NHS Digital is required to fulfil legislative and professional obligations in the management of its records and documents. These obligations are driven by, or arise in the context of, the following, together with any new legislation or government initiative affecting records management as it arises:

  • Public Records Act 1958
  • Data Protection Act 2018
  • General Data Protection Regulation 2016 (GDPR)
  • Freedom of Information Act 2000 (FOIA)
  • The Environmental Information Regulations 2004 (EIR)
  • Health and Social Care Act 2012
  • Computer Misuse Act 1990
  • Health and Safety at Work Act 1974
  • Companies Act 2006
  • Regulation of Investigatory Powers Act 2000
  • Records Management Code of Practice for Health and Social Care 2016
  • NHS Digital Data Security and Protection Toolkit Standard
  • International Standard on Quality Management Systems ISO 9001
  • British Standard on Evidential Weight and Legal Admissibility of Electronic Information BS10008: 2014
  • The National Archives portfolio of records management guidance
  • ISO 15489-1:2016 International Standard on Information and Documentation – Records management (Part 1: Concepts and principles; Part 2: Guidelines)
  • ISO9001:2015 - International Standard on Quality Management
  • ISO 21965:2019 - Information and documentation — Records management in enterprise architecture
  • ISO 23081-1:2017 – Information and documentation — Records management processes — Metadata for records — Part 1
  • ISO 27017:2015 – Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

GDPR/DPA 2018 requires organisations which hold 'personal data' to meet certain minimum standards in the way they process that data. It also entitles the individuals who are the subject of that data ('data subjects') to gain access to it, although some exemptions may apply.

See NHS Digital's Data Protection Policy (NHS Digital intranet, accessible only to NHS Digital staff) for further details.

The FOIA and EIR give a general right of access to recorded information held by public authorities, set out exemptions from that right, and place a number of obligations on public authorities such as NHS Digital. The Section 46 Lord Chancellor's Code of Practice on Records Management is especially relevant. Further details can be found in NHS Digital's Freedom of Information Procedure (NHS Digital intranet, accessible only to NHS Digital staff).

This policy and its supporting procedural and process guidance will serve, through effective implementation, to mitigate organisational risk in this area and to ensure compliance with NHS Digital's legal obligations.


Last edited: 13 October 2022 3:02 pm