CREATION OF ELECTRONIC RECORDS PROCEDURE

Document Sample
CREATION OF ELECTRONIC RECORDS PROCEDURE Powered By Docstoc
					       CREATION OF ELECTRONIC RECORDS
                 PROCEDURE

DATE APPROVED:                       February 2009

APPROVED BY:                         Information Governance Committee

IMPLEMENTATION DATE:                 March 2009

REVIEW DATE:                         March 2010

LEAD DIRECTOR:                       Director of Information Management &
                                     Technology

IMPACT ASSESSMENT STATEMENT:         No adverse impact on Equality or
                                     Diversity




Reference Number: IM&T-PROCEDURE-009 (Version 1)
                          WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                          CREATION OF ELECTRONIC RECORDS PROCEDURE

Change Control:

Document Number                              IM&T-Procedure-009
Document                                     Creation of Electronic Records Procedure
Version                                      One
Owner                                        Director of IM&T
Distribution list                            All
Issue Date                                   March 2009
Next Review Date                             March 2010
File Reference                               PR-009
Author                                       Records Manager


Change History:

Date             Change                             Authorised by
Sept 08          Draft
Feb 09           IG Committee                       Approved




Issue Date   March 2009   Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision     March 2010   Authority   Director of IM&T   Page          2 of 11
                              WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                              CREATION OF ELECTRONIC RECORDS PROCEDURE

CONTENTS


Change Control:...................................................................................................................2

Change History: ...................................................................................................................2

1       Background.................................................................................................................4

2       Introduction .................................................................................................................4

3       What is and Electronic record .....................................................................................5

4       Why Use Electronic Records ......................................................................................5

5       Do I Have Electronic Records or Electronic Information .............................................5

6       Why Should Electronic Records be Managed.............................................................5

7       I Have An Electronic Record That Has Been Altered – What Should I do ..................6

8       Who is Responsible For Managing My Electronic Records ........................................6

9       How Should an Electronic File be Named...................................................................7

10       How Should Electronic Records be Filed...................................................................7

11     I Have Written a Policy/Procedure/Strategy For Use Within the Trust – How
Should This be Referenced? ...............................................................................................8

12        What Security Precautions Should I Take Regarding The data Held........................8

13    I Have Lost My Memory Stick/CD/Laptop Containing Personal Information .............8
What Should I do .................................................................................................................8

14    I Suspect Some of my Records Have Been Infected With a Worm or a Virus ..........8
- What Should I Do ..............................................................................................................8

15       Retention Period for Electronic Records ....................................................................9

16    Can Electronic Records be Kept Longer Than the Retention Period Stated in .........9
the Records Management Policy .........................................................................................9

17        The records have Past their Retention Period What Should I Do .............................9

18       How Should I Dispose of Electronic Records...........................................................10

Appendix 1.........................................................................................................................11
Checklist for the Dealing With Electronic Records.............................................................11


Issue Date   March 2009        Issued By     Records Manager        Document No        IM&T-Procedure-009 (Version 1)
Revision     March 2010        Authority     Director of IM&T       Page               3 of 11
                            WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                            CREATION OF ELECTRONIC RECORDS PROCEDURE




  1          Background

              1.1     These notes primarily relate to records stored on Microsoft Office
                      Products. System Managers will have specific procedures relating to their
                      own software packages.

              1.2     This procedure is intended to support the following WMAS Policies,
                      Procedures, Strategies, and Guidance

                                    •   Information and Technology Security Policy
                                    •   Records Management Policy
                                    •   Network Access Policy
                                    •   A Guide to Information Governance
                                    •   Records Management Strategy
                                    •   Freedom of Information Act Policy
                                    •   Procedure for Release of Patient Identifiable Information
                                    •   IG Toolkit
                                    •   Data Protection Policy
                                    •   Disposal of Confidential waste
                                    •   Patient Record Policy and Procedure
                                    •   Procedure for the Security, Storage and Transmission of
                                        Sensitive Data.
                                    •   Procedure for Dealing with Breaches or suspected
                                        Breaches of Data Security
                                    •   Safe Haven Procedures

                               This list is not exhaustive.

              1.3     This procedure is intended for every employee of the Trust who creates
                      and maintains electronic records. This guidance can be applied to both
                      corporate and clinical records.

