{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}


Compliance with NHS Records Management Code of Practice Policy

1. Purpose

The purpose of this policy is to set out how {{org_field_name}} creates, uses, stores, retains, shares, archives and disposes of records in a lawful, secure, accurate and consistent way. The policy is designed to support compliance with the Health and Social Care Act 2008, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, including Regulation 17 (Good Governance) and Regulation 12 (Safe Care and Treatment), the Data Protection Act 2018, the UK General Data Protection Regulation, the common law duty of confidentiality, and the current Records Management Code of Practice for Health and Social Care 2021 as updated.

This policy supports the service to maintain secure, accurate, complete and contemporaneous records in respect of each person using the service, records relating to staff and the management of the regulated activity, and governance systems that enable the provider to assess, monitor and improve the quality, safety and effectiveness of the service. It also supports compliance with current Care Quality Commission expectations in relation to records, information governance, medicines records, digital records and audit arrangements.

2. Scope

This policy applies to all employees, volunteers, agency staff, contractors, and managers of {{org_field_name}} who handle or process records in any form, whether paper-based or electronic. It includes care records, personnel files, financial records, policies, incident reports, medication records, and communications relating to service provision and business administration. This includes records relating to people who use the service, medicines support, assessments, care planning, consent, capacity and best-interest decision-making, incidents and accidents, complaints, safeguarding, staffing, recruitment, supervision, training, audits, maintenance, health and safety, and all other records needed for the proper management of the regulated activity. This policy applies to the regulated activity and service model operated by {{org_field_name}}, including care home records, resident care records, medicines records, staff records, governance records, safeguarding records and records required for the safe management of the service.

3. Related Policies

4. Policy Statement and Principles

4.1 Record Creation and Accuracy

All records created by {{org_field_name}} must be secure, accurate, complete, contemporaneous, legible and fit for purpose. Every entry must be dated, timed where appropriate, attributable to the person making the entry, and written as soon as reasonably practicable after the event. Care records must clearly evidence assessments, risks, needs, preferences, care and support provided, medicines support, changes in presentation or condition, communications with health and social care professionals, discussions with relatives or representatives where appropriate, and decisions taken in relation to care and treatment.

Records must be person-centred, respectful and factual. Staff must distinguish clearly between observed fact, professional judgement, information provided by others and actions taken. Abbreviations must only be used where they are locally approved and understood. Handwritten amendments must be made by drawing a single line through the original entry so that it remains legible, followed by the date, time and signature or initials of the person making the amendment. Electronic records must maintain a visible audit trail of amendments. No record must be erased, obscured, backdated or inappropriately altered.

4.2 Confidentiality, Lawful Access and Access Controls

All records held by {{org_field_name}} are confidential and must be handled in accordance with the Data Protection Act 2018, UK GDPR, the common law duty of confidentiality and the Caldicott Principles. Access to records is restricted to authorised persons who need the information to carry out their role, and access rights must reflect the minimum necessary information required for that role.

Paper records must be stored securely when not in use. Electronic records must be protected through role-based access controls, individual log-ins, strong passwords, appropriate encryption, automatic screen locking where practicable, and audit trails showing access and amendments. Shared log-ins must not be used.

The service will have clear arrangements for responding to requests for access to records, including subject access requests, requests by professionals involved in the person’s care, lawful requests from external agencies, and requests relating to deceased persons. Any disclosure must be assessed for lawful basis, necessity and proportionality, and a record of the decision to disclose or not disclose must be kept.

4.3 Retention, Review, Disposal and Destruction Holds

{{org_field_name}} will retain records in accordance with the current Records Management Code of Practice for Health and Social Care 2021, including subsequent updates, and any more specific legal, regulatory, safeguarding, employment, tax, health and safety, insurance or contractual requirements that apply to the record. The service will maintain a separate retention schedule or matrix identifying the minimum retention periods for each record type used by the service.

Records must not be kept for longer than necessary without lawful justification. Equally, no record may be destroyed where it is, or may reasonably become, relevant to an inquiry, complaint, safeguarding process, serious incident review, legal claim, inquest, insurance matter, police investigation, regulatory action, public inquiry or other formal process. In such cases, destruction must be suspended until written authority is given to resume normal disposal arrangements.

Before disposal, records must be reviewed where the retention schedule requires review rather than automatic destruction. Where records are due for confidential destruction, the method used must be appropriate to the medium and the sensitivity of the information. Paper records must be cross-shredded or destroyed by an approved confidential waste contractor. Electronic records must be securely deleted or destroyed so that the information cannot be reconstructed. A destruction log must be maintained showing the record category, date range, disposal authority, date of destruction, method of destruction and the person or contractor carrying it out.

The retention periods below are illustrative examples only and must not be treated as a complete retention schedule. Staff must always check the organisation’s current retention schedule before disposing of any records.

4.4 Retention Schedule Governance

{{org_field_name}} will maintain and review a records retention schedule covering all record types used within the service, including resident care records, medicines records, safeguarding records, complaints, accidents and incidents, recruitment and personnel records, training records, audits, governance records, maintenance records, financial records and contractor records. The schedule must identify the minimum retention period, trigger event, review requirements, disposal action and any hold criteria that suspend destruction. The retention schedule will be reviewed whenever the national Code is updated or where service changes create new record types.

4.5 Electronic Records, Digital Systems and Cyber Security

Where {{org_field_name}} uses digital record systems, those systems must support safe, effective and person-centred care and the proper governance of the service. Digital systems must provide appropriate role-based access, audit trails, data backup, recovery arrangements, protection against malware, timely security updates, and secure remote access where remote working is authorised. Portable devices used to access records must be appropriately secured, encrypted where required, and managed in accordance with organisational information security controls.

