Part of Objective E - Using and sharing information appropriately
Principle: E4 Records management
E4.a Managing records
“You manage records in accordance with your organisation's professional responsibilities and the law.”
Overview
To meet the requirements of this contributing outcome, your organisation must assure that it manages records in accordance with its professional responsibilities and the law. This includes all the types of records which are defined as being covered in the scope of the Records Management Code of Practice 2021.
Mapping to the 23-24 DSPT framework
Under the previous 23-24 Data Security and Protection Toolkit (DSPT) framework, your organisation was required to perform activities that help meet the expectations of this contributing outcome.
For more detail on what these activities were, see the mapping exercise published by NHS England and Department of Health and Social Care (DHSC).
Managing records appropriately
The Records Management Code of Practice 2021 will support you in developing a policy and managing records appropriately. It provides a framework for consistent and effective records management based on established standards. It covers organisations working within, or under contract to the NHS in England. The Code also applies to adult social care and public health functions commissioned or delivered by local authorities.
Record locations
You should ensure that your organisation has technical and organisational measures in place to protect the integrity of records over their period of use and retention. These should reduce the possibility of misfiles and records being held in the wrong locations. These may include:
- technical controls to prevent unauthorised access and alteration
- training to make staff aware of the potential for error and their professional obligations when accessing and filing records
- lessons learned activities following records integrity breaches to raise awareness and address problem processes
Records appraisal
Appraisal is the process of distinguishing records of continuing value from those of no further value, and disposing of the latter. Appraising records at the end of their retention periods will support organisational accountability measures and help you maintain the efficiency of your records management systems by limiting records held to only those of value.
You should have a realistic plan for appraising and removing records which reflects your organisation taking reasonable efforts to remove data which is no longer necessary. A practical way of achieving this is outlined below.
Records can be categorised into suitable groups according to the systems and storage solutions where they are held (your information asset register may be a useful starting point for this), for example:
- physical clinical records
- records stored on EPR
- corporate records held in cloud storage (generated through Microsoft Office 365 services, for example)
- health records held in cloud storage (generated through Microsoft Office 365 services, for example)
- patient data held on bespoke clinical systems
For each record group, an appraisal approach can be outlined which takes into account the:
- technical capabilities of storage solutions and systems for removal
- staff resources available for manual review and removal of records wherever this would be needed
- risk of retaining the records
Your organisation’s approach to appraisal and removal for each records group could then be documented and signed off by the relevant committee, with any residual risks associated with ongoing retention of records which may have passed their retention periods accepted by your SIRO, to demonstrate achievement of the outcome.
Records disposal
There are several ways you might dispose of records after appraisal, depending on how they have been stored by your organisation:
- destruction of paper records - paper records selected for destruction can be destroyed, subject to following ISO 15489-1:2016. Destruction can be conducted in-house or under contract with an approved offsite company
- destruction of digital records - destruction implies a permanent action. Any destruction of hardware, hard drives or storage media must be auditable in respect of the information they hold. For further information, including on the standards for secure sanitisation, please see B3.e media/equipment sanitisation and National Cyber Security Centre guidance
- putting records beyond use - if a system doesn’t allow permanent deletion, then reasonable efforts should be made to remove the record from normal daily use. It should be marked in such a way that anyone accessing the record can recognise it as a dormant or archived record
- transferring to national archives - some records will have historical or archival value, and so will need to be transferred to your nearest Place of Deposit. Your records manager or lead should build up a relationship with the Place of Deposit, who can provide advice on what records to permanently preserve, and to arrange transfer at a suitable time
For more information on disposal methods, view the Records Management Code of Practice 2021.
Destruction via third party suppliers
If your organisation uses third parties to dispose of (destroy by any means, including incineration) or archive personal data, there should be a contract in place which requires the third party to have appropriate security measures in place in compliance with data protection law.
Your third-party supplier should record each item that has been disposed of on a destruction certificate. This can be one certificate per item, or multiple items on one certificate. It's important that these items are known and can be referenced individually.
