Records Management Policy
Document Reference RECORDS MANAGEMENT POLICY Version 4.0 FINAL Purpose To outline the policy, procedures and quality standards which
must be used by all YAS staff with patient contact, when completing the clinical records.
Document Author (Name/Title) Julie Barber – Project Manager Directorate Lead (Name/Title) David Johnson – Assistant Director of ICT Responsible Committee Integrated Governance Committee Approved by Information Governance Group Date Approved 7th March 2011 Ratified By Integrated Governance Committee Date Ratified 5th February 2010 Date Issued 14th March 2011 Review Date February 2012 Target Audience Accountability – Directors
Responsibility – Authors of policy documentation and supporting plans Implementation – Directors, Assistant Directors and Senior Managers Awareness – All Trust staff responsible for generating and/or handling Trust records
Review Responsibility (Name/Title)
David Johnson – Assistant Director of ICT
Equality impact assessed (Yes/No)
Yes
Confidentiality Unrestricted
Records Management Policy 4.0 FINAL
Page 2 of 57
Contents
1. Introduction .................................................................................................... 4
2. Purpose .......................................................................................................... 5
3. Scope .............................................................................................................. 5
4. Duties ............................................................................................................. 7
4.1. Duties within the Organisation ..................................................... 7
4.2. Consultation and Communication with Stakeholders ................ 7
5. Equality Impact Assessment of this Policy ................................................. 8
6. Review and Revision Arrangements for this Policy ................................... 8
7. Dissemination of this Policy ......................................................................... 8
8. Monitoring Compliance and Effectiveness of this Policy .......................... 8
9. Legal Obligations .......................................................................................... 9
9.1 Freedom of Information Act 2000 ....................................................... 9
9.2 Data Protection Act 1998 ................................................................... 10
9.3 Confidentiality Code of Conduct ...................................................... 10
10. Glossary of Terms ....................................................................................... 11
11. Creating Records ......................................................................................... 12
11.1 How to Version Control a Document .............................................. 14
11.2 Data Quality ...................................................................................... 14
12. Retaining Records ....................................................................................... 15
13. Maintenance of Records ............................................................................. 15
14. Use of Records ............................................................................................ 15
14.1 Use of Electronic Records .............................................................. 16
14.2 Transferring Electronic Person Identifiable Information .............. 16
14.3 Tracking Electronic Records .......................................................... 17
14.4 Example of a Manual Audit Trail for Electronic and/or Paper Records..................................................................................................... 17
14.5 Retrieving Electronic Records ........................................................ 18
14.6 Use of Paper Records ...................................................................... 18
14.7 Tracking Paper Records .................................................................. 18
14. 8 Retrieving Archived Paper Records in Storage ........................... 19
14.9 Tracking Paper Patient Report Forms (PRFs) ............................... 19
14.10 Retrieving Paper Patient Report Forms - Requests for Information by External Third Parties .................................................... 19
14.11 Retrieving Paper Patient Report Forms - Requests for Information by Internal YAS Staff ........................................................... 21
15. Disposing of Records ................................................................................. 22
15.1 How to Arrange Secure Destruction of Records ........................... 22
Records Management Policy 4.0 FINAL
Page 3 of 57
15.2 Records with Archival Value ........................................................... 23
16. Appendix A1 – Complete List of Information Asset Owners (IAOs) ....... 24
17. Appendix A2 – List of YAS Authorised Users who Manage the Boxes in Store with Squirrel ....................................................................................... 25
18. Appendix A3 – How to Manage the Squirrel Authorised Users ............... 27
19. Appendix B1 – Process Flow Detailing the Step by Step Guide to Creating Clinical Records ........................................................................... 28
20. Appendix B2 – Process Flow Detailing the Step by Step Guide to Creating Corporate Records ....................................................................... 29
21. Appendix C1 – Process Flow for Retaining Records ............................... 30
22. Appendix C2 – Table Detailing the Retention Periods for each Record Type .............................................................................................................. 31
23. Appendix D1 – Process Flow for Tracking Records ................................. 50
24. Appendix D2 - Process Flow for Retrieving Archived Paper Records in Storage ......................................................................................................... 51
25. Appendix D3 – Process Flow for Tracking Paper Patient Report Forms 52
26. Appendix D4 - Process Flow for Retrieving Paper Patient Report Forms 53
27. Appendix E1 - Process Flow for a Step by Step Guide to Disposing of Records ........................................................................................................ 54
28. Appendix E2 - Copy of the Form to Request Authorisation to Dispose of Records ........................................................................................................ 55
29. References ................................................................................................... 57
Version Control
Version Dated Review Date Status / Notes 2.0 FINAL 9th Sept 2008 Sept 2009 Released.
2.1 draft Jan 2010 n/a In draft, not approved, presented to IGG for approval/feedback.
2.2 draft Feb 2010 n/a Incorporated IGG feedback. Presented to IGG for final approval.
3.0 FINAL 5th Feb 2010 Feb 2011 Released.
3.1 draft Aug 2010 n/a
Update to add a reference section, updates to appendix D4 and add new appendix A2.
3.2 draft Sept 2010 n/a Update to add further appendix A3. Presented to IGG for approval.
3.3 draft Feb 2011 n/a
Updated to reflect changes in processes over the last 12 months. Presented to IGG for approval 7th Mar 2011.
4.0 FINAL Feb 2011 Feb 2012 Released.
Records Management Policy 4.0 FINAL
Page 4 of 57
1. Introduction
This Yorkshire Ambulance Service NHS Trust (the organisation, or YAS) policy sets out the processes and best practice for the management of all the organisation’s records that contain clinical, non-clinical and person identifiable information (PII). This policy aims to provide guidance to all YAS employees for the handling and management of all types of information throughout its complete lifecycle. The lifecycle of all information covers five phases; creation, retention, maintenance, use and disposal. The best practice guidance in this policy is taken from the Department of Health “Records Management: NHS Code of Practice” which is based on current legal requirements and includes the professional required standards of practice in the management of records for those who work within, or under contract to, NHS organisations in England. All records (manual or electronic) containing personal data are also covered by the Data Protection Act 1998 and consequently the provisions of the Act apply to all of the organisation’s records containing PII. Records are required for a number of reasons and essential to the organisation, some examples of why records are needed are detailed below: To support patient care and continuity of care To support the day to day business and the delivery of care To support evidence based clinical practice To support sound administrative and managerial decision making, as part of
the knowledge base for NHS services To meet legal requirements, including requests from patients under subject
access provisions of the Data Protection Act and/or the Freedom of Information Act
To assist clinical and other types of audits To support improvements in clinical effectiveness through research and also
to support archival functions by taking account of the historical importance of material and the needs of future research
To support patient choice and control over treatment and services designed around patients.
Records Management Policy 4.0 FINAL
Page 5 of 57
2. Purpose
The purpose of this policy is to provide clear guidance to all YAS employees for the handling and management of all records, regardless of the media on which they are stored. It details the minimum retention periods that must be adhered to for each of the different record types held by the organisation. Please refer to the table in Appendix C2 for further details of the specific retention periods for each of the different types of records. This policy also supports the following: Connecting for Health Information Governance Toolkit requirements; 8-400,
402 & 404 NHS Litigation Authority - Risk Management Standards for Ambulance Trusts;
1.1.8 Care Quality Commission; Outcome 21 Auditors Local Evaluation 5.3.11.
3. Scope
This policy covers all record types that contain all types of information, stored on any type of media, some examples include: Patient clinical records (electronic or paper based) *Corporate records Photographs, slides and other images Microform (i.e. microfiche/microfilm) Audio and video tapes, cassettes, CD-ROM etc e-mails Message books Staff diaries Computerised records Scanned records Text messages (both outgoing from the NHS and incoming responses from
the patient) Computer database outputs, disks and all other electronic records Material intended for short term or transitory use, including notes and copies
of documents.
