Date of review: Information Governance Group January Policy Category: CONTENT SECTION DESCRIPTION PAGE

Transcription

1 Title: Date Approved: January 2015 Division/Department: Corporate Services Corporate Records Policy Approved by: Date of review: Information Governance Group January 2016 Author (post-holder): Interim Information Governance Manager Policy Category: Policy Ref: Corporate Sponsor (Director): Director of Corporate Services Issue: 1 CONTENT SECTION DESCRIPTION PAGE 1 Introduction 2 Policy statement 3 Definitions 4 Role and responsibilities 5 Scope of Policy 6 Consultation 7 Narrative 8 Evidence base 9 Monitoring compliance 10 Training Requirements 11 Distribution 12 Communication 13 Author and Review Details 14 Appendices The issue of this page is the overall issue of this procedure. The current issue of individual pages are as follows: PAGE ISSUE DATE

2 1 INTRODUCTION The Trust is dependent on its records to operate efficiently and account for its actions. This policy defines a structure for Sherwood Forest NHS Foundation Trust (SFHFT), which supports the Department of Health: Records Management NHS Code of Practice to ensure adequate records are maintained and that they are managed and controlled effectively and at best value, commensurate with legal, operational and information needs. Our Trust s records are our corporate memory, providing evidence of actions and decisions and representing a vital asset to support our daily functions and operations. They support policy formation and managerial decision-making, protect the interests of the Trust and the rights of patients, staff and members of the public who have dealings with the Trust. They support consistency, continuity, efficiency and productivity and help us deliver our services in consistent and equitable ways. Records management, through the proper control of the content, storage and volume of records, reduces vulnerability to legal challenge or financial loss and promotes best value in terms of human and space resources through greater co-ordination of information and storage systems. Information is of greatest value when it is accurate, up to date and accessible when needed. An effective corporate records management service ensures that information is properly managed and available to those with a legitimate need. The Freedom of Information Act places strict obligations on public authorities to allow external access to recorded information. Effective access can only occur when records are being managed in a consistent and coherent way. Although corporate records do not contain patient identifiable information, they may contain confidential, sensitive or personal information about the business of the Trust and its people. All NHS records are classified as public records under the Public records Act Schedules 3(1) (2) they must be kept in accordance with statutory and NHS guidelines including: Public Records Act 1958 Data Protection Act 1998 Freedom of Information Act 2000 Department of Health Records management Code of Practice 2006 Parts 1 and 2 Caldicott 2 Review of Patient Identifiable Information Common Law duty of confidentiality NHS litigation Authority standards This policy is issued and maintained by the Chief executive (the sponsor) on behalf of the trust, at the issue defined on the front sheet, which supersedes and replaces all previous versions. 2 POLICY STATEMENT The SFHFT acknowledges the importance of records and is committed to create, keep, maintain Page 2 of 18

3 and dispose of records, including electronic records, commensurate with legal, operational and information leads. The Trust is committed to ensuring that none of its policies, procedures and guidelines discriminate against individuals directly or indirectly on the basis of gender, colour, race, nationality, ethnic or national origins, age, sexual orientation, marital status, disability, religion, beliefs, political affiliation, trade union membership, and social and employment status. An equality impact assessment (EIA) of this policy has been conducted by the author using the EIA tool developed by the diversity and inclusivity committee. The score of this policy when assessed by the tool was rated as Low. 3 DEFINITIONS For the purpose of this policy, a document becomes a record when it has been finalised and becomes part of the *corporate information. This policy relates to records held in any format, both paper and electronic including s. It does not relate to health records or patient case notes; these should be managed in accordance to the relevant procedures. *Corporate information refers to information generated by the Trust, other than clinical or patient information. Corporate information describes the records generated by an organisation s business activities and therefore will include records from the following areas of the Trust, but are not restricted to: Estates Facilities Finance Procurement ICT and Information Governance Human Resources, organisational development and training Performance management Clinical Governance Health care quality and clinical audit Commissioning and contracts Strategic Planning and Commercial Development Complaints, compliments and Patient Advisory Liaison Service Commercial and communications activities Trust Board business Examples of corporate information are not restricted to but include: Policies and procedures Strategies and action plans Minutes and agendas Reports (e.g. annual, accounting, Board) Financial Standing Orders Public consultations Databases Spread sheets Contracts In this policy: Administrative records : means all records completed and held in respective of the Page 3 of 18