The service will complete the Data Security and Protection Toolkit annually, or maintain equivalent evidence of compliance where appropriate, and will take action on any identified gaps. The service must also have clear contingency arrangements for system downtime, cyber incidents, loss of connectivity or data corruption, to ensure continuity of care, access to essential records and timely restoration of systems.

4.6 Records Audit, Quality Assurance and Governance Oversight

{{org_field_name}} will operate a programme of records audit as part of its governance and quality assurance systems. Audits will review the completeness, timeliness, accuracy, security and quality of records relating to people using the service, medicines support, incidents, safeguarding, staffing and the overall management of the regulated activity. Audit findings must be analysed for themes, risks and repeated omissions, and must result in documented actions, timescales and management oversight.

Audit activity must not be limited to routine file checks. It must also consider whether records are being used effectively to support safe care, risk management, continuity, escalation of concerns, learning from incidents, and service improvement. The Registered Manager remains accountable for ensuring audit findings are acted upon and escalated appropriately through the provider’s governance arrangements.

4.7 Roles, Responsibilities, Competence and Training

All staff are personally responsible for creating, handling and protecting records in line with this policy and any related procedures. No member of staff may create, amend, access, share or dispose of records unless they have received appropriate information governance and recordkeeping training relevant to their role. Training must be provided at induction and refreshed thereafter at intervals determined by the organisation’s training matrix, or sooner where audits, incidents or changes in law or guidance identify a need.

{{org_field_name}} will designate a member of staff of appropriate seniority as the lead for records management. This role will be formally acknowledged and communicated across the service. The Registered Manager retains overall responsibility for implementation of this policy within the service. The Data Protection Officer or designated information governance lead will advise on data protection compliance, breach management, access requests and lawful information sharing. Managers and senior staff must monitor the quality of recordkeeping in practice, address poor recording standards promptly, and ensure staff receive supervision, support and competency assessment where concerns are identified.

4.8 Information Incidents, Data Breaches and Record Security Events

Any actual or suspected breach of confidentiality, loss of records, unauthorised access, misfiling, inappropriate disclosure, cyber incident, device loss, record tampering, or other information security event must be reported immediately in line with the organisation’s incident reporting and data breach procedures. All information incidents, including near misses, must be risk assessed promptly to determine the likely impact on individuals, service delivery and regulatory compliance.

Where required by law, reportable personal data breaches will be notified to the Information Commissioner’s Office without undue delay and, where applicable, within 72 hours of the organisation becoming aware of the breach. Affected individuals will be informed where legally required or where this is necessary to reduce risk of harm. All incidents must be investigated, lessons learned identified, and actions taken to reduce the risk of recurrence.

4.9 Record Sharing, Inter-agency Working and Disclosure

Information may be shared where there is a lawful basis to do so and where the sharing is necessary, proportionate and relevant to the purpose. This includes sharing information for direct care, safeguarding, risk management, legal obligations and other purposes permitted by law. Staff must recognise that the duty to share relevant information for individual care and safeguarding is as important as the duty to protect confidentiality.

Before sharing information, staff must consider the purpose of the sharing, the lawful basis, whether consent is required or appropriate, whether the person has capacity to make the relevant decision, whether there is an overriding public interest or safeguarding concern, and whether only the minimum necessary information is being disclosed. The rationale for sharing, the information disclosed, the recipient, date, method and any consent or best-interest decision must be recorded.

4.10 Medicines Records

Medicines records, including medicines administration records (MAR), must be maintained securely, accurately and in a timely manner for each person receiving medicines support. Records must clearly show the medicines support provided, refusals, omissions, variable dose decisions, allergies, changes to prescribed medicines, advice received from prescribers or pharmacists, and actions taken in response to errors or concerns. Medicines records must be completed in line with the organisation’s Medicines Policy and must support the safe administration, review and monitoring of medicines.

4.11 Records Relating to Staff and the Management of the Regulated Activity

{{org_field_name}} must maintain secure and fit-for-purpose records relating to staff and to the management of the regulated activity. These include, but are not limited to, recruitment records, identity and right to work checks, DBS information where retained lawfully, training records, supervision records, competency assessments, rotas, policies, audits, complaints, accidents and incidents, safeguarding records, quality assurance records, maintenance logs, health and safety checks, emergency planning records, meeting minutes and action plans. These records must be organised, retrievable, current where applicable, and available for governance, assurance and inspection purposes.

4.12 Suspension of Destruction and Preservation Notices

Where {{org_field_name}} becomes aware of a complaint, safeguarding enquiry, serious incident, police investigation, coroner’s investigation, employment dispute, legal claim, public inquiry, CQC enforcement matter or other issue that may require records to be preserved, all routine destruction of relevant records must cease immediately. The Registered Manager, supported by the records management lead and Data Protection Officer or information governance lead where applicable, will issue or authorise a preservation notice identifying the record categories affected and the period for which destruction is suspended.

4.13 Service Closure, Transfer and Contract Change

In the event of service closure, transfer of ownership, change of provider, contract handover or significant service reconfiguration, {{org_field_name}} will ensure that records remain secure, accessible and lawfully managed throughout the transition. Arrangements must be made in advance for the safe transfer, retention, continued access and eventual disposal of records, with clear accountability for records at each stage of the transfer.

5. Policy Review

This policy will be reviewed at least annually and sooner where there is a change in legislation, CQC guidance, information governance requirements, the Records Management Code of Practice for Health and Social Care, or learning from incidents, audits, complaints, safeguarding matters or enforcement activity. The service will also review this policy whenever new record types, digital systems or information-sharing arrangements are introduced.


Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.
