

Management of Records



"Records management refers to a set of activities required for systematically controlling the creation, distribution, use, maintenance, and disposition of recorded information maintained as evidence of business activities and transactions"  – ISO 15489

Records and Information Management are key elements within the Information Governance Agenda, which steer the design and maintenance of appropriate policies and procedures. Records management will help ensure that we have the right information at the right time to make the right decisions. Organisations are required to create and manage records appropriately as set out in the requirements of the UK General Data Protection Regulation, the Data Protection Act 2018 and the Freedom of Information Act 2000.

Various standards and legislation govern the use of records within an organisation. Records can include, but are not limited to, administrative records, paper and electronic documents, emails, audio and video recordings, X-rays and CCTV footage.

Records within NHS Wales consist of: a) Business Information and b) Personal Information - Patients and Staff

As well as being a requirement under the UK General Data Protection Regulation (UK GDPR), it is important for organisations to know what information they hold, whether it is correct and up to date, who it is shared with and how it is processed. An Information Asset Register is a useful tool to track this information: it not only shows what information is held where, but also maps out the information flows to ensure there are appropriate security measures and controls in place based on how information moves around. Organisations should consider all personal data they hold when developing a register, so business information such as staff details should become part of the register as well as patient data. Table One details the ICO's expectations for developing and maintaining an Information Asset Register.

Keeping the register up to date and effective is just as important as having one. For any new project under consideration, the information flows should be part of the early planning, together with the completion of a Data Protection Impact Assessment.

Information security also supports good data governance and is itself a legal data protection requirement. Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals; it may even endanger lives in some extreme circumstances.


There is a varied selection of national standards on the management of records and information, including electronic records management held in the National Archives.

In April 2010, the Welsh Assembly Government released a framework of standards that listed requirements of what was to be expected of all NHS and partner organisations in providing effective, timely and quality services across all healthcare settings. This is called 'Doing Well, Doing Better - Standards for Health Services in Wales'.

In 2021, the Code of Practice on the Management of Records issued under section 46 of the Freedom of Information Act 2000 was released, replacing the former FOI Code of Practice. The code was updated by the National Archives to provide guidance to relevant authorities that reflects contemporary information management practice and the modern digital working environment.

The newly developed 'Records Management Code of Practice for Health and Social Care 2022' sets out good practice in records management for all public authorities in Wales. Welsh Government have now issued a Welsh Health Circular, WHC (2022) 008, notifying all organisations within the NHS in Wales that, with effect from May 2022, they should use the new Code of Practice.

Records Management Documentation

Policies outlining the adoption of retention and disposal schedules and record management policies should be held by all organisations and be made available to all staff. These should provide clear guidance on how long records, including Health Records, should be maintained. The Records Management Code of Practice for Health and Social Care 2022 provides a useful guide for organisations on how to manage records appropriately.


Every organisation should establish how records and information are managed within their organisation. It is recommended that an audit should be performed to identify the current state of play with the organisation's records management so that risks can be highlighted, and improvements made. It is the responsibility of the Caldicott Guardian and Information Governance Lead/Team to ensure that local policies and procedures are enforced within their organisation and that all staff members are aware of both their corporate and individual responsibilities regarding the creation and storage of any record which may contain patient identifiable information. 


Attainment Level

   Summary Requirement


There is a set of documented and approved records management procedures which incorporate the creation, filing, tracking, appraisal, retention and destruction of all records within the Practice, including corporate, staff and patient records. The Practice should develop and regularly maintain an Information Asset Register (IAR).


Procedures have been embedded within the organisation and all staff have been informed. The Information Asset Register (IAR) is referred to on a regular basis.


Procedures are regularly reviewed and maintained and, where available, spot checks are made to ensure the procedures are enforced across the organisation. The Information Asset Register (IAR) is a working document, and the reporting procedure is regularly reviewed to ensure it remains effective and up to date.