Records Management Policy 4.0 FINAL
Page 6 of 57
*Corporate information refers to all information generated by the organisation, other than clinical or patient information. Corporate information refers to the records generated by an organisation’s business activities and includes records from the following (and other) areas of YAS: Estates and Fleet Finance and Procurement ICT and Information Governance Human Resources and training Performance management Integrated Governance Health care quality and clinical audit Complaints and compliments Communications and Patient Advisory Liaison Service Trust Board business.
Some examples of corporate information are: Policies and procedures Strategies and action plans Minutes and agendas Reports (e.g. annual, accounting, Board) Financial Standing Orders Invoices Public consultations Databases Contracts.
The table in Appendix C2 details the minimum retention period for each type of record. Records (whatever the media) may be retained for longer than the minimum period, however, records should not ordinarily be retained for more than 30 years The National Archives should be consulted where a longer retention period than 30 years is required, or for any records that pre date 1948.
Records Management Policy 4.0 FINAL
Page 7 of 57
4. Duties
4.1. Duties within the Organisation The Trust Board has overall responsibility for records management within the organisation with the Chief Executive being ultimately accountable for the proper management of all records within the organisation. The Directors are accountable for the quality of records management within each of their Directorates and all line managers and supervisors ensure that their staff are adequately trained and apply the appropriate guidelines on a day to day basis. The Information Governance Group (IGG) has delegated responsibility from the Integrated Governance Committee (IGC) to ratify and approve all information governance related policies and procedures. The Clinical Documentation Group has delegated responsibility from the Clinical Governance Committee for the management, control and production of the specific clinical documentation used throughout the organisation. The management of clinical documentation, including revisions to existing documentation, the release of new documentation, and staff guidance on quality of completion of the clinical documentation is the responsibility of this Group. The organisation’s Caldicott Guardian is responsible for approving and ensuring that national and local guidelines and protocols regarding the handling and management of confidential patient information are implemented and adhered to. The Information Asset Owners (IAOs) are senior staff members (most typically of Assistant Director level) who take direct responsibility for the information held in their work area, including the integrity, safe storage and quality of that information. The IAOs provide direct support to the Senior Information Risk Owner (the ICT Director) and are also responsible for identifying, managing and mitigating information risks. A complete list of all the organisation’s IAOs can be found in Appendix A. Under the Public Records Act, each employee is responsible for any records they create or use. This responsibility is established at, and defined by, the law. Furthermore, as employees of the NHS, any records which they create are public records.
4.2. Consultation and Communication with Stakeholders
Each of the key stakeholder groups are represented in the IGG and this policy was reviewed and approved by that Group. Following the approval by the IGG the policy was presented for ratification to the IGC before being issued and disseminated to all staff.
Records Management Policy 4.0 FINAL
Page 8 of 57
5. Equality Impact Assessment of this Policy
The organisation aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce whilst ensuring that none are placed at a disadvantage over others. A full equality impact assessment was carried out for this policy and the results and a copy of the equality impact assessment can be found on the YAS intranet. Please go to the Document Library, Equality Impact Assessments.
6. Review and Revision Arrangements for this Policy
This policy will be reviewed by all the stakeholders detailed in section 4.2 on an annual basis and the authors of the policy will be responsible for initiating this review and the collation of all changes and revisions. The ratification and approval will be carried out annually by the IGG. The dates of each version and the corresponding dates for each approval can be found in the version control table which follows the contents page, on page 3.
7. Dissemination of this Policy
Following approval and ratification the policy will be available on the YAS intranet in the document library and in the Records Management section, under Tools and Resources. A copy will be sent to all staff, via the weekly staff bulletin “Operational Update”. Further copies will also be sent to key managers and team leaders, via email.
8. Monitoring Compliance and Effectiveness of this Policy
To ensure that all staff adhere to the processes and guidance contained within this policy, the IGG will receive six monthly and annual reports from all the nominated IAOs. The reports will contain details of any data quality issues and plans that are in place to rectify those issues. The report template is called “DQ and Info Risk Mgt_REPORT into IGG.xls”. Any deficiencies will be noted in the minutes of the IGG and relevant remedial actions agreed and implemented accordingly. The IAOs will also report all information risks through the organisation’s existing risk management process which are escalated, where appropriate, to the SIRO. The IAOs will carry out monthly checks of the records under their responsibility, to ensure that all records are kept accordance with this policy, throughout each phase of the records’ lifecycle. Any problems that cannot be rectified at the departmental level where appropriate, will be raised as a risk and managed through the risk management process, or reported into the IGG for guidance. Periodic spot checks on staff practices, against the guidance in this policy and the staff handbooks, will be carried out by the appropriate line managers. The results of those checks will be submitted to the relevant IAO for inclusion in their six monthly and annual reports into the IGG.
Records Management Policy 4.0 FINAL
Page 9 of 57
9. Legal Obligations
The organisation has a common law duty of confidence to all our patients and a duty to maintain professional ethical standards of confidentiality. Everyone working for, or with the organisation, who records, handles, stores, or otherwise comes across patient information has a personal common law duty of confidence to the patients, and to the organisation. The duty of confidence continues even after the death of the patient, and/or after an employee or contractor has left the organisation. Any personal information given or received in confidence for one purpose, may not be used for a different purpose, or passed to a third party without the consent of the provider of that information. This duty of confidence is long established at common law, however, it is not an absolute duty and can be subject to an overriding public interest. There are other statutory restrictions on the disclosure of information:
The NHS (Venereal Diseases) Regulations 1974 and the NHS Trusts (Venereal Diseases) Directions 1991
The Human Fertilisation and Embryology Act 1990, as amended by the Human Fertilisation and Embryology (Disclosure of Information) Act 1992
Public Records Acts 1958 and 1967 Health and Safety at Work Act 1974 (and related regulations) Unfair Contract Terms Act 1977 Limitation Act 1980 Companies Acts 1985 and 1989 Financial Services Act 1986 Latent Damage Act 1986 Consumer Protection Act 1987 Copyright, Designs and Patents Act 1988 Value Added Tax Act 1994 Civil Evidence Act 1995 Data Protection Act 1998 Human Rights Act 1998 Freedom of Information Act 2000 Access to Health Records Act 1990.
9.1 Freedom of Information Act 2000 The Freedom of Information Act 2000 has lead to greater openness concerning NHS administrative records and the organisation has to meet and follow legal requirements which include requests from patients and/or members of the public. Please refer to the Freedom of Information Publication Scheme on the YAS intranet: http://www.yas.nhs.uk/
Records Management Policy 4.0 FINAL
Page 10 of 57
9.2 Data Protection Act 1998 All records (manual or electronic) are covered by the Data Protection Act 1998 and consequently the provisions of the Act apply to all YAS records containing personal data. Requests from patients under subject access are dealt with according to the Data protection Act 1998. Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate and up to date Not kept for longer than is necessary Processed in line with your rights Secure Not transferred to other countries without adequate protection.
9.3 Confidentiality Code of Conduct All YAS employees are bound by a legal duty of confidence to protect personal information that they may come into contact with during the course of their work. This is not only a contractual requirement, but also a requirement of the Data Protection Act 1998. For health and other professionals it is also part of their own profession’s code of conduct. This means that employees must keep any person-identifiable information strictly confidential eg patient and employee records. In addition, employees coming into contact with important non person-identifiable information should treat it with the same degree of care and confidentiality. When dealing with confidential information please follow these guidelines: Keep all person-identifiable information with you at all times. Do not leave confidential or person-identifiable information on printers, photocopiers or fax machines or on your desk for others to view. It is your responsibility to remove it from the printer, photocopier or fax machine. If faxing confidential information mark the fax header ‘private and confidential’ and request a receipt. Follow up with a phone call to make sure the information has been received. If you require further information, please contact the Information Governance Coordinator Michelle Power, email: [email protected]
Records Management Policy 4.0 FINAL
Page 11 of 57
10. Glossary of Terms
Clinical Records / Health Records – A single record with a unique identifier containing information relating to the physical or mental health of a given patient who can be identified from that information and which has been recorded by, or on behalf of, a health professional, in connection with the care of that patient. This may comprise text, sound, image and/or paper and must contain sufficient information to support the diagnosis, justify the treatment and facilitate the ongoing care of the patient to whom it refers. Corporate Records – Records (other than health records) that are of, or relating to, an organisation’s business activities covering all the functions, processes, activities and transactions of the organisation and of its employees. Information Asset Owner (IAO) – Is a senior staff member (most typically of Assistant Director level) who takes direct responsibility for the information held in their work area, including the integrity, safe storage and quality of that information. The IAOs provide direct support to the Senior Information Risk Owner (the ICT Director) and are also responsible for identifying, managing and mitigating information risks. A complete list of all the organisation’s IAOs can be found in Appendix A. Information Lifecycle – the five distinct phases that all information will follow. The five phases are; creation, retention, maintenance, use and disposal. For further details on each phase please refer to sections 11 to 15. Person Identifiable Information (PII) – Information (or data) relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. Information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual. Record – Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations, or in the transaction of business. An NHS record is anything which contains information (in any media) which has been created or gathered as a result of any aspect of the work of NHS employees, including consultants, agency or casual staff.
