CHW203-Compliance with NHS Records Management Code of Practice Policy
{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Compliance with NHS Records Management Code of Practice Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} complies fully with the principles and requirements of the NHS Records Management Code of Practice, as applicable to care providers working in partnership with NHS Wales and responsible for maintaining accurate, secure, and accountable health and social care records. This policy supports the safe handling, retention, disposal, and access of all records created or held by the organisation, whether electronic or paper-based, in line with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, Freedom of Information Act 2000, and CIW expectations under the Regulation and Inspection of Social Care (Wales) Act 2016. The objective is to protect the rights of individuals, maintain trust and confidence in the service, and ensure information is available when needed to support effective care.
2. Scope
This policy applies to all staff at {{org_field_name}}, including employees, agency workers, contractors, volunteers, and anyone with access to care records, including visiting professionals. It covers all types of records: resident care records, medication charts, risk assessments, clinical notes, financial documentation, staffing and HR files, incident logs, safeguarding records, and records related to quality assurance and governance. It applies regardless of format, whether handwritten, typed, scanned, or stored digitally.
3. Related Policies
This policy should be read in conjunction with:
CHW34 – Confidentiality and Data Protection (GDPR) Policy
CHW04 – Good Governance Policy
CHW11 – Safe Care and Treatment Policy
CHW24 – Management of Accidents, Incidents, and Near Misses Policy
CHW13 – Safeguarding Adults from Abuse and Improper Treatment Policy
CHW27 – Staff Supervision, Training, and Development Policy
4. Policy Details
4.1 Adherence to the NHS Records Management Code of Practice
Although the NHS Records Management Code of Practice is primarily directed at NHS bodies, {{org_field_name}} adopts its principles as best practice for managing health and social care records. The Code outlines requirements for records creation, storage, retention periods, access, transfer, review, and disposal. It categorises records by type and sets out minimum retention periods and secure disposal expectations. By aligning with this framework, we ensure consistency, accountability, and compliance with both regulatory and partnership obligations when sharing or handling NHS-originated records.
4.2 Roles and Responsibilities
The Registered Manager is accountable for ensuring this policy is implemented effectively and monitored regularly. The Data Protection Officer, {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}}, is responsible for overseeing data protection compliance and advising on retention and security. All staff have a responsibility to ensure that records are accurate, up-to-date, and handled confidentially. Any record that includes personal, clinical, or sensitive data must be treated as confidential and protected from unauthorised access, alteration, or loss.
4.3 Creation and Accuracy of Records
All records must be complete, factual, timely, and written in a clear, professional manner. Entries in care records must include:
The date and time
The name and role of the person writing the entry
Objective, evidence-based observations and actions
Legible handwriting or appropriate electronic input
Records must be updated as soon as possible after any care intervention or event and must never be altered retrospectively. Errors should be struck through with a single line, marked as an error, and initialled. Electronic records must have audit trails enabled.
4.4 Retention and Archiving
All records are retained in accordance with the NHS Records Management Code of Practice retention schedules. Examples include:
Adult health and care records: retained for a minimum of 8 years after the end of care
Children’s records: retained until the child’s 25th birthday (or 26th if they were 17 at the end of care)
Safeguarding records: retained for 75 years
Personnel records: retained for 6 years after employment ends
Incident reports and complaints: retained for 10 years
Archived records are stored securely, in locked cabinets or encrypted digital systems, with restricted access. Regular reviews are undertaken to identify records due for destruction, and a log is maintained of all archived materials.
4.5 Secure Storage and Access Controls
Paper records are stored in locked areas with restricted staff access. Electronic records are stored on secure, encrypted systems with password protection, user authentication, and audit logging. Staff access is based on role and need-to-know principles. Mobile devices used for accessing records are protected by PINs, antivirus software, and secure connections. Records must not be left unattended in public areas or visible on computer screens. Any unauthorised access attempt is treated as a data breach and investigated.
4.6 Safe Disposal of Records
Records are only destroyed when their retention period has ended and with authorisation from the Registered Manager. Destruction methods include:
Shredding of paper records using a cross-cut shredder or secure shredding service
Permanent deletion of electronic records, including from backup systems
Secure destruction logs are maintained, recording the date, type of record, method of destruction, and authorising staff member
No record may be destroyed if it is subject to an ongoing investigation, audit, or legal request.
4.7 Information Sharing and Transfers
When sharing records with NHS services, local authorities, or other authorised bodies, we follow strict protocols to ensure secure transfer. This includes:
Obtaining informed consent where applicable
Redacting irrelevant or excessive personal data
Using secure email systems (e.g., NHSmail) or encrypted drives
Documenting all transfers, including date, recipient, and purpose
In the event of a resident moving to another provider or health setting, a clear and accurate summary of their records is provided with consent, with originals retained in accordance with retention schedules.
4.8 Data Breach Reporting and Security Incidents
Any actual or suspected loss, misuse, or unauthorised access to records must be reported immediately to the Data Protection Officer. An internal investigation is initiated, and where required, the ICO and CIW are notified. All staff are trained to recognise breaches and escalate concerns. A record of all breaches, incidents, and corrective actions is maintained and used to inform future prevention strategies.
4.9 Staff Training and Monitoring
All staff receive mandatory training on data protection, confidentiality, and records management at induction and annually thereafter. Training includes practical guidance on secure handling, record-keeping standards, data sharing, and breach prevention. Competency is assessed through supervision, audits, and periodic spot checks. Any staff found to be in breach of this policy may be subject to disciplinary procedures in line with CHW31.
4.10 Monitoring, Audit, and Continuous Improvement
Routine audits are conducted to ensure record-keeping standards are met. Audits include checks on care notes, medication records, safeguarding files, and personnel documentation. The results are reviewed by the Registered Manager and discussed in governance meetings. Any deficiencies are addressed through targeted training and policy updates. CIW inspection findings are also used to drive improvements in compliance.
5. Policy Review
This policy will be reviewed annually or earlier if there are updates to legislation, national guidance (including updates to the NHS Records Management Code of Practice), or in response to audit findings, data breaches, or feedback from CIW. It forms part of {{org_field_name}}’s overarching commitment to high-quality governance, transparency, and information security.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.