This Appendix provides detailed advice on records management relating to specific types of records. These are presented in alphabetical order.
It also provides advice on managing certain formats of records, for example, emails, cloud-based records and scanned records.
Type of record
Audio and visual records
Audio and visual records can take many forms such as using a dictaphone (digital or analogue) to record a session or conducting a care interaction using videoconferencing technologies.
The following needs considering when interactions are captured in this way:
- Appropriateness: Organisations should decide when it is appropriate to use audio or visual methods for the provision of care. This should be documented in organisational policies and understood by the relevant care professionals.
- Retention: If the recording is going to be kept elsewhere (for example, as part of the care record) then there is no reason to keep the original recording provided the version in the main record is the same as the original or there is a summary into words which is accurate and adequate for its purpose. If the recording is the only version or instance of the interaction, then it must be kept for the relevant retention period outlined in this Code.
- Digital continuity: You must consider the medium on which the recording is made and ensure that it is available throughout its retention period (for example, if the system or file format is becoming obsolete, then you will need to migrate it to a newer platform or format to ensure availability). If it is a digital recording and you are looking to store it in the care record, ensure the transfer process captures the authenticity of the recording kept.
- Storage: Ensure your recordings are stored on systems you control or are provided to you under contract. If stored with the product provider, you must give them (as controller) clear instructions on the storage and retention of those images (for example, delete one month after the date of the recording because it has been summarised into the main care record, or retain for 8 years from consultation with the service user, then destroy). Providers acting under contract to a controller are obliged to carry out their written instruction.
- Transparency: You must be transparent with the people who use your services regarding the use of audio and visual technology, and associated records, so that they have a reasonable understanding of how they will be used, why, and what will happen with the recording after the interaction. For example, it would be unfair to tell participants that the recordings are deleted if they are not.
Complaints records
Where a person complains about a service, it is necessary to keep a separate file relating to the complaint and subsequent investigation. Detailed complaint information should never be recorded in the care record. A complaint may be unfounded or involve third parties and the inclusion of that information in the care record will mean that the information will be preserved for the life of the record and could cause detrimental prejudice to the relationship between the cared for person and the Care Team. In some cases, it may be appropriate to share details of the complaint with the care professional involved in providing individual care in order to make improvements in care delivery. However, there may also be times where the complaint is about an individual but not care related and it might not be appropriate to share details of the complaint with that person, in case further action is required. The Complaints Team should review each complaint on a case-by-case basis.
Where multiple teams are involved in the complaint handling, all the associated records must be brought together to form a single record. This will prevent the situation where one part of the organisation does not know what the other has done. A complaint cannot be fully investigated if the investigation is based on incomplete information.
Care organisations should have a local policy to follow with regards to complaints, covering how information will be used once any complaint is raised, and after the complaint has been investigated, regardless of outcome. The ICO has also issued guidance on complaints files and who can have access to them, which will drive what must be stored in them.
Contract change records
Once a contract ends, any service provider still has a liability for the work they have done and, as a general rule, at any change of contract the records must be retained until the time period for liability has expired.
When a service is taken over by a new provider, the records of the service (current and discharged cases) all transfer to the new provider (unless directed otherwise by the commissioner of the service). This is to ensure that the records for the service remain complete and enable service users to obtain their record if they so request it. It also makes the records easier to locate if they are required for other purposes. This will also stop the fragmentation of the archive records for the service and make it much easier to retrieve records.
It is vital to highlight the importance of actively managing records, which are stored in offsite storage (refer to section three of The Code for further information on offsite storage).
Evidence required for courts
In UK Law, the civil procedure rules allow evidence to be prepared for court and, as part of this, the parties in litigation can agree what documents they will disclose to the other party and, if required, dispute authenticity. The disclosure of digital records is referred to as E-Disclosure or E-Discovery. The relevant part for disclosure and admissibility of evidence is given in the Ministry of Justice’s Civil Procedure Rules – Part 3. If records are arranged in an organised filing system, such as a business classification scheme, or all the relevant information is placed on the client file, providing records as evidence will be much easier. Further advice on electronic records and evidential weighting can be found in BIP10008: Evidential Weight and Admissibility of Electronic Information.
