Records Management Strategy, Policy & Standards
This is the approved Records Management Strategy, Policy and Standards guidance for the NHS Counter Fraud Authority.
Published: 28/07/2022
Version: 3.0
This document sets out an overarching framework for improving the quality, availability and effective use of records in the NHS Counter Fraud Authority (NHSCFA), in addition to providing a strategic framework for all records management activities. This will enable the coordination of all records management activities and ensure alignment with NHSCFA’s business strategies.
This strategy relates to all operational records held in any format by the NHSCFA which includes but is not limited to:
The aims of the NHSCFA’s records management strategy are to ensure:
The records management strategy is comprised of the following key elements:
It is important that all individuals within the organisation appreciate the need for responsibility and accountability in the creation, amendment, management, access and storage of all NHSCFA records. One of its major aims is to have a clear chain of managerial responsibility and accountability for all records created by the NHSCFA, which is a prerequisite for an effectively coordinated records management strategy.
NHSCFA records should be accurate and complete, in order to facilitate audit, fulfil the NHSCFA’s responsibilities and protect its legal and other rights. Records should show proof of their validity and authenticity so that any evidence derived from them is clearly credible and authoritative.
To provide systematic and consistent creation, retention, appraisal and disposal procedures for records throughout their lifecycle. Record-keeping systems should be easy to understand, clear and efficient in terms of minimising staff time, and should optimise the use of storage space where space is constrained.
To provide systems which maintain appropriate security, integrity and confidentiality of the records used and stored. Records must be kept securely to protect the confidentiality and authenticity of their contents and to provide further evidence of their validity in the event of legal challenge.
To provide clear and efficient access for those with a legitimate right of access to NHSCFA records and to ensure compliance with data protection and freedom of information legislation. Access is a key part of any records management strategy, with fast and efficient access to records providing prompt access to information.
To audit and measure the implementation of the records management strategy against agreed standards.
To provide training and guidance on operational best practice and the legal and ethical responsibilities for all staff involved in records management. Training and guidance enable staff to understand and implement policies and facilitate the efficient implementation of good record-keeping practices.
This strategy will be reviewed annually or sooner where new legislation, codes of practice or national standards are introduced.
NHS Digital’s IGA Records Management: NHS Code of Practice for Health and Social Care 2016
This policy promotes the effective management and use of information, recognising its value and importance as a resource for delivering the NHS Counter Fraud Authority’s (NHSCFA) objectives.
The NHSCFA’s records are its corporate memory, providing evidence of decisions and actions and representing a vital asset to support daily functions and operations. Records support policy formation and managerial decision-making, protect the interests of the NHSCFA and the rights of staff, stakeholders and members of the public. They support consistency, continuity, efficiency and productivity and help deliver services in a consistent and equitable way.
The NHSCFA has a legal obligation to comply with all appropriate legislation in respect of managing records. It also has a duty to comply with guidance issued by NHS Digital, NHS England, other nationally recognised advisory groups as well as those issued by professional regulatory bodies.
This policy applies to all employees, Directors, temporary staff, contractors and agents working for or on behalf of the NHSCFA. This group will be collectively referred to as ‘staff’ throughout the remainder of the document.
Records created by the NHSBSA for and on behalf of NHSCFA, whilst adhering to NHSBSA’s own governing documents, should also align with the principles of this policy.
The policy applies to all records whether internally or externally generated, in whichever format or media type and all actions relating to those records, including the records:
The objectives of this policy are to:
To ensure that records will be kept no longer than necessary to meet business and legislative requirements.
NHSCFA will have due regard to the information rights of staff, stakeholders and members of the public, thereby maintaining a good reputation in its handling of the large volumes of personal information it processes.
NHSCFA will be able to make use of information records in a timely manner to ensure business operational information needs are met.
NHSCFA will seek to avoid regulatory enforcement action together with any associated complaints, negative publicity, the cost of modifying work practices and any potential fines or compensation claims.
NHSCFA aims to be open and transparent when processing and using personal and sensitive data, by ensuring that it adheres to the data protection principles of good handling as described in Article 5 of the GDPR:
A Data Retention Schedule will be maintained to record business decisions of how long records will have to be retained and confirm when records will be disposed of.
All record management systems will be managed in accordance with recognised record management standards.
NHSCFA will annually audit its records management and record-keeping practices to ensure compliance with its policy and strategy.
Note:
Records kept by NHSBSA for and on behalf of NHSCFA will principally be governed by the Memorandum of Understanding for shared services.
The security of records will be governed by the organisation’s Information Security Policy.
Information created and received by NHSCFA should be classified according to the sensitivity of its contents. Classification and controls should take account of the organisation’s needs for sharing or restricting information, together with any associated impacts and risks such as unauthorised access or damage to the information.
The classification scheme is part of the overall concept of NHSCFA Information Security and its proper use is essential to the proper conduct of document movement. A failure to accord a document the appropriate classification could result in the compromise of NHSCFA assets or operations and a misuse of resources.
It is the responsibility of the person producing the document to assign a classification level. This person is known as the ‘Originator’ and is usually the author of the document. The Originator decides on the appropriate classification level for the document based upon an assessment of the sensitivity of its content and the impact of its compromise.
The single protective marking should be clearly shown, ideally at the top and bottom of every page of every document. It should be positioned in the centre of the page and should be in BLOCK CAPITALS.
If a document is page numbered and the page number is positioned at the bottom of the page, which also has a protective marking in the footer, the page number should be placed above the protective marking. For a document with a centre-positioned page number, the footer will look as follows:
(page number #)
PROTECTIVE MARKING
The classification used within the NHSCFA for all information is OFFICIAL. Information classified as OFFICIAL includes non-sensitive information, such as the following non-exhaustive list:
There may occasionally be a requirement to protect the integrity and the availability of information, such as transactional information - one-off exchanges with third parties including members of the public, which may include personal, commercial or financial information.