Records Management Policy 4.0 FINAL
Page 12 of 57
11. Creating Records
All information follows five distinct phases: 1. Creation 2. Retention 3. Maintenance 4. Use 5. Disposal.
This policy covers each of these phases and the YAS employees’ obligations under this policy. Please refer to the process flow in Appendix B1 for a step by step guide to creating clinical records and the process flow in Appendix B2 for a step by step guide to creating corporate records. Note: The checklist referred to in section 8, which is to be used by line managers for spot checks, can be found on the YAS intranet in the Records Management section, under Tools and Resources. This checklist covers all five phases of a records’ lifecycle and should be used by line managers to regularly assess compliance with this policy. It is recommended that spot checks using this checklist should be carried out initially on a monthly basis until a stable position is established. This frequency can then be reduced accordingly, to the minimum of every six months in order to fall in line with the IAO six monthly reports to the IGG. When creating information in the first instance, the following should be adhered to and the information must be:
Available when needed to enable a reconstruction of activities or events that have taken place
Accessible to all members of staff that require access in order to enable them to carry out their day to day work - the information must be located and displayed in a way consistent with its initial use and that the current version is clearly identified where multiple versions exist
Interpretable, clear and concise so the context of the information is clear and be able to be interpreted appropriately, i.e. who created or added to the record and when, during which business process and how the record is related to other records
Trusted, accurate and relevant - the information must reliably represent the initial data that was actually used in, or created by, the business process whilst maintaining its integrity. The authenticity must be demonstrable and the content relevant
Secure from unauthorised or inadvertent alteration or erasure. Access and disclosure must be properly controlled and audit trails used to track all use and changes. The information must be held in a robust format which remains readable for as long as the information is required and/or retained.
Records Management Policy 4.0 FINAL
Page 13 of 57
For reasons of business efficiency or, in order to address problems with storage, consideration should be given to the option of scanning paper format records into electronic format. Where this is proposed, the factors to be taken into account include the:
Costs of the initial (and any later) media conversion to the required standard, bearing in mind the length of the retention period for which the records are required to be kept
Need to consult in advance with the local Place of Deposit or The National Archives with regard to records which may have archival value, as the value may include the format in which it was created
Need to protect the evidential value of the record by copying and storing the record in accordance with British Standards, in particular the ‘Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically’ (BIP 0008).
In order to fully realise the benefits of reduced storage requirements and business efficiency, the Information Asset Owners (IAOs) should consider secure disposal of any paper records that have been copied into electronic format and stored in accordance with appropriate standards. Employees should also consider the following when creating information for the first time:
What is being recorded and how it should be recorded Why is it being recorded How to validate the information (and against what) in order to ensure that
what is being recorded is the correct data How to identify errors and how to report errors and correct them
accordingly The intended use of the information, understand what the records are
used for (and therefore why timeliness, accuracy and completeness of recording is so important)
How to update the information and how to add in information from other sources
When and how to incorporate document and version control. Please refer to the table below for details of how to use version control numbering for a document:
Records Management Policy 4.0 FINAL
Page 14 of 57
11.1 How to Version Control a Document
Stage Version Number
Filename
Initial creation 0.1 APolicyDocument_v0.1 - draft Second draft to include some feedback
0.2 APolicyDocument_v0.2 - draft
Third draft to include changes from stakeholders
0.3 APolicyDocument_v0.3 - draft
All changes included, ready for approval
0.4 APolicyDocument_v0.4 - draft
Approved version – now ready for release
1.0 APolicyDocument_v1.0 - FINAL
DOCUMENT PUBLISHED AND RELEASED
1.0 APolicyDocument_v1.0 - FINAL
Review now due Make amendments on the draft as applicable
1.1 APolicyDocument_v1.1 - draft
Incorporate feedback from stakeholders
1.2 APolicyDocument_v1.2 - draft
Issue for approval 1.3 APolicyDocument_v1.3 - draft Incorporate feedback from the approvers
1.4 APolicyDocument_v1.4 - draft
Re-issue for final approval 1.5 APolicyDocument_v1.5 - draft Approved version – now ready for release
2.0 APolicyDocument_v2.0 - FINAL
DOCUMENT RE-PUBLISHED AND RE-RELEASED
2.0 APolicyDocument_v2.0 - FINAL
11.2 Data Quality All staff must ensure that high standards of data quality are applied at every phase of the records lifecycle, for further detailed guidance regarding the organisation’s data quality policy and procedures please refer to the Data Quality Policy on the intranet in the Document Library under the section; Policies Procedures and Guidance, ICT and Information Governance Policies. For details of the policy, procedures and quality standards which must be used by all YAS staff with patient contact, when completing the clinical records, please refer to the Clinical Record-Keeping Standards Policy available on the YAS intranet.
Records Management Policy 4.0 FINAL
Page 15 of 57
12. Retaining Records
Please refer to Appendix C1 for the process flow for retaining records. Refer to Appendix C2 for the table detailing the retention periods for each record type. The retention period varies dependant on the type of information being stored, clinical records should not ordinarily be retained for more than 30 years and all the organisation’s clinical records can be securely destroyed after 10 years. The information being recorded and retained must be relevant, fit for the purpose it was intended and only retained for as long as it is genuinely required. It is a legal requirement that NHS records which have been selected as archives should be held in a repository that has been approved for the purpose by The National Archives. Where an organisation is already in regular contact with its Place of Deposit, it should consult with it over decisions regarding selection and transfer of records. Where this is not the case, The National Archives should be contacted in the first instance.
13. Maintenance of Records
All information needs to be maintainable through time. The qualities of availability, accessibility, interpretation and trustworthiness must be maintained for as long as the information is needed (perhaps permanently) despite changes in the format. The use of standardised filenames and version control methods should be applied consistently throughout the organisation and the life of the information. Please refer to the table in section 11.1 for guidance on how to version control a document, from the point of its creation, throughout it’s use and maintenance.
