Need for guidance
Most records arise organically as part of the business process and therefore do not need to be formally created as the process happens; the exceptions include things like ‘meeting minutes’ (where an individual is designated to create a record) or certain kinds of meetings with staff (such as disciplinary, grievance or union negotiation meetings).
Once records are created, they are likely to be re-used for a variety of different reasons and therefore they should share certain common characteristics. These characteristics, as laid out in the International Standard on Records Management, are that the record:
- is authentic - that it is what it says it is
- is reliable - it can be trusted as an accurate record
- has integrity - it has not been altered since finalised
- is usable - it can be retrieved, read, understood and used for as long as it is required.
The NHSCFA’s policy on records management includes statements indicating the organisation’s commitment to creating appropriate and complete records of its business transactions, these records being appropriately managed following their creation through to their disposal.
This guidance is concerned primarily with reliability and ensuring that the NHSCFA’s records are full and accurate and in accordance with the Lord Chancellor’s Code of Practice on Records Management, which recommends the development of business rules to decide what records are to be kept. It is intended to ensure that all staff are aware of what is meant by a complete record and what factors need to be considered when ensuring that NHSCFA’s business records have the required characteristics.
Business recordkeeping environment
An organisation does not create documents and records as an activity in itself, but rather expects that its information will support its business aims and responsibilities, as well as support compliance with legislation and advice. It is by assessing these requirements that an organisation can determine what kind of records it needs to create, what are the business and legislative requirements for use, and what is an appropriate retention period for records. The records required by the NHSCFA are determined by the requirements of:
- legislation and guidance
- governance and transparency
- maintenance of its authority and assets
- good and effective business management
This means that for a record to be considered ‘adequate’ it must support the NHSCFA’s business aims and responsibilities in all of these areas. A record must also support the organisation’s compliance with (and must itself be compliant with) legislation and common law principles to which the organisation is subject. This includes but is not limited to the:
- Public Records Acts 1958
- Freedom of Information Act 2000
- Data Protection Act 2018
- General Data Protection Regulations 2016
- Health and Safety At Work etc. 1974
- Copyright, Designs and Patents Act 1988
Where the organisation is not bound by legislation, there may be bodies whose advice and guidance are relevant to the NHSCFA. These include but are not limited to the:
- Department of Health and Social Care
- NHS Digital
- NHS England
- Information Commissioner’s Office
- Crown Prosecution Service
- Ministry of Justice
- National Archives
NHSCFA is subject to both external and internal audit and must be able to account for its decisions and actions. It must be able to defend its rights to take certain actions; these rights will on occasions be given in general national laws and in others be based on the organisation’s establishment documents. It must also be able to manage and defend its assets, whether these are physical (e.g. property) or intangible (e.g. intellectual property). The NHSCFA has a responsibility for undertaking its business activities in as efficient and cost-effective a way as possible. This includes the way in which it manages its information assets and requires the organisation to ensure that its information is clearly identified, available and accurate.
Business rules in a records management context
The rules outlined in this policy document apply to all records, in all formats, including e-mail. Records that are transitory in nature (having little or no legal, evidential or historical value) should still meet the basic requirements in this guidance. There is other records management documentation (such as the retention schedule and accompanying policy) which will provide more specific procedural guidance on how to implement the requirements.
These business rules are intended as a guide to the corporate responsibility to create and maintain good quality records of business activity. It is intended that this guidance be supported by local guides and e-learning modules on recordkeeping, which contain further advice on specific issues mentioned in these rules.
Organisations such as the NHSCFA have been creating adequate records for a significant period of time and many of the characteristics and requirements of these Rules are already in place or are part of the assumed current staff processes. However, it is important that the characteristics of records be articulated given the pace of change in electronic environments in which records are created, managed and maintained.
The aim of the business rules is to enable NHSCFA to produce and maintain adequate records of its internal and external business activities. Adequate records are those that:
- are reliable and credible and whose reliability can be demonstrated
- were created by individuals with first-hand experience or knowledge of the activity being recorded or by systems routinely used for creating such records
- are created as a by-product of the activity
- are demonstrably authentic
- have demonstrably been kept secure from alteration and therefore have integrity
- can be located, within their original context together with related records, over as long a period of time as has been considered necessary.
Full and Accurate records
When and what records should be created?
In organisations such as the NHSCFA, there are many types of records created both in structured and unstructured environments; however, there is a core set of business records that should always be available. The NHSCFA should always be able to provide adequate and reliable records as evidence of:
- policy
- decisions (and their rationale)
- business actions/activities and the procedures underlying these
- compliance with relevant legislation, standards etc.
Ensuring that these areas have adequate records means that the organisation can manage audit and potential litigation. It also improves business performance as there is information available internally about what has been done in the past and how, ensuring that current activities can be managed and tracked, that work is not unnecessarily repeated and business experiences are available for later exploitation.