Integrated records
Since 2013, there has been an increase in the number of initiatives promoted and launched that involve integrated records. There has also been recognition nationally that joined up delivery of health and care services can increase the quality of care delivered, and also deliver those services more efficiently. Examples include:
- Sustainability and Transformation Plans (STPs)
- Integrated Care Systems (ICSs)
- Shared Care Record Programme (ShCR)
Depending on the agreements under which integrated records are established these may be subject to the Public Records Act. Generally, if an NHS body is at least partly responsible for the creation and control of the record, it will normally be considered a public record to be managed in accordance with the Act. If in doubt, consult with The National Archives.
The options for organisations will depend on what local architecture and systems are already in use. There are three types of retention for integrated records, and suggested retention periods for each.
- All organisations contribute to a single record, creating the only record for that service user. Consideration must be given to how this is managed in practice (for example, some records will be retained for 8 years and some for 20 years but they will look the same at face value) (retain for the longest specialty period involved).
- All organisations pool their records into a single place but keep a level of separation between each type of record (retain for each specialty as applicable – because they are not merged)
- All organisations keep their own records, but allow others to view their records, but not amend or add to (retain for each specialty as applicable – because they are not merged)
Where organisations are looking to create integrated records, they must enter into a joint controller arrangement, which detail the purpose and method of integrated records. It should also set out how disputes between controllers may be resolved. Information materials for service users must also reflect how their records are used.
The Transformation Directorate of NHS England has published an Information Governance Framework for Shared Care Records, which provides further guidance.
Occupational health (OH) records
Occupational health records are not part of the main staff record and for reasons of confidentiality they are held separately. It is permitted for reports or summaries to be held in the main staff record where these have been requested by the employer and agreed by the staff member. When occupational health records are outsourced, the organisation must ensure that:
- staff are aware of the outsourcing and how their information may be used for OH purposes
- the contractor can comply as necessary with data protection and confidentiality requirements
- there is a contract in place with the outsourced provider that has legally binding clauses in relation to data protection and confidentiality
- the contractor can retain records for the necessary period after the termination of contract for purposes of adequately recording any work-based health issues and is able to present them to the organisation if required.
Pandemic records
Health and care organisations will create records as part of a response to a global pandemic. Pandemic events are rare but will nevertheless create records that need to be managed.
Both patient and service user records will be created that detail the care given to people affected by the pandemic. Corporate records will also be created which record business decisions, policies and processes that were taken in response to a pandemic.
These records should be managed in accordance with the retention schedules set out in this Code. Organisations should be mindful of the COVID-19 public Inquiry. The NHS England Transformation Directorate has produced guidance and FAQs on the COVID-19 public Inquiry.
If organisations have created records specifically in response to a pandemic, these should not be destroyed when they have reached their minimum retention period, unless the public inquiry has ended, or the Inquiry has provided guidance on what type of records it will be interested in. Any guidance or advice issued by The National Archives or your local Place of Deposit (PoD) in relation to the preservation of pandemic records should be followed.
Staff records
Staff records should hold sufficient information about a staff member for decisions to be made about employment matters. The core of any staff file will be the information collected through the recruitment process and this will include the job advert, application form, evidence of the right to work in the UK, identity checks and any correspondence relating to acceptance of the contract. The central HR file must be the repository for this information, regardless of the media of the record.
It is common practice in some care organisations for the line manager to hold a truncated record, which contains portions of an employee’s employment history. This can introduce risk to personal information (as it is duplicated), but also potentially expedient to do so. Organisations considering whether to use, or discontinue using, local HR files, should complete a risk assessment.
Information kept in truncated staff files should be duplicates of the original held in the central HR file. If local managers are given originals as evidence (such as a staff member bringing in a certificate of competence) they should take a copy for local use and the original should be kept with the main HR file. It is important that there is a single, complete employment record held centrally for reference and probity.
Some organisations operate a weeding system, whereby staff files are culled of individual record types that are now time expired (such as timesheets). Others have just kept the whole file as is and archived it away until 75th birthday. It is not recommended to change your system from one to the other because:
- the effort involved would be disproportionate to the end result
- if you begin to weed files, you would need to do this retrospectively to all files, to avoid having two types of central HR file
- you cannot reverse the weeding process – if you decide to keep full records, it is impossible to remake historically weeded files complete again.
Both systems are acceptable, regardless of media. It is noted that organisations may have a hybrid system of paper historical staff files and digital current staff files. If possible, organisations should consider moving all their files into one format to create consistency.
