Records Management Strategy, Policy & Standards

This is the approved Records Management Strategy, Policy and Standards guidance for the NHS Counter Fraud Authority.

Published: 28/07/2022

Version: 3.0

Contents

Part Two - Records Management Policy

Part Three - Standards

Part One - Records Management Strategy

Introduction

This document sets out an overarching framework for improving the quality, availability and effective use of records in the NHS Counter Fraud Authority (NHSCFA), in addition to providing a strategic framework for all records management activities. This will enable the coordination of all records management activities and ensure alignment with NHSCFA’s business strategies.

Scope

This strategy relates to all operational records held in any format by the NHSCFA which includes but is not limited to:

  • paper records, reports, registers etc.
  • computerised records (including cloud-based systems)
  • scanned images
  • emails
  • social media
  • microform (i.e. microfiche and microfilm)
  • web and intranet sites
  • audio and video media (tapes, CD, DVD, flash drive etc.)

Aims

The aims of the NHSCFA’s records management strategy are to ensure:

  • a systematic and planned approach to records management covering records from creation to disposal
  • efficiency and best value through improvements in the quality and flow of information and greater coordination of records and storage systems
  • compliance with legislative requirements
  • awareness of the importance of records management and the need for responsibility and accountability at all levels
  • appropriate archiving of important records.

Key elements

The records management strategy is comprised of the following key elements:

Responsibility and accountability

It is important that all individuals within the organisation appreciate the need for responsibility and accountability in the creation, amendment, management, access and storage of all NHSCFA records. One of its major aims is to have a clear chain of managerial responsibility and accountability for all records created by the NHSCFA, which is a prerequisite for an effectively coordinated records management strategy.

Record quality

NHSCFA records should be accurate and complete, in order to facilitate audit, fulfil the NHSCFA’s responsibilities and protect its legal and other rights. Records should show proof of their validity and authenticity so that any evidence derived from them is clearly credible and authoritative.

Management

To provide systematic and consistent creation, retention, appraisal and disposal procedures for records throughout their lifecycle. Record-keeping systems should be easy to understand, be clear and efficient in terms of minimising staff time and optimising where there are constraints, the use of space for storage.

Security

To provide systems which maintain appropriate security, integrity and confidentiality of the records used and stored. Records must be kept securely to protect the confidentiality and authenticity of their contents and to provide further evidence of their validity in the event of legal challenge.

Access

To provide clear and efficient access for those with a legitimate right of access to NHSCFA records and to ensure compliance with data protection and freedom of information legislation. Access is a key part of any records management strategy, with fast and efficient access to records providing prompt access to information.

Audit

To audit and measure the implementation of the records management strategy against agreed standards.

Training

To provide training and guidance on operational best practice and the legal and ethical responsibilities for all staff involved in records management. Training and guidance enables staff to understand and implement policies and facilitate the efficient implementation of good record keeping practices.

Review

This strategy will be reviewed annually or sooner where new legislation, codes of practice or national standards are introduced.

NHS Digital’s IGA Records Management: NHS Code of Practice for Health and Social Care 2016

Part Two - Records Management Policy

Records Management Policy Introduction

This policy promotes the effective management and use of information, recognising its value and importance as a resource for delivering the NHS Counter Fraud Authority’s (NHSCFA) objectives.

The NHSCFA’s records are its corporate memory, providing evidence of decisions and actions and representing a vital asset to support daily functions and operations. Records support policy formation and managerial decision-making, protect the interests of the NHSCFA and the rights of staff, stakeholders and members of the public. They support consistency, continuity, efficiency and productivity and help deliver services in a consistent and equitable way.

The NHSCFA has a legal obligation to comply with all appropriate legislation in respect of managing records. It also has a duty to comply with guidance issued by NHS Digital, NHS England, other nationally recognised advisory groups as well as those issued by professional regulatory bodies.

Scope

This policy applies to all employees, Directors, temporary staff, contractors and agents working for or on behalf of the NHSCFA. This group will be collectively referred to as ‘staff’ throughout the remainder of the document.

Records created by the NHSBSA for and on behalf of NHSCFA, whilst adhering to NHSBSA’s own governing documents should also align with the principles of this policy.