When not to create records
- When there is no activity or decision to record (records should however be kept in cases where the lack of decision arises from discussion, disagreement or dispute)
- When only personal opinion (not professional or expert advice) is being recorded
- When the information already exists with its creator (e.g. retaining a copy of an attachment).
In the same way that staff within NHSCFA have individual responsibility to ensure that their activities are appropriately recorded, they have an equal responsibility to ensure that they do not create inappropriate records. The NHSCFA is responsible for all the information that it holds. This includes informal or private documents and emails which were not intended as formal records. All information can be requested under the Freedom of Information Act 2000 and although there are permissible exemptions (acceptable reasons for refusing disclosure) it is not legitimate to refuse to disclose because the information was ‘private’, ‘informal’ or sent from a personal email account or because disclosure would be embarrassing.
The NHSCFA does permit a certain amount of private use of e-mail and other applications by staff. However, it is the responsibility of individual members of staff to ensure that they:
- do not inadvertently include casual records in a formal context (e.g. by inadvertently filing informal material along with business records)
- do not make personal or informal comments or observations in documents being used as part of a business process (e.g. in e-mail)
- do not unnecessarily collect or retain personal information
- remember that everything created on NHSCFA equipment on NHSCFA time belongs to the NHSCFA.
Where staff create personal documents including emails, they should ensure they are clearly marked as ‘personal’ or alternatively ensure that they are deleted when no longer required. If you have a personal opinion which you would not be happy to see published do not commit it to record.
What makes an adequate record?
The point of a record is to provide reliable and available information about business activity and business decisions. The characteristics of an adequate record relate to:
- content
- associated information about the record (known as metadata)
Names and other metadata
The requirements of content and metadata for particular record types (e.g. minutes, references) depend on the nature of the business activity and the evidential value of the record. Some records (e.g. legal records) will have very specific requirements for the information which needs to be included, and some records have specific requirements as to metadata (e.g. some financial records may need one or more authorised signatures).
In practice, the nature of the activity and the evidential value are reasonably easy to assess. Many business activities are either process-driven by use of forms or are managed within a structured technical environment (i.e. a business application) which will prompt for the required information.
Formal activities, and ones where the record may have high evidential value, may not be managed through an application but will nonetheless have clearly defined and well-known procedures which will include provision for what information is to be included in the record.
Some simple activities can be recorded in one record whereas more complicated activities may need several, so the file will become ‘the record’. This is the situation with, for example, fraud case files.
A record of a business activity, however transient the record, should include in its content:
- the main activity performed or decision taken
- the names (preferably with job titles) of those involved
- any related or following action or decisions, if relevant.
Each record should include, as a minimum, in its metadata (these will usually be generated automatically by the electronic systems used):
- name of the document or file
- date (including creation date of the file)
- author (including job title)
- location.
The ‘name’ should make sense to other people. The ‘location’ of electronic records will automatically be attributed based on where on the server it is saved, hence it is important to give logical names to each level of file.
Managing current records - Location and filing
The majority of the NHSCFA’s records are digital-born. Although electronic systems all provide a “search and retrieve” facility, this is a limited instrument for making the most of the business’ information assets. Records should be correctly filed, which means that they should be filed in a way that keeps them in the context in which they were created and in association with other records relevant to the same activity. This is particularly important for unstructured records, where staff take decisions as to which folder will hold the record.
All activities, whether internal administrative functions or outward-facing business functions, will be covered by Protective Marking Classification. Using a standard classification makes it easier to protect records as well as make it easier for all staff to find their way around the organisation’s information asset without needing an unreasonable amount of local business knowledge to do so.
Management and access
Records should be managed as actively as possible. This is greatly facilitated by the provision of procedural guidance. Records should be created contemporaneously with, or as soon as possible after, the business activity to which they relate and all filing, both electronic and hard copy, should be done as soon as possible. Staff should actively manage the maintenance of files, by closing and disposing of completed files, undertaking weeding on a regular basis, and having established routines and documentation for the disposal or transfer of records.
Staff must be aware of any need to limit access to files and are responsible for ensuring that these limitations are enforced. Access limitations will apply to hard-copy as well as to electronic records. The guidelines laid out in the Information Security Policy and advice available from the Information Governance team will be relevant resources in this regard.
Disposal and documentation
When a record or file is no longer actively required for business purposes, action needs to be taken with it. This will either be that the file is disposed of, or that it is retained for a specified period of time. Staff must be familiar with the relevant sections of the retention schedule, so that responsible decisions about disposal can be taken. It is also the responsibility of staff to notify their business lead if there is a change in the business use of a record, as this may mean that a longer or shorter retention period applies.
Since the NHSCFA is subject to the Public Records Act, all disposal activity (whether destruction or transfer to storage) should be recorded so that it is auditable. Files that are managed within an application may be able to provide such lists as part of its function. The easiest way to manage files outside of a structured environment is to maintain a file or series list, which will identify each of the business activities and all of the files that are generated, detailing the dates on which files were either destroyed or were transferred to storage.
