{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}


Compliance with NHS Records Management Code of Practice Policy

1. Purpose

The purpose of this policy is to ensure that {{org_field_name}} fully complies with the NHS Records Management Code of Practice and the associated requirements under the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. The policy outlines how we create, manage, store, retain, and dispose of records relating to individuals we support and our business operations, in line with Regulation 17 (Good Governance) and Regulation 12 (Safe Care and Treatment). This policy supports transparency, accuracy, accountability, and confidentiality in all recordkeeping practices.

2. Scope

This policy applies to all employees, volunteers, agency staff, contractors, and managers of {{org_field_name}} who handle or process records in any form—whether paper-based or electronic. It includes care records, personnel files, financial records, policies, incident reports, medication records, and communications relating to service provision and business administration.

3. Related Policies

4. Policy Statement and Principles

4.1 Record Creation and Accuracy
All records must be complete, accurate, dated, legible (where handwritten), and attributable to the person who created them. Care records must be written contemporaneously and reflect person-centred support in line with care plans. Records must document assessments, care delivered, communications with professionals or families, incidents, concerns, and changes in condition. Abbreviations must be avoided unless standardised, and corrections must be made with a single line through the original entry, clearly initialled and dated—never erased or overwritten.

4.2 Confidentiality and Access Controls
All records are subject to the principles of confidentiality and data protection as outlined in the CH34 – Confidentiality and Data Protection Policy. Access to records is strictly limited to those who need to see them as part of their role. Electronic records are protected by encrypted systems, secure passwords, and access permissions. Paper records are stored in locked cabinets when not in use. Individuals have the right to access their personal records, and staff must know how to respond to Subject Access Requests appropriately.

4.3 Retention and Disposal
{{org_field_name}} follows the NHS Records Management Code of Practice for retention periods. Examples include:

4.4 Electronic Records and Systems Management
All digital records systems used by {{org_field_name}} are compliant with NHS Digital and CQC standards. Systems are subject to regular data backups, software updates, and access audits. We maintain secure networks with antivirus protection, firewalls, and encryption to prevent unauthorised access or data loss. Mobile and remote access is restricted and controlled through secure login procedures and devices.

4.5 Records Audit and Monitoring
Recordkeeping practices are subject to quarterly internal audits by the Deputy Manager {{org_field_deputy_manager_first_name}} {{org_field_deputy_manager_last_name}} or delegated officers. Audits examine the quality, accuracy, security, and timeliness of records. Any anomalies or risks are documented and followed up with action plans, staff support or further training. These audits form part of our continuous improvement and quality assurance framework.

4.6 Staff Roles, Responsibilities and Training
Every staff member who creates or handles records is responsible for ensuring they do so in line with this policy. Training on record management is included in induction and refreshed annually. This includes training on documentation standards, data protection, and secure disposal. The Registered Manager {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}} is responsible for ensuring compliance with this policy, while the Data Protection Officer {{org_field_data_protection_officer_first_name}} {{org_field_data_protection_officer_last_name}} oversees regulatory compliance and investigates any breaches.

4.7 Incident Reporting and Data Breaches
Any breach of records security, such as loss of data, unauthorised access, or suspected tampering, must be reported immediately to the Data Protection Officer at {{org_field_data_protection_officer_email}}. A data breach risk assessment will be conducted, and where required, the Information Commissioner’s Office (ICO) and affected individuals will be notified within 72 hours. All such incidents will be investigated fully, and actions taken to prevent recurrence.

4.8 Record Sharing and Inter-agency Collaboration
Records may be shared with authorised external agencies (e.g. GPs, district nurses, safeguarding teams) only where there is a lawful basis under data protection law and with appropriate consent or in the individual’s best interest. All such information sharing must be documented and limited to the minimum necessary data. Staff must follow our CH13 – Safeguarding Policy where sharing information is required to protect someone from harm.

5. Policy Review

This policy will be reviewed annually or sooner if there are changes in legislation, CQC expectations, or best practice guidance from NHS England or the Information Commissioner’s Office. The most recent version is available via {{org_field_website}} or from {{org_field_email}} upon request.


Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.