The policy applies to all records whether internally or externally generated, in whichever format or media type and all actions relating to those records, including the records:

  • creation
  • retention
  • maintenance (including tracking or recording movements)
  • access and disclosure
  • appraisal
  • archiving and disposal

Objectives

The objectives of this policy are to:

  • assist compliance with the General Data Protection Regulation (GDPR) 2016 and information access legislation such as the Data Protection Act (DPA) 2018, the Freedom of Information Act (FOI) 2000, Environmental Information Regulations 2004 and applicable NHS Standards
  • ensure better use of physical and electronic records storage
  • enable better use of staff time
  • provide improved control of valuable information resources

Expected outcomes

To ensure that records will be kept no longer than necessary to meet business and legislative requirements.

NHSCFA will have due regard to the information rights of staff, stakeholders and members of the public, thereby maintaining a good reputation in its handling of the large volumes of personal information it processes.

NHSCFA will be able to make use of information records in a timely manner to ensure business operational information needs are met.

NHSCFA will seek to avoid regulatory enforcement action together with any associated complaints, negative publicity, the cost of modifying work practices and any potential fines or compensation claims.

Principles

NHSCFA aims to be open and transparent when processing and using personal and sensitive data, by ensuring that it adheres to the data protection principles of good handling as described in Article 5 of the GDPR:

  • all NHSCFA’s records are retained for a minimum period of time for legal and operational reasons. The length of time for retaining records will depend on the type and context of the record and its importance to the NHSCFA’s business functions.
  • records which contain identifiable personal data will be kept no longer than necessary for its authorised business purposes; ensuring compliance with the storage limitation principle under GDPR is met.

A Data Retention Schedule will be maintained to record business decisions of how long records will have to be retained and confirm when records will be disposed of.

All record management systems will be managed in accordance with recognised record management standards.

NHSCFA will annually audit its records management and recording-keeping practices to ensure compliance with its policy and strategy.

Note:

Records kept by NHSBSA for and on behalf of NHSCFA, will principally be governed by the Memorandum of Understanding for shared services.

The security of records will be governed by the organisation’s Information Security Policy.

Security classification of information

Information created and received by NHSCFA should be classified according to the sensitivity of its contents. Classification and controls should take account of the organisation’s needs for sharing or restricting information, together with any associated impacts and risks such as unauthorised access or damage to the information.

The classification scheme is part of the overall concept of NHSCFA Information Security and its proper use is essential to the proper conduct of document movement. A failure to accord a document the appropriate classification could result in the compromise of NHSCFA assets or operations and a misuse of resources.

It is the responsibility of the person producing the document to assign a classification level. This person is known as the ‘Originator’ and is usually the author of the document. The Originator decides on the appropriate classification level for the document based upon an assessment of the sensitivity of its content and the impact of its compromise.

The single protective marking should be clearly given ideally at the top and bottom of every page of every document. It should be positioned in the centre of the page and should be in BLOCK CAPITALS.

If documents are page numbered and the page number is positioned at the bottom of the page which is also has a protective marker in the footer, it should be placed above the protective marking. For a document with a centre positioned page number, the footer will look as follows:

(page number #)

PROTECTIVE MARKING

The classification used within the NHSCFA for all information is OFFICIAL. Information classified as OFFICIAL includes non-sensitive information, such as the following non-exhaustive list:

  • routine correspondence where there is no confidentiality requirement.
  • circulars
  • bulletins
  • guidance
  • news/press releases

There may occasionally be a requirement to protect the integrity and the availability of information, such as transactional information - one-off exchanges with third parties including members of the public, which may include personal, commercial or financial information.

There is a requirement to protect the confidentiality, integrity and availability of this type of information to avoid disruption to service delivery, commercial or financial impact. For example routine NHSCFA business such as:

  • routine correspondence with third parties and members of the public which may contain some personal or commercial information
  • non person-identifiable information
  • inter-office memoranda
  • Internal phone directories

There is also a legal requirement to protect person identifiable and sensitive information as defined by the GDPR and the DPA 2018.

Consequences if OFFICIAL information is mishandled:

  • Unauthorised disclosure would not significantly impact NHSCFA or any of its stakeholders, including members of the public, or employees.
  • Protective Marking - while there is no requirement to explicitly mark routine OFFICIAL information, it is standard practice for the organisation to do.

There is a subset of information handled by the NHSCFA where the inappropriate use of the information could have damaging consequences for the organisation, for an individual (or groups), or other organisations. This information, which is caveated OFFICIAL-SENSITIVE, includes:

  • personal and/or patient identifiable information
  • staff personnel file and/or Electronic Staff Records (ESR)
  • staff pay and expenses
  • antecedent records
  • information about investigations, civil or criminal proceedings that could compromise enforcement activities or prejudice court cases
  • legal advice/opinions
  • risk registers
  • extremely sensitive NHSCFA corporate or operational information, such as major security or business continuity issues

Consequences if OFFICIAL-SENSITIVE information is mishandled:

  • Unauthorised disclosure likely to result in significant adverse impact, embarrassment to its stakeholders, members of the public or penalties to NHSCFA and /or its employees.
  • Protective Marking - where there is a clear and justifiable requirement to reinforce a “need to know” basis, information should be conspicuously marked OFFICIAL-SENSITIVE.

