ig 2.4 - information lifecycle policy - 17 dec.doc

Upload: jawaid-iqbal

Post on 04-Jun-2018


  • 8/13/2019 IG 2.4 - Information Lifecycle Policy - 17 Dec.doc

    INFORMATION LIFECYCLE MANAGEMENT (ILM) POLICY

    Documentation Control

    Reference:
    Approving Body: TRUST BOARD
    Date Approved:
    Implementation Date: MARCH 2010
    Version: 1
    Supersedes: N/A
    Consultation undertaken: HEALTH RECORDS MANAGEMENT GROUP; INFORMATION GOVERNANCE COMMITTEE
    Date of completion of Equality Impact Assessment: December 2009
    Target Audience: ALL STAFF
    Supporting Procedure(s):
    Review Date: MARCH 2013
    Lead Executive: DIRECTOR OF ICT
    Author/Lead Manager: RECORDS MANAGER
    Further Guidance/Information: SUPPORTING INFORMATION GOVERNANCE POLICIES (VIEWABLE ON NUH INTRANET). SEE FULL LIST OF SUPPORTING RELEVANT LEGISLATION AND ADVICE CONTACTS


    Information Lifecycle Management Policy, Version 1, February 2010

    INFORMATION LIFECYCLE MANAGEMENT (ILM) POLICY

    CONTENTS

    1. Policy Statement
    2. Associated policies and procedures
    3. Phases of the Information Lifecycle
    4. Scope and Definitions
    5. Policy Principles
    6. Records/Information Assets Inventory
    7. Policy Objectives and Performance Standards
    8. Integration of ILM Requirements
    9. Accountability and Responsibility
    10. Implementation and Monitoring
    11. Review
    12. Relevant Legislation and Guidance
    13. Advice
    14. Equality and Diversity Statement
    15. Equality Impact Assessment Statement
    16. Environmental Impact Assessment
    Appendix 1: Equality Impact Assessment Report
    Appendix 2: Employee Record of having read the policy


    1. POLICY STATEMENT

    This policy sets out the principles of Information Lifecycle Management (ILM) and how they will be applied to all recorded information belonging to the Nottingham University Hospitals NHS Trust arising from business processes.

    ILM is a concept which describes the policies, strategies, processes, practices, services and tools used by an organisation to manage its recorded information assets through every phase of their existence, from creation or receipt, through their useful life, to final destruction or deposit with an institution approved by the National Archives for the archival deposit of Public Records.

    The policy supports the requirements of the Freedom of Information Act 2000, the Data Protection Act 1998 and other statutory and legal responsibilities.

    2. ASSOCIATED POLICIES AND PROCEDURES

    This over-arching policy forms a component of the Information Governance Toolkit and is complementary to a collection of specific NUH Information Governance Policies, Procedures, Guidelines and Protocols. The total suite of Information Governance Policy and Strategy documents is published on the NUH Intranet Policy Library: Policies & Trust Wide Procedures

    3. THE FIVE PHASES OF THE INFORMATION LIFECYCLE

    This policy documents the intent of the Trust to manage ALL of its recorded information assets appropriately in accordance with the concept of information lifecycle management and throughout the five distinct phases of the records/information lifecycle [Fig.1]:

    1. Creation
    2. Retention (organisation, storage, security, etc)
    3. Maintenance
    4. Use (retrieval, access levels etc)
    5. Disposal (timely, with appropriate and secure media destruction methods used)

    Fig.1: The records/information lifecycle shown as a cycle (Creation, Retention, Maintenance, Use, Disposal)

    4. SCOPE AND DEFINITIONS

    This policy relates to ALL recorded information existing in ALL formats or mediums: current, non-active or archived; clinical or non-clinical; held by or under the control of the Trust. This includes, and is not limited to, computer data, paper, negatives, photographs, audio or video recordings, microfilms, and recorded information relating to Trust business held on memory sticks, portable computers, PDAs and mobile phones.

    In this policy, Records are defined as:

    Recorded information, in any form, created or received and maintained by the Trust in the transaction of its business or conduct of affairs and kept as evidence of such activity.

    5. POLICY PRINCIPLES

    The Trust acknowledges information as a vital business asset and intends that the principles and concepts associated with ILM are integral to all business processes that generate recorded information.

    5.1 Using ILM principles the Trust will demonstrate:

    - Accountability - Financial, Regulatory and Governance
    - Effective management and use of information resources - based on best practice
    - A culture of openness and transparency, protecting the interests of the NHS and the rights of staff, patients and members of the public


    5.2 Implementation of ILM principles requires appropriate creation and management of recorded information by Trust staff in the course of business. The intention is that recorded information owned by the Trust will always be:

    - of high quality
    - accurately captured
    - up to date
    - secure
    - easily retrievable
    - available when needed
    - and reflective of the following attributes:

    5.3 Authentic:

    Recorded information can be proven to:

    - be what it purports to be;
    - have been created or sent by the person purported to have created or sent it;
    - have been created or sent at the time purported.

    5.4 Reliable:

    The content of a record can be trusted as a full and accurate representation of the transactions, activities or facts to which it attests; and it can be depended upon in the course of subsequent transactions or activities.

    5.5 Complete and Unaltered:

    The integrity of recorded information refers to its being complete and unaltered. Records must be protected against unauthorised alteration. Policies and procedures must specify what additions or annotations may be made to a record after it is created, under what circumstances additions or annotations may be authorised, and who is authorised to make them. Any authorised annotation, addition or deletion must be explicitly indicated and traceable.

    5.6 Useable:

    A useable record is one that can be located, retrieved, presented and interpreted. It should be possible to demonstrate a direct connection to the business activity or transaction that produced it. The contextual linkages of records should carry the information needed to understand the transactions that created them and how they were used. It should be possible to identify a record within the context of broader business activities and functions. The links between records documenting a sequence of activities should be maintained.

    6. RECORDS/INFORMATION ASSETS INVENTORY

    6.1 In accordance with the requirements of the IG Toolkit V7, in July 2009 the Trust carried out an inaugural audit of its records and information assets. Individual managers and Directors were required to input data to populate and establish the inventory, to establish the type and form in which any records are held, and to identify record keeping systems currently in use, as well as the volume, condition, location and responsible manager for records collections/information assets. Both electronic and paper collections and current, closed or archived records/information were included. The inventory is applicable to both clinical and non-clinical records/information holdings.

    6.2 The Inventory will inform the Trust's Board Assurance Framework, risk management and business continuity processes by:

    a) Identifying Senior Responsible Managers and Owners of specific records/information assets.
    b) Discovering record creation and disposal compliance.
    c) Identifying the existence of records required for disclosure in response to an application made under the Freedom of Information Act.
    d) Identifying information sharing arrangements both within the organisation and externally.
    e) Identifying which records are stored electronically, which are stored on paper and which are hybrid (i.e. stored partly electronically and partly on paper).
    f) Allowing records to be mapped to current Retention Schedules to ensure compliance and, where appropriate, superfluous, out of date or replicated records to be destroyed.
    g) Informing the Data Protection Act notification process and information flows surveys.
    h) Ensuring that staff and managers with records management responsibilities are appropriately trained.
    i) Identifying inappropriate, or pressure on, records storage conditions, and highlighting deficiencies in security arrangements for records, including those electronic records which are not being routinely backed up, to enable appropriate risk management.
    j) Enabling internal and external records related audits, e.g. Audit Commission, Financial Audits.
    k) Protecting the legal rights of the Trust, its employees, patients and third parties.
    l) Providing authentication so that actions may confidently be taken on reliable information.
    m) The central inventory will be kept under annual review. Managers and Owners of records/information assets will be reminded annually to update inventory entries to guarantee their completeness and to make any necessary amendments.

    Reporting Scheme

    6.3 Directors will be required to declare an annual Statement of Assurance to the SIRO that an accurate and comprehensive submission to the Inventory has been provided which documents all records and information assets retained for their own areas of responsibility.

