In August 2021, NHSX published the new Records Management Code of Practice 2021 (the "Code"). The 2021 Code builds upon the 2016 version. The Code aims to provide guidance on managing, storing and deleting NHS and adult social care records.

We've highlighted our 5 key takeaways - these will be essential to any organisation working within or under contract to the NHS in England (including cloud service providers), or within adult social care and public health.

  1. Paper to digital: Where possible, organisations should be moving away from paper towards the use of digital records.
  2. Updates to reflect UK GDPR: The Code has been updated to take into account the UK GDPR and Data Protection Act 2018. The Code calls out that organisations may be required to undertake a Data Protection Impact Assessment (DPIA) if establishing a new records management function, or amending an existing one (such as storing records off-site). Good records management will help organisations to demonstrate compliance with the principle of accountability. Data privacy concerns are also central when moving records to the cloud, including DPIAs, audit rights and clear instructions from the controller, including on destruction.
  3. Retention periods: Generally, retention periods for key medical records remain unchanged. For example, adult health records will generally be retained for 8 years, ante/postnatal records are retained for 25 years post care and GP records will normally be retained for 10 years following a patient's death. A full list of retention periods can be found at Appendix II of the Code.
  4. GP record retention periods: NHSX plans to review the retention time for de-registered GP records (i.e. records for patients no longer on the GP practice system). Currently, such records are retained for 100 years, and NHSX will be reviewing whether the significant cost of such retention is justified. They will consider various factors in drawing their conclusion, such as how many records are recalled and the reasons for such recall.
  5. Retention in relation to public inquiries: Appendix I of the Code provides new guidance on records management in relation to public inquiries. Any records relating to inquiries must not be destroyed until the relevant inquiries team has provided clear instructions for such destruction to take place. There are two relevant independent inquiries at the time of writing: (i) the Independent Inquiry into Child Sexual Abuse; and (ii) the Infected Blood Inquiry. According to the government, an inquiry into the COVID-19 pandemic is also forthcoming.

Organisations should ensure they are compliant with the standards set out in the Code - the CQC will be conducting inspections to ensure that organisations have effective management systems in place.

The Code can be found here.