See Appendix 1.

Downgrading/Re-grading document

The originator is responsible for giving a document its protective marking and the responsibility for changing that marking lies solely with the originator. Recipients must not re-grade a document without reference to, and the agreement of, the originator. Should a recipient wish to challenge a document’s protective marking, they should approach the originator.

Where it is agreed to re-grade a document, all recipients of the document should be informed of the re-grading. This will avoid different offices holding copies of the same document with different protective markings.

If the original originator is not available (due to staff changes, etc.) the request for down/re-grading should be sent to the originating office. Compliance with the business unit’s SOPs together with a clear rationale for the reclassification of a document should be included in the ‘Version Control’ comments section.

Information access

Internal and external access to information held by the NHSCFA and to the systems within which they are held is governed by the security classification of the information.

  • Official information is either generally available to the public or all staff on a need-to-know basis, as determined by their line manager.
  • Official-Sensitive information should only be available to staff who have a business need for the information and such access rights should be capable of being monitored and revised.

Where access to Official-Sensitive information has been authorised, use of such data shall be limited to the purpose required to perform NHSCFA business.

Where a member of staff who has access to Official-Sensitive information either leaves the organisation’s employ or has their authorisation removed e.g. as a result of a secondment or a change of role, their access status must be updated accordingly as soon as practicable.

The distribution of documents should be confined to those who have a clear need-to-know. Where appropriate, documents should contain a distribution list, detailing whether it has been made available internally, externally or both.

Transfer and exchange of information

Information and data can be transferred and exchanged in a variety of ways, directly and indirectly. These may include:

  • spoken word
  • post, or e-mail
  • internet or intranet
  • magnetic media (including but not limited to CDs, DVDs, Memory Sticks)
  • electronic file transfers and document sharing
  • web portals (i.e. NHSCFA web-enabled applications)

Information must only be transferred to persons who are authorised to have access to it and there should be adequate security measures in place at the virtual or physical destination. Where Official-Sensitive information is being transferred, Information Asset Owners should seek additional assurances around the security measures in place.

Official-Sensitive information should not be sent or physically taken off-site without appropriate authorisation by the Information Asset Owner (or their delegated deputy) and appropriate security measures in place, such as encryption where applicable.

The recommended use of the various methods of transferring information is set out in the NHSCFA Data Classification Matrix, which should be adhered to at all times.

See Appendix 2

The transfer and exchange of information concerning identifiable living persons will additionally be subject to NHSCFA’s GDPR - Data Protection Policy.

Storage and protection of information

Information in all formats should be stored throughout its existence in an environment suited to its format and security classification, to protect it from threats to its physical integrity through unnecessary wear and tear, physical harm, specific risks such a fire, flooding or extreme environmental fluctuations and security from loss or unauthorised access.

Information whether original or duplicate, should never be kept outside of corporate systems, such as on personal drives or other removable media, except where necessary for example a temporary off-line copy because of a business need to work off-site or off-line or for an authorised transfer.

Information should be stored in systems and according to classifications, frameworks and procedures that enable it to be readily identified and retrieved throughout its existence.

Information held in digital formats should be managed and stored in such a way as to ensure usability and accessibility throughout its lifetime. This may involve migration of information between environments and systems, conversion to updated software versions, or from obsolete to current formats.

Protection from unauthorised access may require mechanisms such as password-protection or encryption of digital files and data or sign-in request sheets for access to non-digital information.

Where information is stored on a mobile device (PDA, laptop, USB drive), special care must be taken to ensure that the device is protected from theft, loss, or damage, particularly if it is transferred or used away from NHSCFA sites.

Physical access to information should be appropriately restricted by securing it in rooms, cabinets, drawers or other storage areas and by ensuring that files and computer monitors are not left open and unsecured to general or casual view.

Individuals are personally responsible for those documents in their care.

Responsibilities

The Board

The Board is ultimately responsible for ensuring that the organisation meets its legal responsibilities and the adoption of internal and external governance requirements. These responsibilities include maintaining standards of information governance which ensure the quality of record keeping and record management.

The Board will be informed of any issues via the Board Assurance Framework report, which the areas the Information Governance Lead is responsible for feeds into.

