Records Management Policy v4.0 FINAL · Records Management Policy Document Reference RECORDS MANAGEMENT POLICY Version 4.0 FINAL Purpose To outline the …

Records Management Policy

Document Reference RECORDS MANAGEMENT POLICY Version 4.0 FINAL Purpose To outline the policy, procedures and quality standards which

must be used by all YAS staff with patient contact, when completing the clinical records.

Document Author (Name/Title) Julie Barber – Project Manager Directorate Lead (Name/Title) David Johnson – Assistant Director of ICT Responsible Committee Integrated Governance Committee Approved by Information Governance Group Date Approved 7th March 2011 Ratified By Integrated Governance Committee Date Ratified 5th February 2010 Date Issued 14th March 2011 Review Date February 2012 Target Audience Accountability – Directors

Responsibility – Authors of policy documentation and supporting plans Implementation – Directors, Assistant Directors and Senior Managers Awareness – All Trust staff responsible for generating and/or handling Trust records

Review Responsibility (Name/Title)

David Johnson – Assistant Director of ICT

Equality impact assessed (Yes/No)

Yes

Confidentiality Unrestricted

Records Management Policy 4.0 FINAL

Page 2 of 57

Contents

1. Introduction .................................................................................................... 4

2. Purpose .......................................................................................................... 5

3. Scope .............................................................................................................. 5

4. Duties ............................................................................................................. 7

4.1. Duties within the Organisation ..................................................... 7

4.2. Consultation and Communication with Stakeholders ................ 7

5. Equality Impact Assessment of this Policy ................................................. 8

6. Review and Revision Arrangements for this Policy ................................... 8

7. Dissemination of this Policy ......................................................................... 8

8. Monitoring Compliance and Effectiveness of this Policy .......................... 8

9. Legal Obligations .......................................................................................... 9

9.1 Freedom of Information Act 2000 ....................................................... 9

9.2 Data Protection Act 1998 ................................................................... 10

9.3 Confidentiality Code of Conduct ...................................................... 10

10. Glossary of Terms ....................................................................................... 11

11. Creating Records ......................................................................................... 12

11.1 How to Version Control a Document .............................................. 14

11.2 Data Quality ...................................................................................... 14

12. Retaining Records ....................................................................................... 15

13. Maintenance of Records ............................................................................. 15

14. Use of Records ............................................................................................ 15

14.1 Use of Electronic Records .............................................................. 16

14.2 Transferring Electronic Person Identifiable Information .............. 16

14.3 Tracking Electronic Records .......................................................... 17

14.4 Example of a Manual Audit Trail for Electronic and/or Paper Records..................................................................................................... 17

14.5 Retrieving Electronic Records ........................................................ 18

14.6 Use of Paper Records ...................................................................... 18

14.7 Tracking Paper Records .................................................................. 18

14. 8 Retrieving Archived Paper Records in Storage ........................... 19

14.9 Tracking Paper Patient Report Forms (PRFs) ............................... 19

14.10 Retrieving Paper Patient Report Forms - Requests for Information by External Third Parties .................................................... 19

14.11 Retrieving Paper Patient Report Forms - Requests for Information by Internal YAS Staff ........................................................... 21

15. Disposing of Records ................................................................................. 22

15.1 How to Arrange Secure Destruction of Records ........................... 22


Page 3 of 57

15.2 Records with Archival Value ........................................................... 23

16. Appendix A1 – Complete List of Information Asset Owners (IAOs) ....... 24

17. Appendix A2 – List of YAS Authorised Users who Manage the Boxes in Store with Squirrel ....................................................................................... 25

18. Appendix A3 – How to Manage the Squirrel Authorised Users ............... 27

19. Appendix B1 – Process Flow Detailing the Step by Step Guide to Creating Clinical Records ........................................................................... 28

20. Appendix B2 – Process Flow Detailing the Step by Step Guide to Creating Corporate Records ....................................................................... 29

21. Appendix C1 – Process Flow for Retaining Records ............................... 30

22. Appendix C2 – Table Detailing the Retention Periods for each Record Type .............................................................................................................. 31

23. Appendix D1 – Process Flow for Tracking Records ................................. 50

24. Appendix D2 - Process Flow for Retrieving Archived Paper Records in Storage ......................................................................................................... 51

25. Appendix D3 – Process Flow for Tracking Paper Patient Report Forms 52

26. Appendix D4 - Process Flow for Retrieving Paper Patient Report Forms 53

27. Appendix E1 - Process Flow for a Step by Step Guide to Disposing of Records ........................................................................................................ 54

28. Appendix E2 - Copy of the Form to Request Authorisation to Dispose of Records ........................................................................................................ 55

29. References ................................................................................................... 57

Version Control

Version Dated Review Date Status / Notes 2.0 FINAL 9th Sept 2008 Sept 2009 Released.

2.1 draft Jan 2010 n/a In draft, not approved, presented to IGG for approval/feedback.

2.2 draft Feb 2010 n/a Incorporated IGG feedback. Presented to IGG for final approval.

3.0 FINAL 5th Feb 2010 Feb 2011 Released.

3.1 draft Aug 2010 n/a

Update to add a reference section, updates to appendix D4 and add new appendix A2.

3.2 draft Sept 2010 n/a Update to add further appendix A3. Presented to IGG for approval.

3.3 draft Feb 2011 n/a

Updated to reflect changes in processes over the last 12 months. Presented to IGG for approval 7th Mar 2011.

4.0 FINAL Feb 2011 Feb 2012 Released.


Page 4 of 57

1. Introduction

This Yorkshire Ambulance Service NHS Trust (the organisation, or YAS) policy sets out the processes and best practice for the management of all the organisation’s records that contain clinical, non-clinical and person identifiable information (PII). This policy aims to provide guidance to all YAS employees for the handling and management of all types of information throughout its complete lifecycle. The lifecycle of all information covers five phases; creation, retention, maintenance, use and disposal. The best practice guidance in this policy is taken from the Department of Health “Records Management: NHS Code of Practice” which is based on current legal requirements and includes the professional required standards of practice in the management of records for those who work within, or under contract to, NHS organisations in England. All records (manual or electronic) containing personal data are also covered by the Data Protection Act 1998 and consequently the provisions of the Act apply to all of the organisation’s records containing PII. Records are required for a number of reasons and essential to the organisation, some examples of why records are needed are detailed below: To support patient care and continuity of care To support the day to day business and the delivery of care To support evidence based clinical practice To support sound administrative and managerial decision making, as part of

the knowledge base for NHS services To meet legal requirements, including requests from patients under subject

access provisions of the Data Protection Act and/or the Freedom of Information Act

To assist clinical and other types of audits To support improvements in clinical effectiveness through research and also

to support archival functions by taking account of the historical importance of material and the needs of future research

To support patient choice and control over treatment and services designed around patients.


Page 5 of 57

2. Purpose

The purpose of this policy is to provide clear guidance to all YAS employees for the handling and management of all records, regardless of the media on which they are stored. It details the minimum retention periods that must be adhered to for each of the different record types held by the organisation. Please refer to the table in Appendix C2 for further details of the specific retention periods for each of the different types of records. This policy also supports the following: Connecting for Health Information Governance Toolkit requirements; 8-400,

402 & 404 NHS Litigation Authority - Risk Management Standards for Ambulance Trusts;

1.1.8 Care Quality Commission; Outcome 21 Auditors Local Evaluation 5.3.11.

3. Scope

This policy covers all record types that contain all types of information, stored on any type of media, some examples include: Patient clinical records (electronic or paper based) *Corporate records Photographs, slides and other images Microform (i.e. microfiche/microfilm) Audio and video tapes, cassettes, CD-ROM etc e-mails Message books Staff diaries Computerised records Scanned records Text messages (both outgoing from the NHS and incoming responses from

the patient) Computer database outputs, disks and all other electronic records Material intended for short term or transitory use, including notes and copies

of documents.