    6.4 Inventory data will facilitate an Annual Report provided to the Information Governance Committee, as a delegated sub group of the Board, for review and sign off. The report will:

    - Report on the status of the Trust's Inventory
    - Report departmental compliance with IG assurance requirements [1]
    - Identify areas where there is ILM non-compliance and associated risk
    - Make recommendations/mandate action plans and timescales for improvement

    6.5 Responsible owners of records and information assets will be required to submit action plans to the Information Governance Committee in response to any identified weaknesses or non-compliance. The plans should quantify both the resources and the timescales required to make improvements.

    [1] Connecting for Health, Information Governance Self Assessment Toolkit.


    7. POLICY OBJECTIVES & PERFORMANCE STANDARDS

    The major objectives and required performance standards of this policy are that recorded information is:

    CREATION

    7.1 Objective: Available when needed

    Performance indicators:

    - Sufficient to enable a reconstruction of activities or events that have taken place.
    - Identifiable as part of a records collection that is currently registered on the Trust's Central Records Inventory/Registry of information assets and record collections*.

    *Go to the Manual Records Inventory: http://www.surveymonkey.com/s.aspx?sm=Br6h9IhJYb_2b1Vng8KJkIDw_3d_3d
    Guidance document for Manual Records submissions: http://nuhnet/Communications_Marketing/briefings/Documents/Manual_records_survey_guidance_notes.doc
    *Go to the Electronic Records Inventory: http://www.surveymonkey.com/s.aspx?sm=_2fiuJFRqWqOZfez4lnPZTTQ_3d_3d
    Guidance document for Electronic Records submissions: http://nuhnet/Communications_Marketing/briefings/Documents/Electronic_records_survey_guidance_notes.doc

    7.2 Objective: Accessible to all members of staff that require access in order to enable them to carry out their day to day work.

    Performance indicators:

    - Information must be located and displayed in a way consistent with its initial use.
    - Appropriate referencing, naming, filing, protective markings and version control systems [including the printing of hard copies] must be in place and applied consistently throughout the Trust [2] and for the life of the information.

    [2] A Procedure for the filing and creation of electronic corporate records is under development and will utilise Microsoft Sharepoint technology (Oct 2009)


    7.3 Objective: Interpretable, clear and concise

    Performance indicator:

    - The context of recorded information must be clear and be able to be interpreted appropriately, i.e. who created or added to the record and when, during which business process and how the record is related to other records.

    7.4 Objective: Trusted, accurate and relevant

    Performance indicators:

    - The information must reliably represent the initial data that was actually used in, or created by, the business process whilst maintaining its integrity. The authenticity must be demonstrable and the content relevant.
    - Appropriate audit trails must be kept of additions, amendments to and deletions of recorded information in IT systems (BS 1008 compliant)

    7.5 Objective: Secure

    Performance indicator:

    - The information must be secure from unauthorised or inadvertent alteration or erasure. Access and disclosure must be properly controlled and audit trails used to track all use and changes.

    7.6 Employees should consider the following when creating information:

    - what they are recording and how it should be recorded
    - why they are recording it
    - how to validate information to ensure they are recording the correct data
    - how to identify and correct errors and how to report errors if they find them
    - the use of information - staff should understand what the records are used for (and therefore why timeliness, accuracy and completeness of recording is so important)
    - how to update information and how to add in information from other sources

    RETENTION

    7.7 Objective: Recorded information should be retained for as long as it is needed and in line with the timescales within the Trust's Records Retention and Disposal Policies.

    Performance indicators:

    - Recorded information is stored in a secure environment that meets the requirements of relevant Trust IG Policies.
    - Recorded information undergoes a regular formal appraisal process.

    MAINTENANCE

    7.8 Objective: All recorded information needs to be maintainable through time.

    Performance indicator:

    - The qualities of availability, accessibility, interpretation and trustworthiness must be maintained for as long as the information is needed, perhaps permanently, despite any changes in the format.