Chief Executive

The Chief Executive has overall responsibility for records management in the organisation. As accountable officer they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity.

Operational responsibility for information governance is delegated by the Chief Executive to the Information Governance Lead.

Caldicott Guardian

NHSCFA’s Caldicott Guardian has particular responsibility regarding the use of person identifiable information. The organisation’s Guardian has overall responsibility for ensuring person identifiable information is shared in an appropriate and secure manner.

The duties and responsibilities of the Caldicott Guardians are outlined in NHSCFA’s Caldicott Guardian Policy

Information Governance Lead

Their responsibilities include:

  • all the responsibilities detailed in the Information Governance Policy
  • to ensure the NHSCFA has an appropriate strategy in place to effectively manage corporate records
  • to ensure the implementation and application of the NHSCFA’s Data Handling & Retention policy and schedule
  • to provide guidance and advice on records management issues to NHSCFA staff
  • agree changes to record retention periods
  • appropriately delegate these responsibilities to the Information Governance Team

Information Asset Owner (IAO)

All IAOs are directly responsible for:

  • all responsibilities detailed in the Information Governance Policy
  • the creation of appropriate ‘Standard Operating Procedures (SOPs), that will ensure that records created within their units are managed in a way which meets the aims of the organisation’s record management policy

    • See Appendix 3

  • ensuring their staff are adequately trained in records management and ensure compliance with the data handling policy and associated good practice guidance
  • ensuring the implementation and application of the NHSCFA’s Data Handling & Retention policy and schedule
  • being fully aware of which records are vital to the continuation of their business service and take appropriate measures to ensure their continued availability in a business continuity scenario
  • involve the Information Governance Team at an early stage in assessing the impact of any changes in the management of records
  • appropriately delegate these responsibilities to their staff

All staff

Are directly responsible for:

  • meeting the responsibilities and principles detailed in the Information Governance Policy
  • managing all records, they use or create in the course of their duties to ensure they meet the requirements of this policy and any guidance provided.
  • ensuring that they do not create information outside of NHSCFA authorised systems and equipment
  • not recording business information in systems that do not allow a record to be kept or accessed at a later date
  • being aware that it is a criminal offence to:
  1. alter, deface, block, erase, destroy or conceal any personal data to prevent disclosure of information held by NHSCFA (see also NHSCFA Acceptable Use Policy)
  2. to seek to re-identify individuals from anonymised information without authorisation from NHSCFA or the relevant stakeholder.
  3. to knowingly or recklessly misuse personal information (e.g. retaining personal information they had access to in their role after leaving NHSCFA’s employ).

Reporting of incidents

Any incident involving the suspected loss or compromise of any protectively marked material (including incorrectly unmarked material) or person-identifiable data must be reported immediately, in accordance with the NHSCFA’s Information Breach Reporting policy.

This policy follows the NHSCFA’s:

The NHSCFA policy and guidance documents governed by or related to this policy are the:

  • Information Security Policy
  • Data Handling and Retention Policy
  • Data Retention Schedule

Sanctions

Any member of staff who violates the Records Management Policy may be subject to disciplinary (see also NHSCFA HR Disciplinary Policy), criminal and/or civil action.

Part Three - Standards

Records Management Standard

This standard supports and acts as a measure of compliance with the NHS Counter Fraud Authority’s (NHSCFA) Records Management Policy.

The NHSCFA’s Records Management Systems will ensure that records:

  • Are available when needed

    - from which the organisation is able to form a reconstruction of activities or events that have taken place

  • Can be accessed

    - records and the information within them can be located and displayed in a way consistent with its initial use and that the current version is identified where multiple versions exist

  • Can be interpreted

    - the context of the record can be interpreted: who created or added to the record and when, during which business process, and how the record is related to other records

  • Can be trusted

    - the record reliably represents the information that was actually used in, or created by, the business process and its integrity and authenticity can be demonstrated

  • Can be maintained through time

    - the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the record is needed, despite changes of format

  • Are secure

    - from unauthorised or inadvertent alteration or erasure, that access and disclosure are properly controlled and audit trails can track all use and changes. To ensure that records are held in a robust format which remains readable for as long as records are required

  • Are retained and disposed of appropriately

    - using consistent and documented retention and disposal procedures; this includes annual checks to ensure records that require manual destruction have been disposed of appropriately; and

  • Staff are trained

    - so that all staff are made aware of their responsibilities for record-keeping and record management.

The NHSCFA Records Management Systems comply with the legal and professional obligations set out in the Records Management: NHS Code of Practice and in particular: