Codes of practice for handling information in health and care

Records Management Code of Practice for Health and Social Care 2016

The Records Management Code of Practice for Health and Social Care 2016 sets out what people working with or in NHS organisations in England need to do to manage records correctly. It's based on current legal requirements and professional best practice and was published on 20 July 2016 by the Information Governance Alliance (IGA).

Appendix 3 of the Code contains the detailed retention schedules. It sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement.

Code of practice on confidential information

Any organisation that collects, analyses, publishes or disseminates confidential health and care information must follow the Code of practice on confidential information. It clearly defines the steps that organisations must, should and may take to ensure that confidential information is handled appropriately. The code will help organisations put the right structures and procedures in place so that front-line staff follow the confidentiality rules. It provides good practice guidance to those responsible for setting and meeting organisational policy on the handling of confidential health and care information, such as board members.

HSCIC Guide to Confidentiality 2013

The duty to share information can be as important as the duty to protect confidentiality. The HSCIC Guide to Confidentiality 2013 shows health and care workers what they should do and why, to share information safely while following rules on confidentiality. It covers the five confidentiality rules:

  1. Confidential information about service users or patients should be treated confidentially and respectfully.
  2. Members of a care team should share confidential information when it is needed for the safe and effective care of an individual.
  3. Information that is shared for the benefit of the community should be anonymised.
  4. An individual's right to object to the sharing of confidential information about them should be respected.
  5. Organisations should put policies, procedures and systems in place to ensure the confidentiality rules are followed.

The HSCIC Guide to Confidentiality 2013 reference document provides legal background to this guidance.


The 'Confidentiality: NHS Code of Practice' sets out what health and care organisations have to do to meet their responsibilities around confidentiality and patients' consent to use their health records. It's based on legal requirements and best practice.

Information security management NHS code of practice

The 'Information Security Management: NHS Code of Practice' is a guide to the management of information security, for those who work in or with NHS organisations in England. It's based on current legal requirements, relevant standards and professional best practice, and its guidelines apply to NHS information assets of all types.