2.1 Overview
All care employees are responsible for managing records appropriately. Records must be managed in accordance with the law. Care professionals also have professional responsibilities. Whilst every employee has individual responsibilities, each organisation should have a designated member of staff who leads on records management. Each organisation should also have a policy statement on records management which is made available to staff through induction and training. Organisations may be asked for evidence to demonstrate they operate a satisfactory records management regime.
2.2 Legal obligations
UK GDPR and Data Protection Act 2018
The UK GDPR is the principal legislation governing how records, information and personal data are managed. It sets in law how personal and special categories of information may be processed. The UK GDPR also introduces a principle of accountability. The Information Commissioner’s Office (ICO) Accountability Framework can support organisations with their obligations. Good records management will help organisations to demonstrate compliance with this principle. Digital Care Hub has produced guidance and a series of templates to help care providers create the records that you need to keep to comply with data protection law.
Health and Social Care Act 2008
Regulation 17 under the Health and Social Care Act 2008 requires that care providers must securely maintain accurate, complete and detailed records for the people they support, employment of staff and overall management. The CQC are responsible for regulating this and have issued guidance on regulation 17. The CQC may have regard to The Code when assessing providers’ compliance with this regulation.
Where social care records are created as a joint record or part of a system where local health and care organisations can see the records of other local health and care organisations, then these records would be managed in line with the requirements of the Public Records Act 1958 where one or more of the bodies that created the joint record is a public record body.
The NHS Standard Contract notes a contractual requirement on organisations which are not bound by either the Public Records Act 1958 or the Local Government Act 1972 to manage the records they create.
Other relevant legislation
Other legislation requires information to be held as proof of an activity against the eventuality of a claim. Examples of legislation include the Limitation Act 1980 or the Consumer Protection Act 1987. The Limitation Act sets out the length of time you can bring a legal case after an event and sets it at six years. This forms the basis for some of the retention periods set out in Appendix II.
2.3 Professional obligations
Staff who are registered to a Professional body, such as the General Medical Council (GMC), Nursing and Midwifery Council (NMC) or Social Work England will be required to adhere to record keeping standards defined by their registrant body. This is designed to guard against professional misconduct and to provide high quality care in line with the requirements of professional bodies.
2.4 Management responsibilities
Records management should be recognised as a specific corporate responsibility within every organisation. It should provide a managerial focus for records of all types, in all formats throughout their lifecycle, from creation through to ultimate disposal. The records management function should have clear responsibilities and objectives and be adequately resourced to achieve them.
A designated member of staff of appropriate seniority should have lead responsibility for records management within the organisation. This could be a registered manager or in a larger organisation, a staff member reporting directly to a board member. This lead role should be formally acknowledged, included in relevant job descriptions and communicated throughout the organisation.
All staff, whether working with care records or administrative records, must be appropriately trained so that they are competent to carry out their designated duties and fully aware of their personal responsibilities in respect of record keeping and records management. No records or systems should be handled or used until training has been completed. Training must include the use of electronic records systems. It should be done through generic and organisation-wide training programmes which can be department or context specific. Training should be complemented by organisational policies, procedures and guidance documentation.
2.5 Organisational policy
Each organisation must have an overall policy statement on how it manages all of its records. This may be a standalone policy or part of the overall suite of Information Governance (IG) policies. The policy should include details of how the organisation will use the records it creates. Digital Care Hub has a Record Keeping Policy template that you can download and adapt for your organisation.
The policy statement should provide a mandate for the performance of all records and information management functions. In particular, it should set out an organisational commitment to create, keep, manage, and dispose of records and document its principal activities in this respect. The policy should also:
- outline the role of records management within the organisation.
- define roles and responsibilities within the organisation in relation to records, including the responsibility of individuals to document their actions and decisions. An example is, who is responsible for the disposal of records.
- provide a framework for supporting standards, procedures and guidelines and regulatory requirements (such as CQC and the Data Security and Protection Toolkit).
- provide the mandate for final disposal of all information.
- provide instruction on meeting the records management requirements of the UK GDPR.
The policy statement should be reviewed at regular intervals (at least once every two years) and if appropriate should be amended to maintain its relevance. The policy is also an important component of the organisation’s information governance arrangements and should be referenced in the organisation’s IG policies or framework.