                      1.3.1    Appendix 1 summarises these notes

  2          Introduction

              2.1     Most of you are familiar with Microsoft Office products, which could contain
                      records.

              2.2     Other types of electronic records the Trust use include:
                                 • E-mails
                                 • Scanned Images held on servers, CDs and microfilm
                                 • Document Management Systems such as CEDAR
                                      [Accounts System] and FORMIC [for Patient report forms]
                              This list is not exhaustive.



Issue Date    March 2009    Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision      March 2010    Authority   Director of IM&T   Page          4 of 11
                           WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                           CREATION OF ELECTRONIC RECORDS PROCEDURE




  3          What is and Electronic record

              3.1     The web gives several definitions two of which are:

                      3.1.1   A paperless record that is created, generated, sent,
                              communicated, received, or stored electronically
                      3.1.2   A group of related data elements - a record might represent a line
                              item, a provider, or an employer

  4          Why Use Electronic Records

              4.1     Electronic records support three broad types of need:
                                  • As accessible records providing timely information for
                                     current operational need.
                                  • As secure and legally admissible records providing
                                     accountability.
                                  • As historical records of past activity, providing a corporate
                                     memory

  5          Do I Have Electronic Records or Electronic Information

              5.1     Not all electronic documents that are created are appropriate to be filed as
                      records; some are purely ephemeral or personal; some merely contain a
                      re-iteration of records held elsewhere. It is necessary to distinguish
                      between the two as there are legal obligations relating to the retention and
                      release of records.

              5.2     The IG Toolkit offers the following distinction between the two:

                      5.2.1   ‘A document becomes a record when it has been finalised and
                              become part of an organisation’s corporate information. At this
                              point the record should only be held in the corporate system e.g.
                              the network drive, shared folder or in an electronic document and
                              record management system’.
                      5.2.2   Electronic Information should be deleted on a regular basis.

  6          Why Should Electronic Records be Managed

              6.1     Managing your electronic records will help you:
                                • Ensure you can find what you want when you need it
                                • Ensure that your colleagues can find important information
                                   even if you are not in the office
                                • Save server space and make better use of resources
                                • Assist with compliance with the Data Protection Act and the
                                   Freedom of Information Act 2000
                                • Ensure that your records carry weight in court as they may
                                   be requested as evidence as part of legal proceedings.

Issue Date    March 2009   Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision      March 2010   Authority   Director of IM&T   Page          5 of 11
                           WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                           CREATION OF ELECTRONIC RECORDS PROCEDURE




  7          I Have An Electronic Record That Has Been Altered – What Should I do

              7.1     Any records that are altered must give the name of the person making the
                      alteration and the date the alteration was made.

  8          Who is Responsible For Managing My Electronic Records

              8.1     Point 5.7 of the Records Management Policy states ‘It is the responsibility
                      of all staff to ensure that they keep appropriate records of their work in the
                      Trust and manage those records in keeping with this policy and with any
                      guidance subsequently produced by the Trust’.

              8.2     The Director of Information Management and Technology has the
                      responsibility for the protection of all Trust data in all formats. They also
                      have responsibility for the Management of Freedom of Information
                      requests and for the release of any information.

              8.3     The Director of Clinical Services is the Caldicott Guardian and has
                      responsibility for the secure transmission of sensitive information across
                      other agencies.

              8.4     The full Records Management Policy is on the Intranet under the IM&T
                      section.

              8.5     The Data Protection Act 1998 and the Freedom of Information Act 2000
                      apply to all records you create and maintain as part of your employment
                      with the Trust.

              8.6     The Data Protection Act permits people to see records that the Trust holds
                      about them while the Freedom of Information Act gives people the right to
                      access corporate records. The Data Protection Act also requires us to
                      hold information about living individuals for no longer than is necessary, to
                      ensure that information is accurate and to adopt appropriate security
                      measures for this information to protect it from unauthorised access,
                      amendment or deletion. Records relating to deceased individuals should
                      be treated with the same degree of confidentiality.

              8.7     We have 40 calendar days to respond to a data protection request and 20
                      working days for a freedom of information request. These deadlines mean
                      that the Trust must know what information it holds, and must be able to
                      retrieve that information even if key employees are away.

              8.8     Although both pieces of legislation include exemptions that will apply in
                      certain circumstances, it is advisable to work on the assumption that all the
                      records you create and maintain will be accessible to somebody.




