1987 covering the liability of producers for defective products. They may also be liable in certain circumstances as suppliers and users of products. An obligation for liability lasts for 10 years and within this period the Prescription and Limitation (Scotland) Act 1973, as amended by the Consumer Protection Act 1987, provides that the pursuer must commence any action within three years from the date on which the pursuer was aware of the defect and aware that the damage was caused by the defect. It will be for NHS Boards and GPs to make their own judgement in such cases on whether any health records should be retained for this recommended period in order to defend any action brought under the Consumer Protection Act 1987.
183 Organisations should ensure that they have mechanisms in place to identify records, containing personal data, for which the appropriate retention period has expired, in line with the 5th data protection principle detailed in Article 5(1)(e) of the UK GDPR. It is acknowledged that organisations will have different mechanisms available to them to achieve this, and that these may vary depending on the medium on which the record is held. In relation to paper records, it is acknowledged that organisations may 'batch' records together e.g. on an annual basis, in order to make disposal decisions. In such instances, one approach to the calculation of retention periods would be to base it on the beginning of the year after the last date on the record. For example, a file in which the first entry is in February 2001 and the last in September 2004, and for which the retention period is six years would be kept in its entirety at least until the beginning of 2011.
184 It is important, when reviewing records or setting automated retention in systems, that the long term historical and research value of the records is taken into account. Support can be sought from the organisation’s identified Archivist as per Element 7 of the Keeper’s Model RMP. Records which document the history and development of the organisation and important policy decisions should be considered for archival preservation. In addition, samples of health records and older registers and ward journals may be valuable for historical medical and social research. Note that no surviving personal health or administrative record dated 1948 or earlier should be destroyed.
185 Records which meet the following criteria should also be considered for archival preservation (Note: this is not an exhaustive list and there may be other record types that would fall into this category):
- Board and major Committee minutes;
- Annual reports and accounts;
- Policy and strategy documents;
- Significant departmental reports, reviews, and investigations;
- A change to policy or procedure for delivery of care;
- National public interest;
- Regulatory action or records that document decision-making at a senior level;
- Sustained media attention;
- Serious case reviews e.g. published reports, records created and received in the course of implementing recommendations of serious case reviews;
- Records relating to any inquiry conducted under the Inquiries Act.
186 In line with the obligation placed upon the Keeper of the Records of Scotland (The Keeper) under PRSA, the National Records of Scotland has issued general guidance regarding public authorities’ archiving policies and transfer arrangements. This is available within the Keeper’s Model RMP Guidance to Element 7.
187 It is expected that only a small proportion of records will require archival preservation; however, appraisal before transfer is essential. For these purposes public authorities should have procedures and staff guidelines in place, written in consultation with the archivist from the designated place of deposit named in Element 7 of the Keeper’s Model RMP as required under Part 1 Section 1(2)(b)(iii) of the PRSA.
4.13 Disposing of Records
188 It is particularly important that the disposal of records – which is defined as the point in their lifecycle (stage 5) when they are either transferred to a permanent place of deposit for preservation or destroyed – is undertaken in accordance with clearly established policies which have been formally adopted by the organisation and which are enforced by properly trained and authorised staff. In addition, the disposal of master copies of records should be clearly documented on a records destruction/transfer log and approved by the appropriate Information Asset Owner.
189 Organisations should develop and implement a retention and disposal policy. The policy should be supported by, or linked to, the retention schedules (see section 4.14), and should cover all records created.
190 Staff in the operational area that ordinarily use the records will usually be able to identify records for disposal and/or destruction, which should be approved by the manager responsible for the area. Operational managers are responsible for making sure that all records are periodically and routinely reviewed to determine what can be disposed of or destroyed in the light of local and national guidance. Where possible, the process of appraisal, review and disposition should be automated, removing the need for staff to undertake the manual review of complex sets of records.
191 Once the appropriate period has expired, the need to retain records further for local use should be reviewed periodically. Because of the sensitive and confidential nature of such records and the need to ensure that decisions on retention balance the interests of professional staff, including any research in which they are or may be engaged, and the resources available for storage, it is recommended that the views of the profession's local representatives should be obtained. For example within a health organisation, clinicians have a responsibility to identify any health records that they would like to be retained longer and this extension needs to be clearly indicated on the patient record system or paper files.
4.13.1 Transfer to Designated Place of Deposit (Archive)
192 Once records are no longer in use by an organisation, have no ongoing administrative value but have, or may have, long term historical, research or corporate memory value they should be selected for archival preservation. They should be transferred to a designated place of deposit/archive once the business need or retention period has expired. This is a compulsory element under Part 1 Section 1(2)(b)(iii) of the PRSA and is covered within Element 7 – Archiving and Transfer Arrangements of the Keeper’s Model RMP. Organisations that do not have their own archivist should consult a Local Authority/University Archivist or the National Records of Scotland for advice.
193 Organisations should ensure that they have appropriate processes in place to transfer records of historical value. For health organisations, see sections 5.2 and 5.6 for further information on sampling patient health records for archival preservation.
194 When transferring records containing personal data, organisations must consider a living person’s data protection and confidentiality rights. Data protection legislation contains explicit provision for archiving purposes in the public interest as detailed in the Data Protection Act 2018 Schedule 2 Part 6, Paragraph 28. Organisations should inform archives of the period of time for which records containing personal data should not be available for access by the public, to ensure the data protection rights of the individual are upheld.
195 Best practice suggests that non-active records selected for archival preservation should be transferred as early as practicable and no later than 30 years from creation of the record, with digital records being transferred within a shorter period due to their inherent vulnerability to change or deletion.
196 Organisations should ensure that they have identified points of contact who coordinate the transfer of records. A process for the transfer of records should be agreed by both the organisation and place of deposit. It is also good practice to have transfer registers in place to ensure the organisation has oversight of their deposited records.
4.13.2 Destruction
197 Records (including copies) not selected for archival preservation and which are no longer required due to statutory requirement or administrative or clinical need should be destroyed in a secure manner appropriate for the level of confidentiality or protective markings they bear. This must be approved by a manager and can be undertaken on site or via an approved contractor. Destruction processes and procedures must be clearly defined and documented within the organisation as required under Part 1 Section 1(2)(b)(iii) of the PRSA and Element 6 of the Keeper’s Model RMP.
198 Confidential records should be destroyed in accordance with BSEN 15713:2023 - Secure Destruction of Confidential Material – Code of Practice. It is the responsibility of the organisation to ensure that the methods used throughout the destruction process provide appropriate safeguards against the accidental loss or disclosure of the contents of the records at every stage. Accordingly, contractors should be required to sign confidentiality undertakings and to produce written certification as proof of destruction for paper, hardware and digital systems. There is a common law duty of confidence to patients, service users and employees as well as a duty to maintain professional ethical standards of confidentiality. This duty of confidence continues after an employee or contractor has left the organisation. Obligations around confidentiality remain even after the death of a patient/service user.
199 It is important to have destruction policies for digital records. The ability to retrieve deleted digital data has inherent dangers for confidential information when hardware and software are discarded. It may also jeopardise the viability of a records management programme if records that are supposedly 'destroyed' can be retrieved from the system. Organisations should put processes in place to ensure that digital records are destroyed beyond any reasonable reconstruction on hardware. With regards to software, records should be destroyed to the point where they are not retrievable by the user and only retrievable by IT staff within back-ups for a short period of time. Back-ups are for the purposes of business continuity/disaster recovery only, not a ‘just in case’ and therefore should also be purged of destroyed records within an appropriate timescale. If hardware or software is to be discarded, advice must be sought from the relevant IT/Cyber Security Officer.
200 It is essential that the destruction process is documented. The following information should be recorded and preserved by the Records Manager, so that the organisation is aware of those records that have been destroyed and are therefore no longer available:
- description of record;
- reference number if applicable;
- number of records destroyed;
- format of record;
- date of destruction;
- who authorised destruction (Information Asset Owner);
- who carried out the process;
- reason for destruction (this should refer to the retention/disposal policy).
201 Disposal schedules would constitute the basis of such a record.
202 Whenever health records are being destroyed, this should be done with the necessary arrangements made to protect patient confidentiality where appropriate. The relevant Master Patient Index should be updated with the date of destruction so that this is immediately known should the patient present to the service at a later date, make a Subject Access Request or other request for information. It is important that records of destruction of health records contained in this retention schedule are retained permanently. No surviving health record dated 1948[29] or earlier should be destroyed.
203 Personal health records should not be destroyed before the end of the period stated in the Code of Practice Retention Schedule. These periods reflect the statutory time limits for legal action to be brought.
204 If a record due for destruction is known to be the subject of a request for information, or potential legal action, destruction should be delayed until disclosure has taken place or, if the organisation has decided not to disclose the information, until the complaint and appeal provisions of the Freedom of Information (Scotland) Act 2002 (FOISA) have been exhausted or the legal process completed. It is important to note that section 65 of FOISA, Regulation 19 of the Environmental Information (Scotland) Regulations 2004 and Section 35(1) of the Inquiries Act 2005 detail that it is a criminal offence to destroy records with the intent to prevent disclosure.
205 Data Protection legislation requires the controller to retain personal data no longer than is necessary for the purpose the information was obtained for. Ensuring personal data is disposed of when no longer needed will reduce the risk that it will become inaccurate, out of date or irrelevant.
206 In complex settings where the information is shared and maintained across different organisations, the retention period should ideally be consistent. Where this is not the case retention periods should be aligned to the longest retention period for that record type specified in the sharing organisations’ records retention schedules.
207 When digital systems are being designed, thought should be given as to how records can be destroyed within the system. In circumstances when automatic destruction functionality is implemented on a system, the system must also have the ability to place legal holds on records which may require to be retained beyond the defined retention period, for example due to an ongoing investigation or public inquiry.
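The batch retention calculation in paragraph 183 and the legal hold requirement in paragraph 207 can be combined into one disposal decision, sketched here as an added example that is not part of the Code of Practice. The field names, action labels and sample records are assumptions made for illustration; the 1948 rule comes from paragraphs 184 and 202.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Paragraphs 184 and 202: no surviving record dated 1948 or earlier is destroyed.
NEVER_DESTROY_UP_TO_YEAR = 1948


@dataclass
class Record:
    reference: str                    # box/file reference (constructed values below)
    last_entry: date                  # last date on the record
    retention_years: int              # from the organisation's retention schedule
    legal_hold: Optional[str] = None  # reason, e.g. an investigation or public inquiry
    archival_candidate: bool = False  # flagged at appraisal as having long term value


@dataclass
class Decision:
    action: str                       # HOLD, PRESERVE, RETAIN, TRANSFER or DESTROY
    due: date                         # earliest date disposal could be considered
    reason: str


def earliest_disposal_date(last_entry, retention_years):
    """Paragraph 183 batch rule: the period runs from the beginning of the
    year after the last date on the record."""
    return date(last_entry.year + 1 + retention_years, 1, 1)


def disposal_action(record, today):
    """Decide what an automated disposal job may do with one record."""
    due = earliest_disposal_date(record.last_entry, record.retention_years)

    # A hold always wins, so automated deletion never removes a record that
    # an investigation, inquiry or information request still needs.
    if record.legal_hold:
        return Decision("HOLD", due, "legal hold: " + record.legal_hold)

    if record.last_entry.year <= NEVER_DESTROY_UP_TO_YEAR:
        return Decision("PRESERVE", due, "dated 1948 or earlier")

    if today < due:
        return Decision("RETAIN", due, "retention period has not expired")

    if record.archival_candidate:
        return Decision("TRANSFER", due, "selected for the place of deposit")

    # Destruction of master copies still needs a destruction log entry and
    # Information Asset Owner approval (paragraph 188).
    return Decision("DESTROY", due, "retention period expired")


if __name__ == "__main__":
    today = date(2011, 3, 1)
    batch = [  # constructed sample records
        Record("BOX-0001", date(2004, 9, 30), 6),
        Record("BOX-0002", date(2004, 9, 30), 6, legal_hold="public inquiry"),
        Record("BOX-0003", date(2006, 1, 15), 6),
        Record("BOX-0004", date(1947, 5, 1), 6),
        Record("BOX-0005", date(2003, 2, 2), 6, archival_candidate=True),
    ]
    for item in batch:
        outcome = disposal_action(item, today)
        print(item.reference, outcome.action, outcome.due.isoformat(), outcome.reason)
```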
208 Where a digital system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain demonstrating that a record has been destroyed, then the retention schedule should be followed in the same way for digital records as for paper records.
209 Specific management software may be required to allow automated disposal of digital records. Retention schedules are based on the legal, regulatory or business requirement for retaining information, hence the format (paper or digital) should be irrelevant. However this is a very difficult process and currently presents great challenges for organisations, particularly in relation to health records, where due to the dynamic nature of these records a different approach can be required. Wherever possible, a combination of “disposal by design”, semi-automated monitoring and cleansing, and manual guidelines should be applied to dispose of records according to the organisation’s records retention schedule.
210 Whilst there is a recognition that efficient disposal management is very difficult using legacy systems, organisations must demonstrate that disposal management is embedded in their change management processes; data protection by design and by default is a requirement for all organisations processing personal data (UK GDPR). Failure to demonstrate reasonable steps will constitute a breach of data protection legislation.
211 If the system does not have this capacity, then once the records have reached the end of their retention periods, they should be exported and destroyed. Where this is not possible they should be made inaccessible to users of the system and upon decommissioning the entire system should be retained, along with system audit trails, for the retention period of the last entry recorded in the system.
4.14 Retention Schedule
212 A retention schedule sets out the periods for which the various records created within the organisations should be retained either due to their on-going business value or as a result of statutory requirement. It also provides guidance on dealing with records which have on-going research or historical value and should be selected for permanent preservation and transferred to the designated permanent place of deposit. The implementation of a retention schedule is a requirement under Element 5 – Retention Schedule, of the Keeper’s Model RMP. It also supports principle 5 of data protection legislation.
213 Schedules should cover all record types within the organisation, should be arranged based on series or collection of records and should indicate the appropriate disposal action for all records. Schedules should clearly specify the agreed retention periods, which should be based on the retention schedules referred to above, for the organisation. Retention schedules do not provide specific guidelines on determining which documents are retained as part of a record.
214 The baseline retention schedule followed by Local Authorities and third party organisations contracted by them to deliver services on their behalf in relation to social care and social work services has been developed and is maintained by the Scottish Council on Archives. The Scottish Council on Archives Records Retention Schedules (SCARRS) is used by Local Authorities to inform their own record retention schedule, and local adaptations may have been made to suit the operations of the organisation.
215 The retention schedule enclosed within this Code of Practice (Annex B) provides information and advice about all records commonly found within NHS organisations or third party organisations working on their behalf to deliver health care. The retention schedules apply to all the records concerned, irrespective of the format (e.g. paper, databases, emails, X-rays, photographs) in which they are created or held.
216 Whenever the enclosed schedule (Annex B) is used, the guidelines below should be followed:
- The retention periods in this schedule should be adopted. Local business requirements or risk analysis may require some record types to be retained for longer; however, they must never be retained for a shorter retention period than set out in this schedule.
- Retention periods should be calculated from the suggested trigger point.
- The provisions of the FOISA and data protection legislation must be observed. Retention decisions should be made in the light of the need to preserve records that may be in the substantial public interest, or in relation to research purposes. This applies to records whose use cannot be anticipated fully at the present time, but which may be of value to future generations.
- Some classes of record must be permanently preserved and the advice of the NHS Board/Local Authority designated archivist or National Records of Scotland or the Scottish Government Digital Health & Care Directorate regarding the designated permanent place of deposit should be sought. This is a requirement under Part 1 Section 1(2)(b)(iii) of the PRSA and Element 7 of the Keeper’s Model RMP.
- The selection of records for permanent archival preservation is partly informed by precedent (the establishment of a continuity of selection) and partly by the historical context of the subject (the informed identification of a selection). It is also possible to retain a sample of certain record series. Local procedures should be drafted, using the profile of material that has already been selected, and the history of the institution or organisation (including pioneering treatments and examples of excellence) within the context of its service to the local and wider communities.
- Records which, having been retained for the retention period, are selected for destruction, should be destroyed appropriately, with particular regard being given to whether the information contained in them is of a confidential or sensitive nature. Where exportation, deletion or destruction is not technically feasible, due to the age and legacy design of the system, the record should be made permanently inaccessible to all reasonable measures, e.g. deleting encryption keys for that record. The organisation may wish to consider raising a risk in these circumstances due to the impact of retaining information (particularly personal data) for longer than is necessary, for example:
  - Unnecessary negative impact on storage and carbon footprint;
  - Ongoing resource to manage records which no longer require to be retained;
  - Records continue to be subject to requests under legislation;
  - Compliance with the 5th principle of data protection legislation.
Contact
Email: DHCIG@gov.scot