Title: Records Management Policy

Transcription

1 Title: Records Management Policy Approved: September 2010 Revised: January 2012 Revised: January 2015 Reviewed September 2016

2 CONTENTS Page No. Scope 3 Statement 4 Aims 5 Following Best Practice 6 Accountability 13 Monitoring Compliance 13 References 14 Appendix 1- Retention and Disposal Schedule 15 2

3 Scope This policy provides for: The requirements which must be met for the records of the Patient and Client Council to be considered as a proper record of the activity of the organisation, including the provision of advocacy related services by the Patient & Client Council. The requirements for systems and processes that deal with records. The quality and reliability, which must be maintained to provide a valuable information and knowledge resource for the organisation. Review of the policy and checking the quality of implementation. An overall statement of records management policy, which is supplemented by detailed procedures. This policy covers records in all formats created during the Patient & Client Council course of business. This includes all operational records held by the Patient & Client Council as well as all administrative records: Personnel records (these are now held on the BSO HRPTS system) Estates Financial /Accounting (BSO hold significant finance records) Contracts Litigation Records associated with complaint handling. Research Policies Services This policy covers all corporate records which are records produced during the daily course of business of the Patient & Client Council and are termed public records under the Public Records Act (NI) This includes messages and all other electronic records. 3

4 Statement The records of the Patient & Client Council constitute the corporate memory of the organisation, which provide evidence of the business, actions, decisions and resulting policies formed by the Patient & Client Council. Records represent a vital asset, which support the daily functions of the organisation and protect the interests and rights of staff, and members of the public, who have dealings with the Patient & Client Council. Records support efficiency consistency and continuity of work and enable the Patient & Client Council to procure and deliver a wide range of health services. In consultation with organisations that may be concerned with the management of its records, the Patient & Client Council will create, use, manage, maintain and destroy or preserve its records in accordance with all statutory and legislative requirements. Systematic records management is fundamental to organisational efficiency. It ensures that the correct information is: Captured, stored, maintained, retrieved and destroyed or preserved according to need Fully utilised to meet current future needs, and to support change Accessible to those which need to make use of it that the proper technical, organisational and HR elements exist to make this possible. 4

5 Aims The records management policy aims to maintain data quality in the organisation which can be described using the six key characteristics listed below: Accuracy Data should be sufficiently accurate for their intended purposes, representing clearly and in enough detail the interaction provided at the point of activity. Data should be captured once only Validity Data should be recorded and used in compliance with relevant requirements, including the correct application of any rules or definitions Reliability Data should reflect stable and consistent data collection processes across collection points and over time, whether using manual or computer based systems, or a combination. Timeliness Data should be captured as quickly as possible after the event or activity and must be available for the intended use within a reasonable time period. Data must be available quickly and frequently enough to support information needs and to influence service or management decisions. Relevance Data captured should be relevant to the purposes for which they are used. This entails periodic review of requirements to reflect changing needs. Completeness Data requirements throughout functions should be clearly specified and based on the information needs of the PCC. Monitoring and review of missing, incomplete, or invalid records by IAOs can provide an indication of data quality and can also point to problems in the recording of certain data items. The Patient & Client Council PCC aims to ensure that: The record is present and correct The Patient & Client Council has the information that is needed to form a reconstruction of activities or transactions that have taken place. The record can be accessed It is possible to locate and access the information and display it in a way consistent with initial use. 5

6 The record is clear and can be interpreted It is possible to establish the context of the record: who created the document, during which business process, and how the record relates to other records. The record can be trusted The record reliably represents the information that was actually used in or created as part of the business process, and its integrity and authenticity can be demonstrated. The record can be maintained through time The qualities of accessibility, interpretation and trustworthiness can be maintained for as long as the record is needed, perhaps permanently despite change of formats. All staff of Patient & Client Council who create, use, manage, maintain or dispose of records have a duty to protect them and to ensure that any information that they add to the record is accurate, complete, up-to-date, relevant and not excessive. The confidentiality of patient and client records must always be of primary concern to Patient & Client Council staff. All staff will receive the necessary training in managing records and will be required to formally acknowledge their duty of care with regards to Patient & Client Council records. This records management policy is a specific part of the Patient and Client Council overall corporate programme and relates to other policies and guidance, such as: ICT Security Policy Code of Practice on Protecting the Confidentiality of Service User Information Use of Use of Internet Guidance on the Use of Social Networking Freedom of Information (FOI) procedure Data Protection Policy Statement Following Best Practice in the Management of Records Records should be managed in accordance with relevant standards including Good Management, Good Records (GMGR),ISO 15489, the NI Records management Standard (NIRMS) and the Information Management Controls Assurance Standard. 6

7 Good Management, Good Records (GMGR) These guidelines offer an overview of the key issues and solutions, and best practice for HSCNI organisations to follow when managing records. GMGR represents the joint DHSSPS and PRONI view of how records should be administered and sets the standard required throughout HSCNI. The Disposal Schedule contained within GMGR has been approved by PRONI and after consultation and review was revised in late It sets out minimum retention periods for HPSS records of all types, except for GP medical records, and indicates which records are most likely to be appropriate for permanent preservation. The schedule also explains the reasoning behind the determination of minimum retention periods, including legal requirements where relevant. ISO International Standard on Information and Documentation - Records Management The International Standard on managing recorded information, initially based on an earlier Australian standard, was adopted by ISO in The Standard acts as an enabler towards accreditation and renewal of ISO9001. Northern Ireland Records Management Standard (NIRMS) The standard, which was produced by the Public Records Office (NI) in March 2002, is a best practice benchmark for all organisations creating or holding public records. Controls Assurance Standard The Information Management Controls Assurance Standard sets out criteria by which an organisation can assess the degree to which it has in place a systematic and planned approach to the management of all records which ensures that, from the moment a record is created until its ultimate disposal, the organisation can control, both the quality and quantity of information it generates; can maintain that information in a manner that effectively services its needs and those of its stakeholders; and can dispose of the information appropriately when it is no longer required. 7

8 The organisation s e-government strategy Electronic records management will underpin e-government providing records for business use, corporate knowledge management, evidence-based policy making, quality monitoring, accountability, and historical use. Data Protection Records need to be managed in accordance with the Data Protection Act 1998 (DPA) as well as the Patient & Client Council Data Protection Policy Statement on the protection and use of patient and/or client information. When processing personal and/or sensitive data staff should adhere to the eight DPA principles listed below and ensure that data is: 1. Processed fairly and lawfully. 2. Obtained for specified and lawful purposes. 3. Adequate, relevant and not excessive. 4. Accurate and up to date. 5. Not kept any longer than necessary. 6. Processed in accordance with the data subject s (the individual s) rights. 7. Securely kept. 8. Not transferred to any other country without adequate protection in situ. Freedom of Information All records need to be managed in accordance with the procedures set out in the Freedom of Information Act 2000 (FOIA) and its related codes of Practice. Staff are advised that deleting or concealing information with the intention of preventing its disclosure following receipt of a request is a criminal offence under section 77 of FOIA. For example, where information that is covered by a request is knowingly treated as not held because it is held in a private account, this may count as concealment intended to prevent the disclosure of information, with the person concealing the information being liable to prosecution. Audit All records have to meet audit requirements, which may be carried out by internal and external auditors and by PRONI as directed by the Information Commissioner. Records registration ensures a link between the record and its administrative roots. The registration of records should follow best practice in records management and allow for the users of the records to identify and 8

9 track particular records and record collections. The registration system should include: Classifying records into series that have meaningful titles and a consistent reference code. Setting a responsibility on individuals creating records to allocate them to an appropriate work area in a secure file series. Having sequences of reference numbers that can facilitate both paper and electronic records that can eventually be aligned with the Patient & Client Council file classification process. Checking that the correct records have been allocated to the sequence and that meaningful titles are used. Auditing lists of the references used so that the registration system makes sense and records can be found in appropriate search sequences. Guidance on the Classification of Records Naming Conventions comprise the following 13 basic rules: Keep file names short, but meaningful. Avoid unnecessary repetition and redundancy in file names and file paths. Use capital letters to delimit words, not spaces or underscores. When including a number in a file name always give it as a two-digit number, i.e , unless it is a year or another number with more than two digits. If using a date in the file name always state the date back to front, and use four digit years, two digit months and two digit days: YYYYMMDD or YYYYMM or YYYY or YYYY-YYYY. When including a personal name in a file name give the family name first followed by the initials. Avoid using common words such as draft or letter at the start of file names, unless doing so will make it easier to retrieve the record. Order the elements in a file name in the most appropriate way to retrieve the record. The file names of records relating to recurring events should include the date and a description of the event, except where the inclusion of any of either of these elements would be incompatible with rule 2. The file names of correspondence should include the name of the correspondent, an indication of the subject, the date of the correspondence and whether it is incoming or outgoing correspondence, except where the inclusion of any of these elements would be incompatible with rule 2. 9

10 The file name of an attachment should include the name of the correspondent, an indication of the subject, the date of the correspondence, attch, and an indication of the number of attachments sent with the covering , except where the inclusion of any of these elements would be incompatible with rule 2. The version number of a record should be indicated in its file name by the inclusion of V followed by the version number and, where applicable, Draft. Avoid using non-alphanumeric characters in file names. Guidance on Version Control Version control is important for electronic documents that undergo a lot of revision and redrafting because it can avoid the danger of documents being changed by different users without those changes being known. Knowing which version you are looking at is important especially if you are working on a collaborative document with a number of contributors and where there are frequent revisions. There may be a number of draft versions of the document but the first completed version becomes Version 1 followed by Version 2 etc. Use this process for all documents where more than one version exists, or is likely to exist in the future. When you save it, put the version number and date on the document itself as well as in the file name. Common places for the insertion of version numbers are the document cover, or in either the header or footer text of each page. The version number of a record should be indicated in its file name by the inclusion of V followed the version number and, where applicable, Draft or Final Some records go through a number of versions, for example policies for consultation, which may then be reviewed and updated at a later date. It is important to be able to differentiate between these various versions by giving them each their own number. Where a version number is applicable, it should always appear in the file name of the record so that the most recent version can be easily identified and retrieved. Guidance on Correspondence The file names of correspondence should include the following elements so that the record can be easily identified and retrieved: 10

11 Name of correspondent, that is either the name of the person who sent you the letter/memo/ message or the name of the person to whom you sent the letter/memo/ message Subject description Date of letter/memo/ message If incoming correspondence, include rcvd Guidance on This guidance is intended for any member of staff who creates or receives e- mails as part of carrying out their contract of employment with the PCC. Below is a checklist of dos and don ts. Do: Remember that all work s are organisational records Exercise the same degree of care and professionalism in regard to the content of messages as you would with a letter or a memo Set an out of office message giving alternative contact details when you are away for more than a week Delete unwanted s as soon as they are no longer required Ensure that your deleted items are actually deleted permanently Set up a separate folder for your personal s Use shared drives, servers or websites rather than sending an attachment Make use of expiry date and properties options if these are available in your system Use short, meaningful titles/subjects for your s When replying to an , keep the original text as part of your response Only use the cc (carbon copy) function when it is necessary. Avoid using the bcc function Only use distribution lists (with approval) to avoid long to lists or to avoid disseminating the addresses of external contacts Remember that is not a secure form of communication Remember that all your s may be open to scrutiny and discoverable under the Freedom of Information Act 2000 and the Data Protection Act Don t: Keep the only copy of important s in your in and sent items boxes Allow backlogs of unwanted s to accumulate in your account Copy s to people unless they need to see them Mix personal and work s 11

12 Annotate or change the text of the original when replying to it or forwarding it on to others Use the system to promote personal views Use a non organisational account for PCC business Use symbols in the subject line of s Retention and Disposal of Records The Patient & Client Council has endorsed and will follow the guidelines set out in GMGR and will also adhere to the retention and disposal schedule contained within it. Additional guidance for PCC staff on the retention and disposal of records can be found in Appendix 1. For information and details of the retention periods for all records staff should refer to the schedule within GMGR at - 12

13 Accountability This policy outlines the accountability of the Board and its staff to ensure that the appropriate records are maintained within a structured management system, which constitutes a complete and accurate account of all actions and decisions. This is of importance in the protection of the rights of staff and members of the public with regard to their legal and other rights. It is also of importance in the instance of an audit or investigation. The Chief Executive and Senior Managers have a duty to ensure that the Patient and Client Council complies with the requirements of all relevant legislation and supporting regulations and codes affecting the management of records and information. The Senior Information Risk Owner (SIRO) and Information Asset Owners (IAOs) will work closely with Corporate Services to ensure consistency in the management practice throughout their organisations. Staff are responsible for ensuring that records and information systems in their business areas conform to this policy and to the requirements of all relevant legislation and best practice guidelines set out in GMGR. All members of staff are responsible for documenting their actions and decisions in the records and for maintaining the records in accordance with good records management practice and professional guidelines. Monitoring Compliance The Patient & Client Council will follow this records management policy within all relevant procedures and guidance used for operational activities. Interpretation of the policy will be monitored and there will be regular planned inspections by the SIRO and also by Internal Auditors to assess how the policy is being put into practice. These inspections will seek to: Identify areas of good practice which can be used throughout the Patient & Client Council Highlight where non-conformance to the procedures is occurring If appropriate, recommend a tightening of controls and make recommendations as to how compliance can be achieved. 13

14 References Public Records Act (NI) 1923 Disposal of Documents Order No167, 1925 Limitation Act 1980 Freedom of Information Act 2000 The Lord Chancellor s Code of Practice on the Management of Records under Section 46 of the Freedom of Information International Standard on Records Management (ISO 15489) The Privacy and Electronic Communications Regulations Electronic Records Management: Toolkits (PRO, ) Data Protection Act 1998: Records Management Standards and Guidance (PRO, form 1998) Northern Ireland Records Management Standards (NIRMS) (2002), Public Records Office of Northern Ireland (PRONI) Good Management, Good Records (GMGR) DHSS&PS

15 Appendix 1 Purposes of this Retention and Disposal Schedule This disposal schedule identifies the disposal arrangements for all records created by the Patient and Client Council. All records created by the Patient and Client Council are public records according to the Public Records Act (Northern Ireland) The schedule ensures compliance with the requirements in the Public Records Act (Northern Ireland) 1923, the Disposal of Documents Order 1923 (No 167) and The Lord Chancellor s Code of Practice on the Management of Records, issued under Section 46 of the Freedom of Information Act The Lord Chancellor s Code of Practice on the Management of Records, issued under Section 46 of the Freedom of Information Act The aims of the code are: To set out the practices which public authorities, and bodies subject to the Public Records Act 1958 and the Public Records Act (NI) 1923 should follow in relation to the creation, keeping, management and destruction of their records (Part 1 of the Code: and To describe the arrangements which public bodies should follow in reviewing public records and transferring them to places of deposit or to the Public Record Office of Northern Ireland (Part ll of the Code). The Code of Practice provides the benchmark of good record keeping practice, which is likely to be used, if necessary, to assess compliance with the requirements of the Freedom of Information Act

16 Operation of this Disposal of Records Schedule The Final Actions described in the Retention and Disposal of Records Schedule fall into three categories. Those categories are: 1) Review 2) Permanent Preservation / Transfer to the Public Record Office of Northern Ireland (PRONI) 3) Destruction Closed Records Records should be closed as soon as they have ceased to be of active use other than for reference purposes. Files, which are registered, should only remain open for a period of 5 years after which they should be closed. Files should also be closed when they have reached 2.5cm thick, the subject is finished or when nothing new has been added for 2 years. When a file is due to be closed the PCC Officer should consult the Disposal Schedule and complete the front cover of the file, indicating the date on which the file can be destroyed or transferred to the Public Record Office of Northern Ireland (PRONI), or whether it should be subject to the review process. A closure sheet should be inserted on the right hand side of the file with the date of closure clearly marked. Closing a file simply means that no further papers can be added but the file can be used for reference. The closure date should be logged on the central registry database. This registry database will have a brought forward system, which will indicate when the file is due for review, destruction or transfer to PRONI. The retention period required for each file is calculated from the point of closure. For example if a file is to be retained for 5 years and is closed on the 27 th April 2005, its retention period would elapse on the 27 th April If the file is to be transferred to PRONI then the Head of Corporate Services as SIRO and FOI Officer will assess whether information on the file should be exempt from release under that Freedom of Information Act The appropriate documentation from PRONI should be completed and attached to the file. These forms are available from the Head of Development and Corporate Services. Review of Files Where the disposal action indicates Review the file should be subject to the normal review process. Reviewers should only consider the administrative 16

17 value of the records and should ask the following useful questions when making their decision. Is there a continuing need to retain this record for the conduct of day to day business? Is there clear evidence of a future need for constant reference to this record? Will it be needed to deal with enquiries in the future? Is the information needed for statistical analysis within the organisation? Are there bodies of statistical information upon which future decisions or forecasts could be based? Is the information required for conducting legal proceedings in the event of a legal action being taken by, or against the organisation? Is there any legal requirement to retain these records (For example, Health and Safety regulations)? Is there a financial need to retain these records (for audit purposes)? Is the information significant because it provides precedents or is required for authorisation purposes? Is the information otherwise available whether within the organisation or in published form? Records recommended for destruction will be referred by the SIRO to PRONI, whose staff will inspect such files to consider whether or not they should be preserved permanently or held in storage to await a second review, 15 years later. Permanent Preservation / Transfer to PRONI Records selected for permanent preservation should be transferred to PRONI twenty years after the date of closure along with a completed PR14 form which can be obtained from the Head of Corporate Services. After transfer, the records become the property of PRONI. A list of records transferred to PRONI should be retained by the Patient and Client Council. Consideration of public access needs to be documented and this should also accompany the transfer of any records to PRONI. Guidance on the completion of PR14 forms Since the introduction of the Freedom of Information Act 2000, new documentation has been introduced by PRONI in order to comply with the S46 code of the FOI Act. It is important that the forms are completed correctly 17

18 to ensure for the efficient transfer of files from Northern Ireland departments and other public bodies to the archives in PRONI. The PR14 form is to be completed for files that are less than 30 years old from the date of the last paper. If a file is 30 years old or more a PR14 Historical version form should be completed. The PR14 is to be completed in conjunction with a page by page review of the file. The reviewing officer should work from the premise that an FOI request has been received for the information contained in the registered file. Therefore, the general presumption is one of openness and that in most cases files will transfer to PRONI with an open recommendation. However, to ensure the protection of information that may be deemed exempt under the FOI Act such as sensitive personal data, files may be recommended for full closure, partial closure or blanking (redaction). Once one of these options has been selected, the PR14 should indicate which exemptions[s] have been applied. Detailed guidance about exemptions is available from the SIRO. The accurate identification of the pages requiring redaction or partial closure is crucial. The tabbing of the relevant pages is helpful but the PR14 must also identify the relevant individual documents, e.g. memo/letter dated. 3 rd paragraph, lines 5-9. This will allow for proper checking by the SIRO/ IAO and subsequent quality assurance by PRONI. It may be necessary to return the file if the PR14 documentation has only being partially completed. The standard closure period will be 5 years except if there is a statutory prohibition or if S40 (personal data) of the FOI Act is to be applied. In the case of the statutory prohibition, the closure will be for whatever period specified in the relevant statute bar and this should be recorded on the PR14 form. If S40 the personal information exemption of the FOI Act has been cited, it will be necessary to include an age assumption so the information to be exempted will remain closed until the individual is assumed to be 100 years old. For example, if the paper states the individual is 50 in 1990, the information will be released by PRONI in It is recognised that in some instances it will be virtually impossible to make an accurate age assumption and this should be stated on the PR14. Although tabbing is permitted files must not be marked or altered by stapling of flags, or by writing/highlighting /underlining of text recommended for redaction. If you have any queries regarding the completion of the PR14 you should refer to your Information Asset Owner (IAO) in the first instance. The IAO will then liaise with the SIRO who is the Head of Corporate Services and PRONI as required. Destruction of Records Authorisation for destruction of records must be obtained firstly from the appropriate IAO and then by the SIRO. The Freedom of Information Act

19 says that we must keep a record of the destruction of records. Lists of any records destroyed should be kept and copied to the Head of Corporate Services for recording on the Registry database. Guidance on the Disposal of Paper Records Paper records can be disposed of through normal waste procedures, for example, in a recycling bin provided the record does not contain sensitive material or personal data. Sensitive paper records may be cross shredded or disposed of through the confidential waste bags. The PCC has a contract with a private contractor to destroy confidential waste in these bags for a fee. Bags containing confidential waste should be stored in a locked room where an unauthorised access is not permitted. If the material is particularly sensitive, it is advisable to shred locally to ensure the record has been destroyed. Shredded paper may go in the normal waste, or, for a belt and braces approach, in the confidential waste. Guidance on the Disposal of Electronic Records As part of your everyday use of your computer, you will probably destroy electronic records by deleting them. In the case of information held on servers or shared drives, this will be the responsibility of the BSO IT Security Department. For example, if you use an organisational service, then this information will be stored on a central server, and you will need to take no action other than ensuring that all your deleted items folders have been emptied. The IT Department will make arrangements for the appropriate disposal of the server and the backup tapes in due course. If you have saved information to a PC, CD or other storage medium, you must take measures to ensure that the information is fully deleted before disposing of the item. For portable media such as a CD, the best way of destroying the information they contain is to destroy the items concerned. CDs should be broken, or you should score lines over them. If your computer has been used to process highly sensitive information, you may also use the decommissioning tool before passing on the computer within the organisation You should contact the IT Helpdesk for information 19

20 and advice on how to do this and how to reinstall the software needed by the computer s next user. Guidance on the Disposal of Video and Audio Tapes Audio and video tapes should be recorded over with silence, unless highly sensitive, in which case they should be physically destroyed. Roles and Responsibilities The Chief Executive, the SIRO, and IAOs are personally accountable for the quality of records management within the organisation and have a duty to make arrangements for the safekeeping and eventual disposal of those records. All Managers are responsible for ensuring that staff are aware of their personal responsibilities for record keeping. This includes the creation, use, storage, security and confidentiality and disposal of records. The Head of Corporate Services as SIRO, the Policy and Planning Manager and the IAOs will take the lead in developing the organisations records management strategy. Collectively they are responsible for: Co-ordinating, publicising and monitoring implementation of the records management strategy. Ensuring that there are systems in place for records management and these are monitored and reviewed by the Function Managers and Senior Management Team at least annually in order to make improvements to the system. Individual members of staff are responsible for maintaining records in accordance with all relevant legislation and in line with the guidance set out in DHSS&PS Good Management, Good Records (GMGR). 20