Information Management Policy
1 Introduction
1.1 This policy is intended to ensure that information is managed in such a way as to comply with information legislation, meet the ongoing needs of the Independent Maternity Review, and deliver a well-ordered and comprehensive record at the end of the review process. It is based on current legal requirements and professional best practice.
1.2 All staff members and all contractors working for Donna Ockenden Ltd as part of the Independent Maternity Review team must ensure they are familiar with the contents of this policy. This includes staff who are employed or under contract on a temporary or fixed-term basis, whether full or part-time. This policy must be strictly observed. Failure to do so could result in contract termination or disciplinary action.
1.3 This policy relates to all documents and records held by Donna Ockenden Ltd of whatever type and regardless of format, whether electronic or hard copy. This includes, for instance, formal and informal paper records and electronic images of those records, email, text messages, internet and social media postings, other electronic communications, telephone records, video, film and photographs.
1.4 It is important to differentiate between records and documents:
- Documents are the working tools of an organisation and are subject to change. They include, for instance, plans and objectives, task allocation, and everyday communications within an organisation. Generation and access to documents is controlled by the Chair of this review, Ms Donna Ockenden.
- Records provide evidence of events and actions, therefore they cannot and must not be changed. They are subject to legal requirements regarding their retention, access and destruction. Records of the working of an organisation, for instance of decisions made and actions taken, are created and retained to ensure that reliable evidence of actions and decisions is kept and remains available for reference and use when needed.
1.5 In the course of the Independent Maternity Review Donna Ockenden Ltd will be reviewing records of maternity services provided by the Shrewsbury and Telford Hospital Trust over many years. These records contain large volumes of sensitive personal data and must be treated as confidential. They must be handled in accordance with this policy. As outlined below, some of these records in paper form have been physically transferred to Donna Ockenden Ltd as an interim measure, pending the scanning of paper records to create electronic copy records for use during the Review.
1.6 Donna Ockenden Ltd will also create new records in the course of its conduct of the Review, which may include new information received from the families involved. These are also confidential and must be handled in accordance with this policy.
1.7 As part of the conduct of the Review, Donna Ockenden Ltd will establish a records retention schedule and a disposal of records policy which will set out the periods for which different types of record are to be retained following publication of the Review report and the arrangements for any transfer of records to the National Archive. All records must be securely preserved and retained during the conduct of the Review, up to and including publication of the Review Report.
2 Background
2.1 Donna Ockenden Ltd will take action as necessary to comply with legal and professional obligations concerning records and documents, and in particular the requirements of the:
- Public Records Act 1958
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- Records Management Code of Practice for Health and Social Care 2016
- NHS Information Governance: Guidance on Legal and Professional Obligations
- EU General Data Protection Regulation 2016
- Data Protection Act 2018
a. The Public Records Act 1958 contains provisions with respect to public records and the Public Record Office. It includes duties about selection and preservation of public records, places of deposit, access and destruction.
b. The Access to Health Records Act 1990 regulates access to the health records of a deceased person.
c. The Freedom of Information Act 2000 makes provision for the disclosure of information held by public authorities or by persons providing services for them. The Lord Chancellor’s Code of Practice on the management of records is issued under section 46 of this Act.
d. The Records Management Code of Practice for Health and Social Care 2016 was published by the Information Governance Alliance in July 2016. It is a best practice guide for the management of records for those who work within or under contract to NHS organisations in England. This guide is based on legal requirements and professional best practice.
e. NHS Information Governance: Guidance on Legal and Professional Obligations provides guidance on the range of legal and professional obligations that affect the management, use and disclosure of information.
f. The General Data Protection Regulation (2016) (“GDPR”) regulates the processing of personal data in all EU member states. It is implemented in the UK by the Data Protection Act 2018 which complements the GDPR. The two pieces of legislation must be read together.
g. The Data Protection Act 2018 (“DPA”) is an Act of Parliament which regulates the processing of personal data relating to living individuals, including the obtaining, holding, use or disclosure of such information. Access to the health records of living patients is governed by this Act.
2.2 Failure to comply with the GDPR or DPA could result in reputational damage to Donna Ockenden Ltd and its clients and carries financial penalties. Furthermore, individuals can be prosecuted for knowingly or recklessly disclosing, procuring or obtaining personal data.
3 Roles and Responsibilities
3.1 Donna Ockenden Ltd is accountable for the management of all information which it holds or creates.
3.2 Donna Ockenden Ltd has appointed a Data Protection Officer who has responsibility for informing and advising on data protection principles and monitoring compliance with this policy.
3.3 The Senior Management Team within Donna Ockenden Ltd are responsible for ensuring that documents and records created by or shared with Donna Ockenden Ltd are stored securely and that access to them is controlled.
3.4 Donna Ockenden Ltd is responsible for the application of this policy through its appointed HR adviser, Senior Management Team and Data Protection Officer, and for responding to any data subject access requests made under the Data Protection Act 2018.
4 Secure Records Storage
Where records contain person identifiable data or corporate sensitive information it is a legal requirement that such data is stored securely. For the Independent Maternity Review, Donna Ockenden Ltd has adopted three approaches:
- Use of a secure web-based server provided for Donna Ockenden Ltd by Venom IT for records created in the course of the Review.
- Use of the Electronic Document Records Management System (EDRMS) platform, provided by Shrewsbury and Telford NHS Trust and NHSE/I, for medical records relevant to the Independent Maternity Review.
- Securely locked storage at the offices of Donna Ockenden Ltd for paper records provided by Shrewsbury and Telford NHS Trust.
Access to these facilities is controlled by specified procedures.
5 Record Access and Maintenance: paper records
5.1 Paper file storage is secured from unauthorised access and the offices meet all necessary fire regulations.
5.2 The movement, use and location of paper records within the offices of Donna Ockenden Limited are controlled and tracked to ensure that a record can be easily retrieved at any time.
5.3 All reviewers must complete the signing in/out log when they remove medical records from their folders held within the locked cupboards. Reviewers should only remove and work on one record at a time.
5.4 Reviewers are responsible for ensuring that medical records and associated documents are stored in the appropriate file, that files are kept in numerical order in the appropriate cupboard, and that the cupboard is kept locked at all times with the key locked within the code-accessed key safe. The cupboard should be unlocked for no longer than is necessary to remove or replace files.
5.5 Donna Ockenden Ltd provides all staff with specific hard back notebooks in order to capture notes. These notebooks must only be used for the purposes of the maternity review and they remain the property of Donna Ockenden Ltd at all times. They are securely stored when not in use. Team members are responsible for ensuring that the information in the notebooks remains confidential.
6 Record Access and Maintenance: EDRMS Platform
6.1 Donna Ockenden Ltd will comply with all requirements regarding access to and management of digitised records via the EDRMS platform once the Data Protection Agreement between NHSE/I and Donna Ockenden Ltd is in place, with the authority granted to enable full access to the system by members of the Independent Maternity Review team.
6.2 Separate instructions will be issued to all those with permission to access the EDRMS to enable secure access. It is a mandatory requirement that relevant staff follow these instructions.
6.3 Donna Ockenden Ltd will ensure that the provided training in system usage is fully utilised by the review team to enable full compliance with information management on the EDRMS platform.
7 Record Access and Maintenance: Venom IT Platform
Donna Ockenden Ltd stores governance documentation on the secure Venom IT server. Venom IT has in place a series of UK compliant security measures and has also completed and passed the NHS Data Security Toolkit self-assessment.
7.1 The server stores governance documents received directly from families as well as records of email conversations and meetings with families. These are stored within individual family-named folders which the Review Team access to assist with their clinical review.
7.2 The server holds governance records received from the Trust which the Review team access. These include but are not limited to records of complaints, investigation outcomes, MDT meetings and records of meetings with families. These are accessed by members of the Review Team.
7.3 The Review team compile their individual case reports which are stored within the individual family named folder.
7.4 Once the Review is concluded, the family will be advised of the retention and destruction arrangements in accordance with the agreements for this.
Once the Review is concluded, all governance records will be retained, archived or destroyed in accordance with the agreements in place for this.
8 Record Access and Maintenance: General
There is an Information Sharing Agreement in place between the Trust and Donna Ockenden Ltd.
Team members will not use home, work or non ‘Donna Ockenden’ email accounts or personal computers or removable media to hold or store any sensitive records or information which relate to the independent Maternity review at any time during or after the review.
8.1 The printer is located in a secure area within the office at Chichester. When printing any paper records or documents, appropriate measures are taken to ensure all documents are collected immediately after printing.