4 Trust s business that do not contain information relating to health, and described in section 5.1 below. Administrative records include both paper based and electronic records. Governance manual : SIRO : Records manager: IAO : IAA : Staff : means the manual of governance documents, including the standing orders, standing financial instructions and scheme of delegation. means Senior Information Risk Owner; responsible for leading and implementing the information risk management process and providing Board assurance. means a member of staff designated by the Divisional Directors/Managers of Operations to coordinate compliance with this policy. means Information Asset Owner; responsible for understanding and assessing the information they own and providing the SIRO with assurance in relation to the security of that asset. means Information Asset Administrator; responsible for providing support to their IAOs in ensuring that IG policies are followed and that information risks and incidents are documented and escalated according means all employees of the Trust including those managed by a third party organisation on behalf of the Trust. The PRA : means the Public Records Act The DPA : means the Data Protection Act The policy : The Trust : IG : means the Corporate Records Management Policy means Sherwood Forest Hospitals NHS Foundation Trust. means Information Governance. 4. ROLE AND RESPONSIBILITIES Statutory Responsibility: The Secretary of State for Health and all NHS organisations have a duty under the Public Records Act 1958 (PRA) to make arrangements for the safe keeping and eventual disposal of all types of their records. This is carried out under the overall guidance and supervision of the Keeper of Public records who is answerable to parliament. Chief Executives and Senior managers of all NHS organisations are personally accountable for records management within their organisations. Managerial Responsibility: Trust Board has responsibility, in compliance with the Trusts Governance manual, to ensure and gain assurance that the Trust has in place robust arrangements for the management of records and that such arrangements are complied with Chief Executive -Has overall responsibility to implement robust and appropriate records management arrangements in accordance with National and statutory requirements to ensure that records are managed responsibly within the Trust. Page 4 of 18

5 Executive Directors, Divisional Directors and other Senior Managers - Records management responsibilities will be written into all accountable individuals job descriptions and clear procedures for retention of key records issued. They are also responsible for ensuring that this policy is implemented in their individual departments. They will nominate departmental representatives, who will liaise with the Information Governance team on the management of records in that directorate/ speciality/department. Information Governance Manager - Will provide support and guidance to nominated departmental representatives. 5 SCOPE OF POLICY This policy relates to the management of all administrative records of the Trust, as detailed in section 3 above, including but not limited to: Accounting records and budgetary information; Board, committee, sub-committee and all other meeting minutes; Contracts; Diaries; Invoices; The contents of Personnel files; Payroll / PAYE records; Litigation dossiers, including complaints, claims and inquest files; Policy and procedure manuals; Software licences; VAT records; 5.2 All records created in the course of the business of the Trust are public records under the terms of the PRA. 5.3 This policy does not address the retention and ultimate destruction (or permanent preservation) of records. These matters are covered by a separate complementary Retention and Destruction of Records Policy. 5.4 This policy does not address the management of health records. These records are covered by the separate complementary policy Health Records Management Policy. 6. CONSULTATION Information Governance Group 7 NARRATIVE Aims and Objectives of the Policy Objectives The main objectives of the policy are to ensure: Page 5 of 18

