Business rules record management
Guidance on how we create reliable and accurate records.
Published: 28/07/2022
Version: 3.0
Most records arise organically as part of the business process and therefore do not need to be formally created as the process happens; the exceptions include things like ‘meeting minutes’ (where an individual is designated to create a record) or certain kinds of meetings with staff (such as disciplinary, grievance or union negotiation meetings).
Once records are created, they are likely to be re-used for a variety of different reasons and therefore they should share certain common characteristics. These characteristics, as laid out in the International Standard on Records Management, are that the record:
The NHSCFA’s policy on records management includes statements indicating the organisation’s commitment to creating appropriate and complete records of its business transactions, these records being appropriately managed following their creation through to their disposal.
This guidance is concerned primarily with reliability and ensuring that the NHSCFA’s records are full and accurate and in accordance with the Lord Chancellor’s Code of Practice on Records Management, which recommends the development of business rules to decide what records are to be kept. It is intended to ensure that all staff are aware of what is meant by a complete record and what factors need to be considered when ensuring that NHSCFA’s business records have the required characteristics.
An organisation does not create documents and records as an activity in itself, but rather expects that its information will support its business aims and responsibilities, as well as support compliance with legislation and advice. It is by assessing these requirements that an organisation can determine what kind of records it needs to create, what are the business and legislative requirements for use, and what is an appropriate retention period for records. The records required by the NHSCFA are determined by the requirements of:
This means that for a record to be considered ‘adequate’ it must support the NHSCFA’s business aims and responsibilities in all of these areas. A record must also support the organisation’s compliance with (and must itself be compliant with) legislation and common law principles to which the organisation is subject. This includes but is not limited to the:
Where the organisation is not bound by legislation, there may be bodies whose advice and guidance are relevant to the NHSCFA. These include but are not limited to the:
NHSCFA is subject to both external and internal audit and must be able to account for its decisions and actions. It must be able to defend its rights to take certain actions; these rights will on occasions be given in general national laws and in others be based on the organisation’s establishment documents. It must also be able to manage and defend its assets, whether these are physical (e.g. property) or intangible (e.g. intellectual property). The NHSCFA has a responsibility for undertaking its business activities in as efficient and cost-effective a way as possible. This includes the way in which it manages its information assets and requires the organisation to ensure that its information is clearly identified, available and accurate.
The rules outlined in this policy document apply to all records, in all formats, including e-mail. Records that are transitory in nature (having little or no legal, evidential or historical value) should still meet the basic requirements in this guidance. There is other records management documentation (such as the retention schedule and accompanying policy) which will provide more specific procedural guidance on how to implement the requirements.
These business rules are intended as a guide to the corporate responsibility to create and maintain good quality records of business activity. It is intended that this guidance be supported by local guides and e-learning modules on recordkeeping, which contain further advice on specific issues mentioned in these rules.
Organisations such as the NHSCFA have been creating adequate records for a significant period of time, and many of the characteristics and requirements of these Rules are already in place or are part of the assumed current staff processes. However, it is important that the characteristics of records be articulated given the pace of change in electronic environments in which records are created, managed and maintained.
The aim of the business rules is to enable NHSCFA to produce and maintain adequate records of its internal and external business activities. Adequate records are those that:
In organisations such as the NHSCFA, there are many types of records created both in structured and unstructured environments; however, there is a core set of business records that should always be available. The NHSCFA should always be able to provide adequate and reliable records as evidence of:
Ensuring that these areas have adequate records means that the organisation can manage audit and potential litigation. It also improves business performance as there is information available internally about what has been done in the past and how, ensuring that current activities can be managed and tracked, that work is not unnecessarily repeated and business experiences are available for later exploitation.
In the same way that staff within NHSCFA have individual responsibility to ensure that their activities are appropriately recorded, they have an equal responsibility to ensure that they do not create inappropriate records. The NHSCFA is responsible for all the information that it holds. This includes informal or private documents and emails which were not intended as formal records. All information can be requested under the Freedom of Information Act 2000 and, although there are permissible exemptions (acceptable reasons for refusing disclosure), it is not legitimate to refuse to disclose because the information was ‘private’, ‘informal’ or sent from a personal email account, or because disclosure would be embarrassing.
The NHSCFA does permit a certain amount of private use of e-mail and other applications by staff. However, it is the responsibility of individual members of staff to ensure that they:
Where staff create personal documents including emails, they should ensure they are clearly marked as ‘personal’ or alternatively ensure that they are deleted when no longer required. If you have a personal opinion which you would not be happy to see published, do not commit it to record.
The point of a record is to provide reliable and available information about business activity and business decisions. The characteristics of an adequate record relate to:
The requirements of content and metadata for particular record types (e.g. minutes, references) depend on the nature of the business activity and the evidential value of the record. Some records (e.g. legal records) will have very specific requirements for the information which needs to be included, and some records have specific requirements as to metadata (e.g. some financial records may need one or more authorised signatures).
In practice, the nature of the activity and the evidential value are reasonably easy to assess. Many business activities are either process-driven by use of forms or are managed within a structured technical environment (i.e. a business application) which will prompt for the required information.
Formal activities, and ones where the record may have high evidential value, may not be managed through an application but will nonetheless have clearly defined and well-known procedures which will include provision for what information is to be included in the record.
Some simple activities can be recorded in one record whereas more complicated activities may need several, so the file will become ‘the record’. This is the situation with, for example, fraud case files.