Page 6 of 57

*Corporate information refers to all information generated by the organisation, other than clinical or patient information. Corporate information refers to the records generated by an organisation’s business activities and includes records from the following (and other) areas of YAS: Estates and Fleet Finance and Procurement ICT and Information Governance Human Resources and training Performance management Integrated Governance Health care quality and clinical audit Complaints and compliments Communications and Patient Advisory Liaison Service Trust Board business.

Some examples of corporate information are: Policies and procedures Strategies and action plans Minutes and agendas Reports (e.g. annual, accounting, Board) Financial Standing Orders Invoices Public consultations Databases Contracts.

The table in Appendix C2 details the minimum retention period for each type of record. Records (whatever the media) may be retained for longer than the minimum period, however, records should not ordinarily be retained for more than 30 years The National Archives should be consulted where a longer retention period than 30 years is required, or for any records that pre date 1948.


Page 7 of 57

4. Duties

4.1. Duties within the Organisation The Trust Board has overall responsibility for records management within the organisation with the Chief Executive being ultimately accountable for the proper management of all records within the organisation. The Directors are accountable for the quality of records management within each of their Directorates and all line managers and supervisors ensure that their staff are adequately trained and apply the appropriate guidelines on a day to day basis. The Information Governance Group (IGG) has delegated responsibility from the Integrated Governance Committee (IGC) to ratify and approve all information governance related policies and procedures. The Clinical Documentation Group has delegated responsibility from the Clinical Governance Committee for the management, control and production of the specific clinical documentation used throughout the organisation. The management of clinical documentation, including revisions to existing documentation, the release of new documentation, and staff guidance on quality of completion of the clinical documentation is the responsibility of this Group. The organisation’s Caldicott Guardian is responsible for approving and ensuring that national and local guidelines and protocols regarding the handling and management of confidential patient information are implemented and adhered to. The Information Asset Owners (IAOs) are senior staff members (most typically of Assistant Director level) who take direct responsibility for the information held in their work area, including the integrity, safe storage and quality of that information. The IAOs provide direct support to the Senior Information Risk Owner (the ICT Director) and are also responsible for identifying, managing and mitigating information risks. A complete list of all the organisation’s IAOs can be found in Appendix A. Under the Public Records Act, each employee is responsible for any records they create or use. This responsibility is established at, and defined by, the law. Furthermore, as employees of the NHS, any records which they create are public records.

4.2. Consultation and Communication with Stakeholders

Each of the key stakeholder groups are represented in the IGG and this policy was reviewed and approved by that Group. Following the approval by the IGG the policy was presented for ratification to the IGC before being issued and disseminated to all staff.


Page 8 of 57

5. Equality Impact Assessment of this Policy

The organisation aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce whilst ensuring that none are placed at a disadvantage over others. A full equality impact assessment was carried out for this policy and the results and a copy of the equality impact assessment can be found on the YAS intranet. Please go to the Document Library, Equality Impact Assessments.

6. Review and Revision Arrangements for this Policy

This policy will be reviewed by all the stakeholders detailed in section 4.2 on an annual basis and the authors of the policy will be responsible for initiating this review and the collation of all changes and revisions. The ratification and approval will be carried out annually by the IGG. The dates of each version and the corresponding dates for each approval can be found in the version control table which follows the contents page, on page 3.

7. Dissemination of this Policy

Following approval and ratification the policy will be available on the YAS intranet in the document library and in the Records Management section, under Tools and Resources. A copy will be sent to all staff, via the weekly staff bulletin “Operational Update”. Further copies will also be sent to key managers and team leaders, via email.

8. Monitoring Compliance and Effectiveness of this Policy

To ensure that all staff adhere to the processes and guidance contained within this policy, the IGG will receive six monthly and annual reports from all the nominated IAOs. The reports will contain details of any data quality issues and plans that are in place to rectify those issues. The report template is called “DQ and Info Risk Mgt_REPORT into IGG.xls”. Any deficiencies will be noted in the minutes of the IGG and relevant remedial actions agreed and implemented accordingly. The IAOs will also report all information risks through the organisation’s existing risk management process which are escalated, where appropriate, to the SIRO. The IAOs will carry out monthly checks of the records under their responsibility, to ensure that all records are kept accordance with this policy, throughout each phase of the records’ lifecycle. Any problems that cannot be rectified at the departmental level where appropriate, will be raised as a risk and managed through the risk management process, or reported into the IGG for guidance. Periodic spot checks on staff practices, against the guidance in this policy and the staff handbooks, will be carried out by the appropriate line managers. The results of those checks will be submitted to the relevant IAO for inclusion in their six monthly and annual reports into the IGG.


Page 9 of 57

9. Legal Obligations

The organisation has a common law duty of confidence to all our patients and a duty to maintain professional ethical standards of confidentiality. Everyone working for, or with the organisation, who records, handles, stores, or otherwise comes across patient information has a personal common law duty of confidence to the patients, and to the organisation. The duty of confidence continues even after the death of the patient, and/or after an employee or contractor has left the organisation. Any personal information given or received in confidence for one purpose, may not be used for a different purpose, or passed to a third party without the consent of the provider of that information. This duty of confidence is long established at common law, however, it is not an absolute duty and can be subject to an overriding public interest. There are other statutory restrictions on the disclosure of information:

The NHS (Venereal Diseases) Regulations 1974 and the NHS Trusts (Venereal Diseases) Directions 1991

The Human Fertilisation and Embryology Act 1990, as amended by the Human Fertilisation and Embryology (Disclosure of Information) Act 1992

Public Records Acts 1958 and 1967 Health and Safety at Work Act 1974 (and related regulations) Unfair Contract Terms Act 1977 Limitation Act 1980 Companies Acts 1985 and 1989 Financial Services Act 1986 Latent Damage Act 1986 Consumer Protection Act 1987 Copyright, Designs and Patents Act 1988 Value Added Tax Act 1994 Civil Evidence Act 1995 Data Protection Act 1998 Human Rights Act 1998 Freedom of Information Act 2000 Access to Health Records Act 1990.

9.1 Freedom of Information Act 2000 The Freedom of Information Act 2000 has lead to greater openness concerning NHS administrative records and the organisation has to meet and follow legal requirements which include requests from patients and/or members of the public. Please refer to the Freedom of Information Publication Scheme on the YAS intranet: http://www.yas.nhs.uk/


Page 10 of 57

9.2 Data Protection Act 1998 All records (manual or electronic) are covered by the Data Protection Act 1998 and consequently the provisions of the Act apply to all YAS records containing personal data. Requests from patients under subject access are dealt with according to the Data protection Act 1998. Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate and up to date Not kept for longer than is necessary Processed in line with your rights Secure Not transferred to other countries without adequate protection.

9.3 Confidentiality Code of Conduct All YAS employees are bound by a legal duty of confidence to protect personal information that they may come into contact with during the course of their work. This is not only a contractual requirement, but also a requirement of the Data Protection Act 1998. For health and other professionals it is also part of their own profession’s code of conduct. This means that employees must keep any person-identifiable information strictly confidential eg patient and employee records. In addition, employees coming into contact with important non person-identifiable information should treat it with the same degree of care and confidentiality. When dealing with confidential information please follow these guidelines: Keep all person-identifiable information with you at all times. Do not leave confidential or person-identifiable information on printers, photocopiers or fax machines or on your desk for others to view. It is your responsibility to remove it from the printer, photocopier or fax machine. If faxing confidential information mark the fax header ‘private and confidential’ and request a receipt. Follow up with a phone call to make sure the information has been received. If you require further information, please contact the Information Governance Coordinator Michelle Power, email: [email protected]


Page 11 of 57

10. Glossary of Terms

Clinical Records / Health Records – A single record with a unique identifier containing information relating to the physical or mental health of a given patient who can be identified from that information and which has been recorded by, or on behalf of, a health professional, in connection with the care of that patient. This may comprise text, sound, image and/or paper and must contain sufficient information to support the diagnosis, justify the treatment and facilitate the ongoing care of the patient to whom it refers. Corporate Records – Records (other than health records) that are of, or relating to, an organisation’s business activities covering all the functions, processes, activities and transactions of the organisation and of its employees. Information Asset Owner (IAO) – Is a senior staff member (most typically of Assistant Director level) who takes direct responsibility for the information held in their work area, including the integrity, safe storage and quality of that information. The IAOs provide direct support to the Senior Information Risk Owner (the ICT Director) and are also responsible for identifying, managing and mitigating information risks. A complete list of all the organisation’s IAOs can be found in Appendix A. Information Lifecycle – the five distinct phases that all information will follow. The five phases are; creation, retention, maintenance, use and disposal. For further details on each phase please refer to sections 11 to 15. Person Identifiable Information (PII) – Information (or data) relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. Information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual. Record – Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations, or in the transaction of business. An NHS record is anything which contains information (in any media) which has been created or gathered as a result of any aspect of the work of NHS employees, including consultants, agency or casual staff.


Page 12 of 57

11. Creating Records

All information follows five distinct phases: 1. Creation 2. Retention 3. Maintenance 4. Use 5. Disposal.

This policy covers each of these phases and the YAS employees’ obligations under this policy. Please refer to the process flow in Appendix B1 for a step by step guide to creating clinical records and the process flow in Appendix B2 for a step by step guide to creating corporate records. Note: The checklist referred to in section 8, which is to be used by line managers for spot checks, can be found on the YAS intranet in the Records Management section, under Tools and Resources. This checklist covers all five phases of a records’ lifecycle and should be used by line managers to regularly assess compliance with this policy. It is recommended that spot checks using this checklist should be carried out initially on a monthly basis until a stable position is established. This frequency can then be reduced accordingly, to the minimum of every six months in order to fall in line with the IAO six monthly reports to the IGG. When creating information in the first instance, the following should be adhered to and the information must be:

Available when needed to enable a reconstruction of activities or events that have taken place

Accessible to all members of staff that require access in order to enable them to carry out their day to day work - the information must be located and displayed in a way consistent with its initial use and that the current version is clearly identified where multiple versions exist

Interpretable, clear and concise so the context of the information is clear and be able to be interpreted appropriately, i.e. who created or added to the record and when, during which business process and how the record is related to other records

Trusted, accurate and relevant - the information must reliably represent the initial data that was actually used in, or created by, the business process whilst maintaining its integrity. The authenticity must be demonstrable and the content relevant

Secure from unauthorised or inadvertent alteration or erasure. Access and disclosure must be properly controlled and audit trails used to track all use and changes. The information must be held in a robust format which remains readable for as long as the information is required and/or retained.


Page 13 of 57

For reasons of business efficiency or, in order to address problems with storage, consideration should be given to the option of scanning paper format records into electronic format. Where this is proposed, the factors to be taken into account include the:

Costs of the initial (and any later) media conversion to the required standard, bearing in mind the length of the retention period for which the records are required to be kept

Need to consult in advance with the local Place of Deposit or The National Archives with regard to records which may have archival value, as the value may include the format in which it was created

Need to protect the evidential value of the record by copying and storing the record in accordance with British Standards, in particular the ‘Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically’ (BIP 0008).

In order to fully realise the benefits of reduced storage requirements and business efficiency, the Information Asset Owners (IAOs) should consider secure disposal of any paper records that have been copied into electronic format and stored in accordance with appropriate standards. Employees should also consider the following when creating information for the first time:

What is being recorded and how it should be recorded Why is it being recorded How to validate the information (and against what) in order to ensure that

what is being recorded is the correct data How to identify errors and how to report errors and correct them

accordingly The intended use of the information, understand what the records are

used for (and therefore why timeliness, accuracy and completeness of recording is so important)

How to update the information and how to add in information from other sources

When and how to incorporate document and version control. Please refer to the table below for details of how to use version control numbering for a document:


Page 14 of 57

11.1 How to Version Control a Document

Stage Version Number

Filename

Initial creation 0.1 APolicyDocument_v0.1 - draft Second draft to include some feedback

0.2 APolicyDocument_v0.2 - draft

Third draft to include changes from stakeholders


All changes included, ready for approval


Approved version – now ready for release

1.0 APolicyDocument_v1.0 - FINAL

DOCUMENT PUBLISHED AND RELEASED


Review now due Make amendments on the draft as applicable


Incorporate feedback from stakeholders


Issue for approval 1.3 APolicyDocument_v1.3 - draft Incorporate feedback from the approvers


Re-issue for final approval 1.5 APolicyDocument_v1.5 - draft Approved version – now ready for release


DOCUMENT RE-PUBLISHED AND RE-RELEASED


11.2 Data Quality All staff must ensure that high standards of data quality are applied at every phase of the records lifecycle, for further detailed guidance regarding the organisation’s data quality policy and procedures please refer to the Data Quality Policy on the intranet in the Document Library under the section; Policies Procedures and Guidance, ICT and Information Governance Policies. For details of the policy, procedures and quality standards which must be used by all YAS staff with patient contact, when completing the clinical records, please refer to the Clinical Record-Keeping Standards Policy available on the YAS intranet.


Page 15 of 57

12. Retaining Records

Please refer to Appendix C1 for the process flow for retaining records. Refer to Appendix C2 for the table detailing the retention periods for each record type. The retention period varies dependant on the type of information being stored, clinical records should not ordinarily be retained for more than 30 years and all the organisation’s clinical records can be securely destroyed after 10 years. The information being recorded and retained must be relevant, fit for the purpose it was intended and only retained for as long as it is genuinely required. It is a legal requirement that NHS records which have been selected as archives should be held in a repository that has been approved for the purpose by The National Archives. Where an organisation is already in regular contact with its Place of Deposit, it should consult with it over decisions regarding selection and transfer of records. Where this is not the case, The National Archives should be contacted in the first instance.

13. Maintenance of Records

All information needs to be maintainable through time. The qualities of availability, accessibility, interpretation and trustworthiness must be maintained for as long as the information is needed (perhaps permanently) despite changes in the format. The use of standardised filenames and version control methods should be applied consistently throughout the organisation and the life of the information. Please refer to the table in section 11.1 for guidance on how to version control a document, from the point of its creation, throughout it’s use and maintenance.