6 Accountability That adequate records are maintained to account fully and transparently for all actions and decisions, in particular: To protect legal and other rights of staff or those affected by any such actions; To facilitate audit or examination; To provide credible and authoritative evidence if required by law; Quality That records are complete and accurate and the information they contain is reliable, relevant, fit for purpose and its authority can be guaranteed. Accessibility That records, and the information they contain can be efficiently retrieved by those with a legitimate right of access, for as long as the records are held. Training That all staff members are made aware of their record-keeping responsibilities, through generic and IG specific mandatory training programmes and guidance. Security That records will be kept secure from unauthorised or inadvertent alteration or erasure, that access and disclosure will be properly controlled and audit trails will track all use and changes. Records will be held in a robust format that remains readable for as long as the records are required. A robust tracking system will be maintained to ensure that when records are passed to a third party, the whereabouts of the records is known. Performance Measurement That the application of record management procedures are regularly monitored against agreed indicators and action taken to improve standards as necessary Record Management Procedures A number of procedures covering specific aspects of records management have been included with this policy. These procedures form part of the policy and all staff are expected to be aware of the procedures and adhere to them. Procedures and Appendices contained within this policy A Principles of records management B Best Practice principles for naming and filing electronic records C Records manager responsibilities D Physical security of records E Transfer of records F Data Protection Act principles G Freedom of Information Act overview H Delegated responsibilities 5 EVIDENCE BASE The Public Records Act 1958 The Freedom of Information Act 2000 Page 6 of 18

7 Secretary of State for Constitutional Affairs' Code of Practice on the discharge of public authorities' functions under Part I of the Freedom of Information Act 2000, published 2004 Records management: NHS code of practice Part 1 and part 2 The Lord Chancellor s Code of Practice on the Management of Records, issued under section 46 of the Freedom of Information Act 2000, published 2002 Information Governance Toolkit NHS Litigation Authority standards This policy is to be used in conjunction with the following complementary policies: Retention and destruction of records policy Information security policy Information governance policy Internet and policy Freedom of Information policy Information Governance Management Framework 9 MONITORING COMPLIANCE Monitoring of this policy will form part of the inventory of corporate records as required by IG Toolkit requirement 604 and forms part of the Information Lifecycle and Records Management implementation plan. The following bodies monitor NHS performance in respect of records management: The HSCIC through the annual completion of the Information Governance Toolkit, reviews the status of records management with the Trust; The Trust s Information Governance Manager monitors the corporate records management policy and procedures. This will ensure that records management operates in alignment with Data Protection, Freedom of Information and other Information Governance areas. The monitoring will include service performance, annual audit and a review of all reported incidents of missing records. The Trust s Information Governance Manager will report regularly to the Information Governance Group. 10 TRAINING REQUIREMENTS All staff members receive records management training as part of their IG mandatory annual update, so that they are fully aware of their responsibilities in respect of record keeping and management. Updates to training packages will be implemented when the policy is amended. New staff induction programmes will include basic records management training. All staff members are mandated to undertake IG training on an annual basis, which will also include best practice regarding records management. Records Managers are to ensure specific training is given to all staff. Staff transferring between divisions or Directorates will require additional induction training to familiarise themselves with new records and filing systems. Page 7 of 18

8 Nominated Records Managers will require training appropriate to their specific needs. The Information Governance Manager will co-ordinate training activities and highlight any gaps in training that need to be addressed. 11 DISTRIBUTION The policy, once approved, will be included within the governance policy section of the Trust s intranet website. 12 COMMUNICATION All Executive Directors and Divisional Directors will be informed of the policy and will be asked to ensure that their Records Managers are provided with access to the policy for implementation. 13 AUTHOR AND REVIEW DETAILS Date issued: Date to be reviewed by: To be reviewed by: Executive Sponsor: The date that the policy is issued Normally a year from issue. The author The executive director who is the sponsor 14 APPENDICES The following Appendices form part of the Policy: Appendix A Principles of records management Appendix B Best Practice principles for naming and filing electronic records Appendix C Records manager responsibilities Appendix D Physical security of records Appendix E Transfer of records Appendix F Data Protection Act principles Appendix G Freedom of Information overview Page 8 of 18