A destruction certificate with the following line item is not acceptable given that items have not been referenced individually and they are untraceable:
- 50 x SATA mixed sized hard drive destroyed
Whereas a destruction certificate such as the below, where items are individually referenced and the disposal method is specified, would be acceptable:
- Hitachi (HGST) 500gb 500 GB 2.5 Inch 5400 RPM Sata Hard Drive (s/n 999787989ui9) status shredded
- Western Digital Scorpio Blue 500GB Sata 8MB Cache 2.5 Inch Internal Hard Drive (s/n WD21377878nh98) status shredded
See ‘B3.e Media/equipment sanitisation’ for more information relating to reuse, repair, disposal or destruction of devices, equipment and removable media.
Supporting evidence
To support your response, you can review and upload (or link to) evidence which best demonstrates your achievement of the contributing outcome. Examples include:
- records management policy or equivalent
- record keeping system
- retention and disposal process
- documented evidence of records disposed of
This is not an exhaustive list. You're welcome to provide other types of evidence if you feel they are relevant to the contributing outcome.
Your supporting statement should cross-reference how each piece of evidence provides justification for your achievement of the contributing outcome, including relevant page numbers where appropriate.
Interpreting indicators of good practice
Indicator(s) of good practice | Term | Interpretation |
---|---|---|
NA#1 Some records are not in the locations indicated on the record keeping system. | ‘some records’ | Due to human error, some records may be misfiled or held in the wrong location on your record keeping system without your organisation being aware. This, in and of itself, does not result in failure of the E4.a outcome. What is important is that where you become aware of records being filed in the wrong locations, you have procedures to ensure this is rectified appropriately and without undue delay. You should also have procedures in place to reduce the probability of this happening in the first place (see ‘Record locations’ section above for more information). |
Additional guidance
For additional guidance, see:
NHS England | Records Management Code of Practice
Mapping to other cyber frameworks
NHS England and DHSC have produced a mapping document showing where the requirements of the CAF-aligned DSPT overlap with those of other cyber frameworks. New frameworks will be added to this document over the course of the year.
E4.b Clinical coding
“You are committed to regularly evaluating and improving your organisation’s coded clinical data.”
Overview
This contributing outcome relates to your organisation evaluating and improving its coded clinical data.
Mapping to the 23-24 DSPT framework
Under the previous 23-24 Data Security and Protection Toolkit (DSPT) framework, your organisation was required to perform activities that help meet the expectations of this contributing outcome.
For more detail on what these activities were, see the mapping exercise published by NHS England and Department of Health and Social Care (DHSC).
Data quality
You should have regard to relevant information standards, data quality sources and related resources to inform your internal policies, processes and procedures for data quality.
This is important to ensure that collection of data is consistent throughout the NHS and other care providers. It also supports the flow and quality of information used, so that health and care professionals are presented with the relevant information where and when it's required to provide effective care and treatment to service users.
See detailed data quality guidance for more information.
Clinical coding
Organisations depend on clear, accurate coded clinical data to provide a true picture of patient hospital activity and the care given by clinicians.
Coded clinical data is important for:
- monitoring provision of health services across the UK
- research and monitoring of health trends
- NHS financial planning and payment
- clinical governance
See detailed clinical coding guidance for more information.
Training
Training for clinical coding has set standards for:
- the time frame in which it's completed
- the materials used to support it
- who is eligible to undertake national courses
See detailed clinical coding training guidance for more information.
Audit
There are established procedures in place at acute and mental health trusts for regular quality inspections of the coded clinical data for inpatient and day case episodes. These are undertaken by approved clinical coding auditors using and applying the latest version of the ‘Terminology and Classifications Delivery Service’ Clinical Coding Audit Methodology to demonstrate compliance with the clinical classifications OPCS-4 and ICD-10.
See detailed clinical coding guidance for more information.
Supporting evidence
The documents which may be appropriate to review and upload in support of your response to this contributing outcome could include:
- Clinical coding policy
- Clinical coding practices
- Clinical coding audit documentation
This is not an exhaustive list. You're welcome to provide other types of evidence if you feel they are relevant to the contributing outcome.
Your supporting statement should cross-reference how each piece of evidence provides justification for your achievement of the contributing outcome, including relevant page numbers where appropriate.
Mapping to other cyber frameworks
NHS England and DHSC have produced a mapping document showing where the requirements of the CAF-aligned DSPT overlap with those of other cyber frameworks. New frameworks will be added to this document over the course of the year.
Last edited: 5 March 2025 3:29 pm