What is a record?
A record is information that has been received, created or maintained by an individual or an organisation as evidence of a business activity, patient/client care, treatment given, treatment planned and can be in any format – paper, electronic, digital and/or voice.
In the context of GMGR a record is anything which contains information (in any media) which has been created or gathered as a result of any aspect of the work of employees or those providing a service– including consultants, General Practitioners, Dentists , Opticians, Pharmacists, agency, or casual staff and all contracted services.
DoH, HSC and Public Safety records are public records as defined in the PRA 1923.
Why do you need to keep records?
Records enable Organisations to:
- conduct business in an orderly, efficient and accountable manner
- deliver care and services in a consistent and equitable manner
- support and document policy formation and managerial decision-making
- provide consistency, continuity and productivity in management and administration
- facilitate the effective performance of activities throughout the DoH, HSC and Public Safety
- provide continuity in the provision of services, care, or treatment
- provide continuity in the event of a disaster
- meet legislative and regulatory requirements including archival, audit and oversight activities
- provide protection and support in litigation including the management of risks associated with the existence of or lack of evidence of DoH, HSC and public safety activity
- protect the interests of the DoH, HSC, Public Safety and the rights of employees, patients, clients, and present and future stakeholders
- support and document current and future research, and document activities, developments and achievements, as well as historical research
- establish and provide evidence of business, personal and cultural identity
maintain the corporate, personal or collective memory
What is Records Management?
Records management is:
- the systematic and consistent control of all records, regardless of the media on which they are held, throughout their lifecycle - it includes setting up the infrastructure or system into which the records are created, received or added as well as the process of record creation itself
- organising the records so that related records are grouped together, usually according to a file plan or classification scheme (managing groups of related records is more efficient than managing many individual records)
- the retention and disposal actions such as destruction or transfer to PRONI at the appropriate time and procedures for documenting those actions
Organisations must know what records they have in order to manage them. Control of the records depends on a range of carefully developed procedures applied to them before their creation through to their disposal.
There are five vital elements of records management:
- meeting business and patient/client needs
- public records legislation
- managing records as a valuable and expensive asset
- accountability for practice and service provision
- accountability and quality of information and services
Management and organisational responsibility
Organisations should have in place organisational arrangements that support records management.
The records management function should be recognised as a specific corporate responsibility within every Organisation.
It should provide a managerial focus for records of all types in all formats, including electronic records, throughout their life cycle, from planning and creation through to disposal.
It should have clearly defined responsibilities and objectives, and adequate resources to achieve them and should include records managed on behalf of the authority by an external body such as a contractor.
Records and information management should be included in the corporate risk management framework.
Information and records are a corporate asset, the loss of which could cause disruption to the business of the Organisation.
The level of risk will vary according to the strategic and operational value of the asset to the Organisation and risk management should reflect the probable extent of disruption and resulting damage.
Organisations should have a governance framework that includes defined roles and lines of responsibility.
This should include allocation of lead responsibility for the records and information management function to a designated member of staff at sufficiently senior level to act as a records management champion, for example a board member, and allocation of operational responsibility to a member of staff with the necessary knowledge and skills.
In smaller organisations it may be more practicable to combine these roles.
Ideally the same people will be responsible also for compliance with other information legislation, for example the Data Protection Act 2018 and the Re-use of Public Sector Information Regulations 2005, or will work closely with those people.
These roles should be formally acknowledged and made widely known throughout the Organisation.
The organisation should have in place clear instructions covering the creation, maintenance and management of records which apply to staff at all levels of the Organisation.
In larger organisations the responsibilities of managers, and in particular heads of business units, could be differentiated from the responsibilities of other staff by making it clear that managers are responsible for ensuring that adequate records are kept of the activities for which they are accountable.
Organisations should identify information and business systems that hold records and provide the resources needed to maintain and protect the integrity of those systems and the information they contain.
Organisations must consider records management issues when planning or implementing ICT systems, when extending staff access to new technologies and during re-structuring or major changes to the Organisation.
All staff must be appropriately trained so that they can carry out their designated duties and responsibilities.
Induction and other training should ensure that all staff are aware of the authority’s records management policies, standards, procedures and guidelines and understand their personal responsibilities.
This should be extended to temporary staff, contractors and consultants who are undertaking work that it has been decided should be documented in the authority’s records.
This should include training for staff in the use of electronic records systems. Training should be provided through both generic and specific training programmes, complemented by organisational policies and procedures and guidance.
If the organisation is large enough to employ staff whose work is primarily about records and information management, they should be given opportunities for professional development.
Senior Information Risk Owner (SIRO)
The Senior Information Risk Owner (SIRO) is an Executive Director or Senior Management Board Member who will take overall ownership of the Organisation’s Information Risk Policy, act as champion for information risk on the Board and provide written advice to the Accounting Officer on the content of the Organisation’s Statement of Internal Control in regard to information risk.
The SIRO must understand how the strategic business goals of the Organisation and how other organisations’ business goals may be impacted by information risks, and how those risks may be managed.
The SIRO implements and leads the Information Governance (IG) risk assessment and management processes within the Organisation and advises the Board on the effectiveness of information risk management across the Organisation.
Information Asset Owner (IAO)
Information Asset Owners (IAO) are senior individuals involved in running the relevant business.
Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why.
As a result they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good, and provide written input to the SIRO on the security and use of their asset.
Organisations need to be able to demonstrate progress in:
- enabling staff to conform to the records management standards
- identifying resource requirements
- areas where organisational or systems changes are required
Information Governance Performance Assessment and management arrangements facilitate and drive forward the necessary changes.
Those responsible for monitoring HSC performance play a key role in ensuring that effective systems are in place.
The PRA 1923 makes all employees responsible for any records that they create or use in the course of their duties.
Staff are responsible for maintaining their records in accordance with their Organisation’s Records Management Policy.
- following the procedures endorsed by senior management
- only destroying records in accordance with the Organisation’s Disposal Schedule and procedures
Records management policy
Each Organisation should have in place a Records Management Policy defining how it manages all of its records, including electronic records.
The policy should be endorsed by the Organisation’s Board and made available to all staff at all levels of the Organisation, both on induction and at regular training.
The policy should provide a mandate for the performance of all records and information management functions.
In particular, it should set out an Organisation’s commitment to create, maintain and manage records and document its principal activities in this respect.
The policy should also:
- outline the role of records management within the organisation, and its relationship to the Organisation’s overall strategy
- define roles and responsibilities within the organisation, including the responsibility of individuals to document their actions and decisions in the Organisation’s records, and to dispose of records appropriately when they are no longer required
- provide a framework for supporting standards, procedures and guidelines
- indicate the way in which compliance with the policy and its supporting standards, procedures and guidelines will be monitored and maintained
The policy should be reviewed at least once every two years and if appropriate amended to maintain its currency and relevance.
Information quality assurance
It is important that all Organisations train staff appropriately and provide regular update training.
In the context of records management and information quality, Organisations need to ensure that their staff are fully trained in record creation, use and maintenance, including having an understanding of:
- what they are recording and how it should be recorded
- why they are recording it
- the need to differentiate fact from opinion and how to represent information supporting the opinion
- how to validate information with the patient, client or carers or against other records – to ensure that staff are recording the correct data
- how to identify and correct errors – so that staff know how to correct errors and how to report errors if they find them
- the use of information – so staff understand what the records are used for (and why timeliness, accuracy and completeness of recording is so important)
- how to update information and add information from other sources