9 PRINCIPLES OF RECORDS MANAGEMENT Appendix A A1 A2 A3 A4 A5 What are the principles to follow? Records are valuable because of the information they contain, but the information is only usable if it is correctly and legibly recorded when the record is created, and is then kept up to date, is only accessible to those with a legitimate need and is closed and disposed of when appropriate. Good record keeping ensures that:- Staff can work with maximum efficiency without having to waste time hunting for information; There is an audit trail which enables any record entry to be traced to a named individual at a given date/time with the secure knowledge that all alterations can be similarly traced; Those coming after can see what has been done, or not done, and why; Any decisions made can be justified or recognised at a later date. This is essential in cases such as:- Providing patient care; Clinical liability; Parliamentary accountability; Purchasing and contract or service agreement management; Decisions on service delivery Financial accountability; Disputes or legal action. It is therefore important that you always:- Record all relevant information, making sure that it is complete; Ensure that it is legible so that it can easily be read and reproduced when required; Keep it filed where it can be found when needed; Keep it up to date; Explore alternative secure methods to share information, rather than copying it in order to reduce risks to confidentiality; Suitably dispose of records as soon as possible (subject to national and local retention periods). Remember that the originator is the person who has the ultimate responsibility to retain control over the original document and subsequent amendments. The originator will need to ensure contact details are clear to enable traceability. What needs to be done to achieve the best standards? Managers in all areas need to ensure that staff members are aware of legislative requirements such as the Data Protection Act and the Freedom of Information Act. They should also be aware of the vital role that records play in delivering health care. Each Division should have a comprehensive records management inventory which includes cost- effective management of non-current as well as active Page 9 of 18

10 records, and which takes account of the Trust s Risk Management Policy. Records Managers must ensure that all staff are involved in this work, which should encompass: - Profile raising and publicity; Appropriate resources including training; Review of procedures and implementation plan for specific actions arising; Monitoring individual and operational compliance. APPENDIX B BEST PRACTICE PRINCIPLES FOR NAMING AND FILING ELECTRONIC RECORDS Introduction This document is intended to provide a common set of rules to apply to the naming of electronic documents and records. These conventions are primarily intended for use with Windows based software and documents such as word-processed documents, spread sheets, presentations, s, and project plans. Page 10 of 18

11 Similar conventions will be used for naming the different levels and folders in the Trust s filing system. Naming records consistently, logically and in a predictable way will: Distinguish similar records from one another at a glance; Facilitate the storage and retrieval of records; Enable users to browse file names more effectively and efficiently; Make file naming easier for colleagues because they will not have to re-think the process each time. Summary of the rules The convention includes the following rules: 1) File names should be short but meaningful; 2) Unnecessary repetition and redundancy in file names should be avoided; 3) Capital letters should be used to highlight words, rather than spaces or underscores; 4) When a number is included within a file name, use a two digit number, unless it is a year or another number with more than two digits; 5) When including a date in a file name, use a back to front dating system with YYYYMM DD, no spacing. 6) When including a personal name use the family name first followed by initials 7) Common words like draft or letter should be avoided at the start of files names unless doing so will make retrieval easier; 8) Order the elements of a file name in the most appropriate way to retrieve the record; 9) File names of records relating to recurring events should include the date and a description of the event unless including this information would compromise rule 2 above; 10) File names of correspondence should include the name of the correspondent, an indication of the subject, the date of correspondence, attach and an indication of the number of attachments sent with the covering unless including this information would compromise rule 2 above; 11) File names of attachments should include the name of the correspondent, an indication of the subject, the date of correspondence and if it is incoming or outgoing unless including this information would compromise rule 2 above; 12) Version numbers of the record should be indicated in its file name by the inclusion of v followed by the version number and where applicable draft ; 13) The use of Non-alphanumeric characters should be avoided in file names. RECORDS MANAGER RESPONSIBILITIES Appendix C C1 C2 Each Division/Department Records Manager will:- Assess the current standard of record keeping; Develop professional standards and co-ordinate and liaise with colleagues within the Trust to develop best practice; Conduct a records audit at least once a year(to identify what records collections already exist and why); - how frequently? Establish access controls; Performance manage the records management process. Liaise with appropriate IAAs to ensure that any risks to corporate information are documented and escalated to the appropriate IAO. Rationalise records collections by:- Encouraging users to share records and the information they contain Page 11 of 18