Records and personal information
The NHSCFA is subject to the General Data Protection Regulation 2016 and the Data Protection Act 2018; the legislation is concerned with the way in which organisations collect, hold, use and dispose of personal information about living, identifiable individuals. Further guidance on how compliance is to be achieved and the restrictions placed by this legislation on information use, can be sought from the Information Governance team.
Personal information can be of any kind but will include name, address, contact details, references or employment history etc. Sensitive personal information includes but is not limited to information on a person’s ethnic or racial origin, gender, marital status or criminal convictions.
It is necessary for some business purposes to collect personal, and sometimes sensitive personal information about individuals. However, it is important that this information is only collected when it is necessary, that it is only used for the purposes for which it was collected and that it is disposed of appropriately, once that business use has ended. Personal information should be disposed of as soon as practicable after the process for which it was required has been completed.
Peculiarities of e-mail
Emails can be records like any other document, but they often require more attention than other types of records, because:
- they are created in a separate environment, which means it may not be immediately obvious that there is a connection with another file
- they can sometimes be informal
- the subject of the email can change if it is part of a long email trail. This can cause difficulties because the subject line becomes irrelevant (but may still be the document title)
- the email can contain both formal and informal aspects, the former of which may be a record, the latter of which is not.
- minimising use of email as the sole or major evidence of a business activity
- where it is a component of a record of activity, file it out of the case management system and keep it along with the physical file or files of that activity
- ensure there is clarity about responsibility for the email - the person with responsibility for the activity has responsibility for the record(s), and this includes email (do not assume the recipient will retain a copy).
- ensure that the metadata is correct and reliable (where not automatically assigned to the file).
Future records
Organisations are dynamic and their business activities, environment and responsibilities can change. The requirements for good records management do not change and organisations therefore have to take steps to ensure that when records are created as part of business activity in the future, they still comply with business rules, policy and procedure.
Training and guidance
All new staff should receive training in addition to being provided with the standard operating procedures for recordkeeping for their business area, records management requirements for the organisation and be made aware of their individual responsibilities in relation to these.
Decisions about filing, naming and location should not simply be left to individual members of staff. Each area of activity should have a written procedures and guidance document (Standard Operating Procedure (SOP)) for creating and keeping records, based on corporate guidance so that records can be managed in a particular way. Each area should have a member of staff whose responsibilities include the maintenance of this guidance to ensure that it remains relevant to their business activity and also remains in line with corporate policy and advice.
Planning and new activities
It is important to remember that while the rules apply to records currently generated by current systems and applications, they must also be planned for when introducing new activities, making new policy decisions on information management, and especially when considering new software applications or information technology solutions.
Any new activity within the organisation will create records, some of which can be quickly disposed of, and some of which may require longer retention. Part of recordkeeping responsibilities for staff is to ensure that records management requirements for new records are identified and administered. This will include:
- clarifying responsibility for creating and maintaining records generated by the new activity
- identifying the best filing context for records, using available guidance
- ensuring that the records are adequately represented in corporate guidance (e.g., the retention schedule) and requesting that updates be made if necessary
- ensuring that local guidance (e.g. SOPs) is updated as necessary to reflect new activities and that any changes are communicated to relevant staff.
Collaborative work
Additional attention may need to be paid to the requirements of records which arise from collaborative work. This includes collaborative work between staff groups, across business units or between the NHSCFA and external organisations. The person (or organisation) responsible for creating, managing, maintaining and eventually disposing of the records of that business activity, needs to be identified early in the project. They need to know not only that they have this responsibility, but also what the responsibility involves and how they are to ensure that they create appropriate records and manage them adequately.
Where collaboration occurs, the person, team or organisation which is leading the work (the project lead) should assume responsibility for the records. They will create them in accordance with agreed standards and are responsible for ensuring that they are correctly identified, kept safe, managed correctly and disposed of appropriately.
Others involved in the collaborative work may keep local copies, but these should be disposed of once they are no longer required. There may be some circumstances in which a formal agreement about the management and especially the disposal of records is appropriate, in order to protect the intellectual property, commercial or other professional privileges associated with a record’s content.
Where the NHSCFA is in collaboration with an outside body and is the project lead, it should assume responsibility for the records, which should be created, managed, used and disposed of in accordance with the standards set out in the records management policy and associated guidance.
Other guidance
The NHSCFA supports its staff in meeting the organisation’s records management requirements by providing guidance and training in all component activities. The internal documents that accompany this document are:
- NHSCFA Records Management Strategy, Policy & Standards
- NHSCFA Data Handling, Storage, Retention and Records Management Policy
- NHSCFA Information Governance Policy
- NHSCFA Information Governance Strategy
- NHSCFA Records Retention Schedule