14. Use of Records

All information must be used consistently, only for purposes for which it was intended and never for an individual employee’s personal gain or purpose. If in doubt employees should seek guidance from the Information Governance Coordinator in the first instance, who will inform the relevant IAO for the business area concerned. Only the specific information required should be disclosed to authorised parties and always in accordance and with strict adherence to, the Data Protection Act and the Freedom of Information Act. There are a range of statutory provisions that limit, prohibit or set conditions in respect of the disclosure of records to third parties, and similarly, a range of provisions that require or permit disclosure. The key statutory requirements can be found in Annex C of the “Records Management: NHS Code of Practice” (Part 1): http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747


Page 16 of 57

14.1 Use of Electronic Records Records held in electronic format are often easier to access and maintain, however staff must always ensure that records are not being accessed unnecessarily, or kept for any longer than reasonably required just because it’s easier to do so. If the records contain information that is person identifiable, personal or of a sensitive nature the eight principles of the Data protection Act must be adhered to. Please refer to section 9.2 for details of the eight principles. 14.2 Transferring Electronic Person Identifiable Information The mechanisms for transferring information from one organisation to another should be tailored to the sensitivity of the material contained within the records and the media on which they are held. Before transferring any information that may be of a confidential nature, and/or include some Person Identifiable Information (PII), please firstly consult with the relevant IAO for the business area concerned. As a minimum, all PII should be transferred in encrypted files using WIN ZIP Version 12. To send PII safely and in accordance with the organisation’s procedures staff must: 1. Email the document as a zipped file with a password. 2. Send the password in a separate email that has also been encrypted or 3. Contact the person who is to receive the file and provide the password verbally (unless the password has already been previously agreed). Under no circumstances must the password and the attachment be sent on the same email. This is a direct breach of the organisation’s current Security Policy and would render the above process useless, should the email and attachment land in the wrong hands. YAS currently uses WIN ZIP Version 12 which encrypts data to the highest available capacity. If staff require a one-off document encrypting they should contact the service desk on 0845 122 0522 and log a call. A member of the helpdesk will be then be in touch to encrypt the document on your behalf, including setting the password specified by the requesting staff member. The information will then be placed on the requestor’s workstation for them to send via their own email account. If staff will be sending information on a regular basis then a licence for the WIN ZIP software will be required. Please follow the usual procurement procedures through your line manager to arrange for a licence to be purchased and installed. Any questions should be directed to the ICT service desk on the above number.


Page 17 of 57

14.3 Tracking Electronic Records Please refer to Appendix D1 for the process flow for tracking records. The tracking of electronic records is held automatically in the audit trails of the systems that hold the data. Where this type of audit trail does not exist for some systems, staff must enter a manual audit trail in the record itself that details the full name of the person to last update the record and the date and time the amendment was carried out (please refer to the example in section 14. 4). Depending on the nature of the record, this level of detail may not always be applicable, however best practice is to ensure version control is always applied as a minimum. If a particular record cannot be version controlled, has no automatic system audit trail and a manual audit trail cannot be easily applied directly to the record itself, consideration should be given to a separate document that details the audit of amendments to that particular record. Information held in records should be closed (i.e. made inactive and transferred to a secondary storage) as soon as they have ceased to be in active use, other than for reference purposes. An indication that a file of paper records, or folder of electronic records, has been closed, together with the date of closure, should be shown on the record itself, as well as noted in the index, manual audit trail or database of the files/folders. Where possible, information on the intended disposal of electronic records is included in the metadata when the information is created. The storage of closed records follows accepted standards relating to environment, security and physical organisation of the files. This is handled by the organisation’s third party storage provider which is used for archiving closed paper records and also the secure destruction of the records once the relevant retention period has expired. 14.4 Example of a Manual Audit Trail for Electronic and/or Paper Records Version Number

Date of Change

Time of Change

Full Name Reason for / Type of Change

1.0 31/01/2010 14.30 John Smith To include staff mobile contact numbers.

1.1 28/02/2010 10.00 Joanne Smith Add additional data to include full postal address.

The above table can be less detailed where applicable, for example the time of the change may only be required if a particular record is being updated numerous times during the same working day. Likewise additional columns can be added if further details about the type of change are required. The above manual audit trail can be used for both electronic and paper records.


Page 18 of 57

14.5 Retrieving Electronic Records The retrieval of electronic records is also easier to control due to the rights and restrictions that can automatically be applied to individual staff logins for the various systems that hold the records. Managers are responsible for authorising and requesting the appropriate user rights for individual members of staff, however all staff continue to be responsible for security and integrity of the records and information which they record, handle, store, or otherwise comes across during their day to day duties. 14.6 Use of Paper Records Records held in paper format are less easy to access, maintain and control than electronic records due to the very nature of them. Paper based records often only have the one master copy and are difficult to backup easily and cost effectively. Therefore, staff must take additional precautions when safeguarding and filing paper records to ensure that retrievals will be possible, when required at some point in the future. Where possible the filing and archiving of paper based records should provide sufficient information to allow the identification of the records needed. 14.7 Tracking Paper Records Please refer to Appendix D1 for the process flow for tracking records. Paper records do have the facility of an automatic audit trail that electronic systems offer and so staff must enter a manual audit trail in the record itself that details the full name of the person to last update the record and the date and time the amendment was carried out (please refer to the example in section 14. 4). Depending on the nature of the record, this level of detail may not always be applicable, however best practice is to ensure version control is always applied as a minimum. If a particular record cannot be version controlled and a manual audit trail cannot be easily applied directly to the record itself, consideration should be given to a separate document that details the audit of amendments to that particular record. Whilst the organisation is continually making changes to help reduce the amount of paper records produced in the first instance and to also convert some paper based records into electronic format, there is always likely to be the need for some paper based records within the organisation. In the first instance, staff must always look for alternative methods of creating, storing and maintaining records that do not involve the paper based means being the primary source. However, where a suitable electronic alternative is not readily available, staff must always seek to be as efficient as possible, file records in a logical manner to aid future retrieval and avoid making unnecessary duplications to help reduce the risk of data being lost or unlawfully disclosed. Staff must apply clear version control as described in section 11 and manual audit trails in the record itself that details the full name of the person to last update the record and the date and time the amendment was carried out. Please refer to the table 14.4 for an example of how to create a manual audit trail.


Page 19 of 57

14. 8 Retrieving Archived Paper Records in Storage Please refer to Appendix D2 for the process flow for retrieving archived paper records in storage. To retrieve paper archived records that have been boxed and stored with the organisation’s external storage supplier, please contact the relevant authorised user for your department. The storage supplier holds the same list of authorised users that can make requests for boxes to be retrieved from store and delivered to designated addresses across the organisation. For details of the authorised users in each department and their levels of permissions, please go to the YAS intranet in the Records Management section, under Tools and Resources: http://intranet.yas.nhs.uk/toolsandresources/Pages/RecordsManagement/default.aspx 14.9 Tracking Paper Patient Report Forms (PRFs) Please refer to Appendix D3 for the process flow for tracking paper patient report forms. YAS are currently piloting an electronic system for capturing clinical information when treating patients and the intention is to move onto this system in the future. In the meantime all staff when treating a patient, continue use the latest paper based versions of the various Patient Report Forms. All paper patient forms (w.e.f. 1st February 2010) across the whole organisation are scanned and verified by one of the two Clinical Audit teams. The paper forms once scanned are retained for one month and then securely destroyed using external suppliers. There are a number of other teams within the organisation that also require access to these forms for a number of reasons. These teams have the required (direct) access to the database, where the scanned copies are held, which has an audit trail automatically generated each time a file is accessed. 14.10 Retrieving Paper Patient Report Forms - Requests for Information by External Third Parties Please refer to Appendix D4 for the process flow for retrieving paper patient report forms. Should members of staff be approached by a third party organisation (or a member of YAS staff) for copies of any information they must refer the request to the appropriate team within the organisation. Under no circumstances should staff divulge any information, however small, to anyone external to the organisation. Staff must direct all such requests immediately to the teams trained to handle and process these requests. These teams take ownership of the request and ensure that it is handled in a consistent manner, whilst also ensuring that any disclosures, when carried out, are in strict accordance with the Data Protection Act.


Page 20 of 57

The requests included may be Subject Access Requests, Police and Coroners’ requests or any other type of request where staff are being asked for copies of paper patient report forms (PRFs), copies of calls placed with the Access and Response Communications Centre and any other documentation held by the organisation. Regardless of what is being requested and who the third party making the request is, staff must refer the requestor to the teams listed in the table below. Please refer the requestor to the following teams during Mon to Fri, 9am to 5pm: CBU Name Email Tele. No.