12 (subject to Data Protection and agreed confidentiality guidelines); Ensuring effective cross-referencing or merging. C3 Put the proper controls in place by:- Producing local standards; Communicating the standards by issuing the policy as a reference point for staff; Using the policy as a basis for audit activity. C4 Publicise and promote the local guidelines by :- Implementing a formal training programme to launch and support the records management policy; - should this be done centrally to ensure consistency? Including records management in induction training and staff handbooks; Staging awareness raising sessions using real examples to demonstrate the benefits; Speaking at team briefings and other meetings. C5 And finally, maintain standards by:- Promoting quality through the professional skills and qualifications of key personnel; Monitoring performance through quality control and internal audits; Identifying areas where improvements can be made; Reporting breaches through incident reporting, investigating and improvement Reporting performance standards to the Information Governance Manager and Information Governance Group Undertaking records review at appropriate times to identify records for destruction, permanent preservation or archiving in accordance with the Retention and Destruction of Records Policy. Page 12 of 18

13 PHYSICAL SECURITY OF RECORDS - Appendix D SECURITY OF PAPER AND ELECTRONIC RECORDS D1 D2 D3 D4 D5 D6 D7 D8 D9 At all times, the security and confidentiality of administrative records containing personal, sensitive or confidential information will be observed. Records must be stored securely, but appropriately located so that they can be easily retrieved when needed Records must be stored away from observation by the public. Paper records containing personal, sensitive or confidential information will be stored in locked storage units or cabinets. Administrative records which need to be kept for legislative reasons but no longer need to be referred to may be archived in accordance with the Retention and Destruction of Records Policy. Administration records must not be kept longer than needed or required by legislation. Periodic review and disposal is to be performed in accordance with the Retention and Destruction of Records Policy. COMPUTER SECURITY Each Division must implement and adhere to the Trust s Information Security Policy, which will address the following areas:- Physical security/equipment security; User password management; Computer virus control; Data back-up; Computer network management; Data and software exchange; Use of encryption Information technology is being used increasingly within the NHS, with the majority of information being stored electronically. If electronic documents are to be used in courts, evidence must be produced to show that the computer has not been misused and was operating properly when the document was produced. It is therefore essential that all staff follow the Trust s Information Security Policy and the Policy on the use of Internet and Electronic Mail. Divisional Records Managers will need to ensure that records are stored securely, that access is controlled and that staff receive adequate training in their use. Page 13 of 18

14 TRANSFER OF RECORDS Appendix E E1 Before passing on information to another person or organisation you must:- 1.1 Consult the Information Sharing Protocol and be satisfied that the recipient person or organisation has a legitimate case for holding the information, and that their intended purpose is compatible with the purpose for which the information was collected. 1.2 Ensure that you are passing the information on to the correct person or organisation. 1.3 Ensure that information will be managed appropriately after it has been passed on. 1.4 Assess how much information needs to be passed on, and pass on no more than is necessary. 1.5 Ensure adequate arrangements for the safe transfer of the information, including robust tracking arrangements. 1.6 Take special care when transferring information by (see Internet and Policy). E2 Be satisfied that the recipient has a legitimate case for holding the information:- Since all personal information was originally collected for one or more specific purposes (Section 8 of the Data Protection Act) it cannot be passed on unless the proposed use is also compatible with that original purpose. E3 Ensure that you are passing the information on to the right person or organisation:- Always check the address of the recipient organisation carefully. It is important to confirm the identity of the recipient. Dial back arrangements based on published telephone numbers and caller s name could be considered, especially for uncommon requests. E4 E5 Ensure that information will be managed appropriately after it has been passed on. Before passing personal information on to another person or organisation you must be satisfied that the recipient will treat it with the same care as is afforded by the Trust, and that they understand their responsibilities with regard to storage, management, and onward transmission of the information. Assess how much information needs to be passed on, and pass on no more than is necessary. In the same way that, when collecting information, no more detail should be Page 14 of 18

15 collected than is necessary for the intended purpose, when passing on information to another person or organisation no more information should be passed on than is necessary for their purpose. Personal identifiers should be removed if they are not required for the recipient s purposes. E6 Ensure adequate arrangements for the safe transfer of the information. You must select a mode of transfer that maintains the security and confidentiality of the information. All documents must be packaged so that personal information is not revealed during transportation. The courier or carriage agency must have appropriate standards of security and assurances of confidentiality. You must make sure that the transfer of the document is tracked appropriately so that the Trust knows where the information has been passed to. E7 Take special care when transferring information by E Mail. ing person identifiable / confidential information to organisations external to the Trust is insecure unless encrypted. Please refer to the Trust s Policy on the use of the Internet and Electronic Mail for further guidance. E8 Location. If personal, confidential or sensitive data is stored or held until transferred this must be in a safe and secure environment that is locked when not attended. Page 15 of 18

