Retention and disposal

Information Asset Owners and Information Asset Assistants play a critical role in ensuring NHS Digital’s information assets are managed and protected, through the application of both Data Protection Impact Assessments (DPIAs) and System Level Security Policies (SLSPs). Owners should ensure these are regularly reviewed and kept up to date throughout the year. View an outline of these roles.

Information Asset Owners and deputies shall decide:

  • what kind of records are held
  • what the retention period is (with reference to the retention schedule)
  • what to do with the records at the end of the retention period

Corporate records and documents are grouped into categories which are allocated a standard default retention period. A retention period does not automatically result in an action – rather, it is a trigger to review. When the retention period is reached, a decision shall be taken to perform one of the following actions:

  • securely destroy content, where there is no continuing administrative, legal, financial, business or historical / research importance
  • retain, because it is still needed within the organisation (and assign a new retention/review point), or
  • transfer records of historic value to an appropriate archive (normally The National Archives)

Destruction decisions shall be recorded to establish that records are not missing and as an audit trail to demonstrate compliance with the policy. See Retention and disposal form and destruction certificate.


Transfer to Archives under the Public Records Act

All records held by NHSD shall be treated as public records under the 1958 Public Records Act. These can be in any media, such as microfiche, images, and audio as well as conventional digital and paper records. Note, records selected for permanent preservation are a small subset of the total content held by NHS Digital.

Lines of Business will identify, appraise and offer records identified as having historic value in consultation with the Privacy, Transparency, Ethics and Legal (PTEL) Records Management (RM) function. Transfer to The National Archives will normally take place in the year following the record’s 20-year anniversary. Historic records can also be transferred earlier by agreement of all parties affected by the decision. Records retained beyond the 20-year (plus 1) point will require authority from the Advisory Council on Records and Archives, citing a relevant exemption under the Freedom of Information Act 2000.

Records considered as of potential historical value will be subject to a permanence review by the PTEL records management function at 15 years. At 20 years, a decision will be made to determine whether they should be offered to The National Archives or other approved place of deposit for permanent preservation or can be destroyed. The decision is based on the selection policy guidance which sets out which records are likely to have historical importance.

A record of any action in relation to these records or documents must be maintained and the records management function informed. A template destruction certificate is attached at Appendix 4. Records transferred to The National Archives will be recorded by Records Management, along with records retained for a longer period, for example due to administration or clinical need. The retention and disposal processes must be followed in respect of the control and management of records and documents with a retention period specified in the retention document.

Processing personal data within records of historical value has implications for UK GDPR. Article 89 provides a structure under which records containing personal data can be archived. The National Archives provides further guidance. See also Retention and disposal - personal data considerations. NHS Digital will also need to confirm that places of deposit have their own Article 89 UK GDPR compliance requirements in place. 

Under Article 89(2) UK GDPR, safeguards must ensure that technical and organisational measures are in place, in particular, in order to ensure respect for the principle of data minimisation.


Exceptions to the default standard retention periods

This policy and the ‘Corporate Retention and Disposal Framework: Implementation Process’ also allow for the identification and agreement of exceptions for shorter or longer retention periods. Such exceptions must demonstrate proper rationale and ensure compliance with legislative and regulatory obligations, best practice standards and operational business requirements. These must be approved by the PTEL records management function.

For personal data considerations, please see Retention and disposal - personal data considerations.


What you shall do

You shall read and apply the principles specified in the Corporate Retention and Disposal Framework: Implementation Process for the day-to-day handling of records or documents through their lifecycle. You will note the guidance on the records management portal, in particular, the procedural guides which make up the records management handbook. 

Best practice is to use the retention schedule to help consider record organisation, for example in your local file plans or in SharePoint. Records should be managed as logical groups, ideally based on business functions, which may not always relate to organisational units. Do not store records with different retentions together, as actions will normally be taken at folder level, if not higher. You may find it helpful to keep a local log of folder names, with retentions listed against them, and relevant review dates, as an interim measure, in preparation for technical solutions, which are currently under consideration.

You shall ensure that you complete the annual mandatory Data Security Awareness e-learning which includes awareness of staff responsibilities for record-keeping and record management.


Last edited: 13 October 2022 2:59 pm