North Yorkshire & Craven

Kath Cullerton (Coroners)

[email protected] or [email protected]

01824 58 4029

Jessica Evans (Police)

[email protected]

01904 66 6002

Hull & East Riding

Julie Button

[email protected] 01482

670 808 Sarah Atkinson


66 6110

Bradford Calderdale & Kirklees and Leeds Wakefield

Kath Cullerton (Coroners)

[email protected] or [email protected]

09124 58 4029

Jessica Evans (Police)


58 4038

South Yorkshire

Carole Pearson


58 4288 Sue Bingham

[email protected]

01924 58 4287

Subject Access Requests

Hayley Forsyth (for all of YAS)

[email protected]

01924 58 4032

Kath Cullerton is the YAS contact for all Coroners and responsible for the collation of all Coroner’s requests into YAS. For requests that must have the information released urgently, i.e. the information must be provided outside of the above hours, please refer the requestor to the following team: Contact Email Tele. No.

Team Leaders [email protected] 01924

58 4977


Page 21 of 57

14.11 Retrieving Paper Patient Report Forms - Requests for Information by Internal YAS Staff Please refer to Appendix D4 for the process flow for retrieving paper patient report forms. Should staff be approached to provide copies of records, divulge information verbally or confirm specific details of records to internal YAS staff, this is acceptable providing the member of staff being approached is confident that the member of staff requesting the information is actually a member of YAS staff. Should the staff member be in any doubt, it is acceptable to ask for the request to be emailed in order to verify the requesting staff member’s identity more fully. If there is a problem following the email request then staff should discuss the request with their line manager before disclosing any information. For full details on the procedures for handling requests for information by external third parties and/or internal YAS staff, please refer to the “Procedure for Handling Disclosure Requests” available on the YAS intranet: http://intranet.yas.nhs.uk/departmentsandservices/Pages/CorporateAffairs/CorpAffairsLibrary.aspx


Page 22 of 57

15. Disposing of Records

Disposal is defined as the point in the records lifecycle when it is either transferred to an archive, or securely destroyed. It is particularly important under the Freedom of Information legislation that the disposal of records, is undertaken in accordance with this policy, which has been formally adopted by the organisation and which is enforced by authorised staff. No records should be destroyed until the retention period for that particular record type has expired. The specific YAS retention periods for the most frequently used record types are listed in the table in Appendix C2. 15.1 How to Arrange Secure Destruction of Records Please refer to the process flow in Appendix E1 for a step by step guide to disposing of records and use the form “Authorisation for the Destruction of YAS Records” which can be found in Appendix E2. All records that have been retained for the correct period, in accordance with details in the table in Appendix C2, and are now deemed ready for secure destruction should be documented onto the form “Authorisation for the Destruction of YAS Records”. A copy of this form can be found in Appendix E2. Once all the details are of the records that need destroying have been listed, the relevant Director / Assistant Director must authorise the destruction. At no point should any member of staff request destruction of any records without the signed permission of a Director / Assistant Director. In order to help safeguard against the unauthorised destruction of records the organisation’s external supplier, responsible for the storage and secure destruction of paper records, has a list of authorised users that can make such requests. There are a few of those authorised users that have authority to request secure destructions of records. For details of the authorised users in each department and their levels of permissions, please go to the YAS intranet in the Records Management section, under Tools and Resources: http://intranet.yas.nhs.uk/toolsandresources/Pages/RecordsManagement/default.aspx The form in Appendix E2 should also be used for documenting records that are expired, or no longer required but do not need destroying using secure methods. The relevant Director / Assistant Director must still authorise their destruction but the external supplier will not need to be contacted to carry out the destruction. The records can then be disposed of responsibly and where possible, as environmentally friendly as possible. Use this same form for electronic records that require destruction/deletion and contact the ICT department for details of how to ensure that all copies/instances of the records are deleted from any temporary cache or mirrored databases/systems. The form listing the records that were destroyed, can then be retained indefinitely in accordance with the retention period described in the table in Appendix C2.


Page 23 of 57

15.2 Records with Archival Value Records of the NHS and its predecessor bodies are subject to the Public Records Act 1958, which imposes a statutory duty of care directly upon all individuals who have direct responsibility for any such records. If the records have no ongoing administrative value but have or may have long-term historical or research value, or they have some administrative value but are more appropriately held as archives. Records with such value must be transferred to the organisation’s approved Place of Deposit. Where the organisation has no existing relationship with a Place of Deposit, The National Archives should be contacted in the first instance. Where an organisation is unsure whether records may have archival value, The National Archives or the Place of Deposit with which the organisation has an existing working relationship should be consulted. Contact National Advisory Services at TNA ([email protected] , 020 8392 5330 x2620). National Advisory Services are also be happy to advise on any other queries regarding the working of the Public Records Act in respect of NHS records. A list of all the current appointed Places of Deposit is available on The National Archives website (see below) http://www.nationalarchives.gov.uk/archives/deposit.htm *The table does not contain all record types, only those records that are used or referred to most frequently in the organisation have been extracted for guidance. If information is required regarding another type of record, not listed in the table, please refer to the code of practice that can be found on the DOH website: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747


Page 24 of 57

16. Appendix A1 – Complete List of Information Asset Owners (IAOs)

ICT Director – Senior Information Risk Owner

Information Asset Owners: A&R Head of Service Delivery Assistant Clinical Director Assistant Director ICT Assistant Director of Financial Services Assistant Director of Human Resources Assistant Director of PTS Communications Assistant Director Operations - North Yorks Corporate Communications Manager Executive Officer Head of Corporate Affairs Head of Resource Planning Management Information Manager Named Professional for Safeguarding Vulnerable Groups Patient Services Manager


Page 25 of 57

17. Appendix A2 – List of YAS Authorised Users who Manage the Boxes in Store with Squirrel

The following list of users are checked and approved annually by all IAOs and a report submitted to the Information Governance Group. (S) = Supervisor access rights – these users can add/delete new users to this list/system. Please refer to Appendix A3 for the procedures on how to manage the Squirrel authorised users.

Name Location Alison Helme Fairfields - A&E Ops Angela Brown Northallerton Ambulance Station – Corporate Affairs Anne-Marie Haigh Wakefield HQ - SH1 & 2 - Office Services Beverley Whittleson Rotherham Carol Hill Wakefield HQ - SH1 & 2 - Office Services Carole Taylor (S) Rotherham - Clinical Audit Claire Walker Wakefield - Fleet David Blain (S) Wakefield HQ - SH2 Denise Boulton Elmbank - Training Edward Maaye Redworth House - Payroll Eleri Russell Phoenix House (NHSP) - Wakefield Hayley Forsyth HQ, Corporate Affairs Helen Coleson Fairfields - A&E Ops Helen Goff Burn Hall - Training Ian Lomas Leeds Amb Stn - PTS James Bolton Wakefield HQ - SH1 & 2 - Office Services Jane Webster Halifax Ambulance Station Janet Smith Gildersome Ambulance Station - Supplies Janine Waters Wakefield HQ - SH2 Jean Brennan (S) Brighouse Ambulance Station - Corporate Affairs Jeanne Mitchell Wakefield HQ - SH1 & 2 - Office Services Jenny Haley Wakefield Ambulance Station Jo Clarke Wakefield HQ - SH2 - Access & Response Julie Barber Wakefield HQ - SH1 - Patient Services Julie Button Willerby Ambulance Station Julie Milburn Burn Hall - Clinical Audit Karen Cooper (S) Wakefield HQ - SH1 - Patient Services Karen Mitchell Wakefield HQ - SH2 - Access & Response Kath Cullerton HQ, Corporate Affairs Katrina Hepworth Gildersome Ambulance Station - Supplies Kay Barrs Rotherham - Clinical Audit Kerri Cooper Wakefield HQ - SH1 & 2 - Office Services Kerrie Potter (S) Wakefield HQ - SH1 - Finance Kerry Shore Wakefield HQ - SH2 - Access & Response Kevin Learoyd Redworth House - Payroll Lael Hird Wakefield HQ - SH1 & 2 - Office Services


