- Good Management, Good Records (issued in December 2004)
- Circular HSS (PCCD) 1/2000 – Preservation, Retention and Destruction of GP Medical Records
- Circular HSS(F) 14/03 - Preservation and Destruction of Financial and Associated Records
In establishing this guidance the Department has taken account of current practice followed by a wide range of organisations in both the public and private sectors, recommendations emanating from reviews, guidance from professional organisations and bodies, and importantly what the law requires.
It is important that the guidelines within GMGR are factored into contractual negotiations with the independent contractor sector providing services to the HSC.
The aims of GMGR are to:
- establish a framework for records management in relation to the creation, use, storage, management and disposal (destruction or archiving) of all types of DoH, HSC and Public Safety records
- clarify the legal obligations in relation to records management and information access
- explain the actions required by Chief Executives and other managers to fulfil these obligations
- explain the requirement to select records for permanent preservation as directed by PRONI
- set out recommended minimum periods for retention of all types of DHoH, HSC and Public Safety records, regardless of the media on which they are held
- provide an important reference for provider bodies and organisations in delivering HSC services thereby providing a framework for records for both providers and users of the service
- indicate where further information on records management may be found
The Ministry of Justice assumed responsibility for the Department for Constitutional Affairs (formerly the Lord Chancellor’s Office) on 09/05/2007.
All DoH, HSC and Public Safety records are public records under the terms of the Public Records Act (Northern Ireland) 1923 (PRA 1923).
The PRA 1923 established PRONI as the place of deposit for public records, created the roles of Keeper and Deputy Keeper of the records as well as defining NI public records.
The PRA 1923 sets out the broad responsibilities for everyone who works with such records. Organisations have a statutory duty to make arrangements for the safe keeping and eventual disposal of their records.
PRONI can assist and provide advice on how to manage all types of records.
The PRA 1923 made PRONI responsible for the records of any Court, Government Department, Authority or Office in Northern Ireland over which the Parliament of Northern Ireland (NI) has the power to legislate.
It is therefore a statutory requirement for the HSC and Public Safety to implement records management as set out in the PRA 1923 and in the Disposal of Documents (NI) Order (1925).
PRONI has an overarching responsibility within the public sector in NI to ensure that records are managed in accordance with agreed policies and procedures.
- PRONI is concerned with identifying any deficiencies in the way records are organised and maintained and in records management procedures as a whole
PRONI must be involved in:
- updating and quality assurance of all Disposal Schedules
- the sampling of Particular Instance Papers (case files)
- ensuring the proper use of microfilm and other non-paper based storage media e.g. records held electronically
The assessment of records for historical/research purposes
The storage of records identified for permanent preservation and which are no longer required by Organisations for administrative/business purposes
The Permanent Secretary, Departmental Information Manager, Chief Executives and senior managers are personally accountable for records management within their Organisation and have a duty to make arrangements for the safe keeping and eventual disposal of those records under the overall supervision of the Deputy Keeper of Public Records at PRONI.
Organisations are also required to take positive ownership of, and responsibility for, the records legacy of predecessor organisations and/or obsolete services.
Robust records management procedures are required to meet the requirements set out under the Data Protection Act 2018 (DPA 1998), the Freedom of Information Act 2000 (FOI Act 2000) and the Environmental Information Regulations 2004 (EIR 2004).
Records are a valuable resource because of the information they contain.
High-quality information underpins the delivery of high-quality evidence-based health and social care, and many other key service deliverables. Information has most value when it is accurate, up to date and accessible when it is needed.
An effective records management system ensures that information is properly managed and is available whenever and wherever there is a justified need for that information to:
- support patient / client care and continuity of care
- support service provision
- support day-to-day business which underpins the delivery of care
- support evidence-based clinical practice
- support sound administrative and managerial decision making, as part of the knowledge base for DoH, HSC and Public Safety services
- meet legal requirements, including requests from the public under subject access provisions of the DPA 1998, FOI Act 2000 or EIR 2004
- assist clinical/professional and other types of audits
- support improvements in clinical/professional and service effectiveness through research and also to support archival functions by taking account of the historical importance of material and the needs of future research
- support choice and control of patients and clients over treatment and services
The increasing shift towards electronic records will transform the way health and social care information is managed. In the mixed economy of paper and electronic records it is essential that they are managed consistently to ensure that a complete record is available at the point of need.
GMGR identifies the specific actions, managerial responsibilities and minimum retention periods for the effective management of all types of DHSSPS, HSC (i.e. both corporate and individual health and social care records) and public safety records, regardless of whether they are paper or electronic, from creation to disposal.
Monitoring records management performance
A number of bodies have oversight of DoH, HSC and Public Safety performance in respect of records management.
The Regulation and Quality Improvement Authority monitors a core governance standard relating to broad records management as part of its annual assessment of performance.
The Audit Commission regularly conducts studies into records management and related data quality issues.
The DoH collects performance details as part of the annual Controls Assurance Standards.
Other bodies likely to comment on records management performance include the Northern Ireland Public Services Ombudsman when investigating a complaint, and the Information Commissioner when investigating alleged breaches of the DPA 1998 or the FOI Act 2000 or in promoting the Lord Chancellor’s Code of Practice on Records Management under section 46 of the FOI Act 2000 and PRONI.
Legal and professional obligations
All individuals who work for an Organisation are responsible for any records which they create or use in the performance of their duties.
Such records are public records and may be subject to both legal and professional requirements.
A key statutory requirement for compliance with records management in relation to records containing personal data lie within the principles of the DPA 1998.
The DPA 1998 regulates the processing of all personal data, held both manually and on computer.
Personal data is defined as data relating to a living individual that enables him/her to be identified either from that data alone or from that data in conjunction with other information in the data controller’s possession.
It therefore includes such items of information as an individual’s name, address, age, race, religion, gender and physical, mental or sexual health.
A Data Controller is defined as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or to be processed”.
Any organisation which acts as a data controller has responsibility in law for compliance with the DPA.
Data Controllers should be aware of the statutory requirements imposed upon them when engaging a data processor to process data on their behalf.
At all times the responsibility for personal data remains with the data controller and any contract between a data controller and data processor should reflect this.
In particular, it will be the responsibility of the data controller to ensure any data retention periods are clearly communicated to the data processor.
Data Access Agreements should be drawn up between the Data Controller and the Data Processor, which will assist the data controller in setting out the guidelines for retention and disposal of the information.
This will help the Data Controller to ensure retention and disposal actions are taken by the data processor.
Processing includes everything done with that information, i.e., obtaining, recording, holding using, disclosing and sharing it.
Using includes disposal, i.e. closure of the record, transfer to an archive or destruction of the record.
Section 7 of the Data Protection Act 1998 gives individuals the right to request a copy of their personal data via a Subject Access Request.
The Data Protection Act 1998 states that data subjects have the right to have access to any personal data that is held on them.
As the data subjects in this instance will include vulnerable individuals and people with mental health disabilities, greater consideration needs to be given to ensuring that subject access provisions are effective and accessible.
This can be achieved by ensuring that data subjects have access to all of the information and assistance that they may require in order to exercise their rights of access, and that all information provided is clear and understandable to its intended audience.
A system of flagging records which may contain information that could be exempted from release under a subject access request should be considered.
Other legislation relating to personal and corporate information and the records management function generally can be found in Annex C.
Additionally, health and social care professionals have a duty to comply with the Common Law Duty of Confidentiality and meet records management standards relating to patient and client care records set by their regulatory bodies.
The complexity of the delivery of health and social care and the increasing emphasis on team working and multidisciplinary management requires easy and appropriate access to patient/client information.
The confidentiality of information about patients/clients is protected by law and professional values and practice.
The Data Protection Act allows for the lawful sharing of patient/client identifiable information.
The law and related professional guidelines make clear that informed consent is of paramount importance.
The implementation of the law has to take account of the complexities of modern health care and research and the conflicts that arise over access to information about patients/clients.
Organisations must ensure that DPA ‘fair processing’ obligations are met in relation to any request for consent.
This means that each organisation must provide patients/clients with sufficient information to make them aware of:
- the uses and disclosures of their information associated with their care
- the identity of who will be holding their information (the data controller and any representatives)
- the choices they have (except where collection and disclosure is mandatory)
- the implications of choosing to limit how their information may be used or shared
Should a patient choose to refuse or limit the use of his / her information, the implications of such limitation or refusal must be clearly explained and the discussion clearly recorded in his / her record.
If information sharing is to operate by consent then there will also be issues surrounding an individual’s capacity for providing that consent, particularly if the individual is an older person or has any form of degenerative mental illness or disability.
With regard to the security of personal and sensitive personal data, the seventh data protection principle requires that:
(a) ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
The Act further states that 'Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.'
Organisations should be aware of the potential risk to personal data that they hold and ensure that:
- measures taken are appropriate in proportion to the detriment that could be caused to the data subjects and the nature of the information involved if their personal data were to be compromised
- all staff and particularly those who have responsibility for the management and retention of information are trained on all relevant aspects of Data Protection to ensure that their information management is well targeted and effective.
This will help with the early identification and classification of personal data for retention or destruction.