
Information Asset Owner (IAO)

Each information asset will have an Information Asset Owner. 

The information asset includes the records associated with the operation of the business function. Key decisions about the management of information will be made by the IAO. This includes records related to the asset and management of information risks pertaining to the asset. The IAO also ensures that the Information Asset Assistant, where appointed, carries out their duties to ensure that records are managed in line with guidance and policy.


Information Asset Assistant (IAA)

The Information Asset Assistant will be in day-to-day control of records related to the asset and will ensure records are retained in line with this policy and guidance documents.

When records have reached the point where a decision on continued retention is needed, the IAA's role is to identify these records to the IAO. The records can be deleted in line with the retention policies of the organisation with the authorisation of the IAO. The IAA will liaise with the records management function.


Accounting Officer

The Chief Executive is the Accounting Officer of NHS Digital and has overall accountability and responsibility for Information Governance matters, of which effective management of records and documents is a part. 

The Accounting Officer is required to provide assurance, through the Governance Statement, that all risks to the organisation, including those relating to information such as records and documents, are effectively managed and mitigated.


Data Protection Officer (DPO)

The Data Protection Officer, appointed under statutory GDPR obligations, is responsible for monitoring NHS Digital’s compliance with Data Protection legislation and its compliance with its own policies in relation to the protection of personal data. This includes records management, retention and disposal, in relation to personal data of living individuals.

Monitoring of this policy will be overseen by the DPO and the Privacy, Transparency, Ethics and Legal (PTEL) compliance department. Where high risks are identified, the DPO will escalate to the appropriate level of management or the Board.

Full details of NHS Digital DPO.


Senior Information Risk Owner (SIRO)

The SIRO has accountability for ensuring that effective systems and processes are in place to address the Information Governance agenda, including records and document management. 

The SIRO is the overall owner of information risk within the organisation and acts as the focal point for information risk management, including resolution of any pan-organisation or other escalated risk issues raised by Information Asset Owners. The SIRO will provide written advice to the Chief Executive on the content of the Governance Statement regarding information risk.


Caldicott Guardian

The role of the Caldicott Guardian is advisory. The Caldicott Guardian acts as the conscience of the organisation for patient information, patient confidentiality and information sharing issues and the proper management of patient information.



Record and Document Authors, Responsible Owners (including managers, project and programme managers), Information Asset Owners and Information Asset Administrators

It is the responsibility of staff in these positions to ensure this policy and its supporting procedural / process guidance are implemented effectively. This includes ensuring that records and documents are maintained for as long as is necessary, but no longer, in the context of NHS Digital’s legal and regulatory obligations, operational business needs and the retention categories and periods established in this policy. It is also the responsibility of staff in these positions to ensure records and documents are properly disposed of in accordance with this policy and its supporting procedural / process guidance.


Last edited: 12 July 2023 11:02 am