Page 26 of 57

Larissa Porter Wakefield - Fleet Leesa Charlesworth Elmbank - Training Lilian Long Doncaster - Training Linsey Gerrity Gildersome Ambulance Station - Supplies Lisa Selwood Rotherham Louise Pender HQ - SH2 - Corporate Affairs Michelle Cutsforth Fairfields - A&E Ops Maggie Harris HQ - SH1 - Patient Services Marion Gilheaney Phoenix House (NHSP) - Wakefield Martin Johnson HQ - SH2 Matthew Norton Burn Hall - Clinical Audit Mick Kirton Bradford Ambulance Station Naomi Sword (S) Phoenix House (NHSP) - Wakefield Pauline Clegg HQ - SH1 - PTS Comms Rachael Cassar Leeds Ambulance Station - PTS Rachael Martin Bradford Ambulance Station Rachel Dunn Burn Hall - Clinical Audit Rita Kay Wakefield HQ - SH1 & 2 - Office Services Rosamond Lawton Huddersfield Ambulance Station Ruth Wilkinson (S) Wakefield HQ - SH2 - Access & Response Sarah Atkinson Beverley Ambulance Station Sharon Carson Burn Hall - Clinical Audit Steve Parsons Wakefield HQ - SH1 - Finance Sue Walton Elmbank - Training Stephen Williams Barnsley Ambulance Station Susanna Vatta Wakefield - Fleet Tiffany Bentley Phoenix House (NHSP) - Wakefield Vicky Audsley Wakefield - Fleet


Page 27 of 57

18. Appendix A3 – How to Manage the Squirrel Authorised Users

Only users with the Supervisor access rights have the functionality to manage the other users who access the Squirrel online system called Filetrak. To add a new user please follow the steps below:

Double check that they are not on the system already as a user Remember to add each user onto all 4 databases Ensure that the W3 database has different permissions to the other 3

databases (to allow for adding new boxes into W3, which is not allowed in the other databases)

Add each new users’ email address onto the existing email distribution list Update the spreadsheet of authorised users as that’s the only complete

record of all users held by YAS that contains what access permissions each user has

Email the online team to replace the current copy of the spreadsheet, on the intranet with the latest copy, it’s currently on the Records Management page at: http://intranet.yas.nhs.uk/workingatyas/Pages/Information_Governance/Records_Management.aspx Or go to Working at YAS / Information Governance / Records Management

Send email [1] to the new user which details their username, some instructions and the user guide

Send the email [2] which contains their default password (this email asks them to change the default password to something only they know, when they login for the first time).

Records Management Policy_v3.2 draft

Page 28 of 57

19. Appendix B1 – Process Flow Detailing the Step by Step Guide to Creating Clinical Records


Page 29 of 57

20. Appendix B2 – Process Flow Detailing the Step by Step Guide to Creating Corporate Records IC

TY

AS

Sta

ff

Is therecord

to be elec orpaper?

Performs regular backups of the

databases/systems

FINISH

START

Requires information to be

retained and record(s) to be

created

Elec

Paper

Determines the correct version control to be

applied

Determines the correct version control to be

applied

For guidance on how to version control a file/document please refer to section 11.1

Creates the record in accordance with

departmental procedures

Determines the appropriate format in which to create

the record

Creates the record in accordance with

departmental procedures

Saves record in appropriate

shared folder

Saves the record in the appropriate

filing cabinet/location

For guidance on how to version control a file/document please refer to section 11.1

Retains records in line with retention periods in Records

Management Policy

Archives closed records in

accordance with existing process

Retains records in line with retention

periods in Records Management

Policy


Page 30 of 57

21. Appendix C1 – Process Flow for Retaining Records

START

Determines appropriate retention period in accordance with

Records Management policy

Carries out monthly checks for records that

can be destroyed and / or archived

Creates record in accordance with existing process

Destroy?

Archive?

Follows existing destruction

processYes

No

Yes

No

Maintains the record to ensure availability,

accessibility and version control

Follows existing archiving process


Page 31 of 57

22. Appendix C2 – Table Detailing the Retention Periods for each Record Type

The retention periods listed in the column “YAS Retention Period” in the following table are the retention periods that staff should refer to and adhere to at all times, the DOH guidance column for is for additional information and reference only. The table below has been taken directly from the DOH document “Records Management: NHS Code of Practice Part 2” (2nd edition dated Jan 2009). The table does not contain all record types, only those records that are used or referred to most frequently in the organisation have been extracted for guidance. If information is required regarding another type of record not listed in the table, please refer to the code of practice that can be found on the DOH website: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747 The main source of patient identifiable records, produced by the organisation, are the paper based patient report forms completed by ambulance crews. Due to the operational constraints regarding the collation, retention, archiving and subsequent retrieval of those paper patient report forms, the organisation cannot segregate records pertaining to different patient types. Therefore, all the organisation’s paper patient report forms fall under the record type “ambulance records” and from February 2010 onwards, are scanned into electronic format, verified and the paper copies securely shredded after one month.


Page 32 of 57

Record Type (in alphabetical order) Example(s)

YAS Retention Period (from the date of creation unless otherwise stated)

DOH Guidance / Notes

Clinical Records / Operations:

Ambulance records (patient identifiable component)

Main A3 Patient Report Form Computer Aided Dispatch Record

10 years

10 years - where a patient is transferred to the care of another NHS organisation all relevant clinical information must be transferred to the patients’ health record held at that organisation. Staff must always pass the yellow (bottom) copy of the patient form(s) to the hospital.

Audio tapes of calls requesting care A&R calls

3 years and/or 10 years - see notes in the DOH guidance column.

Retain taped calls for 3 years providing all relevant clinical information has been transferred to the appropriate patient record. Where the information is NOT transferred into a health record, the tapes should be retained for 10 years.

Audit Trails of electronic health records ePRF audit trail Indefinitely. NHS organisations are advised to retain all audit trails until further notice.

Children and young people (all types of records relating to children and young people)

See ‘Ambulance records’ and refer to page 20.

Clinical audit records

Clinical Performance Indicators reports.

5 years


Page 33 of 57




Controlled drug documentation Drug books

Requisitions – 2 years. Registers and CDRBs – 2 years from last entry.

Please refer to Department of Health http://www.dh.gov.uk/en/index.htm and Royal Pharmaceutical Society of Great Britain http://www.rpsgb.org.uk/ websites for up-to-date information.

Destruction records of individual health records, case notes and other health-related records - paper and/or elec format. (refer to ‘destruction of records (other than health records)’ for corporate record destructions)

Indefinitely.

Electrocardiogram (ECG) records ECG strips 7 years

Each chart should be labelled with the patient’s name and unique identifier (the incident date and number). Any over-sized charts can be stored separately where a report is written into the health records (this must be noted on the main A3 PRF).

Homicide / Serious Untoward Incident records

30 years

Litigation - records/documents related to any litigation

Dependant on the case – see notes in the DOH guidance column

As advised by the organisation’s legal advisor. All records to be reviewed. Normal review period is 10 years after the file is closed.


Page 34 of 57




Occupational health records (staff)

3 years after termination of employment, unless litigation ensues

Occupationally Related Diseases (e.g. asbestosis, pneumoconiosis, byssinosos)

10 years after date of last entry in the record

(general) Operating Policies and Procedures

3 years retain the current version and previous version for 3 years

From CQC outcome 21 (not the DOH)

Paediatric records See ‘Ambulance records’

Scanned records (relating to patient care)

Electronic scanned copy of a patient report form (originally on paper)

10 years

Risk Assessments Retain the latest risk assessment until a new one replaces it

Voice recordings, video records relating to patient care, videoconferencing records related to patient care, DVD records related to patient care (includes Telemedicine records, Out of hours records, GP cover and NHS Direct records).

8 years

Vulnerable Adults See ‘Ambulance records’


Page 35 of 57




Corporate Records (administrative and organisational): Accident forms Prism 10 years Accident register (reporting of injuries, diseases and dangerous occurrences register)

Prism 10 years

Agendas of board meetings, committees, sub-committees (master copies including associated papers)

30 years

Agendas (other) 2 years


Page 36 of 57




Agreements / Contracts Financial contracts:

Approval filesApproved suppliers lists

Non-sealed (property) contracts on termination Non-sealed (other) contracts on termination Sealed contracts (and associated records) Maintenance contracts (routine) Contractual arrangements with hospitals or other bodies outside the NHS, including papers relating to financial settlements made under the contract (e.g. waiting list initiative, private finance initiative)

15 years 11 years 6 years after termination of contract 6 years after termination of contract 15 years (min) 6 years from end of contract 6 years after end of financial year to which they relate

Retain for a minimum of 15 years, after which they should be reviewed.

Ambulance Records – Administrative (records containing non-clinical details only, eg records of journeys)

PTS journey sheets

2 years from the end of the year to which they relate

Annual / corporate reports 3 years Assembly / Parliamentary questions, MP enquiries

10 years


Page 37 of 57




Audit Records, Internal & External in any format paper, electronic etc

Organisational Audits, Records Audits, Systems Audits

2 years from the date of completion of the audit

Business plans, including local delivery plans

20 years

Catering forms 6 years

Close circuit TV images 31 days and erase permanently

Commissioning decisions, appeal documentation, decision documentation

6 years from date of appeal and/or decision

Complaints (see also litigation & litigation dossiers) Correspondence, investigation and outcomes Returns made to DH

8 years from completion of action Files closed annually and kept for 6 years following closure

Current policy on the handling of complaints is under review by the DOH and further guidance will be issued in due course.

Computer programmes written in-house, related documentation

Lifetime of software

Contracts See ‘Agreements / Contracts’

Copyright declaration forms (Library Service)

6 years

Data Input Forms where the data/information has been input to a computer system

Address notifications from local Councils

2 years


Page 38 of 57




Destruction of records (other than health records), records documenting the archiving, transfer to public records archive. (refer to ‘destruction records of individual health-related records’ for health record destructions)

30 years

Diaries (office)

1 year after the end of the calendar year to which they refer

Flexi working hours (personal record of hours actually worked)

6 months

Freedom of Information requests

3 years after full disclosure 10 years if information is redacted or not disclosed

Health and safety documentation Prism 3 years History of the organisation or predecessors, its organisation and procedures

Establishment order

30 years

Incident forms Prism 10 years Indices (records management) registry lists of public records marked for permanent preservation, or containing the record of management of public records. File lists and document lists where public records or their management are not covered.

30 years


Page 39 of 57




Laundry lists and receipts 2 years from completion of audit

Litigation dossiers (complaints including accident/incident reports) Records/documents relating to any form of litigation

Coroners’ requests

10 years Where a legal action has commenced, keep as advised by legal representatives

Manuals – policy and procedure (administrative and clinical, strategy documents)

10 years after life of the system (or superseded) to which the policies or procedures refer

Policy documents may have archival value.

Meetings and minutes papers of major committees and sub-committees (master copies) - 30 years

30 years

Meetings and minutes papers (other, including reference copies of major committees)

2 years

Papers of minor or short-lived importance not covered elsewhere, eg advertising matter, covering letters, reminders, letters making appointments, anonymous or unintelligible letters, drafts, duplicates of documents known to be preserved elsewhere (unless they have important minutes on them) indices and registers compiled for temporary purposes, routine reports, punched cards, other documents that have ceased to be of value on settlement of the matter involved.

2 years after the settlement of the matter to which they relate


Page 40 of 57




Patient Advice & Liaison Service (PALS) records

10 years after closure of the case

Patient information leaflets 6 years after the leaflet has been superseded

Patient Surveys re access to services etc 2 years Police Statements (made in the context of Accident and Emergency episodes. Statements are requested by the Police to the A&E staff in relation to alleged injuries of, or by, patients coming through A&E)

10 years (congruent retention period as Incident Forms)

Press cuttings 1 year Where bound volumes exist, these may have archival value.

Press releases 7 years Project files (including abandoned or deferred projects):

Over £100,000 on terminationLess than £100,000 on termination

Project team files (summary retained)

6 years 2 years 3 years

Public Consultations eg about future provision of services

5 years

Quality control records:

External

Internal (relating to products)

2 years 10 years


Page 41 of 57




Quality assurance records eg Healthcare Commission, Audit Commission, King’s Fund Organisational Audit, Investors in People

12 years

Receipts for registered and recorded mail

2 years following the end of the financial year to which they relate

Reports (major) 30 years Requests for access to records (other than Freedom of Information or subject access requests)

6 years after last action

Requisitions 18 months Serious incident files 30 years Software licences Lifetime of software Specifications eg equipment, services 6 years Statistics including Korner returns, contract minimum data set, statistical returns to DOH, patient activity

3 years from date of submission

Subject access requests (DPA and AHR) records of requests

3 years after last action

Time sheets (relating to a Group or Department where the timesheets are kept as a tool to manage resources/staffing levels)

6 months

Estates / Procurement / Supplies records:

Approval files (contracts and purchase orders)

6 years after end of the year the contract expired


Page 42 of 57




Approved suppliers lists 11 years Buildings, papers relating to occupation of the building (but not health and safety information)

3 years after occupation ceases

Deeds of title

While the organisation has ownership of the building – see notes in the DOH guidance column

Retain while the organisation has ownership of the building unless a Land Registry certificate has been issued, in which case the deeds should be placed in an archive. If there is no Land Registry certificate, the deeds should pass on with the sale of the building.

Delivery notes

2 years after end of financial year to which they relate

Drawings, plans and buildings (architect signed, not copies)

Lifetime of the building to which they relate

Engineering works, plans and building records

Lifetime of the building to which they relate

Equipment records of non-fixed equipment, including specification, test records, maintenance records and logs

11 years

If the records relate to vehicles (ambulances, responder cars, fleet vehicles etc) and where the vehicle no longer exists, providing there is a record that it was scrapped, the records can be destroyed.

Inspection reports eg boilers, lifts Lifetime of installation

If there is any measurable risk of a liability in respect of installations beyond their operational lives, the records should be retained indefinitely.


Page 43 of 57




Inventories of furniture, medical and surgical equipment not held on store charge and with a minimum life of 5 years Inventories of plant and permanent or fixed equipment

Keep until next inventory 5 years after date of inventory

Leases, the grant of leases, licences and other rights over property

Period of the lease plus 12 years

Photographs of buildings 30 years Plans, building (as built) Lifetime of building May have historical value. Purchase Orders – see ‘Approval Files’ above

Stock control reports - 18 months Stores records:

Major (eg stores ledgers)

Minor eg requisitions, issue notes, transfer vouchers, goods received books

6 years 18 months

Structure plans, organisational charts i.e. the structure of the building plans

Lifetime of building

Supplies records eg invitations to tender and inadmissible tenders, routine papers relating to catering and demands for furniture, equipment, stationery and other supplies

18 months

Surveys, building and engineering works Lifetime of building or installation


Page 44 of 57




Tenders / Purchase Orders / Quotations:

Successful

Unsuccessful

Tender period plus 6 year limitation period 6 years

Financial / Accounting records: Accounts, annual (final, one set only) 30 years Accounts, minor records; pass books, paying-in slips, cheque counterfoils, cancelled/discharged cheques, accounts of petty cash expenditure, travel and subsistence accounts, minor vouchers, duplicate receipt books, income records, laundry lists and receipts

2 years from completion of audit

Accounts, working papers 3 years from completion of audit

Advice notes, payment 18 months Audit reports, internal and external including management letters, value for money reports and system/final accounts memoranda

2 years after formal completion by statutory auditor

Bank statements 2 years from completion of audit

Banks Automated Clearing System (BACS) records

6 years after year end

Bills, receipts and cleared cheques 6 years


Page 45 of 57




Budgets including working papers, reports, virements and journals

2 years from completion of audit

Cash sheets


Estimates, including supporting calculations and statistics


Expense claims, including travel and subsistence claims, and claims and authorisations


Fraud case files/investigations 6 years Fraud national proactive exercises 3 years

Invoices, capital paid invoices, cash books


PAYE records 6 years after termination of employment

Payments 6 years after year end

Payroll list of staff in the pay of the organisation

6 years after termination of employment

Destroy under confidential conditions. For superannuation purposes, organisations may wish to retain such records until the subject reaches benefit age.


Page 46 of 57




Receipts


Salaries See ‘Wages / salaries’ Superannuation accounts and registers 10 years Tax forms 6 years

Transport (staff pool car documentation) 3 years unless litigation ensues

VAT records


Wages / salaries 10 years after termination of employment

Human Resources / Personnel records: CVs for non-executive directors:

Successful applicants

Unsuccessful applicants

5 years following term of office 2 years

Industrial relations, not routine staff matters, including industrial tribunals

10 years

Job advertisements - 1 year 1 year


Page 47 of 57




Job applications:

Successful

Unsuccessful

3 years following termination of employment 1 year

Job descriptions 3 years

Leavers’ dossiers

6 years after individual has left Summary to be retained until individual’s 70th birthday (or until 6 years after cessation of employment if aged over 70 years at the time) – see notes in the DOH guidance column.

The summary should contain everything except attendance books, annual leave records, duty rosters, clock cards, timesheets, study leave applications, training Plans. The 6 year retention period is to take into account any ET claims, or EL claims that may arise after the employee leaves NHS employment, requests for information from the NHS pensions agency etc. Claims of this nature can include periods of up to 6 years or more, prior to the claim and where evidence could be needed from a number of sources, it is appropriate to retain as much as possible from the original file.


Page 48 of 57




Letters of appointment

6 years after employment has terminated or until 70th birthday, whichever is later.

Pension Forms (all) 7 years

Personnel / human resources records, major, eg personal files, letters of appointment, contracts, references and related correspondence, registration authority forms, training records, equal opportunity monitoring forms (if retained))

6 years after individual has left Summary to be retained until individual’s 70th birthday (or until 6 years after cessation of employment if aged over 70 years at the time) – see notes in the DOH guidance column

The summary should contain everything except attendance books, annual leave records, duty rosters, clock cards, timesheets, study leave applications, training Plans. The 6 year retention period is to take into account any ET claims, or EL claims that may arise after the employee leaves NHS employment, requests for information from the NHS pensions agency etc. Claims of this nature can include periods of up to 6 years or more, prior to the claim and where evidence could be needed from a number of sources, it is appropriate to retain as much as possible from the original file.


Page 49 of 57




Personnel / human resources, minor, eg attendance books, annual leave records, duty rosters i.e. duty rosters held on the individual’s record not the organisation or departmental rosters, clock cards, timesheets (relating to individual staff members)

2 years after the year to which they relate

Staff car parking permits 3 years Study leave applications 5 years

Timesheets (for individual members of staff)

2 years after the year to which they relate

Training plans 2 years


Page 50 of 57

23. Appendix D1 – Process Flow for Tracking Records Y

AS

Sta

ffF

INIS

H


Page 51 of 57

24. Appendix D2 - Process Flow for Retrieving Archived Paper Records in Storage Y

AS

Sta

ffF

INIS

H


Page 52 of 57

25. Appendix D3 – Process Flow for Tracking Paper Patient Report Forms


Page 53 of 57

26. Appendix D4 - Process Flow for Retrieving Paper Patient Report Forms


Page 54 of 57

27. Appendix E1 - Process Flow for a Step by Step Guide to Disposing of Records

START

Link is:http://intranet.yas.nhs.uk/toolsandresources/Pages/RecordsManagement/default.aspx Checks intranet for

latest copy of Records Management Policy

Logs onto on-line system to extract

catalogue details of boxes to be destroyed

Have theCorrect

retention periodsbeen adhered

to?

Records are due for destruction

Yes

Request authorisation from appropriate

Director / Assistant Director

Not Sure

Completes “Authorisation for

Destruction of YAS Records” form using

catalogue details

No

No

Yes

Records OK to destroy?

Yes

Retains for longer period in accordance

with Records Management Policy

Notifies requestor that secure destruction is

completed successfully

Follows existing destruction

process

Signs authorisation form

Passes unsigned form back and specifies corrective action

Records listedare OK todestroy?

Logs onto on-line system to request

destruction of relevant boxes

Takes appropriate corrective action

Notes details and files form and

certificate


Page 55 of 57

28. Appendix E2 - Copy of the Form to Request Authorisation to Dispose of Records

Authorisation for Destruction of YAS Records

Use this form to obtain Director / Assistant Director level authorisation to securely destroy Yorkshire Ambulance Service NHS Trust’s records. This form can be used for records that:

Are of a confidential nature and require secure destruction Contain person identifiable data and require secure destruction Have expired and been retained for the correct period for the type of record involved (please refer to the Records Management

Policy for details of how long to retain each different type of record) and can now be securely destroyed and require secure destruction

Are no longer required and do not need to be destroyed using secure destruction methods Are not confidential, do not contain PII and/or do not need to be destroyed using secure destruction methods.

Secure Destruction Required? Yes or No

(please indicate accordingly) Once authorisation from the relevant Director has been obtained, for records containing sensitive, personal or person identifiable data the actual destruction of the records should be carried out securely and by the designated external company that YAS use to destroy records. Please refer to the YAS intranet for details of the supplier and how to contact them to arrange collection and secure destruction. If secure destruction is not required please dispose of the records responsibly and where possible, as environmentally friendly as possible.

Ref Number Description of Records Dates

(from & to)

Reason for Destruction (Expired / NLR / Other, please state)

Records Held by Storage Company

(Y / N?)


Page 56 of 57

YAS member of staff requesting the destruction: Authorising YAS Director or Assistant Director: Print Name: Print Name: ________________________________ _______________________________ Signed: Signed: ________________________________ _______________________________ Department Name: Department Name: ________________________________ ________________________________ Date: Date: _______________ _______________


Page 57 of 57

29. References

Document Title Version / Date DOH Records Management: NHS Code of Practice Part 1 / March 2006 DOH Records Management: NHS Code of Practice Part 2 / January 2009 / 2nd Edition CFH Information Governance Toolkit Version 8.0 BSI Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically

BIP 0008: 2004

Care Quality Commission 2010/11

Documents

Records Management Policy v4.0 FINAL · Records Management Policy Document Reference RECORDS MANAGEMENT POLICY Version 4.0 FINAL Purpose To outline the …