
Part of Objective E – Using and sharing information appropriately

Principle E4: Records management



The organisation manages records in accordance with its professional obligations and the law.


E4.a Managing records

Description

You manage records in accordance with your organisation's professional obligations and the law.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Some records are not in the locations indicated on the record keeping system.

NA#2. You do not have an approved process for disposing of records or it is not routinely followed.

NA#3. You are keeping data that identifies individuals for longer than it is needed.

NA#4. Your standards for record keeping are not in alignment with the Records Management Code of Practice.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Your organisation understands legal and professional obligations for records management.

A#2. You have a record keeping system implemented at the organisational level which covers every stage of the information lifecycle and arranges records into an appropriate classification scheme.

A#3. Records are appraised at the end of their retention period and disposed of when appropriate.

A#4. Data destruction can be evidenced via destruction certificates or equivalent.

A#5. Your organisation has a robust process to ensure that data that identifies individuals is not kept for longer than necessary.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Records management policy - obtain and inspect the records management policy (or equivalent), and assess whether it contains:

  1. A list of professional and legal obligations for records management. (A#1)
  2. The stages of the information management lifecycle, including generation and collection, classification, processing, archiving and disposal. For each stage, the policy should clearly document the responsibilities of each stakeholder, including patients. (A#2)
  3. A defined classification scheme, which is based on the type of data (for example, financial data or patient data), the sensitivity of data and the volume of data. (A#2)
  4. A clear retention period, with ownership for disposal being clearly assigned. (A#3)
  5. A disposal process, including ownership, and the information and evidence which should be retained by the organisation relating to records disposal. (A#4)

2. Record locations - verify how the organisation reduces the probability of records being filed and held in incorrect locations. (A#2)

3. Appraisal process - obtain and inspect evidence of the organisation’s process for appraising and removing records. Verify that:

  1. It clearly outlines how the organisation takes reasonable efforts to remove data which is no longer necessary. (A#3) (A#5) 
  2. It is realistic and takes into account practical limitations of the organisation’s storage solutions, systems and staff resources for performing manual reviews. (A#3) (A#5)
  3. It ensures that where records are disposed of, evidence of the disposal is retained by the organisation. (A#3) (A#5)
  4. It identifies risks associated with records the organisation has chosen to retain, which have been signed off by an appropriate senior member of staff. (A#3) (A#5)

4. Data destruction via third parties - if the organisation uses a third party for data destruction, select a sample from the disposal list and confirm there are valid destruction certificates or equivalent evidence for all items included in the sample. (A#4)

5. Record keeping system - verify what practical measures the organisation has in place via its record keeping system to ensure that:

  1. Records can be easily located and retrieved when needed. (A#2)
  2. The organisation can audit records access, creation of records, amendments to records or deletion of records when needed. (A#2)

Suggested documentation

Suggested documentation includes: 

  • records management policy or equivalent
  • evidence of processes in place to reduce the probability of records being filed in incorrect locations
  • record keeping system
  • retention and disposal process
  • documented evidence of records disposed of

E4.b Clinical coding

Description

You are committed to regularly evaluating and improving your organisation's coded clinical data.

The expectation for this contributing outcome is Achieved.

Indicators of good practice (IGP) achievement levels


Not achieved

At least one of the following is true:

NA#1. Your clinical coding practices are not compliant with current national clinical coding standards for the ICD-10 and OPCS-4 classifications.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Your clinical coding practices are compliant with current national clinical coding standards for the ICD-10 and OPCS-4 classifications.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework.

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Clinical coding policy - obtain and inspect the clinical coding policy or equivalent, and assess whether its requirements align with current national clinical coding standards for the ICD-10 and OPCS-4 classifications. (A#1)

2. Clinical coding implementation - obtain and inspect evidence that coding practices are aligned with the clinical coding policy. (A#1) 

3. Clinical coding audit documentation - obtain and inspect evidence of clinical coding audit documentation, to ascertain if these have been undertaken in line with guidance. (A#1)

4. Staff training - obtain and inspect evidence that staff who require clinical coding training have completed training within expected timeframes. (A#1)

Suggested documentation

Suggested documentation includes: 

  • clinical coding policy
  • clinical coding practices
  • clinical coding audit documentation

Last edited: 5 March 2025 9:56 am