Brief summary of changes
The changes have been made following interim review after significant revisions were made in January 2024. The policy has been reformatted to focus on key policy statements, and procedural steps have been removed.
1. Introduction
1.1 Effective records management ensures that information is properly managed and is available whenever and wherever there is a need for that information.
1.2 Documents and records are not the same. Records are created, received and maintained to provide information about what happened, what was decided, and how to do things. Records also have strict compliance requirements regarding their retention, access, and destruction.
1.3 This policy sets out NHS England’s overarching records management policy and includes a set of key policy statements which govern the management of records throughout their lifecycle.
2. Scope
2.1 All NHS England directorates and regions fall within the scope of this policy. This includes staff who are employed on a permanent, fixed-term or zero-hours basis, contractors, temporary staff, secondees and volunteers. It also covers non-executive directors and non-executive associate directors. We refer to the term ‘staff’ within this policy to cover all of these different types of staff.
2.2 Staff of the following NHS areas are also within the scope of this policy:
2.2.1 all commissioning support units
2.2.2 strategic clinical networks
2.2.3 clinical senates
2.2.4 sustainability and transformation partnerships
2.2.5 all other NHS England hosted bodies
2.3 Compliance with this policy is mandatory and applies to all records in all formats. It covers all stages within the record lifecycle, including creation, receipt, maintenance, use, review, retention, and disposal.
3. Policy statement
Records management is about controlling records within a framework. This framework is made up of this policy, local guidance and standard operating procedures, and should be read in conjunction with the policy. Key terms used in this policy are listed in annex 1.
3.1. Overarching principles
3.1.1 Records should be managed in line with legal and professional obligations. The Records Management team review these obligations and develop policy and guidance as appropriate. The main legal and professional obligations are listed in annex 2.
3.1.2 Records must be captured, managed and preserved in an organised system that maintains their integrity and authenticity.
3.1.3 Good record keeping requires information to be recorded at the same time an event has occurred, or as soon as possible afterwards.
3.1.4 Important and/or business critical information that is a record must not be cascaded via instant messaging (eg Microsoft Teams chat, text messages, WhatsApp messages, Signal, Slack). Secure NHS email should be the usual method, and the email saved in an appropriate record storage location, eg SharePoint. If such information is shared via instant message, it is the responsibility of the sender, or if received from an external party, the receiver, to ensure the information is extracted and saved as a record.
3.1.5 Staff should undertake records management training which is made available to staff via the electronic staff record (ESR). Staff are encouraged to complete training as part of their professional development and keep this up to date on an annual basis to ensure they are aware of any updates to record keeping guidance. Training is also available at a team level on request from the Records Management team.
3.2. Record creation, naming and version control
3.2.1 Records should be created and captured to document NHS England’s decisions, actions and transactions. This means that when decisions are taken or transactions occur, they should be documented (either through the creation of Microsoft Office files or through recording in line-of-business systems) for future reference.
3.2.2 Record naming is an important process in records management, and it is essential that a unified approach is adopted within all areas of NHS England to aid in the management of records. The NHS England’s standard naming convention should be used for the filenames of all electronic documents and folders created by staff members from the implementation date of this policy.
3.2.3 Version control should be applied when records are Version control is the management of multiple revisions to the same document and can be managed in the properties area of the file in SharePoint. Version control enables NHS England to distinguish one version of a document from another.
3.2.4 Records and documents must be classified in line with the government security classifications through the use of marking files with the appropriate classification in the header.
3.2.5 Information asset owners should ensure that sets of records are added to the Information Asset Register. The NHS England Information Asset Register is a comprehensive list of information assets. Information asset owners are required to complete mandatory fields to address the security of their information assets, specifically the access controls in place, how an asset can be recovered in the event of an incident, and whether back-ups/archives are held securely.
3.3. Record Storage
3.3.1 NHS England operates an ‘in place’ records management policy, which means records are created, stored and managed in approved applications, rather than being moved to one centralised location.
3.3.2 Staff are encouraged to save records in digital format wherever applicable. For records which cannot be digitised and require off site storing, contact the Records Management team for advice on permitted storage options and costs. The initial and ongoing costs of off-site storage need to be met from the budget of the relevant directorate.
3.3.3 Paper file storage must be secured from unauthorised access and not subject to the risk of environmental damage (eg fire, water damage, pests etc). The movement and location of paper records must also be controlled and tracked end to end to ensure that a record can be easily retrieved at any time (this includes storage with third party commercial storage providers). This will enable the original record to be traced and located if required. The tracking history must be held in a shared location (eg SharePoint). The Records Management team must be notified of paper records maintained in internal or external storage systems.
3.3.4 Digital records should be stored within a directorate or region’s collaboration hub (SharePoint) so that only authorised staff can access them. SharePoint site owners must ensure that permissions are managed effectively and remain up to date and appropriate. Emails are a type of digital record and relevant emails that constitute records are saved in SharePoint and not solely within an individual’s email inbox.
3.3.5 Records should not solely be stored in personalised storage locations such as an individual’s email account or These locations are routinely deleted when an individual leaves NHS England which is why corporate records should not be stored there.
3.3.6 Large scale scanning of paper documents into digital form can be a very expensive option and should only be undertaken after approval of a business case and following advice from the Records Management team.
3.4. Record review and disposal
3.4.1 The purpose of the review process is to ensure the records are examined at an appropriate time to determine whether they need to be preserved and transferred to a suitable archive, whether they need to be retained for a longer period by NHS England as they are still in use, or whether they should be safely and securely destroyed. Reviewing records is the responsibility of the directorates who hold them. This should be a proactive process which occurs at regular intervals, including when a member of staff exits the organisation.
3.4.2 Records must not be destroyed without seeking prior advice from the Records Management team.
3.4.3 Records should only be destroyed in accordance with the NHS England’s Records retention and disposal schedule. Primary care records should only be destroyed in accordance with the NHS England’s primary care services retention schedule. NHS England needs to be able to demonstrate that the destruction of records has taken place safely and in accordance with records disposal It can be a personal criminal offence to destroy information in certain circumstances under the UK General Data Protection Regulation (GDPR), the Inquiries Act, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
3.4.4 The recommended retention periods shown on the Records retention and disposal schedules apply to the official or master copy of the records. Any duplicates or local copies made for working purposes should be kept for as short a period as possible. Duplication should be avoided unless necessary. It should be clear who is responsible for retaining the master version of a record and copies should be clearly marked as such to avoid confusion.
3.4.5 Records should be reviewed and selected for permanent preservation according to the Operational selection for preservation policy. NHS England records selected for preservation should generally be transferred to the National Archives, but some legacy records may be more suited to transfer to a local ‘place of deposit’ (eg a local authority archive service) that has adequate storage and public access facilities.
3.5. Legal holds
3.5.1 A legal hold is an instruction directing staff to preserve certain records that may be relevant to an actual or potential legal claim, investigation, incident, or inquiry.
3.5.2 When a legal hold is in place, relevant records must be preserved within the scope of the hold. This means that you must not dispose of records within the scope of the hold. To do so may be a criminal offence in certain circumstances.
3.5.3 Staff must immediately notify the Records Management team and seek advice if they have been notified of an actual or potential legal claim, investigation, incident, or inquiry which could result in a legal hold.
3.5.4 When a legal hold comes to an end, records which had been covered by the legal hold should be reviewed and disposed of in accordance with the Records retention and disposal schedules and disposal of records.
4. Roles and responsibilities
The roles and responsibilities relating to Records Management within NHS England are set out below.
All staff and others who this policy applies to: it is the responsibility of everyone to whom this policy applies to comply with this policy and all records management policies and procedures.
Chief executive: overall accountability for procedural documents across the organisation lies with the chief executive as the accounting officer that has overall responsibility for meeting all statutory, legal and regulatory requirements relating to the management of NHS England records.
Senior information risk owner (SIRO): the SIRO is a senior advocate for records management matters at board-level. The deputy SIRO is the director of privacy and information governance and is authorised to discharge the day-to-day operational responsibilities of the SIRO, including in relation to records management.
Records Management team: the deputy director of information governance delivery (digital and operations) and the Records Management team within the Privacy, Transparency and Trust Sub-Directorate have operational responsibility for this policy and are responsible for:
- the overall development and maintenance of NHS England’s records management framework and strategy
- ensuring this policy complies with legal and regulatory requirements
- developing and supporting a culture of high-quality records management practice across NHS England
- knowing what records NHS England holds and where they are, by conducting or commissioning appropriate records management audits in high-risk business areas.
Records and information management coordinators: records and information management coordinators within each business area will champion records management from a local level supporting their team in records management matters and ensuring good records management within their area.
Information asset owners: information asset owners need to:
- understand what records are held by their unit or directorate
- address risks to their records
- ensure that records are appropriately protected and marked
- ensure records are used in compliance with all legal requirements, including records management legal requirements
- provide written assurance to the SIRO annually on the security and use of their information assets as part of meeting the Data security and protection Toolkit requirements
5. Equality impact assessment (EqIA)
As part of the development of this Policy, its impact on equality has been analysed and no detrimental issues were identified.
Annex 1
Data protection: the protection of personal data and the actions we take to ensure that we comply with the law.
Information asset owners (IAOs): IAOs are senior individuals responsible for each identified information asset (eg set of records, dataset, database or ICT system) at the appropriate business level within NHS England.
NHS England’s record retention and disposal schedules: these are documents outlining retention periods: NHS England’s records retention and disposal schedule and NHS England’s primary care services retention schedule.
Primary care records: medical records of patients being treated by primary care general practitioners (GPs) within the community. Formerly referred to as Lloyd-George records, but now mostly held in digital format, they are maintained within practices until patients are deceased or de-registered, whereupon a paper record or its paper surrogate is sent for storage at Primary Care Support England Capita.
Record: information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business.
UK General Data Protection Regulation (GDPR): regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
Annex 2
Legal and professional obligations relating to records management
- The Public Records Act 1958
- The Access to Health Records Act 1990
- The Freedom of Information Act 2000
- The Inquiries Act 2005
- UK General Data Protection Regulation (GDPR)
- The Data Protection Act 2018
- The NHS Records Management Code of Practice 2021
- The Code of Practice on the Management of Records issued under section 46 of the Freedom of Information Act 2000
- NHS information governance: guidance on legal and professional obligations
- ISO 15489 (the International British Standard for Records Management)
- BS10008 Standards for Legal Admissibility
Policy prepared by: Louise Whitworth, Deputy Director of Information Governance Delivery (Digital and Operations)
Privacy, Transparency, and Trust Sub-Directorate
Policy Owner: Jackie Gray, Director of Privacy and Information Governance
Policy approved by and date: Steve Russell, National Delivery Director 28 March 2025
This is a controlled document. Whilst this document may be printed, the electronic version published on the NHS England website is the controlled copy. Any printed copies of this document are not controlled.
As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the NHS England website.