Access To Health Records

Record Keeping Policy

1. Introduction

  • This Record Keeping Policy is Forest Hill Road Group Practice’s (hereafter referred to as "us", "we", or "our") policy regarding the safekeeping of all records from their creation to disposal – this includes our procedures for sharing information externally.

2. Purpose

  • This policy will ensure that both service user & staff records are properly created, accessible and available for use and that they are disposed of in a secure and timely fashion. It provides staff with guidance regarding individual responsibility for accuracy and appropriate storage of records.
  • This Record Keeping Policy covers:
      • Our record keeping procedure from creation to disposal;
      • Transparency procedures;
      • Our retention & disposal procedures;
      • Our information handling procedures – including our procedures for safely and legally sharing information externally;
      • Procedures for individuals making requests about their data (GDPR individual data rights);
      • Subject access request procedures;
      • Right to erasure (‘Right to be forgotten’) procedures;
      • Right to restrict processing procedures;
      • Right to object procedures;
      • Our procedures when there is a withdrawal of consent to share.

3. Scope

  • This policy includes in its scope all data which we process, whether in hard copy or digital form; this includes special categories of data.
  • This policy applies to all staff, including temporary staff and contractors.

4. Record keeping procedures – creation and use of records

  • When we create records, we use standardised structures and layouts for the contents of records.
  • All records are kept in accessible but protected locations. The location of these records is documented in the Information Asset Register (IAR). The security procedures around access to records are detailed in the Data Security Policy.
  • Throughout the lifespan of the record we:
      • Ensure documentation reflects the continuum of care and is viewable in chronological order;
      • Provide a clearly written care plan when care is being delivered by several members of the team, and ensure records are maintained and updated, and shared with those who have a legal basis for seeing the information;
      • Provide staff with guidance and training on the creation and use of records and their legal responsibilities to share and safeguard personal confidential information;
      • Monitor access to the record. The procedures which detail our auditing and monitoring process are detailed in our Data Security Policy.
  • At any point in the lifespan of the record, the data subject has the right to request access to their data. These subject access procedures are detailed in [9].
  • At any point in the lifespan of the record, the data subject has the right to request that their record is corrected. These procedures are detailed in the Data Quality Policy.
  • At any point in the lifespan of the record, the data subject has the right to request the erasure (‘Right to be forgotten’) of their record. These procedures are outlined in [10].
  • Records are only retained while they are necessary for the purposes for which they were originally collected. We will ensure that all records are retained and destroyed in line with [6] Retention & Disposal Procedures.
  • We will audit our record keeping procedures at least annually to ensure that they are adequate and that we continue to keep our records to the highest standards.

5. Transparency procedures

  • Our privacy notice outlines to people why we hold their data, the lawful basis for doing so, and their rights in terms of how we process their data.
  • Our privacy notice is freely available to all individuals whose data we process and is part of our commitment to transparency and accountability. It satisfies the individual’s right to be informed under GDPR.
  • All service users, or their legal representative if necessary, will be informed of their rights regarding their personal data when they sign initial contracts.
  • The privacy notice will be reviewed and updated at least annually.
  • The privacy notice has been signed off by the Practice Manager.
  • We will provide people with this information at the moment that we ask them to give us their personal data.
  • If we receive an individual’s personal data from a source other than that individual, we will provide them with privacy information without undue delay and at least within one month.

6. Retention schedule & disposal procedures

  • We will adhere to the retention timelines determined by the Information Governance Alliance (IGA) in Appendix 3 of the Records Management Code of Practice for Health and Social Care 2016.
  • At the end of their lifespan, the records will go through an appraisal process. This process will determine if there is a continuing legal basis for keeping the record. The Practice Manager will have final responsibility for determining whether the record will be destroyed or retained. They will maintain a record of all retention or disposal decisions.
  • In the instance that records are destroyed, our in-house process is to shred the documents.

7. Information handling procedures

  • Information Handling Procedures ensure that personal information is protected and that it is not disclosed inappropriately, either by accident or design, whilst in use or when it is being transferred.
  • In line with legislation, personal information is not processed without a lawful basis being identified. The Record of Processing Activities (ROPA) records all processing of personal data and identifies the legal basis for it being processed.
  • These procedures cover all records which contain data or information which can be said to contain sensitive commercial or personal data whether stored in hardcopy or digitally.
  • Guidelines for staff on the secure use of personal information are outlined in the staff handbook.
  • We ensure that there are secure points for the receipt of personal information transferred to us and we have applied the following measures to safeguard personal information during receipt and transfer/transit:

Verbal communications:

  • Staff members have been provided with training on verbal communications. They know that they must take appropriate precautions not to reveal confidential information, e.g. to avoid being overheard when making a phone call, and not to have confidential conversations in public places or open offices. The staff handbook and their training inform them that breach of this procedure may be a disciplinary or legal offence.

Postal services and couriers:

  • We will ensure that all confidential information we transfer by post or courier is transferred as securely as is practicable. All records transferred in this manner are addressed to a named individual and marked “Private and Confidential”. All records which are posted will be sent by signed-for delivery so that it is guaranteed that the correct person receives the record.

Faxes: The fax machine is in the Reception area. When receiving faxes containing confidential information, the organisation ensures:

  • The fax machine is located in a secure area;
  • The fax is removed from the machine as soon as it is received;
  • Where necessary, the sender is contacted to confirm receipt;
  • The information in the fax is appropriately dealt with and safely stored.

To ensure that confidential information transferred from the organisation by fax is sent as securely as is practicable, the organisation ensures:

  • The fax number is always double checked, and frequently used numbers are stored in the fax machine to reduce the risk of typing errors;
  • A fax cover sheet is used and marked "Private and Confidential";
  • Faxes are only sent to a named person rather than a team;
  • The recipient is informed that a fax will be sent, and asked to confirm receipt;
  • Faxes are not sent outside a recipient organisation's working hours when there is no-one present to receive them;
  • We regularly check the fax machine's date and time, especially following power outages or the change to or from British Summer Time.

Email:

  • We undertake that person identifiable information (either of employees or service users) can only be sent by secure email. Both the recipient and sender must have access to secure email.

8. Procedures for individuals making requests about their data (GDPR individual data rights)

  • GDPR provides all individuals within the EU specific rights when it comes to their personal data.
  • To exercise these rights an individual should contact any staff member, though ideally the Data Protection Officer, and make a request either verbally or in writing.
  • In the instance that the request is made to a member of staff who is not the Data Protection Officer, that staff member will inform the Data Protection Officer as soon as possible; the timeline for responding to requests begins from when the first staff member is contacted.
  • In all cases we will respond to a request without delay and in a timeframe not exceeding one month from when the request was made.
  • Should the request be complex, this may be extended to two months; however, we will inform the individual in writing of the extension and the reasons why it is required within one month.
  • If the request is manifestly unfounded or excessive we may either request a reasonable fee to cover our administrative costs or we may refuse to comply with the request.
  • If we refuse to comply with a request we will inform the individual why we are not taking action, tell them about their right to complain to the ICO, and tell them that they have the right to seek a judicial remedy.
  • In order to process any request, we will use reasonable means to verify the identity of the individual making the request so that no data is shared inappropriately.
  • The Data Protection Officer will maintain a log of all requests and their outcomes.
  • All staff will be informed of these procedures in the staff handbook.

9. Subject access request procedures

  • All individuals have the right to access their personal data which we process and store.
  • Confidential records of the deceased have the rights afforded to them by the Duty of Confidentiality and the Access to Health Records Act 1990. Should any person wish to request access for any records of the deceased they should contact the Data Protection Officer.
  • We will provide a copy of any information which it is lawful to provide free of charge. If further copies are required, we will charge a fee which will exclusively cover the administration costs of making copies.
  • We will provide copies of the information requested in a reasonable format – either in hard copy or digital.

10. Right to erasure procedures

  • All citizens have the right to request the erasure of their data which we control or process.
  • Citizens can request for their data to be erased in the following instances:
  1. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
  2. When they withdraw consent;
  3. When they object to the processing and there is no overriding legitimate interest for continuing the processing;
  4. The personal data was unlawfully processed;
  5. The personal data must be erased in order to comply with a legal obligation;
  6. The personal data is processed in relation to the offer of information society services to a child.
  • We will not be able to honour any requests to have personal data erased when the data is being processed for the following reasons:
  1. to assess the working capacity of an employee;
  2. to provide a medical diagnosis;
  3. to provide health or social care or treatment or the management of health or social care systems and services;
  4. to exercise the right of freedom of expression and information;
  5. to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
  6. for public health purposes in the public interest;
  7. for archiving purposes in the public interest, scientific research, historical research or statistical purposes;
  8. the exercise or defence of legal claims.
  • Where possible, if we have appropriately shared an individual’s records with a third party, we will inform that third party of the erasure where appropriate.
  • We will erase records in line with the disposal procedures set out above.

11. Right to restrict processing procedures

  • All individuals have the right to request that we restrict the processing of their data in the following circumstances:
  1. while we are verifying the accuracy of any data we keep when an individual has made a request for the rectification of their personal data;
  2. in the instance that their personal data has been processed unlawfully and the individual requests that their data is not erased;
  3. when we do not need to keep the personal data but the individual has requested that we keep it in order to establish, exercise or defend a legal claim;
  4. if an individual objects to us processing their personal data, in which case we will restrict all processing while we investigate the request.
  • When we restrict processing, we will store the individual’s personal data but will not process their data in any other way.

12. Right to object procedures

  • All people have the right to object to us processing their data in certain circumstances.
  • They have an absolute right to object to us using their personal data for any direct marketing.
  • If they object to us using their data for marketing we will immediately stop using their data for this purpose. We will retain only enough data for us to be able to have a record that they don’t want to receive direct marketing so that their request can be respected.
  • Individuals can also object to us processing their data if we are doing it under Public Task or Legitimate Interests grounds. The individual should provide specific reasons which are based on their specific situation for why they object.
  • We cannot comply with the objection if we have compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual or if the processing is for the establishment, exercise or defence of legal claims.
  • In the instance that we cannot comply, we will clearly document the reasons for our decision, inform the individual, and inform them of their right to complain to the ICO or to seek judicial recourse.

13. Withdrawal of consent procedures

  • All people have the right to withdraw their consent to have their personal information shared at any time.
  • We guarantee that it will be as easy to withdraw consent as it is to give consent.
  • If an individual withdraws their consent to share information we will discuss in full and explain how this decision may impact on their health and care outcomes.
  • In certain instances, where legislation or public good outweighs the individual’s right to not consent to information sharing, we may not be able to honour any withdrawal of consent. This will be discussed in detail and will only occur if we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual.
  • Any time in which consent is not given or is withdrawn, the Data Officer will keep a log of this and a note will be made on the individual’s records.

14. Responsibilities

  • The Data Protection Officer is responsible for maintaining records around Subject Access, Rectification, Erasure and Withdrawal of Consent requests.
  • The Data Protection Champion is also responsible for maintaining staff training on record keeping and auditing staff knowledge annually.
  • The Data Protection Officer will report to the DPO and SIRO any Subject Access Requests or similar.
  • The Data Protection Officer has final say on any Subject Access decisions.
  • The SIRO will monitor compliance with the Record Keeping Policy and has responsibility for reviewing the policy at least annually.