Where an organisation decides to use a summary, it must contain as a minimum:
- a summary of the employment history with dates
- pension information including eligibility
- any work-related injury
- any exposure to asbestos, radiation and other chemicals which may cause illness in later life
- professional training history and professional qualifications related to the delivery of care
- list of buildings where the member of staff worked, and the dates worked in each location.
Disciplinary case files should be held in a separate file so they can be expired at the appropriate time and do not clutter up the main file. That does not mean that there should be no record that the disciplinary process has been engaged in the main record, as it may be pertinent to have an indication to the disciplinary case, but the full details and file must be kept separately from the main file.
With regards to staff training records, it can be difficult to categorise them to determine retention requirements but keeping all the records for the same length of time is also hard to justify. It is recommended that:
- clinical training records are retained until 75th birthday or six years after the staff member leaves, whichever is the longer
- statutory and mandatory training records are kept for ten years after training is completed
- other training records are kept for six years after the training is completed.
The Chartered Institute for Personnel and Development, and the ICO have provided further information and advice on the retention of HR records.
Format of record
Bring your own device (BYOD) created records
Any record that is created in the context of a care business is the intellectual property of the employing organisation and this extends to information created on personally owned computers, mobile phones and other equipment. This in turn extends to emails and text messages sent in the course of business on personally owned devices from personal accounts. They must be captured in the record keeping system if they are considered to fall within the definition of a record.
When an individual staff member no longer works for the employing organisation, any information that staff take away could be a risk to the organisation. If this includes personal data or confidential service user information, it is reportable to the ICO and may be a breach of confidentiality. For this reason, personal/confidential service user information should not be stored on the device unless absolutely necessary and appropriate security is in place. Local care organisations should have a policy on the use of BYOD by staff.
Cloud-based records
Before any cloud-based solution is implemented there are a number of records considerations that must be addressed as set out by The National Archives. The ICO has issued guidance on cloud storage. Organisations must complete a Data Protection Impact Assessment when considering using cloud solutions.
Another important consideration is that at some point the service provider or solution will change and it will be necessary to migrate all of the records, including all the formats, onto another solution. Whilst this may be technically challenging, it must be done, and contract provisions should be in place to do this.
Records in cloud storage must be managed just as records must be in any other environment and the temptation to use ever-increasing storage instead of good records management will not meet the records management recommendations of this Code. For example, if digital care records are uploaded to cloud storage for the duration of their retention period, then they must contain enough metadata to be able to be retrieved and a retention date applied so it can be reviewed and actioned in good time.
Personal data that is stored in the cloud, and then left, risks breaching UK GDPR by being kept longer than necessary. This information would also be subject to Subject Access process, and if not found or left unfound, would be a breach of the service user’s rights.
Email and record keeping implications
Email is widely accepted as the primary communication tool used every day by all levels of staff in organisations. They often contain business information that is not captured elsewhere and so need to be managed just like other records. The National Archives has produced guidance on managing emails.
Email has the benefit of fixing information in time and assigning the action to an individual, which are two of the most important characteristics of an authentic record. However, a common problem with email is that it is rarely saved in the business context.
The correct place to store email is in the record keeping system according to the business classification scheme or file plan activity to which it relates. Solutions such as email archiving and ever-larger mailbox quotas do not encourage staff to meet the standard of storing email in the correct business context and to declare the email as a record.
Instant messaging records
Care services are increasingly using instant messaging apps or platforms to share service user information between care professionals or to contact services users in a transactional way, such as appointment reminders. The Transformation Directorate of NHS England has published guidance on this issue.
Instant messaging apps or platforms should not be used as the main, or primary, record for a person. Where possible, information shared in this way also needs to have a place in the care record of that person. This could be a printout of the exchange; contents transcribed into the record; or a progress note accurately covering the exchange entered into the record. If the app or platform is the only place that information is stored, then it must be managed in line with this Code.
Social media
Organisations must have approved policies and guidance when using social media platforms. It is acknowledged that social media will mainly be used for promoting activities of the organisation, rather than as a way of communicating care issues or interventions with service users. Information posted on social media may also be classed as a corporate record and appropriate retention periods set where applicable.
Information posted on social media (such as details of upcoming meetings, or published policies) will usually be captured elsewhere in an organisation’s corporate records’ function, and where this is the case, there is no value in retaining the information held in the social media platform, as it will be a duplication of the corporate records management function.