A record of a business activity, however transient the record, should include in its content:
Each record should include, as a minimum, in its metadata (these will usually be generated automatically by the electronic systems used):
The ‘name’ should make sense to other people. The ‘location’ of electronic records will automatically be attributed based on where on the server it is saved, hence it is important to give logical names to each level of file.
The majority of the NHSCFA’s records are digital-born. Although electronic systems all provide a “search and retrieve” facility, this is a limited instrument for making the most of the business’ information assets. Records should be correctly filed, which means that they should be filed in a way that keeps them in the context in which they were created and in association with other records relevant to the same activity. This is particularly important for unstructured records, where staff take decisions as to which folder will hold the record.
All activities, whether internal administrative functions or outward-facing business functions, will be covered by Protective Marking Classification. Using a standard classification makes it easier to protect records as well as make it easier for all staff to find their way around the organisation’s information asset without needing an unreasonable amount of local business knowledge to do so.
Records should be managed as actively as possible. This is greatly facilitated by the provision of procedural guidance. Records should be created contemporaneously with, or as soon as possible after, the business activity to which they relate, and all filing, both electronic and hard copy, should be done as soon as possible. Staff should actively manage the maintenance of files by closing and disposing of completed files, undertaking weeding on a regular basis, and having established routines and documentation for the disposal or transfer of records.
Staff must be aware of any need to limit access to files and are responsible for ensuring that these limitations are enforced. Access limitations will apply to hard-copy as well as to electronic records. The guidelines laid out in the Information Security Policy and advice available from the Information Governance team will be relevant resources in this regard.
When a record or file is no longer actively required for business purposes, action needs to be taken with it. This will either be that the file is disposed of, or that it is retained for a specified period of time. Staff must be familiar with the relevant sections of the retention schedule, so that responsible decisions about disposal can be taken. It is also the responsibility of staff to notify their business lead if there is a change in the business use of a record, as this may mean that a longer or shorter retention period applies.
Since the NHSCFA is subject to the Public Records Act, all disposal activity (whether destruction or transfer to storage) should be recorded so that it is auditable. Where files are managed within an application, the application may be able to provide such lists as part of its function. The easiest way to manage files outside of a structured environment is to maintain a file or series list, which will identify each of the business activities and all of the files that are generated, detailing the dates on which files were either destroyed or were transferred to storage.
The NHSCFA is subject to the General Data Protection Regulation 2016 and the Data Protection Act 2018; the legislation is concerned with the way in which organisations collect, hold, use and dispose of personal information about living, identifiable individuals. Further guidance on how compliance is to be achieved and the restrictions placed by this legislation on information use can be sought from the Information Governance team.
Personal information can be of any kind but will include name, address, contact details, references or employment history etc. Sensitive personal information includes but is not limited to information on a person’s ethnic or racial origin, gender, marital status or criminal convictions.
It is necessary for some business purposes to collect personal, and sometimes sensitive personal information about individuals. However, it is important that this information is only collected when it is necessary, that it is only used for the purposes for which it was collected and that it is disposed of appropriately, once that business use has ended. Personal information should be disposed of as soon as practicable after the process for which it was required has been completed.
Emails can be records like any other document, but they often require more attention than other types of records, because:
Organisations are dynamic and their business activities, environment and responsibilities can change. The requirements for good records management do not change and organisations therefore have to take steps to ensure that when records are created as part of business activity in the future, they still comply with business rules, policy and procedure.
All new staff should receive training in addition to being provided with the standard operating procedures for recordkeeping for their business area, records management requirements for the organisation and be made aware of their individual responsibilities in relation to these.
Decisions about filing, naming and location should not simply be left to individual members of staff. Each area of activity should have a written procedures and guidance document (Standard Operating Procedure (SOP)) for creating and keeping records, based on corporate guidance, so that records can be managed in a particular way. Each area should have a member of staff whose responsibilities include the maintenance of this guidance to ensure that it remains relevant to their business activity and also remains in line with corporate policy and advice.
It is important to remember that while the rules apply to records currently generated by current systems and applications, they must also be planned for when introducing new activities, making new policy decisions on information management, and especially when considering new software applications or information technology solutions.
Any new activity within the organisation will create records, some of which can be quickly disposed of, and some of which may require longer retention. Part of recordkeeping responsibilities for staff is to ensure that records management requirements for new records are identified and administered. This will include:
Additional attention may need to be paid to the requirements of records which arise from collaborative work. This includes collaborative work between staff groups, across business units or between the NHSCFA and external organisations. The person (or organisation) responsible for creating, managing, maintaining and eventually disposing of the records of that business activity needs to be identified early in the project. They need to know not only that they have this responsibility, but also what the responsibility involves and how they are to ensure that they create appropriate records and manage them adequately.
Where collaboration occurs the person, team or organisation which is leading the work (the project lead), should assume responsibility for the records. They will create them in accordance with agreed standards and are responsible for ensuring that they are correctly identified, kept safe, managed correctly and disposed of appropriately.
Others involved in the collaborative work may keep local copies, but these should be disposed of once they are no longer required. There may be some circumstances in which a formal agreement about the management and especially the disposal of records is appropriate, in order to protect the intellectual property, commercial or other professional privileges associated with a record’s content.
Where the NHSCFA is in collaboration with an outside body and is the project lead, it should assume responsibility for the records, which should be created, managed, used and disposed of in accordance with the standards set out in the records management policy and associated guidance.
The NHSCFA supports its staff in meeting the organisation’s records management requirements by providing guidance and training in all component activities. The internal documents that accompany this document are: