Corporate Records Management Policy

Transcription

1 Corporate Records Management Policy Reference No: Version: 3 Ratified by: P_IG_20 LCHS Trust Board Date ratified: 13 th March 2018 Name of originator/author: Name of approving committee/responsible individual: Date issued: March 2018 Review date: January 2020 Target audience: Distributed via: Kaz Scott. Information Governance Lead / DPO Information Governance Management Assurance Group All staff and third party contractors employed by LCHS Website 1

2 Lincolnshire Community Health Services NHS Trust Corporate Records Management Policy Version Control Sheet Version Section/Para/ Appendix Version/Description of Amendments Date Author/ Amended by 1 New Policy to reflect organisational change. Appendix 3 List of Assets Apr 13 Oct 13 Kaz Scott Kaz Scott month extension agreed Apr 15 IGSC 2 Full Review. Updated information and asset list. 3 Full Review. Updated branding, information and EIA Dec 15 Jan 18 Kaz Scott Kaz Scott Copyright 2018 Lincolnshire Community Health Services NHS Trust, All Rights Reserved. Not to be reproduced in whole or in part without the permission of the copyright owner. 2

3 Lincolnshire Community Health Services NHS Trust Corporate Records Management Policy i) Version Control Sheet ii) Policy Statement Contents Introduction 5 - Scope and Definitions 5 - Objectives 6 - Duties and Responsibilities Training 7 - Records Management 8 - Management of Electronic Records 9 - Creating a Document or File 9 - Naming Folders, Files and Documents Version Numbers 10 - Structuring Folders and Files 10 - Where to Save Documents 11 Management of Paper Records 11 - Creating a paper document 11 - Filing Paper Documents 12 - Storage of Paper Records 12 - Disposal of Documents 12 - Retention of Records 12 - Retention Schedules s 13 - Freedom of Information 13 Retention, Archiving and Disposal Procedure 13 - Confidentiality and Security of Records 13 - Identification of Records for Permanent Preservation 14 Access to Records 14 Sharing Records 14 Sending Corporate Records by Post 14 Process for Manager s Staff Folders 15 Records Audit 15 Corporate Assets 15 NHSLA Monitoring 15 Appendix 1 Archive Year (Corporate Records) 16 Appendix 2 Equality Analysis 17 Appendix 3 Information Assets

4 Lincolnshire Community Health Services NHS Trust Corporate Records Management Policy Policy Statement Background The purpose of this policy is to guide staff towards a systematic, consistent and planned approach to the management of non-clinical records and will outline the specific requirements for management of paper and electronic records, although there will be similarities between these media A record is any recorded information created or received in the course of the Trust s business and which needs to be retained in order to provide evidence of business activity, transaction or decision-making. This policy conforms to current legislation and other Trust associated policies: Computer Use Policy Disciplinary Policy and Investigation Process Information Asset Policy Information Security Policy Freedom of Information and EIR Policy Policy and Procedure Data Protection and Confidentiality Policy Scanning Documents Policy Incident Reporting Policy Relevant Legislation: Computer Misuse Act (1990) Data Protection Act (1998) Freedom of Information Act (2000) Human Rights Act (1998) Equality Act (2010) Records Management Code of Practice for Health and Social Care (2016) Statement Responsibilities Training Dissemination Resource implication The Trust will use all appropriate and necessary means to ensure that it complies with the Data Protection Act All staff have responsibility for managing records they create or use, which are public records and may be disclosed under legal or professional obligations. Records belong to the Trust and not the individual who created them. Training will be facilitated via Trust induction and mandatory annual training updates for all staff. The policy will be published on the Trust s website. None. 4

5 Introduction Corporate Records Management is the process by which an organisation manages all aspects of corporate records whether internally or externally generated and in any format or media type, from their creation to their eventual disposal. The Records Management: Code of Practice for Health and Social Care 2016 has been published by the Information Governance Alliance (IGA) for the Department of Health (DH). This Code is relevant to organisations who work within, or under contract to NHS organisations in England. This also includes public health functions in Local Authorities and Adult Social Care where there is joint care provided within the NHS. Records are its corporate memory, providing evidence of actions and decisions and representing a vital asset to support daily functions and operations. Records support policy formation and managerial decision-making, protect the interests of the organisation and the rights of patients, staff and members of the public. They support consistency, continuity, efficiency and productivity and help deliver services in consistent and equitable ways. The Trust has adopted this corporate records management policy and is committed to ongoing improvement of its records management functions as it believes that it will gain a number of organisational benefits from doing so. The Trust requires corporate records to: Support patient care and continuity of care; Support improvements in clinical effectiveness through research; Assist record audits; Protect the interests of the Trust and the rights of patients and employees by providing evidence of patient care given All records created and maintained by the Trust are Public Records under the Public Records Act 1958 and 1967 and the Trust must ensure that Records Management policies and procedures are in accordance with the following statutory and NHS guidelines. Data Protection Act 1998 Freedom of Information Act 2000 NHS Code of Confidentiality NMC Guidelines for Records & Record Keeping 2009 NHSLA Risk Management Standards for NHS Trusts Data Security and Protection Toolkit Scope and Definitions In the context of this policy, a corporate record is anything which contains information, electronic or paper based in any media - which has been created or gathered as a result of the work of NHS employees, including: Microfiche or electronically digitalised records Audio and videotapes, cassettes, photographs Digital Records Computerised Records s Records of private service users seen on NHS premises This policy applies to all staff employed within the Trust (including those on temporary contracts, students or Bank/Agency staff) who are involved in handling, contributing to or creating corporate records, making them aware of their responsibilities to meet the requirements and standards relating to the records. 5

6 Objectives Accountability adequate records are maintained to account fully and transparently for all actions and decisions, in particular: To protect legal and other rights of staff or those affected by those actions To facilitate audit or examination To provide credible authoritative evidence Quality that records are complete and accurate and the information they contain is reliable and its authenticity can be guaranteed - through yearly audit. Accessibility that records and the information within them can be efficiently retrieved by those with a legitimate right of access, for as long as the records are held by the Trust through yearly audit. Security that records will be secure from unauthorised or inadvertent alteration or erasure, that access and disclosure will be properly controlled and audit trails will track all use and changes. Records will be held in a robust format which remains readable for as long as records are required. Retention and disposal monitor and review the Trust s Corporate Records Management Policy. Duties and Responsibilities The Trust is subject to a number of legal, statutory and good practice guidance requirements covering corporate records. All staff members, volunteers and persons acting on behalf of the Trust Under the Public Record Act all NHS employees have a degree of responsibility for any records that they create or use. Thus any records created by an employee of the NHS are public records and may be subject to both legal and professional obligations. Staff must attend relevant training on records management. Staff must refer any concerns and incidents to their manager. This responsibility will be set out in all job descriptions. Senior Managers/Heads of Services Managers are responsible for ensuring that policies and procedures in relation to records management are followed and any problems reported immediately. Managers are responsible for ensuring, that where required, local guidelines are developed that compliment organisation-wide policies and procedures. Managers are responsible for carrying out risk assessments for all aspects of records management and bringing risk issues to the attention of Quality Governance. Managers are responsible for taking actions to minimise any risk issues affecting their departments. Training and induction updates. Managers are responsible for encouraging staff in the good records management practice, identification and reporting of hazards and risks. 6