14. Use of Records
All information must be used consistently, only for purposes for which it was intended and never for an individual employee’s personal gain or purpose. If in doubt employees should seek guidance from the Information Governance Coordinator in the first instance, who will inform the relevant IAO for the business area concerned. Only the specific information required should be disclosed to authorised parties and always in accordance and with strict adherence to, the Data Protection Act and the Freedom of Information Act. There are a range of statutory provisions that limit, prohibit or set conditions in respect of the disclosure of records to third parties, and similarly, a range of provisions that require or permit disclosure. The key statutory requirements can be found in Annex C of the “Records Management: NHS Code of Practice” (Part 1): http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747
Records Management Policy 4.0 FINAL
Page 16 of 57
14.1 Use of Electronic Records Records held in electronic format are often easier to access and maintain, however staff must always ensure that records are not being accessed unnecessarily, or kept for any longer than reasonably required just because it’s easier to do so. If the records contain information that is person identifiable, personal or of a sensitive nature the eight principles of the Data protection Act must be adhered to. Please refer to section 9.2 for details of the eight principles. 14.2 Transferring Electronic Person Identifiable Information The mechanisms for transferring information from one organisation to another should be tailored to the sensitivity of the material contained within the records and the media on which they are held. Before transferring any information that may be of a confidential nature, and/or include some Person Identifiable Information (PII), please firstly consult with the relevant IAO for the business area concerned. As a minimum, all PII should be transferred in encrypted files using WIN ZIP Version 12. To send PII safely and in accordance with the organisation’s procedures staff must: 1. Email the document as a zipped file with a password. 2. Send the password in a separate email that has also been encrypted or 3. Contact the person who is to receive the file and provide the password verbally (unless the password has already been previously agreed). Under no circumstances must the password and the attachment be sent on the same email. This is a direct breach of the organisation’s current Security Policy and would render the above process useless, should the email and attachment land in the wrong hands. YAS currently uses WIN ZIP Version 12 which encrypts data to the highest available capacity. If staff require a one-off document encrypting they should contact the service desk on 0845 122 0522 and log a call. A member of the helpdesk will be then be in touch to encrypt the document on your behalf, including setting the password specified by the requesting staff member. The information will then be placed on the requestor’s workstation for them to send via their own email account. If staff will be sending information on a regular basis then a licence for the WIN ZIP software will be required. Please follow the usual procurement procedures through your line manager to arrange for a licence to be purchased and installed. Any questions should be directed to the ICT service desk on the above number.
Records Management Policy 4.0 FINAL
Page 17 of 57
14.3 Tracking Electronic Records Please refer to Appendix D1 for the process flow for tracking records. The tracking of electronic records is held automatically in the audit trails of the systems that hold the data. Where this type of audit trail does not exist for some systems, staff must enter a manual audit trail in the record itself that details the full name of the person to last update the record and the date and time the amendment was carried out (please refer to the example in section 14. 4). Depending on the nature of the record, this level of detail may not always be applicable, however best practice is to ensure version control is always applied as a minimum. If a particular record cannot be version controlled, has no automatic system audit trail and a manual audit trail cannot be easily applied directly to the record itself, consideration should be given to a separate document that details the audit of amendments to that particular record. Information held in records should be closed (i.e. made inactive and transferred to a secondary storage) as soon as they have ceased to be in active use, other than for reference purposes. An indication that a file of paper records, or folder of electronic records, has been closed, together with the date of closure, should be shown on the record itself, as well as noted in the index, manual audit trail or database of the files/folders. Where possible, information on the intended disposal of electronic records is included in the metadata when the information is created. The storage of closed records follows accepted standards relating to environment, security and physical organisation of the files. This is handled by the organisation’s third party storage provider which is used for archiving closed paper records and also the secure destruction of the records once the relevant retention period has expired. 14.4 Example of a Manual Audit Trail for Electronic and/or Paper Records Version Number
Date of Change
Time of Change
Full Name Reason for / Type of Change
1.0 31/01/2010 14.30 John Smith To include staff mobile contact numbers.
1.1 28/02/2010 10.00 Joanne Smith Add additional data to include full postal address.
The above table can be less detailed where applicable, for example the time of the change may only be required if a particular record is being updated numerous times during the same working day. Likewise additional columns can be added if further details about the type of change are required. The above manual audit trail can be used for both electronic and paper records.
Records Management Policy 4.0 FINAL
Page 18 of 57
14.5 Retrieving Electronic Records The retrieval of electronic records is also easier to control due to the rights and restrictions that can automatically be applied to individual staff logins for the various systems that hold the records. Managers are responsible for authorising and requesting the appropriate user rights for individual members of staff, however all staff continue to be responsible for security and integrity of the records and information which they record, handle, store, or otherwise comes across during their day to day duties. 14.6 Use of Paper Records Records held in paper format are less easy to access, maintain and control than electronic records due to the very nature of them. Paper based records often only have the one master copy and are difficult to backup easily and cost effectively. Therefore, staff must take additional precautions when safeguarding and filing paper records to ensure that retrievals will be possible, when required at some point in the future. Where possible the filing and archiving of paper based records should provide sufficient information to allow the identification of the records needed. 14.7 Tracking Paper Records Please refer to Appendix D1 for the process flow for tracking records. Paper records do have the facility of an automatic audit trail that electronic systems offer and so staff must enter a manual audit trail in the record itself that details the full name of the person to last update the record and the date and time the amendment was carried out (please refer to the example in section 14. 4). Depending on the nature of the record, this level of detail may not always be applicable, however best practice is to ensure version control is always applied as a minimum. If a particular record cannot be version controlled and a manual audit trail cannot be easily applied directly to the record itself, consideration should be given to a separate document that details the audit of amendments to that particular record. Whilst the organisation is continually making changes to help reduce the amount of paper records produced in the first instance and to also convert some paper based records into electronic format, there is always likely to be the need for some paper based records within the organisation. In the first instance, staff must always look for alternative methods of creating, storing and maintaining records that do not involve the paper based means being the primary source. However, where a suitable electronic alternative is not readily available, staff must always seek to be as efficient as possible, file records in a logical manner to aid future retrieval and avoid making unnecessary duplications to help reduce the risk of data being lost or unlawfully disclosed. Staff must apply clear version control as described in section 11 and manual audit trails in the record itself that details the full name of the person to last update the record and the date and time the amendment was carried out. Please refer to the table 14.4 for an example of how to create a manual audit trail.
Records Management Policy 4.0 FINAL
Page 19 of 57
14. 8 Retrieving Archived Paper Records in Storage Please refer to Appendix D2 for the process flow for retrieving archived paper records in storage. To retrieve paper archived records that have been boxed and stored with the organisation’s external storage supplier, please contact the relevant authorised user for your department. The storage supplier holds the same list of authorised users that can make requests for boxes to be retrieved from store and delivered to designated addresses across the organisation. For details of the authorised users in each department and their levels of permissions, please go to the YAS intranet in the Records Management section, under Tools and Resources: http://intranet.yas.nhs.uk/toolsandresources/Pages/RecordsManagement/default.aspx 14.9 Tracking Paper Patient Report Forms (PRFs) Please refer to Appendix D3 for the process flow for tracking paper patient report forms. YAS are currently piloting an electronic system for capturing clinical information when treating patients and the intention is to move onto this system in the future. In the meantime all staff when treating a patient, continue use the latest paper based versions of the various Patient Report Forms. All paper patient forms (w.e.f. 1st February 2010) across the whole organisation are scanned and verified by one of the two Clinical Audit teams. The paper forms once scanned are retained for one month and then securely destroyed using external suppliers. There are a number of other teams within the organisation that also require access to these forms for a number of reasons. These teams have the required (direct) access to the database, where the scanned copies are held, which has an audit trail automatically generated each time a file is accessed. 14.10 Retrieving Paper Patient Report Forms - Requests for Information by External Third Parties Please refer to Appendix D4 for the process flow for retrieving paper patient report forms. Should members of staff be approached by a third party organisation (or a member of YAS staff) for copies of any information they must refer the request to the appropriate team within the organisation. Under no circumstances should staff divulge any information, however small, to anyone external to the organisation. Staff must direct all such requests immediately to the teams trained to handle and process these requests. These teams take ownership of the request and ensure that it is handled in a consistent manner, whilst also ensuring that any disclosures, when carried out, are in strict accordance with the Data Protection Act.
Records Management Policy 4.0 FINAL
Page 20 of 57
The requests included may be Subject Access Requests, Police and Coroners’ requests or any other type of request where staff are being asked for copies of paper patient report forms (PRFs), copies of calls placed with the Access and Response Communications Centre and any other documentation held by the organisation. Regardless of what is being requested and who the third party making the request is, staff must refer the requestor to the teams listed in the table below. Please refer the requestor to the following teams during Mon to Fri, 9am to 5pm: CBU Name Email Tele. No.