    USE

    7.9 All information must be used consistently, only for the purpose for which it was intended and never for an individual employee's personal gain or purpose. If in doubt employees should seek guidance from the Trust's Head of Information Governance, or Information Security Manager.

    Contractors must also be monitored and controlled regarding their use of information

    DISCLOSURE

    7.10 Objective: Only the specific information required should be disclosed to authorised parties and always in accordance with, and with strict adherence to, the Data Protection Act and the Freedom of Information Act. There are a range of statutory provisions that limit, prohibit or set conditions in respect of the disclosure of records to third parties, and similarly, a range of provisions that require or permit disclosure. The key statutory requirements can be found in Annex C of the Records Management: NHS Code of Practice (Part 1).

    Performance indicators:

    The authorised initial points of contact for dealing with formal legal applications for disclosure of confidential patient records/information made under the Data Protection Act and Access to Health Records Act are:

    Authorised Emergency Dept Secretarial Staff Data Protection Administration Office (ICT) Security Manager

    Established formal application processes are in place and informed by the Department of Health publication Confidentiality: NHS Code of Practice.

    Records Management: NHS Code of Practice (Part 1): http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747
    Department of Health publication Confidentiality: NHS Code of Practice: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747

    TRANSFER

    7.11 The mechanisms for transferring information from one organisation to another should also be tailored to the sensitivity of the material contained within the records and the media on which they are held.

    The Head of Information Governance or the Information Security Manager can advise on appropriate safeguards. Guidance can also be found within the Trust's Information Sharing Protocol and the Information Governance Toolkit on the CFH website.

    CLOSURE

    7.12 Objective: Closure

    Performance indicators:

    - Information held in records should be closed (i.e. made inactive and transferred to secondary storage) as soon as it has ceased to be in active use other than for reference purposes.
    - An indication that a file of paper records, or electronic records, has been closed, together with the date of closure, should be shown on the record itself as well as noted in the index or database of the files/folders.
    - Where possible, information on the intended disposal of electronic records should be included in the metadata when the information is created.
    - The storage of closed records should follow the accepted standards relating to environment, security and physical organisation of the files. The standards are set out in the Corporate Records Management Policy.

    DISPOSAL

    7.13 Objective: Retention and disposal periods vary and are dependent upon the type of information being stored. The specific retention periods are set out in the Records Management: NHS Code of Practice below.

    Performance indicators:

    - Records information on whatever media must be retained and disposed of in a timely way in accordance with Trust Policy and DoH Minimum Retention Periods* to ensure Data Protection Act compliance and that the minimum volume of records information is maintained consistent with cost effective and efficient operations.
    - Disposal of records information is undertaken promptly and conducted in accordance with Trust Policies and by authorised staff.
    - All records disposal must be fully documented.
    - The policy and process includes provision for permanent preservation and transfer of information with archival value. The Records Manager can advise on archiving and transfer of records to approved archival institutions.

    *Records Management: NHS Code of Practice: http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4131747

    TRAINING

    7.14 Objective: Local training and induction procedures must ensure staff are trained and competent

    Performance indicators:

    - Staff know what records/information to keep for evidential purposes;
    - what actions need to be applied to records throughout their lifecycle;
    - how recorded information should be stored and indexed so that records can be retrieved and if required used by others
    - Supporting Local/Departmental policies and operational procedures will be documented and applied
    - Job Descriptions across the Trust include relevant references to record keeping/records management responsibilities

    AUDIT

    7.15 Objective: The Trust will audit its ILM compliance via the IG Toolkit requirements.

    The Trust will audit departmental/local compliance with ILM related Trust policies, obtain improvement action plans where procedures do not match the desired levels of performance or where non-conformance to policy is occurring. The programme of audit for ILM will be built into the ICT Audit

    Performance indicator:

    - Trust and Local policies must include provision for the establishment of audit and evaluation processes for establishing the effectiveness of ILM in paper and ICT systems.

    RISK ASSESSMENT

    7.16 Objective: All ILM risks must be managed in accordance with the Trust's Risk Management Strategy (including resource risks which impact upon ILM requirements)

    Performance indicators:

    - Departments must treat information risk as a business issue. Information Risks relating to any stage of the records/information lifecycle must be recorded on Risk Registers, risk tolerances set and impacts assessed
    - Business recovery and continuity plans must be risk assessed
    - All records and information vital to the continuing functioning of the activities of the Trust will be identified and provision made for their protection in event of disaster. [3]

    [3] NUH Risk Management Strategy


    8. INTEGRATION OF ILM REQUIREMENTS INTO ICT SYSTEMS

    The integration of ILM requirements into the information architecture of future ICT systems is essential. Information architecture is defined within this policy as: the structural design of shared information environments, including both manual and electronically generated information. It involves analysing, designing and coordinating the various elements that make up an information system, including: hardware, software, data, networks, business processes, staff and resources.

    ILM requirements and information architecture on Trust hosted systems will be managed by ICT Services, by IT specialists who know how to achieve and advise on ILM requirements and appropriate strategies, standards, practices, and technologies suitable for the entire organisation.

    The Trust acknowledges that managing information held electronically is not just a technology issue; it is also a policy issue, a business issue and a training issue. Reliable information, not technology, is essential to accountability. As the Trust has an increasing dependency upon digital information, it is essential that future policy counters potential future problems relating to inadequate information technologies and unsuitable electronic record-keeping practices.

    In summary, this approach will ensure all Trust IT systems generate and manage records that are capable of:

    - Serving as a source of trusted and contextualised information that can be used to support business functions and decision-making.
    - Serving as instruments of accountability

    9. ACCOUNTABILITY AND RESPONSIBILITY FOR THE POLICY

    Advancing technologies and business processes are transforming the way organisations work and shifting the responsibility for capturing and managing records and information from NHS ICT departments to ALL NHS staff that create and use records and information on a daily basis.

    Many records previously held on paper are now being held on electronic systems. However, few systems have currently entirely eliminated the use of all hard copy documents. As a result both paper and electronic records management must be closely co-ordinated. This places new and important ILM related demands and responsibilities onto both managers and staff.

    This policy covers the details of the obligations of all Trust employees, including temporary, substantive and honorary contract holders, students, agency staff and independent contractors providing services to the Trust.

    9.1 The Trust Board and Chief Executive

    The Trust recognises that it has a specific corporate responsibility for ILM. All relevant Policies will demonstrate ILM principles and adherence to standards promulgated by regulatory bodies. The Chief Executive has ultimate responsibility for compliance with this policy.

    9.2 All Staff

    All staff have a personal responsibility for recorded information that they create or that they have some impact upon, whether clinical or corporate, and for adhering to the Trust's suite of Information Governance policies, principles and procedures to help maintain the availability, effectiveness, security and confidentiality of recorded information.

    9.3 The Senior Information Risk Officer (SIRO)

    The Trust has a Board Level Senior Information Risk Officer as required by the Connecting for Health Information Governance Toolkit. The SIRO takes ownership of the Trust's information risk policy, acts as advocate for information risk on the Board and provides written advice to the accounting officer on the content of their Statement of Internal Control in regard to information risk.

    The SIRO is responsible for developing and encouraging good information handling practice amongst all members of the Trust. This individual will work with other Trust Directors and Managers who have a remit which includes records and information management elements, either clinical or corporate.

    9.4 The Caldicott Guardian

    The Caldicott Guardian is responsible at Board level for approving and ensuring that national and local policies on the handling of confidential personal information are implemented. The Caldicott Guardian also has


    evaluating IG standards and creating and implementing action plans for compliance.

    9.9 The Health Records Management Group (HRMG)

    HRMG has an operational remit for evaluating IG standards specifically relating to health records and creating and implementing action plans for compliance.

    9.10 Local Health/Corporate Records Managers

    Local Corporate Records Managers nominated by individual Directors provide focus for and are responsible for local implementation of ILM and other information governance policies and procedures. They also form a Local Records Managers Network in which best practice and knowledge can be shared.

    9.11 Contractors and support organisations

    Service Level Agreements and contracts with other organisations must include and set out the responsibilities for the management of records and information and address all relevant aspects of Information Governance.

    10. IMPLEMENTATION AND MONITORING PLANS

    10.1 The Information Governance Committee is the overarching group with responsibility for monitoring the ILM Policy. It is supported by an Information Governance Sub Group with an operational remit for evaluating IG standards and creating and implementing action plans for compliance.

    10.2 Senior Managers are responsible for applying the Policy to records/information assets within areas of their responsibility.

    10.3 This Policy is applicable to, and should be noted by, all staff employed by Nottingham University Hospitals NHS Trust.

    10.4 The Policy will come into effect in January 2009 and managerial awareness and Trust compliance will be measured via an annual audit conducted by East Midlands Audit and reported to the Information Governance Committee.


    11. REVIEW

    The Policy is due for review in January 2013.

    12. SUPPORTING RELEVANT LEGISLATION/NATIONAL GUIDANCE

    A considerable number of legislative requirements, professional obligations and internationally recognised standards limit, prohibit or set conditions in respect of the five stages of Information Lifecycle Management. The requirements of these are set out or referenced in specific Trust Information Governance Policies.

    - Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically (BIP 0008) sets out requirements to protect the evidential value of records in accordance with British Standards.
    - BS ISO 15489-1:2001(E): To ensure the authenticity of records, organisations should implement and document policies and procedures which control the creation, receipt, transmission, maintenance and disposition of records to ensure that record creators are authorised and identifiable and that records are protected against unauthorised addition, deletion, alteration, use and concealment.
    - The Lord Chancellor's Code of Practice under Section 46 of the Freedom of Information Act 2000. See: http://www.dca.gov.uk/foi/codemanrec.pdf The Code of Practice provides guidance to all public authorities as to the practice which it would, in the opinion of the Lord Chancellor, be desirable for them to follow in connection with the discharge of their functions under the Freedom of Information Act 2000.
    - The National Archives: Model Action Plan for Developing Records Management Compliant with the Lord Chancellor's Code of Practice under Section 46 of the Freedom of Information Act 2000. See: http://www.nationalarchives.gov.uk/policy/foi/pdf/national_health.rtf
    - The National Archives: Complying with the Records Management Code: Evaluation Workbook and Methodology (March 2005) www.nationalarchives.gov.uk/news/stories/62.htm
    - The National Archives: File Creation http://www.nationalarchives.gov.uk/recordsmanagement/advice/
    - ISO 15489 international record keeping standards.
    - e-Government Technical Standards


    - The Congenital Disabilities (Civil Liability) Act 1976
    - The Consumer Protection Act (CPA) 1987
    - The Control of Substances Hazardous to Health Regulations 2002
    - The Copyright, Designs and Patents Acts 1990
    - The Crime and Disorder Act 1998
    - The Data Protection Act (DPA) 1998
    - The Data Protection (Processing of Sensitive Personal Data) Order 2000
    - Directive 2001/83/EC of the European Parliament and of the Council of 6 November 2001 on the Community Code Relating to Medicinal Products for Human Use
    - The Disclosure of Adoption Information (Post-Commencement Adoptions) Regulations 2005
    - The Electronic Communications Act 2000
    - The Environmental Information Regulations 2004
    - The Freedom of Information Act (FOIA) 2000
    - The Gender Recognition Act 2004
    - The Gender Recognition (Disclosure of Information) (England, Wales and Northern Ireland) (No. 2) Order 2005
    - The Health and Safety at Work Act 1974
    - The Health and Social Care Act 2001
    - The Human Fertilisation and Embryology Act 1990, as Amended by the Human Fertilisation and Embryology (Disclosure of Information) Act 1992
    - The Human Rights Act 1998
    - The Limitation Act 1980
    - The NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000
    - The Police and Criminal Evidence (PACE) Act 1984
    - The Privacy and Electronic Communications (EC Directive) Regulations 2003
    - Public Health (Control of Diseases) Act 1984 and Public Health (Infectious Diseases) Regulations 1988
    - The Public Interest Disclosure Act 1998
    - The Public Records Act 1958
    - The Radioactive Substances Act 1993
    - The High-activity Sealed Radioactive Sources and Orphan Sources Regulations
    - The Re-use of Public Sector Information Regulations 2005
    - The Sexual Offences (Amendment) Act 1976 Subsection 4(1) as Amended by the Criminal Justice Act 1988

    The Access to Health Records Act 1990
    The Access to Medical Reports Act 1998
    The Abortion Regulations 1991

    BSI BIP 0008 - The current British Standard document relating to Legal Admissibility and Evidential Weight of Information Stored Electronically. It sets a benchmark for procedures that should be followed in order to achieve best practice.

    BSI PD 5000 - Electronic Documents and e-Commerce Transactions as Legally Admissible Evidence: the BSI Code of Practice, PD 5000:1999, enables organisations to demonstrate the authenticity of their electronic documents and e-commerce transactions, so they can be used as legally admissible evidence. The Standard contains five parts as follows:
        Information Stored Electronically (DISC PD 0008:1999)
        Electronic Communication and email Policy
        Identity, Signature and Copyright
        Using Certification Authorities
        Using Trusted Third Party Archives.

    BS 4743 - This series of Standards published between 1988 and 1994 cover the storage, transportation and maintenance of different types of media for use in data processing and information storage.

    BS 5454:2000 - This makes recommendations for the storage of archival documents.

    BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 BS 7799-2:2005 - This Standard provides a code of practice and a set of requirements for the management of information security. The Standard is published in two parts. Part one has been adopted as ISO 17799:2000 and provides a code of practice for information security management. Part two provides a specification for information security management systems.

    ISO 15489 - This is the international records management standard and is about best practice in records management.

    ISO 19005 - This Standard provides for organisations to archive documents electronically for long-term preservation.

    The NHS Information Governance Toolkit - The Information Governance Toolkit return is required from all NHS organisations and provides guidance and best practice on all facets of information governance including:

        Data Protection Act 1998
        Freedom of Information Act 2000
        The NHS Confidentiality Code of Practice
        Records Management

        Information Quality Assurance
        Information Security
        Information Governance Management.

    See: http://nww.nhsia.nhs.uk/infogov/igt/

    13. ADVICE

    The following specialists can be contacted regarding aspects of ILM advice:

    Name             Specialist Area                            Ext
    David Cadwell    Information Security                       57100
    Debbie Terry     Data Protection, Freedom Of Information,   57100 or 57169
                     Confidentiality, Information Governance
                     Toolkit Compliance
    Deborah Coombs   Records Management                         66838 or 63975
    Neil Mart        Integrated Governance/Risk Management      62553
    John Somers      Caldicott Guardian                         64229 or 61091
    Ben Halliday     IT Systems Maintenance                     54990
    Nikki Turgoose   IT Software Implementation                 54989 or 62521
    Matt Howden      IT Systems Design                          66052
    Steve Baxter     Data Collection, Information Analysis      62009 or 56609

    14. Equality and Diversity Statement

    All patients, employees and members of the public should be treated fairly and with respect, regardless of age, disability, gender, marital status, membership or non-membership of a trade union, race, religion, domestic circumstances, sexual orientation, ethnic or national origin, social & employment status, HIV status, or gender re-assignment.

    All Trust policies and Trust-wide procedures must comply with the relevant legislation (non-exhaustive list) where applicable:

    Equal Pay Act (1970 and amended 1983)
    Sex Discrimination Act (1975 amended 1986)
    Race Relations (Amendment) Act 2000
    Disability Discrimination Act (1995)
    Employment Relations Act (1999)
    Rehabilitation of Offenders Act (1974)
    Human Rights Act (1998)
    Trade Union and Labour Relations (Consolidation) Act 1999
    Code of Practice on Age Diversity in Employment (1999)
    Part Time Workers - Prevention of Less Favourable Treatment Regulations (2000)
    Civil Partnership Act 2004
    Fixed Term Employees - Prevention of Less Favourable Treatment Regulations (2001)
    Employment Equality (Sexual Orientation) Regulations 2003
    Employment Equality (Religion or Belief) Regulations 2003
    Employment Equality (Age) Regulations 2006
    Equality Act (Sexual Orientation) Regulations 2007

    15. Equality Impact Assessment Statement

    NUH is committed to ensuring that none of its policies, procedures, services, projects or functions discriminate unlawfully. In order to ensure this commitment all policies, procedures, services, projects or functions will undergo an Equality Impact Assessment.

    Reviews of Equality Impact Assessments will be conducted in line with the review of the policy, procedure, service, project or function.

    16. Environmental Impact Assessment

    Following the initial screening of this policy, a full impact assessment is not required at present as disposal of all information media within must be carried out in accordance with the requirements of the established Waste Policy.

    APPENDIX 1

    Equality Impact Assessment Report Outline

    Remember that your EIA report should demonstrate what you do (or will do) to make sure that your service/policy is accessible to different people and communities, not just that it can, in theory, be used by anyone.

    1. Name of Policy or Service

    Information Lifecycle Management Policy

    2. Responsible Manager

    Records Manager

    3. Name of Person Completing Assessment

    Antonia Kingaby

    4. Date EIA Completed

    17 December 2009

    5. Description and Aims of Policy/Service (including relevance to equalities)

    The Trust acknowledges information as a vital business asset and is intent that the principles and concepts associated with ILM are integral to all business processes that generate recorded information.

    This policy sets out the principles of Information Lifecycle Management (ILM) and how they will be applied to all recorded information belonging to the Nottingham University Hospitals NHS Trust arising from business processes.

    This policy relates to ALL recorded information existing in ALL formats or mediums: current, non-active or archived; clinical or non-clinical; held by or under the control of the Trust. This includes, and is not limited to, computer data, paper, negatives, photographs, audio or video recordings, microfilms, recorded information relating to Trust business held on memory sticks, portable computers, PDAs and mobile phones.

    6. Brief Summary of Research and Relevant Data

    Freedom of Information Act 2000
    Data Protection Act 1998

    7. Methods and Outcome of Consultation

    HEALTH RECORDS MANAGEMENT GROUP
    INFORMATION GOVERNANCE COMMITTEE

    8. Results of Initial Screening or Full Equality Impact Assessment:

    Equality Group              Assessment of Impact
    Age                         No Impact Identified
    Gender                      No Impact Identified
    Race                        No Impact Identified
    Sexual Orientation          No Impact Identified
    Religion or belief          No Impact Identified
    Disability                  No Impact Identified
    Dignity and Human Rights    No Impact Identified
    Working Patterns            No Impact Identified
    Social Deprivation          No Impact Identified

    9. Decisions and/or Recommendations (including supporting rationale)

    Following the initial screening of this policy, a full impact assessment is not required at present as the policy relates to the retention, management and disposal of information in any form including, and not limited to, computer data, paper, negatives, photographs, audio or video recordings, microfilms, recorded information relating to Trust business held on memory sticks, portable computers, PDAs and mobile phones.

    10. Equality Action Plan (if required)

    N/A

    11. Monitoring and Review Arrangements (including date of next full review)

    It is recommended that this policy is reviewed in line with the current guidelines of NUH, unless there is a change in relevant legislation, in which case the policy should be reviewed within 6 months of new legislation and changes made accordingly.

    APPENDIX 2

    EMPLOYEE RECORD OF HAVING READ THE POLICY

    INFORMATION LIFECYCLE MANAGEMENT (ILM) POLICY

    I have read and understand the principles contained in the named policy.

    PRINT FULL NAME SIGNATURE DATE