Introduction
This policy sets out the intentions of Penrose Health (hereafter referred to as ‘the Practice’) to manage all the information within its remit to the standards required by law and regulations. In doing so, it supports high quality healthcare through accurate, accessible and appropriately governed information and helps to maintain patient trust. The Practice has put this policy in place to ensure members of staff are fully aware of their information management responsibilities.
All reference to information in this document encompasses information and data. This includes information which is personal, financial or falls within any other category.
It is important to ensure information and records are:
- Processed in line with patients’ expectations to ensure the duty of confidentiality is met
- Available when needed so that events or activities can be followed through and reconstructed as necessary
- Processed in line with legal, NHS and Policy requirements
- Accessible, located and displayed in a way consistent with their initial use, with the original or current version being identified where multiple versions exist
- Able to be interpreted and set in context: who created or added to the record and when, during which business process, and how the record is related to other records
- Trustworthy and hold integrity, reliably recording the information that was used in, or created by, the business process
- Maintained over time, irrespective of any changes of format so that they are available, accessible, able to be interpreted and trustworthy
- Secure from unauthorised or inadvertent alteration or erasure, with access and disclosure being properly controlled with audit trails tracking use and changes
- Held in a robust format which remains readable for as long as the information is required
- Retained and disposed of appropriately using documented retention and disposal procedures (and in accordance with the Records Management Code of Practice for Health and Social Care 2020), which include provision for retrieving and permanently preserving records with particular archival value.
Compliance with all organisational policies is a condition of employment. A breach of policy may result in disciplinary action.
This policy and commitment extends to the services the Practices are commissioned to provide, ensuring the appropriate use and control of information to deliver high quality healthcare to support patients and the organisation.
This policy is part of the suite of policies related to information governance, which sets out the expected standards and controls around the use of information. The policies are: Information Governance, Information Quality, Information Management and Information Security. The overarching document which sets out the Practice’s approach to Information Governance is the Information Governance Framework. The concepts and standards throughout the suite of policies are interrelated. It is important to consider all of the Practice’s obligations and intentions across the suite of policies.
Scope
This policy applies to all information (paper, electronic or in other formats) that is received, created, or held (processed) in the course of the Practice’s business. It must be adhered to by all permanent, contract, interim and temporary staff and any organisation or body acting as agents or on behalf of the Practice.
The Practice is committed to ongoing improvement of its information management systems as it believes that it will gain a number of organisational benefits from doing so. These include:
- A paperless and clear desk environment (see the policy statement below), where paper records are held by exception, out of sight and securely locked away when not in use, with a justification for holding hard copies of documents
- Better use of staff time
- Improved control of valuable information resources
- Compliance with legislation, regulations and standards
- Reduced costs
Objectives
The key objectives of this policy and supporting guidance are to:
- Facilitate and effectively record all the Practice’s operations, business and policy decisions
- Model best practice in information management and record keeping, including operating a Clear Desk Policy (see below)
- Demonstrate compliance with relevant legislation and regulations
- Raise the minimum standard of records management practice in the Practice to the specified standard in the Data Security and Protection Toolkit (DSPT)
- Ensure that records are protected, complete, accessed and managed in line with information classification and handling arrangements
- Ensure official records of historical and evidential significance are identified and held securely
- Define clear responsibilities for managers and staff
Equality Analysis
This document demonstrates the organisation’s commitment to creating a positive culture of respect for all individuals, including staff, patients, their families and carers as well as community partners. The intention is, as required by the Equality Act 2010, to identify, remove or minimise discriminatory practice in the nine named protected characteristics of age, disability, sex, gender reassignment, pregnancy and maternity, race, sexual orientation, religion or belief, and marriage and civil partnership. It is also intended to use the Human Rights Act 1998 to promote positive practice and value the diversity of all individuals and communities.
Definitions
A list of key information management definitions is contained in Annex A.
Responsibilities
Information Governance responsibilities are outlined within the Accountability and Governance Structure section within the Information Governance Framework.
Information Management
The Practice utilises four main principles in the management of information:
Principle 1
The Practice will create, capture, use, manage, store and destroy or preserve its records in accordance with all statutory, business and historical requirements. This includes complying with the Records Management Code of Practice for Health and Social Care 2020. It will ensure that the appropriate technical, organisational and human resource elements exist to make this possible. The primary location for the Practice’s information will be cloud storage on the NHS SharePoint.