16 DATA PROTECTION ACT PRINCIPLES Appendix F The Data Protection Act is based on 8 principles. F1 First Principle. Personal data must be processed fairly and legally. 1.1 The data subject must give their permission or the processing is necessary for legal or contractual reasons. 1.2 The data subject should know who the data controller is, why the data is being processed. 1.3 The processing of the data must not lead to any discrimination of any kind. F2 Second Principle. Personal data must only be obtained for specified and legal purposes and must only be processed in a way that is consistent with the specified purpose. 2.1 Data controllers and data users must not collect and use data unless there is a specific and valid reason for doing so. 2.2 The data subject must be told what the information will be used for. 2.3 Personal data collected for one reason must not be used for any other unrelated purpose. F3 Third Principle. Personal data must be adequate, relevant and not excessive for the purpose it is processed for. 3.1 Only data needed for the specific purpose should be asked for or recorded. Information that is not relevant for the purpose must not be collected simply because it might be useful in the future. F4 Fourth Principle. Personal data must be accurate and, where necessary, kept up to date. 4.1 Data users should record data accurately and take reasonable steps to check the accuracy of the information they receive from the data subjects or anyone else. 4.2 Data controllers should scrutinise all storage systems to destroy inaccurate and out-of-date information and correct inaccurate records. F5 Fifth Principle. Personal data processed for any purpose must not be kept longer than is necessary to fulfil that purpose. 5.1 Organisations will need to keep some data on current and past employees to respond to enquiries from new employers or from the Inland Revenue. 5.2 Other types of data may not be relevant for future purposes and Page 16 of 18

17 should not be kept for longer than is necessary. F6 Sixth Principle. Personal data must be processed in line with data subject s rights. 6.1 The right of subject access lets an individual find out what information is held about them. 6.2 Data subjects have rights to prevent processing that is likely to cause damage or distress to themselves or anyone else. They also have the right to claim compensation for damage and distress caused by someone breaking the conditions of the 1998 Act. 6.3 Data controllers must not use personal data for direct marketing purposes. 6.4 Individuals have the right to take action to correct, block, erase or destroy data that is inaccurate or contains opinions that are based on inaccurate data. F7 Seventh Principle. Appropriate security measures must be taken to protect against unauthorised or illegal data processing. 7.1 Data controllers must make sure that security controls are in place and are followed. 7.2 Only employees who need to use personal data to carry out their work should have access to the data. 7.3 Measures to prevent unauthorised access should be implemented. F8 Eighth Principle. Transferring personal data outside the European Economic Area (EEA) is restricted unless the rights and freedom of data subjects are protected. 8.1 Some countries, outside Europe, do not have the same legal requirements to protect information. Page 17 of 18

18 FREEDOM OF INFORMATION OVERVIEW Appendix G G1 G2 G3 G4 G5 G6 Please note that individuals have the right to access their own personal information under the Data Protection Act Access to the health records of deceased persons is governed by the Access to Health Records Act The Freedom of Information Act 2000 provides general rights of access to recorded information held by public authorities. Rights of access to Environmental Information are provided by the Environmental Information Regulations The Trust will provide information in accordance with the Act and Regulations as follows: Any person who makes a request to the Trust for information will be informed whether or not the information exists If the information exists, it will be promptly provided to the applicant (unless an exemption applies) The Trust will maintain publication schemes describing the classes of information that they hold, how they intend to publish the information and any charges that will be made for providing the information The Trust will manage records in consistent and coherent manner, therefore facilitating access. Information will be retained and disposed of commensurate with legal, operational and information needs, as specified in the Retention and Destruction of Records Policy. Information will not be destroyed early, nor will it be retained longer than necessary. Full details regarding the Freedom of Information Act and Environmental Information Regulations can be found in the Freedom of Information Policy. Page 18 of 18