Record management policy

Introduction:  

It is essential that Space 2B You obtain, records, and maintain information to ensure the efficient management of services and to provide the highest standard for our clients, stakeholders, commissioners and public. Therefore, it is vital that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures provide a robust governance framework for information management.  

Space 2B You are committed to complying with legal and statutory requirements to ensure all records are obtained, recorded, maintained, and disposed of correctly following best practice. Therefore, all clinicians and staff members are expected to ensure they have read, understood, and implement this policy in all aspects of their work.   

The benchmark for the retention of our records is 7 years. 

Space 2B You will ensure records no longer required are disposed of as early as possible in an authorised and systematic manner. 

Purpose: 

It is a requirement of the General Data Protection Regulation (GDPR) and Data Protection Act (2018) that information must only be retained for as long as necessary. Keeping information for longer than required is breach of the rights of the Data Subjects that the information relates to. 

This Policy sets out requirements and responsibilities for managing the retention and disposal of records and information. 

All Space 2B You staff and contractors regardless of role have responsibility for storing information only for as long as necessary and ensuring it is destroyed confidentially without unauthorised persons accessing it. This is important to protect data subjects’ rights and maintain legal compliance. 

All information must be retained (stored on the online practice management software Power Diary) safely so that it cannot be lost, stolen, or accessed by unauthorised persons. It is essential that authorised persons can monitor and recover current and archived information safely. When disposing of data and information, processes must be in place to ensure confidentiality is maintained. Any records of items destroyed must be kept in a manner that does not detail any personal information. 

This policy provides staff and contractor guidance regarding: 

  • Record keeping procedure from creation to disposal. 

  • Transparency procedures 

  • Retention & disposal procedures 

  • Information handling procedures –including safely and legally sharing information externally. 

  • Procedures for individuals making requests for their data. 

  • Subject access request procedures 

  • Right to erasure (‘Right to be forgotten’) procedures. 

  • Right to restrict processing procedures 

  • Right to object procedures 

  • When there is a withdrawal of consent to share. 

Scope: 

This policy applies to all service users and Space 2B You staff and contractors regardless of role and level of responsibility. Therefore, each staff member should have a clear understanding of this policy and are expected to follow the guidance to prevent situations from arising that may impact the integrity of Space 2B You.  

Record keeping procedures: 

This procedure outlines the creation and use of records.  

  • When a record is created Space 2B You will use standardised structures and layouts for the contents of records. 

  • All records are kept in accessible but protected locations. The location of these records is documented in the Information Asset Register (IAR). The security procedures around access to records are detailed in the Data Security Policy. 

The records we retain:  

  • Documents the continuum of service provided to our clients and is viewable in chronological order. 

  • Provides a clear care plan when interventions are being delivered by several members of the team. Furthermore, ensures records are maintained and updated, and shared only with staff and contractors who are legally authorised to review this information.  

  • Provide staff with guidance and training on the creation and use of records and their legal responsibilities to share and safeguard personal confidential information. 

  • Monitors access to the record (auditing and monitoring process, are detailed in Data Security Policy). 

  • At any point in the record's lifespan, the data subject has the right to request access to their data.  

  • At any point in the record's lifespan, the data subject has the right to request their record be corrected. 

  • At any point in the lifespan of the record, the data subject has the right to request the erasure (‘Right to be forgotten’) of their record. 

  • Space 2B You will only retain records while they are necessary for the purposes they were originally collected.  

  • Space 2B You will audit record-keeping procedures annually to ensure they are fit for purpose, are GDPR compliant and continue to maintain records to the highest standards.  

Transparency procedures: 

  • Space 2B You’s privacy statement outlines why we retain an individual’s or family’s data, the lawful basis for doing so, and their rights in terms of how we process their data. 

  • Our privacy statement is freely available to all individuals whose data we process, GDPR compliant, and is part of our commitment to transparency and accountability.  

  • This privacy statement is available on our website. The privacy statement is discussed at the point of referral and first appointment.  

  • All clients, or their legal representative, if necessary, will be informed of their rights regarding their personal data when they sign initial agreements. 

  • The privacy statement will be reviewed and updated at least annually. 

  • The privacy notice has been signed off by the Operations Manager.   

  • If we receive an individual’s personal data from a source other than that individual, we will provide them with privacy information without undue delay and at least within one month.   

Retention schedule & disposal procedures: 

  • At the end of the records lifespan, it will go through an appraisal process which will determine if there is a continuing legal basis for keeping the record.  

  • We will adhere to the retention timelines determined by the Health and Care Information Governance Alliance (IGA) in the Records Management Code of Practice for Health and Social Care 2023     

  • The Information Governance Lead following GDPR compliance will have final responsibility for determining whether the record will be destroyed or retained. Space 2B you will maintain a record of all retention or disposal decisions. 

 Information handling procedures: 

  • Ensures personal information is protected and not disclosed inappropriately, by either accident or design, whilst in use or when it is being transferred. 

  • In line with legislation, personal information must not processed without a lawful basis being identified. The Record of Processing Activities (ROPA) records all processing of personal data and identifies the legal basis.  

  • These procedures cover all records, which contain data or information, which can be said to contain personal data whether stored in hardcopy or digitally. 

Secure Points for the Receipt of personal information: 

Space 2B You ensure secure points for the receipt of personal information transferred to us and we have applied the following measures to safeguard personal information during receipt and transfer/transit:  

Verbal communications: 

Staff and contractor understand that they must take appropriate precautions not to reveal confidential information. Staff are aware that a breach of this procedure may be a disciplinary or legal offense. 

Postal services and couriers: 

We will ensure that all confidential information we transfer by post or courier is done as securely as is practicable. All records transferred in this manner are addressed to a named individual and marked “Private and Confidential” and will be done through signed-for delivery so that it is guaranteed that the correct person receives the record. 

Portable devices:  

We recognise that information held on portable devices is at increased risk. Portable devices include memory sticks, mobile phones etc. All portable devices have been documented on the IAR, and all relevant staff have received guidelines on safe usage and have signed a Portable Device Assignment Form. Due to the increased risk of viruses and the risk of losing data, the following procedures are followed:  

  • Portable devices must be encrypted; When the data is no longer required the information should be deleted from the encrypted devices.  

  • All Smart phones need to be in line with our BOYD policy and have installed Microsoft MDM  

  • Portable devices such as memory sticks, CDs, etc. must not be used on personal computers 

  • Password protected screensavers are installed on laptops 

  • Anti-virus software is in use and is regularly updated. This patching schedule is detailed in the Network Security Policy 

  • Regular backups are taken of the data stored on portable devices  

  • All portable devices are protected by either a PIN or password (dependent on the type of device). 

Email: 

We undertake that personal identifiable information can only be sent by secure email. Both the recipient and sender must have access to secure email. 

Procedures for individual’s making requests about their data (GDPR individual data rights): 

GDPR provides all individuals within the EU specific rights when it comes to their personal data. 

  • To exercise these rights an individual should contact any staff member or contractor and make a request either verbally or in writing. 

  • In the instance that the request is made to a member of staff who is not the Data Security and Protection Lead, that staff member will inform the Data Security and Protection Lead as soon as possible, the timeline for responding to requests begins from when the first staff member is contacted.   

  • Space 2B You will respond to a request immediately and in a timeframe not exceeding one month from when the request was made. 

  • Should the request be complex the timeframe may be extended to two months. Space 2B You we will inform the individual in writing of the extension and the reasons within one month. 

  • If Space 2B you are unable to comply with a request, we will inform the individual why we are unable to taking action, inform them about their right to complain to the ICO, and tell them that they have the right to seek a legal advice. 

  • When processing any request, we will use reasonable means to verify the identity of the individual making the request so that no data is shared inappropriately. 

  • The Data Security and Protection Lead will maintain a log of all requests and their outcomes.   A register of all requests and their outcomes is kept by admin lead. 

  • All staff will be informed of these procedures in the staff handbook. 

Subject access request procedures: 

  • All individuals have the right to access their personal data which Space 2B You process and store. 

