Developing a Records Management SOP - Minimum Requirements

A list of minimum requirements to be met by the SOP

Information Asset Register (IAR) alignment - An IAR is a formal inventory of information assets which helps the organisation better manage the information records it possesses and mitigate the associated risks. By ensuring their information asset register entries are up to date, business units will, through their SOPs, be better able to protect those assets and comply with the organisation’s record management requirements.

Storage control and access - How and where documents are stored is as important as who has access to them. Once the best method of storage has been determined, a Standard Operating Procedure (SOP) needs to be put into place that clearly states how files can be retrieved and by whom (where appropriate restrictions apply).

Security and privacy - Where security practices are lax, data can become vulnerable to breach. A data breach, as well as potentially having financial repercussions, can also result in reputational implications for the organisation as a whole. It is therefore incumbent upon business units to ensure that they safeguard their records and treat personal information with the level of security it deserves. Processes and safeguards should also be in place to prevent any unauthorised or accidental destruction or deletion of records.

Record, track and monitor - Records move around all the time, between colleagues, business units and/or external departments and storage facilities. Document mismanagement is a key contributor to poor record keeping and can easily impede an organisation’s compliance with legislative requirements. Without a suitable recording or monitoring system in place, it is easy for documents to go missing or be unaccounted for, which could result in the organisation’s inability to fulfil its Freedom of Information or Data Protection Act obligations.

Retention and disposal procedures - Every record containing person-identifiable information will have its own appropriate lifespan. It will be necessary to ensure that each type of record generated by business units is correctly retained and disposed of in accordance with the law and the parameters stipulated by the business unit, in line with the organisation’s Data Retention Schedule. Business Unit SOPs should (where appropriate) include details of:

  • the medium in which records are to be retained
  • the review process and frequency of review
  • how records should be destroyed; and
  • who has responsibility for a particular record set.

Destroy or delete - When records do come to the end of their lifecycle, they need to be destroyed securely. Business Unit SOPs should align with the organisational policy for the destruction of confidential and personal business records. They should also include a general ‘good housekeeping’ plan for the destruction of non-critical or non-sensitive information to free up office and digital storage space.

Regular review - Compliance is never a ‘once and done’ activity, especially when it comes to records and information management. SOPs should include reviews to ensure that any changes to actual unit practices are captured and reflected and that the SOPs align with organisational policy.