Issue Date    March 2009   Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision      March 2010   Authority   Director of IM&T   Page          6 of 11
                           WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                           CREATION OF ELECTRONIC RECORDS PROCEDURE




  9          How Should an Electronic File be Named

              9.1     The National Archives offers the following advice:
                                • Give a unique name to each record
                                • Give a meaningful name which closely reflects the contents
                                • Express elements of the name in a structured and
                                    predictable order.
                                • Locate the most specific information at the beginning of the
                                    name and the most general at the end.
                                • Give a similarly structured and worded name to records that
                                    are linked e.g. an earlier and a later version.

              9.2     The National Archives gives the following guidance for the classification of
                      records in the electronic environment.
                                  • To ensure a complete recall of all records which relate to a
                                     particular sequence, i.e. that all information can be found
                                     rather than just a subset.
                                  • To ensure that all the records are presented in an order,
                                     which shows the narrative development of the activity to
                                     which they relate, and in which they were available to the
                                     record creators and users.
                                  • To provide an opportunity for co-ordinating the electronic
                                     classification of records with that used for paper records, so
                                     that hybrid electronic/paper record groupings can be
                                     identified.
                                  • To enable the systematic and consistent scheduling of and
                                     disposal of records, so that all associated records are
                                     retained for the same length of time, and are destroyed or
                                     transferred together.

 10          How Should Electronic Records be Filed

              10.1    Connecting for Health advises that we use a clear and logical filing
                      structure that aids retrieval of records. Ideally, the filing structure should
                      reflect the way in which paper corporate records are filed to ensure
                      consistency. However, if it is not possible to do this, the names allocated
                      to files and folders should allow intuitive filing i.e. if you were away could
                      someone else find the document?

              10.2    Records must never be stored on local drives on a PC or a laptop. They
                      should be stored on a shared drive or a server.




Issue Date    March 2009   Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision      March 2010   Authority   Director of IM&T   Page          7 of 11
                           WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                           CREATION OF ELECTRONIC RECORDS PROCEDURE




                       10.2.1 Reasons:
                                • If the PC or laptop is stolen, the record is lost forever
                                • The record may be sensitive and should not be in the
                                   public domain
                                • If the user is absent for any reason, access to the record
                                   can be gained by anyone with a legitimate right of access
                                   which will ensure the day-to-day running of the business
                                   will not be affected.
                                • If you change your PC at all, it would have been necessary
                                   to copy any important files onto another PC and ensure
                                   that the hard drive is properly cleaned before the computer
                                   is disposed of.

 11          I Have Written a Policy/Procedure/Strategy For Use Within the Trust – How
             Should This be Referenced?

              11.1     Contact the Document Control and Freedom of Information Manager for
                       further advice. Do not issue it to anyone without speaking to him first.

 12          What Security Precautions Should I Take Regarding The data Held

              12.1     All records stored on a server are automatically backed up by the IT
                       Department on a daily basis.

              12.2     You should not store the only copy of a record on portable media e.g.
                       Memory Sticks, floppy disks, CDs.

              12.3     Every member of staff who creates records has a duty of care to protect
                       the information contained within.

              12.4     If you take any records out of the Trust on portable media, ensure it is on
                       Trust approved media and encrypted.

 13          I Have Lost My Memory Stick/CD/Laptop Containing Personal Information
             What Should I do

              13.1     Report it immediately and refer to the Procedure for Reporting Breaches
                       or Suspected Breaches of data security.

 14          I Suspect Some of my Records Have Been Infected With a Worm or a Virus
             - What Should I Do

              14.1     Every possible precaution is taken to ensure Trust records are protected
                       but occasionally viruses do get through. They usually get in via portable
                       media from dubious sources; Internet downloads from dubious sites and
                       using unlicensed products.



Issue Date    March 2009   Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision      March 2010   Authority   Director of IM&T   Page          8 of 11
                           WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                           CREATION OF ELECTRONIC RECORDS PROCEDURE




              14.2     If you suspect that you have a problem, ring your IT Department
                       immediately. Do NOT touch anything and leave any portable media in
                       place. IT will advise you what to do next.

 15          Retention Period for Electronic Records

              15.1     The retention periods of electronic records is detailed in Appendix B of the
                       Records Management Policy.

                       System Upgrades

              15.2     At the feasibility stage of the process, records that need to be transferred
                       should be identified and planned into any upgrade. Do not switch off the
                       old system until you are happy that the records have been successfully
                       transferred over. Your local IT Department should be able to assist you
                       on this matter.

              15.3     Records need to be copied onto another medium such as DVD or CD
                                 • Decide how long the records need to be kept
                                 • Seek the advice of IT as to the best method of saving the
                                     data for the length of time the record needs to be retained.
                                 • Plan the time needed and the costs of transfer into any
                                     upgrading proposals
                                 • Ensure that there are two copies made – one to be kept
                                     securely in the Department and the ‘disaster recovery
                                     copy’ is kept securely elsewhere. Your local IT
                                     Department will be able to advise you.

 16          Can Electronic Records be Kept Longer Than the Retention Period Stated in
             the Records Management Policy

              16.1     No. However, if there is a compelling reason to keep them such as an
                       ongoing legal case they can be kept until the case has been resolved.

              16.1     The Information Commissioner has the legal power to issue enforcement
                       notices against any organisation that keeps information for any longer
                       than is necessary.
                                   • Retaining personal information ‘just in case’ is no defence
                                      in law.
                                   • Please bear in mind the 8 data protection principles when
                                      considering retaining records beyond the retention period.

 17          The records have Past their Retention Period What Should I Do

              17.1     Contact the Records Manager to see if they have an archival value,
                       If not, list all the records that need to be disposed of on a piece of paper:
                       e.g.


Issue Date    March 2009   Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision      March 2010   Authority   Director of IM&T   Page          9 of 11
                           WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                           CREATION OF ELECTRONIC RECORDS PROCEDURE



                               Records due for destruction April 2007

Incident forms Coventry and Warwick March to May 2000
Complaints Staffordshire ref 99/001 to 99/100


I am happy for these records to be destroyed:
Signed:
Date:


              17.2     Print off two copies of the list.
                                    • Check with the relevant senior officer that all the records
                                       can be disposed of.
                                    • Get the relevant senior officer to sign both copies.
                                    • One copy should be sent to the Records Manager
                                    • The other copy should be retained in the department.

 18          How Should I Dispose of Electronic Records

              18.1     This will depend upon the format that it is held.
                                    • Records held on a stand-alone computer or server can be
                                      deleted from the system.
                                    • Other records contact the IT Helpdesk for advice.
                                    • CDs/DVDs/Microfilm – There is a designated bin at
                                      Millennium Point for the disposal of this type of media.

              18.2     What help is available
                                  • Your local IT Department can help with queries relating to
                                      computer hardware [i.e. the equipment]
                                  • The System Administrator can help with queries relating to
                                      the operating systems
                                  • The Records Manager can provide advice on record
                                      retentions and disposals. The contact number is 01384
                                      246465.
                                  • The Document Control and Freedom of Information
                                      Manager can advise on Freedom of Information queries
                                      and the issuing of policies, procedures and strategies. The
                                      contact number is 01384 246371.
                                  • Your local Training School can advise if there are any
                                      suitable courses available to learn how to use Microsoft
                                      Office Products




Issue Date    March 2009   Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision      March 2010   Authority   Director of IM&T   Page          10 of 11
                            WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
                            CREATION OF ELECTRONIC RECORDS PROCEDURE

                                                                                              Appendix 1

                          Checklist for the Dealing With Electronic Records


Do:
         Separate Electronic Records from Electronic Information on a regular basis
         Manage your electronic records regularly
         Apply consistency to the naming, reference and filing of electronic records
         Send any policies, procedures and strategies to the Document Control and
         Freedom of Information Manager for formatting.
         Take care of any records you may take out of the Trust
         Report immediately any breach of Data Security
         Remember to contact IT and Records Manager when planning upgrades.
         Encrypt or password protect any personal data that needs to be transferred
         elsewhere
         Encrypt or password protect any personal data that needs to be transferred
         anywhere.

Don’t:
         Store Records on a local drive on a PC or a laptop
         Store the only copy of a record on portable media
         Keep all copies of a record together in one place
         Send any personal data that has not been password protected or encrypted




Issue Date   March 2009     Issued By   Records Manager    Document No   IM&T-Procedure-009 (Version 1)
Revision     March 2010     Authority   Director of IM&T   Page          11 of 11