  • Confidential records of the deceased have the rights afforded to them by the Duty of Confidentiality and the Access to Health Records Act 1990. Should any person wish to request access for any records of the deceased they should contact the Data Security and Protection Officer 

  • Space 2B You will provide a copy of any information which it is lawful to provide free of charge.  

  • Space 2B You will provide copies of the information requested either in hard copy or digital. 

 Right to erasure procedures: 

 All individuals have the right to request the erasure of their data, which we control, or process.  

 Individuals can request their data to be erased in the following instances:  

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed. 

  • When they withdraw consent. 

  • When they object to the processing and there is no overriding legitimate interest for continuing the processing. 

  • The personal data was unlawfully processed. 

  • The personal data must be erased in order to comply with a legal obligation. 

  • The personal data is processed in relation to the offer of information society services to a child. 

 We will not be able to honor any requests to have personal data erased when the data is being processed for the following reasons: 

  • to assess the working capacity of an employee. 

  • to provide health, social care, treatment or the management of health or social care systems and services. 

  • to exercise the right of freedom of expression and information. 

  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority. 

  • for public health purposes in the public interest 

  • archiving purposes in the public interest, scientific research historical research or statistical purposes. 

  • The exercise or defense of legal claims.  

  • Where at all possible, in the instance that we have appropriately shared an individual’s records with any third party we will inform this third party of the erasure if appropriate. 

  • We will erase records in line with the disposal procedures set out above. 

 Right to restrict processing procedures: 

 All individuals have the right to request that Space 2B You restrict the processing of their data in the following circumstances: 

  • while we are verifying the accuracy of any data we keep when an individual has made a request for the rectification of their personal data. 

  • in the instance that their personal data has been processed unlawfully and the individual requests that their data is not erased. 

  • When we do not need to keep the personal data, but the individual has requested that we keep it in order to establish, exercise or defend a legal claim. 

  • If an individual objects to us processing their personal data, we will restrict all processing while we investigate the request. 

  • When we restrict processing, we will store the individual’s personal data but will not process their data in any other way.  

 Right to object procedures: 

  •  All people have the right to object to Space 2B You are processing their data in the certain circumstances. 

  • They have an absolute right to object to us using their personal data for any direct marketing. We will retain only enough data for us to record that they do not want to receive direct marketing so that their request can be respected. 

  • Individuals can object to us processing their data if we are doing it under Public Task or Legitimate Interests grounds. The individual should provide specific reasons. 

  • We cannot comply with the objection if we have compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual or if the processing is for the establishment, exercise or defense of legal claims. 

  • In the instance that we cannot comply, we will clearly document our decision, inform the individual, inform them of their right to go to the ICO, or to seek legal advice/ 

  Withdrawal of consent procedures: 

  •  All people have the right to withdraw their consent to have their personal information shared at any time. 

  • We guarantee that it will be as easy to withdraw consent as it is to give consent.    

  • If an individual withdraws their consent to share information we will discuss in full. 

  • In certain instances, we may not be able to honor any withdrawal of consent. This will be discussed in detail and will only occur if we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual. 

  • When consent is not given or withdrawn, the Data Security and Protection Officer will keep a log, and a note will be made on the individual’s records.  

 Responsibilities 

  • The Data Security and Protection Officer is responsible for maintaining records around Subject Access, Rectification, Erasure and Withdrawal of Consent requests. 

  • The Data Protection Officer is also responsible for maintaining staff training on record keeping and auditing staff knowledge annually. 

  • The Data Protection Officer will report to Directors any Subject Access Requests and ensure SAR register is updated by admin. 

  • The Data Protection Officer will monitor compliance with the Record Keeping Policy and has responsibility for reviewing the policy at least annually. 

Disciplinary Actions 

Breach of this Code of Conduct may result in disciplinary action.  

Contact Details 

If staff or contractors have any concerns, they must inform Space 2B You directors Marie-Anne McKee and Alison Joyce. 

Telephone: 

020 3048 3331 (ext. 301) 

Email: 

barbara.johnston@space2byou.co.uk 

alison.joyce@space2byou.co.uk 

marie-anne.mckee@space2byou.co.uk