7 Chief Executive is responsible for the quality of records management within the Trust to ensure compliance of the Data Protection Act 1998 and responsible for managing and monitoring the risks associated with the quality of health records. Caldicott Guardian The Caldicott Guardian is responsible for approving and ensuring that national and local guidelines and protocols on the handling and management of personal data (PCD) are in place. It is also their responsibility for representing and championing Information Governance and have a fundamental role around ity; justifying and testing that the Trust and partner organisations satisfy the highest practical standards for handling PCD, ensuring it is shared only for justified purposes, and that only the minimum information is shared. Senior Information Risk Owner (SIRO) The SIRO and nominated deputies are responsible within their Business Units/ Directorates for approving and ensuring that national and local guidelines and protocols on the handling and management of information are in place. This will include the need to review all information flows and the use of commercial sensitive data. The SIRO is responsible to the Board for ensuring that all Information risks are recorded and mitigated where applicable. The SIRO is responsible for ensuring that all record management issues (including electronic media) are managed in accordance with this policy. Training Staff induction programmes will include Records Management training. Directorate SIRO s should ensure specific training is given to all staff and have access to appropriate Information Governance E-Learning. A Training Needs Analysis (TNA) with staff will identify any additional training required for particular staff roles e.g. Records Management. Data Security Awareness Level 1 and 2 are available on the E-lfh Website: All managers and staff responsible for corporate records can receive training through the Information Governance Lead in relation to storage or retention. Individual training needs can also be highlighted within the Trust Individual Performance Review process. As the volume and complexity of corporate information increases, the Trust demands the highest standards of probity in the way it is gathered, recorded, stored and transmitted. In implementing this policy, the Trust will put in place training and guidance on legal and ethical responsibilities for all NHS staff involved with the creation, maintenance and ongoing management of records. In addition to complying with legislation, this training will follow the HORUS principles: Holding information securely and ly; Obtaining information fairly and efficiently; Recording information accurately and reliably; Using information effectively and ethically; Sharing information appropriately and lawfully Only nationally recognised training material which is referenced to appropriate publications should be used. An audit will be undertaken at least annually to ensure training has been effective. This will be linked to the staff ESR Training Record and reports will be available through the Qlikview Dashboard. 7

8 Records Management is a discipline which utilises an administrative system to direct and control the creation, version control, distribution, filing, retention, storage and disposal of records, in a way that is administratively and legally sound, whilst at the same time serving the operational needs of the Trust and preserving an appropriate historical record. The key components of records management are: Record keeping Record maintenance (including tracking of record movements) Access and disclosure Closure and transfer Appraisal Retention Archiving Disposal The term Records Life Cycle describes the life of a record from its creation/receipt through the period of its active use, then into a period of inactive retention (such as closed files which may still be referred to occasionally) and finally either disposal or archival preservation. Records are defined as recorded information, in any form, created or received and maintained by the Trust in the transaction of its business or conduct of affairs and kept as evidence of such activity. This policy relates to all non-clinical records held in any format by the Trust and includes: All administrative records e.g. Diaries, s, Correspondence, Human Resources, Estates, Financial and Accounting, Contracts, Complaints, Records of meetings, Policies and Procedures. The Trust records are its corporate memory, providing evidence of actions and decisions representing a vital asset to support daily functions and operations. Records: support policy development and decision-making at all levels across every function protect the interests of the Trust and the rights of patients, staff and members of the public support research and development support consistency, continuity, efficiency, productivity and patient safety and help deliver services in consistent and equitable ways. Records capture the information about transactions, decisions and business activity, which needs to be retained as evidence. Not all documents and files used in a business process will necessarily need to be captured into record keeping systems. Only those required to provide an adequate, accurate record of the work carried out or decisions made. The capture of relevant records into appropriate record keeping systems should be an integrated part of all Trust business processes. The content of a record will primarily be determined by the purpose for which it is being created. 8

9 Management of Electronic Records Electronic records within the Trust are to be clearly identified. They must be able to be preserved and stored for the required period. In order to ensure that the information constitutes a record the Trust is required and endeavours at all times to ensure that: The record is present the information needed to reconstruct activities and transactions that have taken place is recorded The record can be accessed it is possible to locate and access the information The record can be interpreted a context for the information can be established showing when, where, and who created it The record can be trusted the information and its representation exactly matches that which was actually created and used, and its integrity and authenticity can be demonstrated beyond reasonable doubt The record can be maintained the record can be deemed to be present and can be accessed, interpreted and trusted for as long as necessary and on transfer to other approved locations, systems and technologies Effective electronic records management supports: Efficient joint working and information exchange both internally and with other NHS and Partner Organisations Evidence-based policy making by providing reliable and authentic information for the evaluation of past actions and decisions Administration of data protection principles and effective implementation of Freedom of Information and other information policy legislation, through good organisation of records. Creating a Document or File Each department within the Trust shall keep adequate records to document its activities. When determining what records are to be kept, managers shall take into account public accountability, operational, legal and regulatory requirements. Records shall be complete and accurate enough to meet accountability, operational, legal and regulatory requirements. As far as possible, there shall be no unwarranted duplication of records. Records should be placed within designated record keeping systems that enable them to be accessed quickly and easily e.g. shared folders. Corporate record keeping systems shall classify and group records according to business function and activity, so that there is sufficient context to relate records to the business activities that they document. Wherever possible, records which have been created or received electronically shall be captured and stored in electronic record keeping systems i.e. not printed and stored in paper form. Electronic records shall be managed like any other record, in accordance with this policy. Naming Folders, Files and Documents Naming conventions are standard rules to be used for naming both documents and electronic folders and are used to make it easier to find documents. Corporate standards must be followed in the naming of record files and folders. It is unacceptable for any documents to leave the Trust without having either a logical file name or format for presentation that shows the Trust as being the owner of such documents. Basic file naming practices: Give a unique name to each record, which is clear and simple Give a meaningful name which closely reflects the records contents Use standard terms for organisations, roles, projects, activities and other types of document (e.g. agenda / report / board paper) Express elements of the name in a structured and predictable order 9

10 Locate the most specific information at the beginning of the name and the most general at the end Give a similarly structured and worded names to records which are linked (for example, an earlier and later version) Electronic file names should not include excessive wording or inconsistent referencing formats. A file name description (normally the document title). Long words such as, management, organisation and department, should be shortened to mgt, org and dept. The file name must represent the content of the document. The document status is appropriate if the document is in preparation e.g. labelled draft. A version number in the format of e.g. v1 A date reference may also be used to enable documents with the same titles but different dates to be distinguished. The file extension. This is normally allocated by the application i.e. doc or xlsx. In general, if you cannot see a file extension, there is no need to add one as it will be assigned automatically by the application you are using. All file names must exclude illegal characters. These include \ / *? < >. : If filenames contain an underscore this will allow transfer to other computer systems whilst keeping the file name intact. Version Numbers Where the record is likely to be replaced in the future by a new version, e.g. a policy, a version number should be included, both in the filename and also the document itself (usually via a template). The format to be used is v1, v2. For policies, minor amendments would follow v1.1 whilst major amendments would be v2. The key objective with version numbers is that the most current version is obvious and that there is an audit trail of previous versions. Structuring Folders and Files A well thought out structure of folders (also known as directories or classification schemes) for filing documents is a key element to efficient electronic record keeping. There is a balance to strike between having many levels of folders and having a very flat folder structure with everything under one major heading. Folder titles should be clear and concise and adequately describe the contents. Access to folders can be set up with varying degrees of permissions / controls, depending on the nature of the contents and who requires access. The Trust should use a clear and logical filing structure that aids retrieval of records. Ideally, the filing structure should reflect the way in which paper corporate records are filed to ensure consistency. 10

11 Where to Save Documents There are generally two main areas where documents can be saved either shared or personal folders. Both of which are located on the network. The use of shared folders should be adopted wherever possible to facilitate the sharing of Trust information and to improve access to the information during absences of individuals. Folder structure should allow logical access to data and should typically be set out around department, activities or projects, rather than the work of individuals. Examples of documents that should be stored in shared areas include; reports, training materials or staff rotas. The ICT Service Desk will be able to advise Trust staff on setting up shared folders and providing mechanisms to control access where required. Type into your Internet Browser and it will load the ICT Service Desk page where there is guidance regarding folder access, including setting up Secure Folders. C: drive is the data storage area in your laptop / PC H: drive is your personal area on the server J: drive is the network non-secure storage area on the server for the Trust LCHS (Secure) is also on J and these folders are only accessible to people with the appropriate permission to their respective folder. R: shared drive with external organisations on the same network Trust network drives (H J R) will benefit from the automated back-up and recovery services and access security controls. Documents stored on the local hard disk drive of your computer (C Drive) are not automatically backed up and therefore should this drive fail; data stored on it is often unrecoverable. Management of Paper Records Creating a paper document Records of business activity should be complete enough to: Facilitate an audit or examination of the business by anyone so authorised Protect the legal and other rights of the Trust, its clients and any other person affected by its actions Provide authenticity of the records so that the evidence derived from them is shown to be credible and authoritative Paper records should be: Factual, consistent and accurate Written as soon as possible after an event has occurred, providing current information Written clearly and in such a way that the text cannot be erased Written in such a way that any alterations or additions are dated, timed and signed so the original entry can still be read clearly Accurately dated, timed and signed with the signature printed alongside the first entry Not include abbreviations (unless officially approved by the Trust), jargon, meaningless phrases, irrelevant speculation and offensive subjective statements Readable on any photocopies Written in black pen, not ink as this can run, and on white paper (other coloured pens and paper can be used providing the combination of pen and paper produces a legible and permanent record) Not include the use of correction fluid 11

12 Filing Paper Documents Where documents are kept as hard copy files, the filing structure and naming of the files should follow the same principles as described within the management of electronic files. All records should be arranged in a system that will enable the Trust to obtain the maximum benefit from the quick and easy retrieval of information. Storage of Paper Records In order to comply with statutory requirements, the Trust should be aware of what records it holds and where they are held. Storage accommodation should be clean and tidy, should prevent damage to the records and provide a safe working environment for staff. Equipment used to store records should provide storage which is safe and secure from unauthorised access, but which allows maximum accessibility to the information in line with its frequency of use. When records are no longer required for the conduct of current business, they should be stored appropriately with consideration of NHS retention periods. Disposal of Documents Disposal of records does not necessarily mean destruction. This could be the transfer of records from one media to another e.g. paper records to CD Rom, or the transfer of records from one organisation to another e.g. archivists or offsite storage. Destruction of Records The destruction of records is an irreversible act. Many NHS records contain sensitive and / or information and their destruction must be conducted in a secure manner to ensure there are safeguards against accidental loss or disclosure. The normal destruction method used is shredding. All waste should be placed in the allocated Shred-it consoles where this applies or shredded waste can go out with normal recycling provided it has been shredded using a Cross-Cut Shredder. Non- waste can be placed in the recycle bins. Shredding equipment within departments must comply with Trust standards which is a Cross-Cut or Confetti-Cut Shredder with a minimum Din level 3 (for shredding documents and DoH Directive 2007). The secure destruction of computer media is undertaken by the ICT Department where further advice and guidance can be sort. Retention of Records As a general rule, information should only be kept as long as absolutely necessary. deleting: Unnecessary duplicates of final documents Working copies which are no longer required Documents which have no continuing value This includes Good housekeeping of paper and electronic filing systems is essential to maintaining long-term viability, removing material which should no longer be kept, consistent with this policy. The Trust is only responsible for the retention of its own original documents. Corporate records that require permanent preservation need to be stored appropriately to preserve their integrity and availability should refer to the Scanning Documents Policy. Retention Schedules NHS guidance for the minimum retention periods for records is set out in the Records Management Code of Practice for Health and Social Care 2016 and is available on the Trust Website under Policies, Information Governance. Paperless The Trust is working towards a paperless environment as part of the Paperless Strategy and Digital Revolution. 12

13 s It should be noted that s can be, or be part of, a record of business activity and can fall within the scope of the Freedom of Information Act (FIOA), with potential for disclosure into the public domain. s which record business activity must be treated in the same manner as for the management of electronic records, which means they may be saved to network drives rather than being managed through Microsoft Outlook. Freedom of Information Although by its nature, seems to be less formal than other written communication, the same laws apply. Therefore, it is important that users are aware of the legal risks of . As defined in this Policy, is an electronic record. A printed copy of an is a hardcopy record. Information contained in an may be disclosed either in part or in whole to the public through the FOIA or associated legislation. Although exemptions exist, staff and stakeholders need to be aware that the Trust cannot guarantee ity of correspondence conducted by , as stated in the disclaimer. Confidentiality Statement CONFIDENTIALITY STATEMENT DISCLAIMER: This and any files transmitted with it are and intended solely for the use of the individual or entity to whom they are addressed. Therefore if the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this is strictly prohibited. Any views or opinions expressed are those of the author and do not necessarily represent the views of Lincolnshire Community Health Services NHS Trust unless otherwise explicitly stated. The information contained in this may be subject to public disclosure under the Freedom of Information Act Unless the information is legally exempt from disclosure, the ity of this and your reply cannot be guaranteed Retention, Archiving and Disposal Procedure The Trust has a strict process for the retention and disposal of corporate records to ensure compliance with legal obligations, operational, research and safety reasons. In addition to this, the process allows the Trust to effectively manage the storage space available. The intention of this policy is to provide clear instructions to all staff regarding the appropriate retention and disposal of paper based corporate records via an agreed archiving process. The need for guidance is evident from the archived records inherited by the merging of Organisation s and the diversity of current archiving practice. Compliance with the FOIA requires robust records management. This guidance is underpinned by NHSLA and Information Governance standards for the maintenance and storage of records Confidentiality and Security of Records The storage, distribution, use and disposal of records will conform to relevant legislation e.g. Data Protection Act 1998, Freedom of Information Act 2000 and ISO/IEC Information Security, and NHS guidance such as, Caldicott Principles, NHS Code of Practice on Confidentiality 2003, and local policies, taking into account best practice. Staff must always consider the most appropriate method for ensuring information is distributed securely e.g. secure . If transporting paper records, only such notes as are necessary for those purposes may be taken, and they must remain with the individual at all times. If there is a need to transport corporate records staff are to ensure the process is as safe as possible. Any vehicle the Trust provides for the purpose of transporting records must have concealment capability for the records and be lockable. 13

14 Identification of Records for Permanent Preservation Records which seem likely to provide material for research or have historical value should be scrutinised with a view to permanent preservation, which must be transferred to an Approved Place of Deposit. Corporate Records with historical value / interest will be retained for 20 year following the implementation of the 20 Year Rule, these usually relate to records prior to the NHS (1948) or the documented history of a Hospital Trust. The Approved Place of Deposit for Lincolnshire is located at the Lincolnshire Archives, St Rumbold Street, Lincoln. LN2 5AB. When records stored commercially become due for destruction the storage company may notify the appropriate designated service manager for authorisation. Following authorisation the storage company will securely destroy the records and issue a certificate of destruction. Destruction certificates should be retained to provide legal proof of destruction in case the records are subsequently requested for subject access disclosure, litigation purposes or under Freedom of Information or Data Protection legislation. The following should be recorded: a list of the records destroyed, when this took place, who authorised destruction, who carried out the process and the reason for destruction. Exceptions If a record due for destruction is known to be the subject of a request for information, or potential legal action, destruction should be delayed until disclosure has taken place or, if the authority has decided not to disclose the information, until the complaint and appeal provisions of the FOIA have been exhausted or the legal process completed Access to Records Access to administrative / business records is covered by the FOIA. Always be mindful that these records may be disclosed into the public domain, subject to certain exemptions. Sharing Records All staff should work towards rationalising record collections through sharing records and the information they contain (subject to legal and NHS constraints), by merging or ensuring effective cross-reference. Information should ideally be collected once and used many times across departments / organisations. Important points: Data belong to the Trust and not to individuals or departments Each individual has a responsibility for records they create, but they do not own them NHS records are public records and the Chief Executive is ultimately responsible for all records generated in the Trust The Trust recognises that there are restrictions on the disclosure of information and these are to be respected at all times Information sharing agreements can be established for regular information flows Sending Corporate Records by Post This section applies to internal post, external post such as the Royal Mail and any other postal or courier / delivery service. Corporate records relating to or commercially sensitive must be in appropriately addressed in a secure, sealed envelope, using the new government markings and clearly marked OFFICIAL SENSITIVE: COMMERCIAL or OFFICIAL SENSITIVE: PERSONAL and sent securely by the most appropriate method pertaining to the content. The envelope must be robust and sealed to withstand transit through the postal system. Special Delivery is a tracked service which goes separately and recorded delivery is signed for. 14

15 Process for Manager s Staff Folders These are staff files which Line Manager s create and usually copies of documents which are already held in ESR or within HR systems. These files should not be sent to offsite storage and any staff folders should be sent by prior arrangement to the Workforce Services Team (WST) at Beech House. Prior to sending the files the following items should be removed; Annual leave cards T1 approval forms Training course details Green sick leave notification forms Doctors sick notes If there are any documents which staff are unsure whether to retain, please contact the WST for further advice. Records Audit Corporate Record Audits will be undertaken regularly to support the requirements of the DSPT standard 404. The Trust is required to review their corporate record keeping standards annually and further audits may be undertaken throughout the year. Outcomes (including risks and issues) and recommendations will be reported to the Information Governance Management Assurance Group (IGMAG). Corporate Assets Any new Corporate Assets identified should follow the process within the Information Asset Policy; A list of current assets including Corporate, are detailed in appendix 3. NHSLA Monitoring Minimum requirement to be monitored Process for monitoring e.g. audit Responsible individuals/ group/ committee Frequency of monitoring/ audit Responsible individuals/ group/ committee (multidisciplina ry) for review of results Responsible individuals/ group/ committee for development of action plan Responsible individuals/ group/ committee for monitoring of action plan DSP Toolkit Standards Review / Audit / Reports IG Lead Annual IG Lead / IGMAG IG Lead / IGMAG IG Lead / IGMAG 15

16 Appendix 1 Archive Year For all records the archive year is the calendar year in which the last entry was made. The destruction date is the appropriate number of years pertaining to the relevant type of record: e.g. a corporate record with a last entry of 2009 and a 10 year retention period will be due for destruction in This is (complete years) = 2019 Destroy the following year 2020 Type of Corporate Record Retention Period Destruction Agendas of board meetings, major committees, sub-committees (master copies, including associated papers) 30 years Destroy under (Executive Committees, PEC etc) Agendas (other) 2 years Destroy under Decontamination Logs 3 years Destroy under Incident Forms 10 years Destroy under Invoices Litigation dossiers (complaints including accident/incident reports) Records/documents relating to any form of litigation) Medical Devices Alerts Meetings and minutes papers of major committees and sub-committees (master copies) Meetings and minutes papers (other, including reference copies of major committees Office (Admin) Diaries Phone Message Books 6 years after end of financial year to which they relate 10 years Where a legal action has commenced, keep as advised by legal representatives Retain until updated or withdrawn (check MHRA website) 30 years Destroy under Destroy under Destroy under Destroy under (Executive Committees, PEC etc.) 2 years Destroy under 1 year after the end of the calendar year to which they refer 2 years NB Any clinical information should be transferred to the patient health record Destroy under Destroy under Requisition Books (RDC) 18 months Destroy under For further guidance please refer to the Records Management Code of Practice for Health and Social Care, 2016 on the Trust Website under Policies, Information Governance. 16

17 Equality Analysis Appendix 2 A. B. C. D. Briefly give an outline of the key objectives of the policy; what it s intended outcome is and who the intended beneficiaries are expected to be Does the policy have an impact on patients, carers or staff, or the wider community that we have links with? Please give details Is there is any evidence that the policy\service relates to an area with known inequalities? Please give details Will/Does the implementation of the policy\service result in different impacts for protected characteristics? To provide clear and effective management and accountability structures, governance processes, documented policies and procedures, a comprehensive IG training programme and adequate resources to manage and embed Information Governance throughout the Trust. All Staff and Service Users No No Disability Sexual Orientation Sex Gender Reassignment Race Marriage/Civil Partnership Maternity/Pregnancy Age Religion or Belief Carers Yes If you have answered Yes to any of the questions then you are required to carry out a full Equality Analysis which should be approved by the Equality and Human Rights Lead please go to section 2 The above named policy has been considered and does not require a full equality analysis Equality Analysis Carried out by: Kaz Scott Date: 23 rd January 2018 No 17

18 Major Information Assets Appendix 3 ESR (Electronic Staff Record) holds staff personal employment details and is the World's largest, single, integrated HR and Payroll system, empowered by McKesson. Blithe Lillie (Sexual Health) - system provides for all your standard clinical, administration, communication and reporting requirements, and meets all statutory reporting requirements. The Phoenix Partnership (TPP SystmOne) - centralised clinical system that provides healthcare professionals with a complete management system including electronic patient records, one patient, one record model of healthcare. Datix (Incident Reporting) - software fully integrated with other modules including claims, complaints and patient feedback management software to deliver a comprehensive risk management solution. Allocate Software (Bank Staff Management) now called HealthRoster delivers intelligent, end-to-end staff management based on one consolidated view of all staff groups and all staff types, whether substantive, bank or agency. Tunstall Healthcare UK (Docobo) - remote monitoring service for LTC s, offers an integrated solution for the collection, management and analysis of essential patient related data, and permits efficient interaction between clinicians and patients at home. Software Europe (Expenses) - online solution to improve the process of recording and paying employee expenses to its claimants, whilst ensuring compliance against policy. Membership Engagement Services (MES) The first choice for NHS Foundation Trusts, The database is hosted on the same servers that host all of the ERS Group's internet voting and local authority e-registration systems, which ensures absolute data security and reliability. Inphase Ltd (Performance Plus) business intelligence application that integrates any number of performance management approaches and visually highlights the flow of objectives and impacts throughout an organisation.` Medgate Ltd (Cohort) occupational health software suite to track medical trends, manages compliance and regulatory requirements, mitigate absences, and make informed decisions on how to improve employee health and productivity. Clarity Informatics (GP Appraisal) - An enhanced toolkit in partnership with the Royal College of General Practitioners has created a bespoke solution that provides seamless support through appraisals and revalidation. Harris Retail Services (Out of Hours Rota System) - On Line Booking system to organise GP's shifts. Harlequin Software (Charitable Accounts) - system management and multi-user security features together with an optional report generator complete the system. Capita IB Solutions UK Ltd (Integra) - Financial management software combines an adaptable approach with solid practical experience and solution to achieve e-business targets. This is a snapshot of some of the major assets used within the Trust. The Asset Register is a working document which changes as new systems and processes are implemented. 18

19 Decommissioned Assets SMI (Palcare) Patient Information Management System for use as a day to day tool to provide rapid access to patient s clerical and medical and to increase the staff/patient contact time. The Database of Palliative Care patient s is secured on the Trust network for retention. (Asset destroyed 2017). Mosaique (Aspyre) an integrated portfolio, programme and project management application that has been developed to help programme and project managers. It is retained as an ML extract of contents. Microsoft (Groove) a discontinued desktop application designed for document collaboration in teams with members who are regularly off-line or who do not share the same network security clearance. It was used to store Child Protection documentation and as an offline communications tool. NHS Stoke on Trent (Florence) allows clinicians to engage patients with their own healthcare. With faster health outcomes, better adherence to medication or other treatments, and increased productivity compared with normal care whilst harnessing SMS technology yields much better engagement between clinician and patient. (Contract ended, LCC commissioned). Northgate Arinso (CAJE) The centrally-funded Computer Aided Job Evaluation (CAJE) contract for England terminated at the end of December Contract was extended for 12 months. (De-commissioned in 2014). North-51 (QuitManager) was developed for stop smoking services and is designed to meet the exact needs of today's service using Microsoft technologies, providing a highly reliable platform that can be simultaneously accessed by a number of users (De-commission Dec 15) North-51 (QuitManager) was developed for stop smoking services and is designed to meet the exact needs of today's service using Microsoft technologies, providing a highly reliable platform that can be simultaneously accessed by a number of users (De-commission Dec 15) Carestream Kodak R4 (Dental) - CS R4 Clinical+ Practice Management Software functions include simplifying routine tasks, improving communication and making information more accessible throughout your business. (De-commissioned Dec16). Internal Bespoke Assets Capacity Reporting designed within the Trust to support Business Units with Available Beds, Planned Discharges and Admissions and capacity of Community Teams and Out of Hours reporting. Clinical Supervision designed within the Trust to support Clinical Supervision Training for compliance and monitoring purposes. 19