INFORMATION LIFECYCLE MANAGEMENT (ILM) POLICY Documentation Control

Reference Approving Body Date Approved Implementation Date Version Supersedes Consultation undertaken MARCH 2010 1 N/A HEALTH RECORDS MANAGEMENT GROUP INFORMATION GOVERNANCE COMMITTEE December 2009 TRUST BOARD

Date of completion of Equality Impact Assessment Target Audience Supporting Procedure(s) Review Date Lead Executive Author/Lead Manager Further Guidance/Information

ALL STAFF

MARCH 2013 DIRECTOR OF ICT RECORDS MANAGER SUPPORTING INFORMATION GOVERNACE POLICIES (VIEWABLE ON NUH INTRANET) SEE FULL LIST OF SUPPORTING RELEVANT LEGISLATION AND ADVICE CONTACTS

INFORMATION LIFECYCLE MANAGEMENT (ILM) POLICY CONTENTS

Paragraph 1. 2. 3. 4. 5. 6. 7 8 9 10 11 12 13 14 15 16 Appendix 1 Appendix 2 Policy Statement

Title

Page 3 3 3 4 4 6 8 14 14 17 18 18 22 22 23 23 25 28

Associated policies and procedures Phases of the Information Lifecycle Scope and Definitions Policy Principles Records/Information Assets Inventory Policy Objectives and Performance Standards Integration of ILM Requirements Accountability and Responsibility Implementation and Monitoring Review Relevant Legislation and Guidance Advice Equality and Diversity Statement Equality Impact Assessment Statement Environmental Impact Assessment Equality Impact Assessment Report Employee Record of having read the policy

Information Lifecycle Management Policy Version 1 February 2010

1.

POLICY STATEMENT This policy sets out the principles of Information Lifecycle Management (ILM) and how they will be applied to all recorded information belonging to the Nottingham University Hospitals NHS Trust arising from business processes. ILM is a concept which describes the policies, strategies, processes, practices, services and tools used by an organisation to manage its recorded information assets through every phase of their existence, from creation or receipt, through their useful life through to final destruction or deposition to institution approved for archival deposit of Public Records by the National Archives. The policy supports the requirements of the Freedom of Information Act 2000, the Data Protection Act 1998 and other statutory and legal responsibilities.

2.

ASSOCIATED POLICIES AND PROCEDURES This over-arching policy forms a component of the Information Governance Toolkit and is complimentary to a collection of specific NUH Information Governance Policies, Procedures, Guidelines and Protocols. The total suite of Information Governance Policy and Strategy documents are published on the NUH Intranet Policy Library: Polices & Trust Wide Procedures

3.

THE FIVE PHASES OF THE INFORMATION LIFECYCLE This policy documents the intent of the Trust to manage ALL of its recorded information assets appropriately in accordance with the concept of information lifecycle management and throughout the five distinct phases of the records/information lifecycle [Fig.1]: 1. 2. 3. 4. 5. Creation Retention (organisation, storage, security, etc) Maintenance Use (retrieval, access levels etc) Disposal (timely, with appropriate and secure media destruction methods used)

Information Lifecycle Management Policy Version 1 February 2010

Fig.1
Disposal

Maintenance Creation

Use

Retention

4.

SCOPE AND DEFINITIONS This policy relates to ALL recorded information existing in ALL formats or mediums: current, non-active or archived; clinical or non-clinical; held by or under the control of the Trust. This includes and is not limited to, computer data, paper, negatives, photographs, audio or video recordings, microfilms, recorded information relating to Trust business held on memory sticks, portable computers, PDAs and mobile phones. In this policy, Records are defined as: Recorded information, in any form, created or received and maintained by the Trust in the transaction of its business or conduct of affairs and kept as evidence of such activity.

5.

POLICY PRINCIPLES The Trust acknowledges information as a vital business asset and is intent that the principles and concepts associated with ILM, are integral to all business processes that generate recorded information.

5.1

Using ILM principals the Trust will demonstrate: Accountability Financial, Regulatory and Governance Effective management and use of information resources - based on best practice A culture of openness and transparency, protecting the interests of the NHS and the rights of staff, patients and members of the public

Information Lifecycle Management Policy Version 1 February 2010

5.2

Implementation of ILM principles requires appropriate creation and management of recorded information by Trust staff in the course of business. The intention is that recorded Information owned by the Trust will always be: of high quality accurately captured up to date secure easily retrievable available when needed and reflective of the following attributes;

5.3

Authentic: Recorded information can be proven to be what it purports to be; has been created or sent by the person purported to have created or sent it; has been created or sent at the time purported

5.4

Reliable: The content of a record can be trusted as a full and accurate representation of the transactions, activities or facts to which it attests; and it can be depended upon in the course of subsequent transactions or activities.

5.5

Complete and Unaltered: The integrity of recorded information refers to its being complete and unaltered. Records must be protected against unauthorised alteration. Policies and procedures must specify what additions or annotations may be made to a record after it is created, under what circumstances additions or annotations may be authorised, and who is authorised to make them. Any authorised annotation, addition or deletion must be explicitly indicated and traceable.

5.6

Useable: A useable record is one that can be located, retrieved, presented and
Information Lifecycle Management Policy Version 1 February 2010

interpreted. It should be possible to demonstrate a direct connection to the business activity or transaction that produced it. The contextual linkages of records should carry the information needed to understand the transactions that created them and how they were used. It should be possible to identify a record within the context of broader business activities and functions. The links between records documenting a sequence of activities should be maintained 6. RECORDS/INFORMATION ASSETS INVENTORY

6.1 In accordance with the requirements of the IG Toolkit V7, in July 2009 the Trust carried out an inaugural audit of its records and information assets. Individual managers and Directors were required to input data to populate and establish the inventory, to establish the type and form, in which any records are held, identify record keeping systems currently in use, also the volume, condition, location and the responsible manager for records collections/information assets. Both electronic and paper collections and current, closed or archived records/information were included. The inventory is applicable to both clinical and non-clinical records/information holdings. 6.2 The Inventory will inform the Trusts Board Assurance Framework, risk management and business continuity processes by: a) b) c) d) e) Identifying Senior Responsible Managers and Owners of specific records/information assets. Discovering record creation and disposal compliancy. Identify existence of records required for disclosure in response to an application made under the Freedom of Information Act. Identify information sharing arrangements within both the organisation and both externally. Identify which records are stored electronically and which are stored on paper and those records which are hybrid (i.e. stored partly electronically and partly on paper). Allow records to be mapped to current Retention Schedules to ensure compliance, and where appropriate, for superfluous, out of date or replicated records to be destroyed. Inform the Data Protection Act notification process and information flows surveys. Ensure that staff and managers with records management responsibilities are appropriately trained. Identify inappropriate, or pressure on, records storage conditions; and highlighting deficiencies in security arrangements for records,
Information Lifecycle Management Policy Version 1 February 2010

f)

g) h) i)

j) k) l) m)

including those electronic records which are not being routinely backed up to enable appropriate risk management. Enable internal and external records related audits, e.g. Audit Commission, Financial Audits. Protect the legal rights of the Trust, its employees, patients and third parties Provide authentication so that actions may confidently be taken on reliable information. The central inventory will be kept under annual review. Managers and Owners of records/information assets will be reminded to annually update inventory entries to guarantee their completeness and to make any necessary amendments. Reporting Scheme

6.3 Directors will be required to declare an annual Statement of Assurance to the SIRO in that an accurate and comprehensive submission to the Inventory has been provided which documents all records and information assets retained for their own areas of responsibility. 6.4 Inventory data will facilitate an Annual Report provided to the Information Governance Committee as a delegated sub group of the Board for review and sign off. The report will: Report on the status of the Trusts Inventory Report departmental compliance with IG assurance requirements1 Identify areas where there is ILM incompliancy and associated risk Make recommendations/mandate action plans and timescales for improvement

6.5 Responsible owners of records and information assets will be required to submit action plans to the Information Governance Committee in response to any identified weaknesses or incompliancy. The plans should quantify both resources and timescales required to make improvements.

Connecting for Health, Information Governance Self Assessment Toolkit.

Information Lifecycle Management Policy Version 1 February 2010

7.

POLICY OBJECTIVES & PERFORMANCE STANDARDS

The major objectives and required performance standards of this policy are that recorded information is: OBJECTIVE CREATION 7.1 Available when needed PERFORMANCE INDICATOR Sufficient to enable a reconstruction of activities or events that have taken place. Identifiable as part of a records collection that is currently registered on the Trusts Central Records Inventory/Registry of information assets and record collections*.

*Go to the Manual Records Inventory: http://www.surveymonkey.com/s.aspx?sm=Br6h9IhJYb_2b1Vng8KJkIDw_3d_3d Guidance document for Manual Records submissions: http://nuhnet/Communications_Marketing/briefings/Documents/Manual_records_survey_guidance_notes.doc *Go to the Electronic Records Inventory: http://www.surveymonkey.com/s.aspx?sm=_2fiuJFRqWqOZfez4lnPZTTQ_3d_3d Guidance document for Electronic Records submissions: http://nuhnet/Communications_Marketing/briefings/Documents/Electronic_records_survey_guidance_notes.doc 7.2 Accessible to all members of staff that require access in order to enable them to carry out their day to day work. Information must be located and displayed in a way consistent with its initial use. Appropriate referencing, naming, filing, protective markings and version control systems [including the printing of hard copies] must be in place and applied consistently throughout the Trust2 and for the life of the information.

A Procedure for the filing and creation of electronic corporate records is under development and will utilise Microsoft Sharepoint technology (Oct 2009)

7.3

Interpretable, clear and concise

7.4

Trusted, accurate and relevant

The context of recorded information must be clear and be able to be interpreted appropriately, i.e. who created or added to the record and when, during which business process and how the record is related to other records. The information must reliably represent the initial data that was actually used in, or created by, the business process whilst maintaining its integrity. The authenticity must be demonstrable and the content relevant. Appropriate audit trails must be kept of additions, amendments to and deletions of recorded information in IT systems (BS 1008 compliant)

7.5

The information must be secure from unauthorised or inadvertent alteration or erasure. Access and disclosure must be properly controlled and audit trails used to track all use and changes. 7.6 Employees should consider the following when creating information: what they are recording and how it should be recorded why they are recording it how to validate information to ensure they are recording the correct data how to identify and correct errors and how to report errors if they find them the use of information - staff should understand what the records are used for (and therefore why timeliness, accuracy and completeness of recording is so important) how to update information and how to add in information from other sources RETENTION 7.7 Recorded information should be Recorded information is stored in a secure environment that retained for as long as it is needed and meets to the requirements of relevant Trust IG Policies. in line with the timescales within the Recorded information undergoes a regular formal appraisal
Information Lifecycle Management Policy Version 1 February 2010 9

Secure

Trusts Records Retention and Disposal process. Policies. MAINTAINANCE 7.8 All recorded information needs to be The qualities of availability, accessibility, interpretation and maintainable through time. trustworthiness must be maintained for as long as the information is needed, perhaps permanently, despite any changes in the format. USE 7.9 All information must be used consistently, only for the purpose for which it was intended and never for an individual employees personal gain or purpose. If in doubt employees should seek guidance from the Trusts Head of Information Governance, or Information Security Manager. Contractors must also be monitored and controlled regarding their use of information DISCLOSURE 7.10 Only the specific information required should be disclosed to authorised parties and always in accordance and with strict adherence to, the Data Protection Act and the Freedom of Information Act. There are a range of statutory provisions that limit, prohibit or set conditions in respect of the disclosure of records to third parties, and similarly, a range of provisions that require or permit disclosure.
Information Lifecycle Management Policy Version 1 February 2010

The authorised initial points of contact for dealing with formal legal applications for disclosure of confidential patient records/information made under the Data Protection Act and Access to Health Records Act are: Authorised Emergency Dept Secretarial Staff Data Protection Administration Office (ICT) Security Manager Established formal application processes are in place and informed by the Department of Health publication Confidentiality: NHS Code of Practice.
10

The key statutory requirements can be found in Annex C of the Records Management: NHS Code of Practice (Part 1): Records Management: NHS Code of Practice (Part 1): http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747 Department of Health publication Confidentiality: NHS Code of Practice: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747 TRANSFER 7.11 The mechanisms for transferring information from one organisation to another should also be tailored to the sensitivity of the material contained within the records and the media on which they are held. The Head of Information Governance or the Information Security Manager can advise on appropriate safeguards. Guidance can also be found within the Trusts Information Sharing Protocol and the Information Governance Toolkit on the CFH website. CLOSURE 7.12 Closure Information held in records should be closed (i.e. made inactive and transferred to secondary storage) as soon as it has ceased to be in active use other than for reference purposes. An indication that a file of paper records, or electronic records, has been closed, together with the date of closure, should be shown on the record itself as well as noted in the index or database of the files/folders. Where possible, information on the intended disposal of electronic records should be included in the metadata when
Information Lifecycle Management Policy Version 1 February 2010 11

the information is created. The storage of closed records should follow the accepted standards relating to environment, security and physical organisation of the files. The standards are set out in the Corporate Records Management Policy. DISPOSAL 7.13 Retention and disposal periods vary and are dependant upon the type of information being stored. The specific retention periods are set out in the Records Management: NHS Code of Practice below. Records information on whatever media must be retained and disposed of in a timely way in accordance with Trust Policy and DoH Minimum Retention Periods* to ensure Data Protection Act compliance and the minimum volume of records information is maintained consistent with cost effective and efficient operations. Disposal of records information is undertaken promptly and conducted in accordance with Trust Policies and by authorised staff. All records disposal must be fully documented. The policy and process includes provision for permanent preservation and transfer of information with archival value. The Records Manger can advise on archiving and transfer of records to approved archival institutions. *Records Management: NHS Code of Practice: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747 TRAINING 7.14 Local training and induction procedures Staff know what records/information to keep for evidential must ensure staff are trained and purposes; competent what actions need to be applied to records throughout their lifecycle; how recorded information should be stored and indexed so
Information Lifecycle Management Policy Version 1 February 2010 12

 AUDIT 7.15 The Trust will audit its ILM compliance via the IG Toolkit requirements.

that records can be retrieved and if required used by others Supporting Local/Departmental policies and operational procedures will be documented and applied Job Descriptions across the Trust include relevant references to record keeping/records management responsibilities Trust and Local policies must include provision for the establishment of audit and evaluation processes for establishing the effectiveness of ILM in paper and ICT systems.

The Trust will audit departmental/local compliance with ILM related Trust policies, obtain improvement action plans where procedures do not match the desired levels of performance or where non-conformance to policy is occurring. The programme of audit for ILM will be built into the ICT Audit RISK ASSESSMENT 7.16 All ILM risks must be managed in accordance with the Trusts Risk Management Strategy (including resource risks which impact upon ILM requirements)

Departments must treat information risk as a business issue. Information Risks relating to and stage of the records/information lifecycle must be recorded on Risk Registers, risk tolerances set and impacts assessed Business recovery and continuity plans must be risk assessed All records and information vital to the continuing functioning of the activities of the Trust will be identified and provision made for their protection in event of disaster. 3

NUH Risk Management Strategy

Information Lifecycle Management Policy Version 1 February 2010

13

8.

INTEGRATION OF ILM REQUIREMENTS INTO ICT SYSTEMS The integration of ILM requirements into the information architecture of future ICT systems is essential. Information architecture is defined within this policy as: the structural design of shared information environments, including both manual and electronically generated information. It involves analysing, designing and coordinating the various elements that make up an information system, including: hardware, software, data, networks, business processes, staff and resources. ILM requirements and information architecture on Trust hosted systems will be managed by ICT Services by IT specialists who know how to achieve and advise on ILM requirements and appropriate strategies, standards, practices, and technologies suitable for the entire organisation. The Trust acknowledges that managing information held electronically is not just a technology issue; it is also a policy issue, a business issue and a training issue. Reliable information, not technology is essential to accountability. . As the Trust has an increasing dependency upon digital information, it is essential that future policy counters potential future problems relating to inadequate information technologies and unsuitable electronic record-keeping practices. In summary, this approach will ensure all Trust IT systems generate and manage records that are capable of: Serving as a source of trusted and contextualised information that can be used to support business functions and decision-making. Capable of serving as instruments of accountability

9.

ACCOUNTABILITY AND RESPONSIBILITY FOR THE POLICY Advancing technologies and business processes are transforming the way organisations work and shifting the responsibility for capturing and managing records and information from NHS ICT departments to ALL NHS staff that create and use records and information on a daily basis. Many records previously held on paper are now being held on electronic systems. However, few systems have currently entirely eliminated the use of all hard copy documents. As a result both paper and electronic records management must be closely co-ordinated. This places new
Information Lifecycle Management Policy Version 1 February 2010 14

and important ILM related demands and responsibilities onto both managers and staff. This policy covers the details of the obligations of all Trust employees, including temporary, substantive and honorary contract holders, students, agency staff and independent contractors providing services to the Trust. 9.1 The Trust Board and Chief Executive The Trust recognises that it has a specific corporate responsibility for ILM. All relevant Policies will demonstrate ILM principals and adherence to standards promulgated by regulatory bodies. The Chief Executive has ultimate responsibility for compliance with this policy. 9.2 All Staff All staff have a personal responsibility for recorded information that they create or that they have some impact upon, whether clinical or corporate, and for adhering to the Trusts suite of Information Governance policys principles and procedures to help maintain the availability, effectiveness, security and confidentiality of recorded information. 9.3 The Senior Information Risk Officer (SIRO) The Trust has a Board Level Senior Information Risk Officer as required by the Connecting for Health Information Governance Toolkit. The SIRO takes ownership of the Trusts information risk policy, acts as advocate for information risk on the Board and provides written advice to the accounting officer on the content of their Statement of Internal Control in regard to information risk. The SIRO is responsible for developing and encouraging good information handling practice amongst all members of the Trust. This individual will work with other Trust Directors and Managers who have a remit which includes records and information management elements, either clinical or corporate. 9.4 The Caldicott Guardian The Caldicott Guardian is responsible at Board level for approving and ensuring that national and local policies on the handling of confidential personal information are implemented. The Caldicott Guardian also has
Information Lifecycle Management Policy Version 1 February 2010 15

the added responsibility for protecting the confidentiality of patient and service user information and enabling appropriate information sharing. 9.5 The Information Governance Committee (IGC) The IGC is responsible for ensuring that information governance policies principals and standards including those relating to ILM are implemented and understood within the organisation and for performance reporting of compliance with standards. 9.6 Directors and Senior Managers Directors and Senior Managers are expected to lead by example by promoting a culture which properly values, protects and uses data. The responsibility for local records and information lifecycle management is devolved to Directors and Service Managers. Heads of Department/Professional leads have overall responsibility for records and information generated by their activities and specifically for: ensuring recorded information is managed in accordance with the ILM Policy and other Information Governance Policies within their designated areas; and for ensuring that their staff receive training, are aware of the requirements of appropriate Information Governance policies and apply the correct procedures and controls relevant to their work. 9.7 The Records Manager The Records Manager is accountable to the Director of ICT Services who is also the SIRO and is responsible for the overall development and maintenance of ILM policy for the Trust, in particular for drawing up practice guidance and promoting policy compliance. The post meets the provisions set out in the International Standard ISO, 15489, Records Management, and the Model Action Plan for Developing Records Management Compliant with the Lord Chancellors Code of Practice under Section 46 of the Freedom of Information Act 2000 [National Archives]. 9.8 The Information Governance Committee The Information Governance Committee is the overarching group with responsibility for monitoring the ILM Policy. It is supported by an Information Governance Sub Group with an operational remit for
Information Lifecycle Management Policy Version 1 February 2010 16

evaluating IG standards and creating and implementing action plans for compliance. 9.9 The Health Records Management Group (HRMG) HRMG has an operational remit for evaluating IG standards specifically relating to health records and creating and implementing action plans for compliance. 9.10 Local Health /Corporate Records Managers Local Corporate Records Managers nominated by individual Directors provide focus for and are responsible for local implementation of ILM and other information governance policies and procedures. They also form a Local Records Managers Network in which best practice and knowledge can be shared. 9.11 Contractors and support organisations Service Level Agreements and contracts with other organisations must include and set out the responsibilities for the management of records and information and address all relevant aspects of Information Governance. 10. 10.1 IMPLEMENTATION AND MONITORING PLANS The Information Governance Committee is the overarching group with responsibility for monitoring the ILM Policy. It is supported by an Information Governance Sub Group with an operational remit for evaluating IG standards and creating and implementing action plans for compliance. Senior Managers are responsible for applying the Policy records/information assets within areas of their responsibility. to

10.2

10.3

This Policy is applicable and should be noted by all staff employed by Nottingham University Hospital NHS Trust. The Policy will come into effect in January 2009 and managerial awareness and Trust compliancy will be measured via annual audit conducted by East Midlands Audit reported to the Information Governance Committee.

10.4

Information Lifecycle Management Policy Version 1 February 2010

17

11.

REVIEW The Policy is due for review in January 2013.

12.

SUPPORTING RELEVANT LEGISLATION/NATIONAL GUIDANCE A considerable amount of legislative requirements, professional obligations limit, and internationally recognised standards prohibit or set conditions in respect of the five stages of Information Lifecycle Management. The requirements of these are set out or referenced in specific Trust Information Governance Policies. Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically (BIP 0008) sets out requirements to protect the evidential value of records in accordance with British Standards. BS ISO 15489-1:2001(E) To ensure the authenticity of records, organisations should implement and document policies and procedures which control the creation, receipt, transmission, maintenance and disposition of records to ensure that record creators are authorised and identifiable and that records are protected against unauthorised addition, deletion, alteration, use and concealment. (The Lord Chancellors Code of Practice under Section 46 of the Freedom of Information Act 2000. See: http://www.dca.gov.uk/foi/codemanrec.pdf The Code of Practice provides guidance to all public authorities as to the practice which it would, in the opinion of the Lord Chancellor, be desirable for them to follow in connection with the discharge of their functions under the Freedom of Information Act 2000. The National Archives: Model Action Plan for Developing Records Management Compliant with the Lord Chancellors Code of Practice under Section 46 of the Freedom of Information Act 2000. See: http://www.nationalarchives.gov.uk/policy/foi/pdf/national_health.rtf The National Archives: Complying with the Records Management Code: Evaluation Workbook and Methodology (March 2005) www.nationalarchives.gov.uk/news/stories/62.htm The National Archives: File Creation http://www.nationalarchives.gov.uk/recordsmanagement/advice/ ISO 15489 international record keeping standards. e-Government Technical Standards
Information Lifecycle Management Policy Version 1 February 2010

18

There are a number of Government standards which aim to ensure the consistency of electronic information transferred between public organisations or made available to the public through means such as websites. e-GIF is mandatory for all public sector bodies, including the NHS. Full details can be found at: http://www.govtalk.gov.uk Good Practice Guidelines for General Practice Electronic Patient Records (version 3.1) prepared by the Joint Computing Group of the General Practitioners Committee and the Royal College of General Practitioners, sponsored by the Department of Health. It can be found at: http://www.dh.gov.uk/PublicationsAndStatistics/Publications/Public ationsPolicyAndGuidance/PublicationsPolicyAndGuidanceArticle/f s/en?CONTENT_ID=4008657&chk=rr8fQT The Royal College of Pathologists: The Retention and Storage of Pathological Records and Archives (3rd edition, 2005). See: http://www.rcpath.org/resources/pdf/retention-SEPT05.pdf Recommendations for the retention of pharmacy records: http://www.pjonline.com/pdf/hp/200305/hp_200305_pharmacyreco rds.pdf Information Commissioner: Use and Disclosure of Health Data http://www.ico.gov.uk/cms/DocumentUploads/use%20and%20disc losure%20of%20health%20data.pdf Information Commissioner: CCTV Code of Practice http://www.informationcommissioner.gov.uk/cms/DocumentUpload s/cctvcop1.pdf Confidentiality: NHS Code of Practice (page 17) This details an overview of record keeping best practice, in respect of confidentiality. It can be found at: http://www.dh.gov.uk/assetRoot/04/06/92/54/04069254.pdf The Abortion Regulations 1991 The Access to Health Records Act 1990 The Access to Medical Reports Act 1988 Administrative Law The Blood Safety and Quality Regulations 2005 Directive 2002/98/EC of the European Parliament and of the Council of 27 January 2003 Commission Directive 2005/61/EC of 30 September 2005 The Census (Confidentiality) Act 1991 The Civil Evidence Act 1995 The Common Law Duty of Confidentiality Confidentiality: NHS Code of Practice The Computer Misuse Act 1990
19

Information Lifecycle Management Policy Version 1 February 2010

The Congenital Disabilities (Civil Liability) Act 1976 The Consumer Protection Act (CPA) 1987 The Control of Substances Hazardous to Health Regulations 2002 The Copyright, Designs and Patents Acts 1990 The Crime and Disorder Act 1998 The Data Protection Act (DPA) 1998 The Data Protection (Processing of Sensitive Personal Data) Order 2000 Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community Code Relating to Medicinal Products for Human Use The Disclosure of Adoption Information (Post-Commencement Adoptions) Regulations 2005 The Electronic Communications Act 2000 The Environmental Information Regulations 2004 The Freedom of Information Act (FOIA) 2000 The Gender Recognition Act 2004 The Gender Recognition (Disclosure of Information) (England, Wales and Northern Ireland) (No. 2) Order 2005 The Health and Safety at Work Act 1974 The Health and Social Care Act 2001 The Human Fertilisation and Embryology Act 1990, as Amended by the Human Fertilisation and Embryology (Disclosure of Information) Act 1992 The Human Rights Act 1998 The Limitation Act 1980 The NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000 The Police and Criminal Evidence (PACE) Act 1984 The Privacy and Electronic Communications (EC Directive) Regulations 2003 Public Health (Control of Diseases) Act 1984 and Public Health (Infectious Diseases) Regulations 1988 The Public Interest Disclosure Act 1998 The Public Records Act 1958 The Radioactive Substances Act 1993 The High-activity Sealed Radioactive Sources and Orphan Sources Regulations The Re-use of Public Sector Information Regulations 2005 The Sexual Offences (Amendment) Act 1976 Subsection 4(1) as Amended by the Criminal Justice Act 1988
20

Information Lifecycle Management Policy Version 1 February 2010

The Access to Health Records Act 1990 The Access to Medical Reports Act 1998 The Abortion Regulations 1991 BSI BIP 0008 - The current British Standard document relating to Legal Admissibility and Evidential Weight of Information Stored Electronically. It sets a benchmark for procedures that should be followed in order to achieve best practice. BSI PD 5000 - Electronic Documents and e-Commerce Transactions as Legally Admissible Evidence: the BSI Code of Practice, PD 5000:1999, enables organisations to demonstrate the authenticity of their electronic documents and e-commerce transactions, so they can be used as legally admissible evidence. The Standard contains five parts as follows: Information Stored Electronically (DISC PD 0008:1999) Electronic Communication and email Policy Identity, Signature and Copyright Using Certification Authorities Using Trusted Third Party Archives. BS 4743 - This series of Standards published between 1988 and 1994 cover the storage, transportation and maintenance of different types of media for use in data processing and information storage. BS 5454:2000 - This makes recommendations for the storage of archival documents. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 BS 7799-2:2005 - This Standard provides a code of practice and a set of requirements for the management of information security. The Standard is published in two parts. Part one has been adopted as ISO 17799:2000 and provides a code of practice for information security management. Part two provides a specification for information security management systems. ISO 15489 - This is the international records management standard and is about best practice in records management. ISO 19005 - This Standard provides for organisations to archive documents electronically for long-term preservation. The NHS Information Governance Toolkit - The Information Governance Toolkit return is required from all NHS organisations and provides guidance and best practice on all facets of information governance including: Data Protection Act 1998 Freedom of Information Act 2000 The NHS Confidentiality Code of Practice Records Management
21

Information Lifecycle Management Policy Version 1 February 2010

 Information Quality Assurance Information Security Information Governance Management. See: http://nww.nhsia.nhs.uk/infogov/igt/ 13. ADVICE

The following specialists can be contacted regarding aspects of ILM advice: Name David Cadwell Debbie Terry Specialist Area Information Security Data Protection, Freedom Of Information, Confidentiality, Information Governance Toolkit Compliance Records Management Ext 57100 57100 or 57169 66838 or 63975 62553

Deborah Coombs

Neil Mart John Somers

Integrated Governance/Risk Management Caldicott Guardian

Ben Halliday Nikki Turgoose

Matt Howden Steve Baxter

64229 or 61091 IT Systems Maintenance 54990 IT Software Implementation 54989 or 62521 IT Systems Design 66052 Data Collection, Information Analysis 62009 or 56609

14.

Equality and Diversity Statement

All patients, employees and members of the public should be treated fairly and with respect, regardless of age, disability, gender, marital status, membership or non-membership of a trade union, race, religion, domestic circumstances, sexual orientation, ethnic or national origin, social & employment status, HIV status, or gender re-assignment. All trust polices and trust wide procedures must comply with the relevant legislation (non exhaustive list) where applicable:
Information Lifecycle Management Policy Version 1 February 2010

22

Equal Pay Act (1970 and amended 1983) Sex Discrimination Act (1975 amended 1986) Race Relations (Amendment) Act 2000 Disability Discrimination Act (1995) Employment Relations Act (1999) Rehabilitation of Offenders Act (1974) Human Rights Act (1998) Trade Union and Labour Relations (Consolidation) Act 1999 Code of Practice on Age Diversity in Employment (1999) Part Time Workers - Prevention of Less Favourable Treatment Regulations (2000) Civil Partnership Act 2004 Fixed Term Employees - Prevention of Less Favourable Treatment Regulations (2001) Employment Equality (Sexual Orientation) Regulations 2003 Employment Equality (Religion or Belief) Regulations 2003 Employment Equality (Age) Regulations 2006 Equality Act (Sexual Orientation) Regulations 2007 15. Equality Impact Assessment Statement

NUH is committed to ensuring that none of its policies, procedures, services, projects or functions discriminate unlawfully. In order to ensure this commitment all policies, procedures, services, projects or functions will undergo an Equality Impact Assessment. Reviews of Equality Impact Assessments will be conducted inline with the review of the policy, procedure, service, project or function 16. Environmental Impact Assessment

Following the initial screening of this policy, a full impact assessment is not required at present as disposal of all information media within must be carried out in accordance with the requirements of the established Waste Policy.

Information Lifecycle Management Policy Version 1 February 2010

23

APPENDIX 1 Equality Impact Assessment Report Outline Remember that your EIA report should demonstrate what you do (or will do) to make sure that your service/policy is accessible to different people and communities, not just that it can, in theory, be used by anyone. 1. Name of Policy or Service Information Lifecycle Management Policy 2. Responsible Manager Records Manager 3. Name of Person Completing Assessment Antonia Kingaby 4. Date EIA Completed 17 December 2009 5. Description and Aims of Policy/Service (including relevance to equalities) The Trust acknowledges information as a vital business asset and is intent that the principals and concepts associated with ILM, are integral to all business processes that generate recorded information This policy sets out the principles of Information Lifecycle Management (ILM) and how they will be applied to all recorded information belonging to the Nottingham University Hospitals NHS Trust arising from business processes. This policy relates to ALL recorded information existing in ALL formats or mediums: current, non-active or archived; clinical or non-clinical; held by or under the control of the Trust. This includes and is not limited to, computer data, paper, negatives, photographs, audio or video recordings, microfilms, recorded information relating to Trust business held on memory sticks, portable computers, PDAs and mobile phones
Information Lifecycle Management Policy Version 1 February 2010 24

6.

Brief Summary of Research and Relevant Data Freedom of Information Act 2000 Data Protection Act 1998

7.

Methods and Outcome of Consultation HEALTH RECORDS MANAGEMENT GROUP INFORMATION GOVERNANCE COMMITTEE

8.

Results of Initial Screening or Full Equality Impact Assessment:

Equality Group Age Gender Race Sexual Orientation Religion or belief Disability Dignity and Human Rights Working Patterns Social Deprivation 9.

Assessment of Impact No Impact Identified No Impact Identified No Impact Identified No Impact Identified No Impact Identified No Impact Identified No Impact Identified No Impact Identified No Impact Identified

Decisions and/or Recommendations (including supporting rationale) Following the initial screening of this policy, a full impact assessment is not required at present as the policy relates to the retention, management and disposal of information in any form including and not limited to, computer data, paper, negatives, photographs, audio or video recordings, microfilms, recorded information relating to Trust business held on memory sticks, portable computers, PDAs and mobile phones.
Information Lifecycle Management Policy Version 1 February 2010 25

10.

Equality Action Plan (if required) N/A

11.

Monitoring and Review Arrangements (including date of next full review) It is recommended that this policy is reviewed inline with the current guidelines of NUH, unless there is a change in relevant legislation in which case, the policy should be reviewed within 6 months of new legislation and changes made accordingly.

Information Lifecycle Management Policy Version 1 February 2010

26

APPENDIX 2 EMPLOYEE RECORD OF HAVING READ THE POLICY INFORMATION LIFECYCLE MANAGEMENT (ILM) POLICY I have read and understand the principles contained in the named policy.

PRINT FULL NAME

SIGNATURE

DATE

Information Lifecycle Management Policy Version 1 February 2010

27