Principle 2
Information will be created once, stored in one place and will be accessible in a timely fashion to those who need to use the information across the organisation and externally to stakeholders. This will take into account the need for effective security and appropriate confidentiality including restricted access as required.
Principle 3
Information management will be embedded within operational procedures and activities. All staff that create, use, manage or dispose of information have a duty to protect the information and ensure that any information that they add is accurate, complete and necessary in line with the classification scheme (Appendix B and C). This includes identifying where an official record is created, as defined in Appendix A.
Principle 4
The risk to effective information management will be assessed corporately and managed appropriately at strategic and operational levels by the SIRO and supporting Information Governance Team including the Caldicott Guardian and IG lead. Compliance with this policy and associated procedures will be subject to a programme of audit and assurance.
Legislative and Regulatory Environment
The Practice will take actions as necessary to comply with all legal and professional obligations, in particular those established by the common law duty of confidentiality and contained in:
Legislation and Regulations
- The Public Records Act 1958;
- Access to Health Records Act 1990;
- Computer Misuse Act 1990;
- Electronic Communications Act 2000;
- Data Protection Act 2018;
- The common law duty of confidentiality;
- Human Rights Act 1998;
- Freedom of Information Act 2000;
- The Protection of Freedoms Act 2012;
- The Re-use of Public Sector Information Regulations;
- The UK General Data Protection Regulation;
- Environmental Information Regulations 2004;
- NHS Act 2006;
- Health and Social Care Act 2012;
- Care Act 2014.
Best Practice Standards
- ISO 15489 - Records Management Standard;
- ISO 27001 - Information Security Standard;
- Department of Health Records Management NHS Code of Practice;
- Department of Health Records Management Roadmap;
- Confidentiality NHS Code of Practice;
- Information Security NHS Code of Practice;
- Lord Chancellor's Code of Practice on the Management of Records Issued under (s.46) of the Freedom of Information Act;
- The National Archives: Essential Records Management;
- NHS Information Governance Toolkit Standards;
- General Medical Council Good Medical Practice;
- General Medical Council Confidentiality: good practice in handling patient information;
- Caldicott principles and guidance within Caldicott reports and Department of Health and Social Care response;
- Health and Social Care Information Centre Guide to Confidentiality.
Information Asset Register
The Practice will establish an inventory of information and the systems on which that information is held. The inventory of information will facilitate the classification of information, and the identification of information asset owners and administrators.
All records created by the Practice will follow national guidance on protective marking; see Annex B - Classification Marking of NHS Information.
Electronic Filing Structure
Electronic information held by the Practice will be maintained in:
- NHS SharePoint / NHS OneDrive
- EMIS (GPIT Software)
Authorisation for access levels will be managed by the relevant Information Asset Owner, with assistance from ICT where required.
The name applied to any file must reflect the file content in terms of the Practice function, activity or transaction it applies to, but must not replicate any tags already applied in the name of the file, i.e. date, name/initials of the author, version number or the tags you are prompted to add before it is uploaded.
Paper Filing Structure
By exception, where paper information is held, it will be maintained in a file structure which follows the principles of functions, activities and transactions of the Practice. This will match the organisational and the electronic file structure which staff in the department can easily navigate to locate files quickly.
Record Disposal and Archiving
All of the Practice’s official records will be retained for a minimum period of time for legal, operational, research and safety reasons in accordance with the requirements of the Records Management Code of Practice for Health and Social Care 2020. The length of time for retaining records will depend on the type of record and its importance to the Practice’s business functions.
The Practice will ensure that it has an appropriate and secure location for the storage of archived records, with an adequate process for retrieval.
The decision to archive an official record must be approved by the Information Asset Owner.
Monitoring and Compliance
This policy and the associated controls will be monitored through the risk management system for the Practice. The Practice’s risk register will be reviewed on a monthly basis and additionally in response to any information incident or enforcement action by the Information Commissioner’s Office.
Failure to comply with the standards and appropriate governance of information as detailed in this policy, supporting protocols and procedures may result in disciplinary action. All staff are reminded that this policy covers several aspects of legal compliance they are individually responsible for. Failure to maintain these standards can result in criminal proceedings against the individual.
Review
Review will take place every three years or earlier until the policy is rescinded or superseded, due to legal or national policy changes.
The audience of this policy should be aware that a physical copy may not be the latest version. The latest version, which supersedes all previous versions, is available in the policy register for the Practice. Those to whom this policy applies are responsible for familiarising themselves periodically with the latest version and for complying with policy requirements at all times.