8.2 On induction, all staff are reminded that they should never leave their computer screen open when unattended.
8.3 Donna Ockenden Ltd operates a strict ‘clear desk policy’ for all team members when working in the Chichester Office. Where documents are printed that are then not required for future use – for example, individual copies of team minutes – Donna Ockenden Ltd utilises a secure and witnessed ‘on site’ shredding system that is explained to all team members on induction. Documents for shredding are stored in a locked cupboard prior to shredding occurring. A certificate of shredding is provided by the shredding provider.
8.4 No disclosure of any records held by Donna Ockenden Ltd will be made without the express authority in writing of Ms Donna Ockenden, Chair of the Review.
9 Record Naming and Good Practice
9.1 Record naming is an important process in records management and it is essential that a unified approach is undertaken within all areas to aid in the management of records.
9.2 Donna Ockenden Ltd has established a naming framework which applies to all non-personnel records and documents. On commencement with the team, staff are shown how to navigate their way through the various files and folders in order to gain an understanding of the naming process.
9.3 In particular, team members should refrain from naming folders or files with their own name unless the folder or file contains records that are biographical in nature about that individual, for example, personnel records.
10 Data Protection
In combination, this policy and the Privacy Policy are intended to ensure compliance with the GDPR and DPA.
10.1 All staff are advised of GDPR and DPA requirements and their obligation to abide by them, and by this policy and the Privacy Policy, when completing induction to the review team.
10.2 A Data Protection Impact Assessment has been completed between the Trust and NHSE/I and a Data Protection Agreement has been completed between Donna Ockenden Ltd and NHSE/I.
10.3 Venom IT provides secure back up for Donna Ockenden Ltd, and cCube hosts and provides secure back up for the EDRMS platform.
11 Transfer of Records
When transferring data, robust security measures and precautions are in place between the Trust and Donna Ockenden Ltd. An Information Sharing Agreement is in place between the Trust and Donna Ockenden Ltd which details the process for data transfer and who is responsible for transferring and receiving the data.
11.1 The current arrangement for transfer of information between the Trust and Donna Ockenden Ltd is via an email address. This arrangement will cease once the EDRMS system is in place as the Trust will transfer all relevant medical records which are required by Donna Ockenden Ltd onto the EDRMS platform.
11.2 Any governance records requested from the Trust by Donna Ockenden Ltd will be transferred via email using the Trust NHS email address and the Donna Ockenden email address maternity admin.
11.3 In the early months of the review when there was no alternative, some data was transferred from the Trust to Donna Ockenden Ltd via a corporate encrypted memory stick. The information on the memory stick was deleted once it had been transferred to a folder on the Venom IT platform. Records are held at Donna Ockenden Ltd recording the existence of the memory stick with historical information relating to its use and movements.
12 Missing and Lost Records (Paper)
12.1 A ‘missing record’ is when a record or document cannot be found, or is not available when required, with there being a clear record that it has been received from the Trust in the first instance.
12.2 In the event of a missing record, the Clinical Review Managers must be informed immediately and a thorough, extensive search must be undertaken. This will include initiating a physical search in addition to reviewing the tracking history of the record and, if the missing items are medical records, checking the sign in/out sheets, with the relevant review team members being contacted as a matter of urgency.
12.3 If after one working day, the record has not been found, the missing record must be reported to the Chair and an immediate investigation must commence. If the record is a medical record, the Trust must be informed.
12.4 If after two working days it becomes clear that the medical record is not on the premises, the Data Protection Officer must liaise with the Information Commissioner’s Office (ICO) to inform them of the missing record and to seek advice. The Trust must be kept fully informed at all times.
13 Records Held and/or Transferred for Archiving Purposes
13.1 As per the Donna Ockenden Limited Privacy Policy, the Inquiry will securely store information provided to it, including personal information, and will generally retain it for the duration of the Inquiry depending on the purpose of gathering and using that personal information. At the end of the Inquiry and as required by law, the Inquiry record, which may include personal and sensitive personal information, will be transferred to the National Archives where information will be handled according to the safeguards in data protection legislation for archiving in the public interest.
14 Record Disposal
14.1 Donna Ockenden Ltd will comply with the Records Disposal Agreement once the policy is in place.
15 Distribution, implementation and review
15.1 Once ratified, this policy will be circulated amongst the Review team and will be made available to new members of staff during their induction and to all contractors.
15.2 This document will be reviewed annually or sooner if required.
Date of next review: May 2021