North Yorkshire & Craven
Kath Cullerton (Coroners)
[email protected] or [email protected]
01824 58 4029
Jessica Evans (Police)
01904 66 6002
Hull & East Riding
Julie Button
[email protected] 01482
670 808 Sarah Atkinson
[email protected] 01904
66 6110
Bradford Calderdale & Kirklees and Leeds Wakefield
Kath Cullerton (Coroners)
[email protected] or [email protected]
09124 58 4029
Jessica Evans (Police)
[email protected] 09124
58 4038
South Yorkshire
Carole Pearson
[email protected] 01924
58 4288 Sue Bingham
01924 58 4287
Subject Access Requests
Hayley Forsyth (for all of YAS)
01924 58 4032
Kath Cullerton is the YAS contact for all Coroners and responsible for the collation of all Coroner’s requests into YAS. For requests that must have the information released urgently, i.e. the information must be provided outside of the above hours, please refer the requestor to the following team: Contact Email Tele. No.
Team Leaders [email protected] 01924
58 4977
Records Management Policy 4.0 FINAL
Page 21 of 57
14.11 Retrieving Paper Patient Report Forms - Requests for Information by Internal YAS Staff Please refer to Appendix D4 for the process flow for retrieving paper patient report forms. Should staff be approached to provide copies of records, divulge information verbally or confirm specific details of records to internal YAS staff, this is acceptable providing the member of staff being approached is confident that the member of staff requesting the information is actually a member of YAS staff. Should the staff member be in any doubt, it is acceptable to ask for the request to be emailed in order to verify the requesting staff member’s identity more fully. If there is a problem following the email request then staff should discuss the request with their line manager before disclosing any information. For full details on the procedures for handling requests for information by external third parties and/or internal YAS staff, please refer to the “Procedure for Handling Disclosure Requests” available on the YAS intranet: http://intranet.yas.nhs.uk/departmentsandservices/Pages/CorporateAffairs/CorpAffairsLibrary.aspx
Records Management Policy 4.0 FINAL
Page 22 of 57
15. Disposing of Records
Disposal is defined as the point in the records lifecycle when it is either transferred to an archive, or securely destroyed. It is particularly important under the Freedom of Information legislation that the disposal of records, is undertaken in accordance with this policy, which has been formally adopted by the organisation and which is enforced by authorised staff. No records should be destroyed until the retention period for that particular record type has expired. The specific YAS retention periods for the most frequently used record types are listed in the table in Appendix C2. 15.1 How to Arrange Secure Destruction of Records Please refer to the process flow in Appendix E1 for a step by step guide to disposing of records and use the form “Authorisation for the Destruction of YAS Records” which can be found in Appendix E2. All records that have been retained for the correct period, in accordance with details in the table in Appendix C2, and are now deemed ready for secure destruction should be documented onto the form “Authorisation for the Destruction of YAS Records”. A copy of this form can be found in Appendix E2. Once all the details are of the records that need destroying have been listed, the relevant Director / Assistant Director must authorise the destruction. At no point should any member of staff request destruction of any records without the signed permission of a Director / Assistant Director. In order to help safeguard against the unauthorised destruction of records the organisation’s external supplier, responsible for the storage and secure destruction of paper records, has a list of authorised users that can make such requests. There are a few of those authorised users that have authority to request secure destructions of records. For details of the authorised users in each department and their levels of permissions, please go to the YAS intranet in the Records Management section, under Tools and Resources: http://intranet.yas.nhs.uk/toolsandresources/Pages/RecordsManagement/default.aspx The form in Appendix E2 should also be used for documenting records that are expired, or no longer required but do not need destroying using secure methods. The relevant Director / Assistant Director must still authorise their destruction but the external supplier will not need to be contacted to carry out the destruction. The records can then be disposed of responsibly and where possible, as environmentally friendly as possible. Use this same form for electronic records that require destruction/deletion and contact the ICT department for details of how to ensure that all copies/instances of the records are deleted from any temporary cache or mirrored databases/systems. The form listing the records that were destroyed, can then be retained indefinitely in accordance with the retention period described in the table in Appendix C2.
Records Management Policy 4.0 FINAL
Page 23 of 57
15.2 Records with Archival Value Records of the NHS and its predecessor bodies are subject to the Public Records Act 1958, which imposes a statutory duty of care directly upon all individuals who have direct responsibility for any such records. If the records have no ongoing administrative value but have or may have long-term historical or research value, or they have some administrative value but are more appropriately held as archives. Records with such value must be transferred to the organisation’s approved Place of Deposit. Where the organisation has no existing relationship with a Place of Deposit, The National Archives should be contacted in the first instance. Where an organisation is unsure whether records may have archival value, The National Archives or the Place of Deposit with which the organisation has an existing working relationship should be consulted. Contact National Advisory Services at TNA ([email protected] , 020 8392 5330 x2620). National Advisory Services are also be happy to advise on any other queries regarding the working of the Public Records Act in respect of NHS records. A list of all the current appointed Places of Deposit is available on The National Archives website (see below) http://www.nationalarchives.gov.uk/archives/deposit.htm *The table does not contain all record types, only those records that are used or referred to most frequently in the organisation have been extracted for guidance. If information is required regarding another type of record, not listed in the table, please refer to the code of practice that can be found on the DOH website: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747
Records Management Policy 4.0 FINAL
Page 24 of 57
16. Appendix A1 – Complete List of Information Asset Owners (IAOs)
ICT Director – Senior Information Risk Owner
Information Asset Owners: A&R Head of Service Delivery Assistant Clinical Director Assistant Director ICT Assistant Director of Financial Services Assistant Director of Human Resources Assistant Director of PTS Communications Assistant Director Operations - North Yorks Corporate Communications Manager Executive Officer Head of Corporate Affairs Head of Resource Planning Management Information Manager Named Professional for Safeguarding Vulnerable Groups Patient Services Manager
Records Management Policy 4.0 FINAL
Page 25 of 57
17. Appendix A2 – List of YAS Authorised Users who Manage the Boxes in Store with Squirrel
The following list of users are checked and approved annually by all IAOs and a report submitted to the Information Governance Group. (S) = Supervisor access rights – these users can add/delete new users to this list/system. Please refer to Appendix A3 for the procedures on how to manage the Squirrel authorised users.
Name Location Alison Helme Fairfields - A&E Ops Angela Brown Northallerton Ambulance Station – Corporate Affairs Anne-Marie Haigh Wakefield HQ - SH1 & 2 - Office Services Beverley Whittleson Rotherham Carol Hill Wakefield HQ - SH1 & 2 - Office Services Carole Taylor (S) Rotherham - Clinical Audit Claire Walker Wakefield - Fleet David Blain (S) Wakefield HQ - SH2 Denise Boulton Elmbank - Training Edward Maaye Redworth House - Payroll Eleri Russell Phoenix House (NHSP) - Wakefield Hayley Forsyth HQ, Corporate Affairs Helen Coleson Fairfields - A&E Ops Helen Goff Burn Hall - Training Ian Lomas Leeds Amb Stn - PTS James Bolton Wakefield HQ - SH1 & 2 - Office Services Jane Webster Halifax Ambulance Station Janet Smith Gildersome Ambulance Station - Supplies Janine Waters Wakefield HQ - SH2 Jean Brennan (S) Brighouse Ambulance Station - Corporate Affairs Jeanne Mitchell Wakefield HQ - SH1 & 2 - Office Services Jenny Haley Wakefield Ambulance Station Jo Clarke Wakefield HQ - SH2 - Access & Response Julie Barber Wakefield HQ - SH1 - Patient Services Julie Button Willerby Ambulance Station Julie Milburn Burn Hall - Clinical Audit Karen Cooper (S) Wakefield HQ - SH1 - Patient Services Karen Mitchell Wakefield HQ - SH2 - Access & Response Kath Cullerton HQ, Corporate Affairs Katrina Hepworth Gildersome Ambulance Station - Supplies Kay Barrs Rotherham - Clinical Audit Kerri Cooper Wakefield HQ - SH1 & 2 - Office Services Kerrie Potter (S) Wakefield HQ - SH1 - Finance Kerry Shore Wakefield HQ - SH2 - Access & Response Kevin Learoyd Redworth House - Payroll Lael Hird Wakefield HQ - SH1 & 2 - Office Services
Records Management Policy 4.0 FINAL
Page 26 of 57
Larissa Porter Wakefield - Fleet Leesa Charlesworth Elmbank - Training Lilian Long Doncaster - Training Linsey Gerrity Gildersome Ambulance Station - Supplies Lisa Selwood Rotherham Louise Pender HQ - SH2 - Corporate Affairs Michelle Cutsforth Fairfields - A&E Ops Maggie Harris HQ - SH1 - Patient Services Marion Gilheaney Phoenix House (NHSP) - Wakefield Martin Johnson HQ - SH2 Matthew Norton Burn Hall - Clinical Audit Mick Kirton Bradford Ambulance Station Naomi Sword (S) Phoenix House (NHSP) - Wakefield Pauline Clegg HQ - SH1 - PTS Comms Rachael Cassar Leeds Ambulance Station - PTS Rachael Martin Bradford Ambulance Station Rachel Dunn Burn Hall - Clinical Audit Rita Kay Wakefield HQ - SH1 & 2 - Office Services Rosamond Lawton Huddersfield Ambulance Station Ruth Wilkinson (S) Wakefield HQ - SH2 - Access & Response Sarah Atkinson Beverley Ambulance Station Sharon Carson Burn Hall - Clinical Audit Steve Parsons Wakefield HQ - SH1 - Finance Sue Walton Elmbank - Training Stephen Williams Barnsley Ambulance Station Susanna Vatta Wakefield - Fleet Tiffany Bentley Phoenix House (NHSP) - Wakefield Vicky Audsley Wakefield - Fleet
Records Management Policy 4.0 FINAL
Page 27 of 57
18. Appendix A3 – How to Manage the Squirrel Authorised Users
Only users with the Supervisor access rights have the functionality to manage the other users who access the Squirrel online system called Filetrak. To add a new user please follow the steps below:
Double check that they are not on the system already as a user Remember to add each user onto all 4 databases Ensure that the W3 database has different permissions to the other 3
databases (to allow for adding new boxes into W3, which is not allowed in the other databases)
Add each new users’ email address onto the existing email distribution list Update the spreadsheet of authorised users as that’s the only complete
record of all users held by YAS that contains what access permissions each user has
Email the online team to replace the current copy of the spreadsheet, on the intranet with the latest copy, it’s currently on the Records Management page at: http://intranet.yas.nhs.uk/workingatyas/Pages/Information_Governance/Records_Management.aspx Or go to Working at YAS / Information Governance / Records Management
Send email [1] to the new user which details their username, some instructions and the user guide
Send the email [2] which contains their default password (this email asks them to change the default password to something only they know, when they login for the first time).
Records Management Policy_v3.2 draft
Page 28 of 57
19. Appendix B1 – Process Flow Detailing the Step by Step Guide to Creating Clinical Records
Records Management Policy_v3.2 draft
Page 29 of 57
20. Appendix B2 – Process Flow Detailing the Step by Step Guide to Creating Corporate Records IC
TY
AS
Sta
ff
Is therecord
to be elec orpaper?
Performs regular backups of the
databases/systems
FINISH
START
Requires information to be
retained and record(s) to be
created
Elec
Paper
Determines the correct version control to be
applied
Determines the correct version control to be
applied
For guidance on how to version control a file/document please refer to section 11.1
Creates the record in accordance with
departmental procedures
Determines the appropriate format in which to create
the record
Creates the record in accordance with
departmental procedures
Saves record in appropriate
shared folder
Saves the record in the appropriate
filing cabinet/location
For guidance on how to version control a file/document please refer to section 11.1
Retains records in line with retention periods in Records
Management Policy
Archives closed records in
accordance with existing process
Retains records in line with retention
periods in Records Management
Policy
Records Management Policy_v3.2 draft
Page 30 of 57
21. Appendix C1 – Process Flow for Retaining Records
START
Determines appropriate retention period in accordance with
Records Management policy
Carries out monthly checks for records that
can be destroyed and / or archived
Creates record in accordance with existing process
Destroy?
Archive?
Follows existing destruction
processYes
No
Yes
No
Maintains the record to ensure availability,
accessibility and version control
Follows existing archiving process
Records Management Policy_v3.2 draft
Page 31 of 57
22. Appendix C2 – Table Detailing the Retention Periods for each Record Type
The retention periods listed in the column “YAS Retention Period” in the following table are the retention periods that staff should refer to and adhere to at all times, the DOH guidance column for is for additional information and reference only. The table below has been taken directly from the DOH document “Records Management: NHS Code of Practice Part 2” (2nd edition dated Jan 2009). The table does not contain all record types, only those records that are used or referred to most frequently in the organisation have been extracted for guidance. If information is required regarding another type of record not listed in the table, please refer to the code of practice that can be found on the DOH website: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747 The main source of patient identifiable records, produced by the organisation, are the paper based patient report forms completed by ambulance crews. Due to the operational constraints regarding the collation, retention, archiving and subsequent retrieval of those paper patient report forms, the organisation cannot segregate records pertaining to different patient types. Therefore, all the organisation’s paper patient report forms fall under the record type “ambulance records” and from February 2010 onwards, are scanned into electronic format, verified and the paper copies securely shredded after one month.
Records Management Policy_v3.2 draft
Page 32 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Clinical Records / Operations:
Ambulance records (patient identifiable component)
Main A3 Patient Report Form Computer Aided Dispatch Record
10 years
10 years - where a patient is transferred to the care of another NHS organisation all relevant clinical information must be transferred to the patients’ health record held at that organisation. Staff must always pass the yellow (bottom) copy of the patient form(s) to the hospital.
Audio tapes of calls requesting care A&R calls
3 years and/or 10 years - see notes in the DOH guidance column.
Retain taped calls for 3 years providing all relevant clinical information has been transferred to the appropriate patient record. Where the information is NOT transferred into a health record, the tapes should be retained for 10 years.
Audit Trails of electronic health records ePRF audit trail Indefinitely. NHS organisations are advised to retain all audit trails until further notice.
Children and young people (all types of records relating to children and young people)
See ‘Ambulance records’ and refer to page 20.
Clinical audit records
Clinical Performance Indicators reports.
5 years
Records Management Policy_v3.2 draft
Page 33 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Controlled drug documentation Drug books
Requisitions – 2 years. Registers and CDRBs – 2 years from last entry.
Please refer to Department of Health http://www.dh.gov.uk/en/index.htm and Royal Pharmaceutical Society of Great Britain http://www.rpsgb.org.uk/ websites for up-to-date information.
Destruction records of individual health records, case notes and other health-related records - paper and/or elec format. (refer to ‘destruction of records (other than health records)’ for corporate record destructions)
Indefinitely.
Electrocardiogram (ECG) records ECG strips 7 years
Each chart should be labelled with the patient’s name and unique identifier (the incident date and number). Any over-sized charts can be stored separately where a report is written into the health records (this must be noted on the main A3 PRF).
Homicide / Serious Untoward Incident records
30 years
Litigation - records/documents related to any litigation
Dependant on the case – see notes in the DOH guidance column
As advised by the organisation’s legal advisor. All records to be reviewed. Normal review period is 10 years after the file is closed.
Records Management Policy_v3.2 draft
Page 34 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Occupational health records (staff)
3 years after termination of employment, unless litigation ensues
Occupationally Related Diseases (e.g. asbestosis, pneumoconiosis, byssinosos)
10 years after date of last entry in the record
(general) Operating Policies and Procedures
3 years retain the current version and previous version for 3 years
From CQC outcome 21 (not the DOH)
Paediatric records See ‘Ambulance records’
Scanned records (relating to patient care)
Electronic scanned copy of a patient report form (originally on paper)
10 years
Risk Assessments Retain the latest risk assessment until a new one replaces it
Voice recordings, video records relating to patient care, videoconferencing records related to patient care, DVD records related to patient care (includes Telemedicine records, Out of hours records, GP cover and NHS Direct records).
8 years
Vulnerable Adults See ‘Ambulance records’
Records Management Policy_v3.2 draft
Page 35 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Corporate Records (administrative and organisational): Accident forms Prism 10 years Accident register (reporting of injuries, diseases and dangerous occurrences register)
Prism 10 years
Agendas of board meetings, committees, sub-committees (master copies including associated papers)
30 years
Agendas (other) 2 years
Records Management Policy_v3.2 draft
Page 36 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Agreements / Contracts Financial contracts:
Approval filesApproved suppliers lists
Non-sealed (property) contracts on termination Non-sealed (other) contracts on termination Sealed contracts (and associated records) Maintenance contracts (routine) Contractual arrangements with hospitals or other bodies outside the NHS, including papers relating to financial settlements made under the contract (e.g. waiting list initiative, private finance initiative)
15 years 11 years 6 years after termination of contract 6 years after termination of contract 15 years (min) 6 years from end of contract 6 years after end of financial year to which they relate
Retain for a minimum of 15 years, after which they should be reviewed.
Ambulance Records – Administrative (records containing non-clinical details only, eg records of journeys)
PTS journey sheets
2 years from the end of the year to which they relate
Annual / corporate reports 3 years Assembly / Parliamentary questions, MP enquiries
10 years
Records Management Policy_v3.2 draft
Page 37 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Audit Records, Internal & External in any format paper, electronic etc
Organisational Audits, Records Audits, Systems Audits
2 years from the date of completion of the audit
Business plans, including local delivery plans
20 years
Catering forms 6 years
Close circuit TV images 31 days and erase permanently
Commissioning decisions, appeal documentation, decision documentation
6 years from date of appeal and/or decision
Complaints (see also litigation & litigation dossiers) Correspondence, investigation and outcomes Returns made to DH
8 years from completion of action Files closed annually and kept for 6 years following closure
Current policy on the handling of complaints is under review by the DOH and further guidance will be issued in due course.
Computer programmes written in-house, related documentation
Lifetime of software
Contracts See ‘Agreements / Contracts’
Copyright declaration forms (Library Service)
6 years
Data Input Forms where the data/information has been input to a computer system
Address notifications from local Councils
2 years
Records Management Policy_v3.2 draft
Page 38 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Destruction of records (other than health records), records documenting the archiving, transfer to public records archive. (refer to ‘destruction records of individual health-related records’ for health record destructions)
30 years
Diaries (office)
1 year after the end of the calendar year to which they refer
Flexi working hours (personal record of hours actually worked)
6 months
Freedom of Information requests
3 years after full disclosure 10 years if information is redacted or not disclosed
Health and safety documentation Prism 3 years History of the organisation or predecessors, its organisation and procedures
Establishment order
30 years
Incident forms Prism 10 years Indices (records management) registry lists of public records marked for permanent preservation, or containing the record of management of public records. File lists and document lists where public records or their management are not covered.
30 years
Records Management Policy_v3.2 draft
Page 39 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Laundry lists and receipts 2 years from completion of audit
Litigation dossiers (complaints including accident/incident reports) Records/documents relating to any form of litigation
Coroners’ requests
10 years Where a legal action has commenced, keep as advised by legal representatives
Manuals – policy and procedure (administrative and clinical, strategy documents)
10 years after life of the system (or superseded) to which the policies or procedures refer
Policy documents may have archival value.
Meetings and minutes papers of major committees and sub-committees (master copies) - 30 years
30 years
Meetings and minutes papers (other, including reference copies of major committees)
2 years
Papers of minor or short-lived importance not covered elsewhere, eg advertising matter, covering letters, reminders, letters making appointments, anonymous or unintelligible letters, drafts, duplicates of documents known to be preserved elsewhere (unless they have important minutes on them) indices and registers compiled for temporary purposes, routine reports, punched cards, other documents that have ceased to be of value on settlement of the matter involved.
2 years after the settlement of the matter to which they relate
Records Management Policy_v3.2 draft
Page 40 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Patient Advice & Liaison Service (PALS) records
10 years after closure of the case
Patient information leaflets 6 years after the leaflet has been superseded
Patient Surveys re access to services etc 2 years Police Statements (made in the context of Accident and Emergency episodes. Statements are requested by the Police to the A&E staff in relation to alleged injuries of, or by, patients coming through A&E)
10 years (congruent retention period as Incident Forms)
Press cuttings 1 year Where bound volumes exist, these may have archival value.
Press releases 7 years Project files (including abandoned or deferred projects):
Over £100,000 on terminationLess than £100,000 on termination
Project team files (summary retained)
6 years 2 years 3 years
Public Consultations eg about future provision of services
5 years
Quality control records:
External
Internal (relating to products)
2 years 10 years
Records Management Policy_v3.2 draft
Page 41 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Quality assurance records eg Healthcare Commission, Audit Commission, King’s Fund Organisational Audit, Investors in People
12 years
Receipts for registered and recorded mail
2 years following the end of the financial year to which they relate
Reports (major) 30 years Requests for access to records (other than Freedom of Information or subject access requests)
6 years after last action
Requisitions 18 months Serious incident files 30 years Software licences Lifetime of software Specifications eg equipment, services 6 years Statistics including Korner returns, contract minimum data set, statistical returns to DOH, patient activity
3 years from date of submission
Subject access requests (DPA and AHR) records of requests
3 years after last action
Time sheets (relating to a Group or Department where the timesheets are kept as a tool to manage resources/staffing levels)
6 months
Estates / Procurement / Supplies records:
Approval files (contracts and purchase orders)
6 years after end of the year the contract expired
Records Management Policy_v3.2 draft
Page 42 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Approved suppliers lists 11 years Buildings, papers relating to occupation of the building (but not health and safety information)
3 years after occupation ceases
Deeds of title
While the organisation has ownership of the building – see notes in the DOH guidance column
Retain while the organisation has ownership of the building unless a Land Registry certificate has been issued, in which case the deeds should be placed in an archive. If there is no Land Registry certificate, the deeds should pass on with the sale of the building.
Delivery notes
2 years after end of financial year to which they relate
Drawings, plans and buildings (architect signed, not copies)
Lifetime of the building to which they relate
Engineering works, plans and building records
Lifetime of the building to which they relate
Equipment records of non-fixed equipment, including specification, test records, maintenance records and logs
11 years
If the records relate to vehicles (ambulances, responder cars, fleet vehicles etc) and where the vehicle no longer exists, providing there is a record that it was scrapped, the records can be destroyed.
Inspection reports eg boilers, lifts Lifetime of installation
If there is any measurable risk of a liability in respect of installations beyond their operational lives, the records should be retained indefinitely.
Records Management Policy_v3.2 draft
Page 43 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Inventories of furniture, medical and surgical equipment not held on store charge and with a minimum life of 5 years Inventories of plant and permanent or fixed equipment
Keep until next inventory 5 years after date of inventory
Leases, the grant of leases, licences and other rights over property
Period of the lease plus 12 years
Photographs of buildings 30 years Plans, building (as built) Lifetime of building May have historical value. Purchase Orders – see ‘Approval Files’ above
Stock control reports - 18 months Stores records:
Major (eg stores ledgers)
Minor eg requisitions, issue notes, transfer vouchers, goods received books
6 years 18 months
Structure plans, organisational charts i.e. the structure of the building plans
Lifetime of building
Supplies records eg invitations to tender and inadmissible tenders, routine papers relating to catering and demands for furniture, equipment, stationery and other supplies
18 months
Surveys, building and engineering works Lifetime of building or installation
Records Management Policy_v3.2 draft
Page 44 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Tenders / Purchase Orders / Quotations:
Successful
Unsuccessful
Tender period plus 6 year limitation period 6 years
Financial / Accounting records: Accounts, annual (final, one set only) 30 years Accounts, minor records; pass books, paying-in slips, cheque counterfoils, cancelled/discharged cheques, accounts of petty cash expenditure, travel and subsistence accounts, minor vouchers, duplicate receipt books, income records, laundry lists and receipts
2 years from completion of audit
Accounts, working papers 3 years from completion of audit
Advice notes, payment 18 months Audit reports, internal and external including management letters, value for money reports and system/final accounts memoranda
2 years after formal completion by statutory auditor
Bank statements 2 years from completion of audit
Banks Automated Clearing System (BACS) records
6 years after year end
Bills, receipts and cleared cheques 6 years
Records Management Policy_v3.2 draft
Page 45 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Budgets including working papers, reports, virements and journals
2 years from completion of audit
Cash sheets
6 years after end of financial year to which they relate
Estimates, including supporting calculations and statistics
3 years after end of financial year to which they relate
Expense claims, including travel and subsistence claims, and claims and authorisations
5 years after end of financial year to which they relate
Fraud case files/investigations 6 years Fraud national proactive exercises 3 years
Invoices, capital paid invoices, cash books
6 years after end of financial year to which they relate
PAYE records 6 years after termination of employment
Payments 6 years after year end
Payroll list of staff in the pay of the organisation
6 years after termination of employment
Destroy under confidential conditions. For superannuation purposes, organisations may wish to retain such records until the subject reaches benefit age.
Records Management Policy_v3.2 draft
Page 46 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Receipts
6 years after end of financial year to which they relate
Salaries See ‘Wages / salaries’ Superannuation accounts and registers 10 years Tax forms 6 years
Transport (staff pool car documentation) 3 years unless litigation ensues
VAT records
6 years after end of financial year to which they relate
Wages / salaries 10 years after termination of employment
Human Resources / Personnel records: CVs for non-executive directors:
Successful applicants
Unsuccessful applicants
5 years following term of office 2 years
Industrial relations, not routine staff matters, including industrial tribunals
10 years
Job advertisements - 1 year 1 year
Records Management Policy_v3.2 draft
Page 47 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Job applications:
Successful
Unsuccessful
3 years following termination of employment 1 year
Job descriptions 3 years
Leavers’ dossiers
6 years after individual has left Summary to be retained until individual’s 70th birthday (or until 6 years after cessation of employment if aged over 70 years at the time) – see notes in the DOH guidance column.
The summary should contain everything except attendance books, annual leave records, duty rosters, clock cards, timesheets, study leave applications, training Plans. The 6 year retention period is to take into account any ET claims, or EL claims that may arise after the employee leaves NHS employment, requests for information from the NHS pensions agency etc. Claims of this nature can include periods of up to 6 years or more, prior to the claim and where evidence could be needed from a number of sources, it is appropriate to retain as much as possible from the original file.
Records Management Policy_v3.2 draft
Page 48 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Letters of appointment
6 years after employment has terminated or until 70th birthday, whichever is later.
Pension Forms (all) 7 years
Personnel / human resources records, major, eg personal files, letters of appointment, contracts, references and related correspondence, registration authority forms, training records, equal opportunity monitoring forms (if retained))
6 years after individual has left Summary to be retained until individual’s 70th birthday (or until 6 years after cessation of employment if aged over 70 years at the time) – see notes in the DOH guidance column
The summary should contain everything except attendance books, annual leave records, duty rosters, clock cards, timesheets, study leave applications, training Plans. The 6 year retention period is to take into account any ET claims, or EL claims that may arise after the employee leaves NHS employment, requests for information from the NHS pensions agency etc. Claims of this nature can include periods of up to 6 years or more, prior to the claim and where evidence could be needed from a number of sources, it is appropriate to retain as much as possible from the original file.
Records Management Policy_v3.2 draft
Page 49 of 57
Record Type (in alphabetical order) Example(s)
YAS Retention Period (from the date of creation unless otherwise stated)
DOH Guidance / Notes
Personnel / human resources, minor, eg attendance books, annual leave records, duty rosters i.e. duty rosters held on the individual’s record not the organisation or departmental rosters, clock cards, timesheets (relating to individual staff members)
2 years after the year to which they relate
Staff car parking permits 3 years Study leave applications 5 years
Timesheets (for individual members of staff)
2 years after the year to which they relate
Training plans 2 years
Records Management Policy_v3.2 draft
Page 50 of 57
23. Appendix D1 – Process Flow for Tracking Records Y
AS
Sta
ffF
INIS
H
Records Management Policy_v3.2 draft
Page 51 of 57
24. Appendix D2 - Process Flow for Retrieving Archived Paper Records in Storage Y
AS
Sta
ffF
INIS
H
Records Management Policy_v3.2 draft
Page 52 of 57
25. Appendix D3 – Process Flow for Tracking Paper Patient Report Forms
Records Management Policy_v3.2 draft
Page 53 of 57
26. Appendix D4 - Process Flow for Retrieving Paper Patient Report Forms
Records Management Policy_v3.2 draft
Page 54 of 57
27. Appendix E1 - Process Flow for a Step by Step Guide to Disposing of Records
START
Link is:http://intranet.yas.nhs.uk/toolsandresources/Pages/RecordsManagement/default.aspx Checks intranet for
latest copy of Records Management Policy
Logs onto on-line system to extract
catalogue details of boxes to be destroyed
Have theCorrect
retention periodsbeen adhered
to?
Records are due for destruction
Yes
Request authorisation from appropriate
Director / Assistant Director
Not Sure
Completes “Authorisation for
Destruction of YAS Records” form using
catalogue details
No
No
Yes
Records OK to destroy?
Yes
Retains for longer period in accordance
with Records Management Policy
Notifies requestor that secure destruction is
completed successfully
Follows existing destruction
process
Signs authorisation form
Passes unsigned form back and specifies corrective action
Records listedare OK todestroy?
Logs onto on-line system to request
destruction of relevant boxes
Takes appropriate corrective action
Notes details and files form and
certificate
Records Management Policy_v3.2 draft
Page 55 of 57
28. Appendix E2 - Copy of the Form to Request Authorisation to Dispose of Records
Authorisation for Destruction of YAS Records
Use this form to obtain Director / Assistant Director level authorisation to securely destroy Yorkshire Ambulance Service NHS Trust’s records. This form can be used for records that:
Are of a confidential nature and require secure destruction Contain person identifiable data and require secure destruction Have expired and been retained for the correct period for the type of record involved (please refer to the Records Management
Policy for details of how long to retain each different type of record) and can now be securely destroyed and require secure destruction
Are no longer required and do not need to be destroyed using secure destruction methods Are not confidential, do not contain PII and/or do not need to be destroyed using secure destruction methods.
Secure Destruction Required? Yes or No
(please indicate accordingly) Once authorisation from the relevant Director has been obtained, for records containing sensitive, personal or person identifiable data the actual destruction of the records should be carried out securely and by the designated external company that YAS use to destroy records. Please refer to the YAS intranet for details of the supplier and how to contact them to arrange collection and secure destruction. If secure destruction is not required please dispose of the records responsibly and where possible, as environmentally friendly as possible.
Ref Number Description of Records Dates
(from & to)
Reason for Destruction (Expired / NLR / Other, please state)
Records Held by Storage Company
(Y / N?)
Records Management Policy_v3.2 draft
Page 56 of 57
YAS member of staff requesting the destruction: Authorising YAS Director or Assistant Director: Print Name: Print Name: ________________________________ _______________________________ Signed: Signed: ________________________________ _______________________________ Department Name: Department Name: ________________________________ ________________________________ Date: Date: _______________ _______________
Records Management Policy_v3.2 draft
Page 57 of 57
29. References
Document Title Version / Date DOH Records Management: NHS Code of Practice Part 1 / March 2006 DOH Records Management: NHS Code of Practice Part 2 / January 2009 / 2nd Edition CFH Information Governance Toolkit Version 8.0 BSI Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically
BIP 0008: 2004
Care Quality Commission 2010/11