There is a requirement to protect the confidentiality, integrity and availability of this type of information to avoid disruption to service delivery and commercial or financial impact. For example, routine NHSCFA business such as:
There is also a legal requirement to protect person identifiable and sensitive information as defined by the GDPR and the DPA 2018.
Consequences if OFFICIAL information is mishandled:
There is a subset of information handled by the NHSCFA where the inappropriate use of the information could have damaging consequences for the organisation, for an individual (or groups), or other organisations. This information, which is caveated OFFICIAL-SENSITIVE, includes:
Consequences if OFFICIAL-SENSITIVE information is mishandled:
See Appendix 1.
The originator is responsible for giving a document its protective marking and the responsibility for changing that marking lies solely with the originator. Recipients must not re-grade a document without reference to, and the agreement of, the originator. Should a recipient wish to challenge a document’s protective marking, they should approach the originator.
Where it is agreed to re-grade a document, all recipients of the document should be informed of the re-grading. This will avoid different offices holding copies of the same document with different protective markings.
If the originator is not available (due to staff changes, etc.) the request for down/re-grading should be sent to the originating office. Compliance with the business unit’s SOPs, together with a clear rationale for the reclassification of a document, should be recorded in the ‘Version Control’ comments section.
Internal and external access to information held by the NHSCFA and to the systems within which they are held is governed by the security classification of the information.
Where access to Official-Sensitive information has been authorised, use of such data shall be limited to the purpose required to perform NHSCFA business.
Where a member of staff who has access to Official-Sensitive information either leaves the organisation’s employ or has their authorisation removed, e.g. as a result of a secondment or a change of role, their access status must be updated accordingly as soon as practicable.
The distribution of documents should be confined to those who have a clear need-to-know. Where appropriate, documents should contain a distribution list, detailing whether it has been made available internally, externally or both.
Information and data can be transferred and exchanged in a variety of ways, directly and indirectly. These may include:
Information must only be transferred to persons who are authorised to have access to it and there should be adequate security measures in place at the virtual or physical destination. Where Official-Sensitive information is being transferred, Information Asset Owners should seek additional assurances around the security measures in place.
Official-Sensitive information should not be sent or physically taken off-site without appropriate authorisation by the Information Asset Owner (or their delegated deputy) and appropriate security measures in place, such as encryption where applicable.
The recommended use of the various methods of transferring information is set out in the NHSCFA Data Classification Matrix, which should be adhered to at all times.
See Appendix 2
The transfer and exchange of information concerning identifiable living persons will additionally be subject to NHSCFA’s GDPR - Data Protection Policy.
Information in all formats should be stored throughout its existence in an environment suited to its format and security classification, to protect it from threats to its physical integrity through unnecessary wear and tear, physical harm, specific risks such as fire, flooding or extreme environmental fluctuations, and from loss or unauthorised access.
Information, whether original or duplicate, should never be kept outside of corporate systems, such as on personal drives or other removable media, except where necessary, for example a temporary off-line copy because of a business need to work off-site or off-line, or for an authorised transfer.
Information should be stored in systems and according to classifications, frameworks and procedures that enable it to be readily identified and retrieved throughout its existence.
Information held in digital formats should be managed and stored in such a way as to ensure usability and accessibility throughout its lifetime. This may involve migration of information between environments and systems, conversion to updated software versions, or from obsolete to current formats.
Protection from unauthorised access may require mechanisms such as password-protection or encryption of digital files and data or sign-in request sheets for access to non-digital information.
Where information is stored on a mobile device (PDA, laptop, USB drive), special care must be taken to ensure that the device is protected from theft, loss, or damage, particularly if it is transferred or used away from NHSCFA sites.
Physical access to information should be appropriately restricted by securing it in rooms, cabinets, drawers or other storage areas and by ensuring that files and computer monitors are not left open and unsecured to general or casual view.
Individuals are personally responsible for those documents in their care.
The Board is ultimately responsible for ensuring that the organisation meets its legal responsibilities and the adoption of internal and external governance requirements. These responsibilities include maintaining standards of information governance which ensure the quality of record keeping and record management.
The Board will be informed of any issues via the Board Assurance Framework report, into which the areas for which the Information Governance Lead is responsible feed.
The Chief Executive has overall responsibility for records management in the organisation. As accountable officer they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity.
Operational responsibility for information governance is delegated by the Chief Executive to the Information Governance Lead.
NHSCFA’s Caldicott Guardian has particular responsibility regarding the use of person identifiable information. The organisation’s Guardian has overall responsibility for ensuring person identifiable information is shared in an appropriate and secure manner.
The duties and responsibilities of the Caldicott Guardians are outlined in NHSCFA’s Caldicott Guardian Policy.
Their responsibilities include:
All IAOs are directly responsible for:
See Appendix 3
Are directly responsible for:
Any incident involving the suspected loss or compromise of any protectively marked material (including incorrectly unmarked material) or person-identifiable data must be reported immediately, in accordance with the NHSCFA’s Information Breach Reporting policy.
This policy follows the NHSCFA’s:
The NHSCFA policy and guidance documents governed by or related to this policy are the:
Any member of staff who violates the Records Management Policy may be subject to disciplinary (see also NHSCFA HR Disciplinary Policy), criminal and/or civil action.
This standard supports and acts as a measure of compliance with the NHS Counter Fraud Authority’s (NHSCFA) Records Management Policy.
The NHSCFA’s Records Management Systems will ensure that records:
The NHSCFA Records Management Systems comply with the legal and professional obligations set out in the Records Management: NHS Code of Practice and in particular: