Skip to Content Skip to navigation
General Policy
Digital & Information
General Manager - Clinical Support and Access
Divisional Head of Health Records
Director of Digital & Information
01 January 2011
01 September 2020
01 September 2023

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out.
New policies will be subject to a review date of no more than 1 year from the date of first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date then the content will remain extant until either such time as the policy review is complete and the new version published, or there are national policy or legislative changes.


A Health Record is a document (in any format) which is created or received by an organisation or person in the transaction of clinical activities and which is maintained as evidence of these. The authenticity and reliability of records depends on them being created and handled in a properly managed and documented record-keeping system.

NHS Fife is dependent on its records to operate efficiently and account for its actions. This policy defines a structure for NHS Fife to ensure adequate records are maintained and they are managed and controlled effectively.

This document aims to set out the policy to be adhered to in relation to Health Records Management within NHS Fife to ensure that Health Records are:

• properly controlled
• readily accessible and available for use, and eventually archived or otherwise disposed of

Taking into consideration:

• access, storage & retrieval
• retention & destruction schedules
• confidentiality


This policy is NHS Fife wide.



3.1.1. NHS Fife Health Board

The Board is responsible for ensuring that it corporately meets its legal responsibilities, and for the adoption of internal and external governance requirements.

3.1.2. Data Controller

NHS Fife Chief Executive has overall accountability for ensuring that Health Records management operates correctly/legally within the Board. Responsibility may be delegated for management and organisation of Health Records services to the Medical Director and Director of Health and Social Care who are responsible for ensuring appropriate mechanisms are in place to support service delivery and continuity. Health Records management is key to this, as it will ensure appropriate and accurate information is available as required.

3.1.3. Caldicott Guardians

Caldicott Guardians are senior clinical managers of the Board responsible for protecting the confidentiality, privacy and fairness of patients and service-user information and enabling appropriate information-sharing.

Caldicott Guardians oversee that all procedures affecting access to person-identifiable health data are appropriate from the medical perspective.

The Board’s Caldicott Guardians have a particular responsibility for reflecting patients’ interests regarding the use of patient identifiable information.

The Caldicott Guardians have responsibility for:

• Ensuring the Board is fulfilling all legal obligations in managing patients’ Health Records• Agreeing and reviewing internal protocols governing the protection and use of patient identifiable information by Board staff
• Agreeing and reviewing protocols governing the disclosure of patient information across organisational boundaries, e.g. with social services and other partner organisations, contributing to the local provision of care
• Contributing to the Board’s security and confidentiality policies

The Caldicott Guardian must be a key member of the broader Information Governance function with support staff, Caldicott or Information Governance leads e.g. Data Protection Officer, Freedom of Information leads, Health Records Manager and IT Security staff contributing to the work as required.

NHS Fife has appointed three Caldicott Guardians as follows:

• Corporate Caldicott Guardian (Medical Director)
• Acute Services Caldicott Guardian (Associate Medical Director for Acute Services)
• H&SC Partnership Caldicott Guardian (Associate Medical Director for Integrated Joint Services)

3.1.4. Information Security and Governance Group

Information Governance refers to the structures, policies (including this document) and practice of the NHS and its suppliers to ensure the confidentiality, availability and integrity of all records, and especially patient records, and to enable the ethical and safe use of them for the benefit of individual patients and the public good.

The purpose of the Information Security and Governance Group (ISGG) is to provide assurance that information governance mechanisms are in place and effective throughout the whole of Fife NHS Board’s responsibilities, including appropriate and secure management of all types of personal and confidential data and the quality of data used by the Board.

The ISGG must have representation of the key areas of the organisation owning or using information; key partners with whom NHS Fife systematically shares information should also be invited (e.g. Fife Council, Police Scotland and voluntary sector umbrella organisations).

It is also the responsibility of the ISGG to provide strategic direction and support for Information Security Management System (ISMS) across the organisation in accordance with business requirements and relevant laws and regulations. Information security is discussed at the eHealth Threats and Vulnerability Meeting and the Information and Communications Technology (ICT) Operations Group Meeting. Any issues requiring escalation are reported to the ISGG.

The NHSS Information Security Policy Framework 2015/17 establishes the need for the Board to expand the scope of the ISMS to cover the wider NHS in Fife.

3.1.5. Designated Officer

The designated officers (Divisional Health Records Manager and Divisional Manager West Division, East Division & Fife-wide Division, Health & Social Care Partnership) hold a Health Records qualification or are suitably trained in Health Records practices. These officers have professional responsibility for the overall development and maintenance of Health Records management practices throughout the Board and for ensuring that related policies and procedures conform to the latest legislation and standards on data protection, patient confidentiality and Health Records practice.

All designated officers will have a designated member of staff who will manage the records on their behalf.

These officers are also accountable for the release of all patient clinical information for data subject access and medico-legal purposes. This release may be provided by nominated representatives.

3.1.6. Staff Responsibility for Record Keeping

All NHS employees are responsible for any Health Records which they create or use. This responsibility is established and defined by the law (Public Records (Scotland) Act 2011). Furthermore as an employee of the NHS, any Health Records created by an employee are public records.

All Board staff whether clinical or administrative, who create, receive and use Health Records have records management responsibilities. All staff must ensure that they keep appropriate records of their work and manage those Health Records in keeping with this policy and with any guidance subsequently produced.

Everyone working for or within the NHS who records, handles, stores or otherwise comes across patient information must comply with the GP/D3 Data Protection and Confidentiality Policy.

Breach of this policy will mean the organisation is not safeguarding information entrusted to it, which in some circumstances may render the organisation liable to prosecution. It is therefore essential staff within the organisation with responsibility for records management comply with this policy otherwise, they may be subject to disciplinary procedures.


Records management, through the proper control of the content, storage and volume of records, reduces vulnerability to legal challenge or financial loss and promotes best value in terms of human and space resources through greater coordination of information and storage systems.

The records are also public records under the Public Records Acts and must be kept in accordance with following statutory and NHS guidelines: --

- Data Protection Act 2018
- General Data Protection Regulation (GDPR) 2018
- Networks and Information Systems (NIS) Regulations
- Public Records (Scotland) Act 2011
- Medical Reports Act 1988
- The Computer Misuse Act 1990
- Access to Health Records Act 1990
- Human Rights Act 2000
- Scottish Government Records Management, Health & Social Care Code of Practice (Scotland) 2020
- Quality Improvement Scotland - Standards for Record Keeping
- Information Governance Standards
- National eHealth Strategy
- Caldicott Review of Patient Identifiable information, 2013
- Information Governance Records Management Guidance notes 1-9 27/08/2010


4.1.1. Patient Health Record

A record relating directly to the physical or mental health or condition of an identifiable individual and which has been made by, or on the advice of, a health professional in connection with the care and treatment of that person, or in connection with the organisation of that care’(see Appendix 1 for definition of a 'health professional').

4.1.2. Health Record

This policy relates to all clinical operational records. Operational records are defined as information, created or received in the course of business, and captured in a readable form in any medium, providing evidence of the functions, activities and transactions. They include:

• Patient Health Records, including those concerning all specialities, but excluding GP medical records and includes private patients seen on NHS premises
• Theatre Registers and all other registers that may be kept
• X-ray and imaging reports, output and images
• Photographs, slides, and other images
• Microform (i.e. fiche/film)
• Audio and video tapes, cassettes and digital files.
• Records in all electronic formats and material intended for short term or transitory use, including notes and ‘spare copies’ of documents, pathological records, including cervical smears and histological specimens.

This list is not exhaustive.

They do not include copies of documents created by other organisations such as the Scottish Government Health Directorates and predecessors, kept for reference and information only.

This policy sets out the best practice for NHS Fife in creating, using retaining and disposing of Health Records. It applies to records in all formats, of all types and in all locations.


The aim of this Health Records Management System is to ensure that procedures are in place to bring together the health professionals and accurate, relevant, reliable patient documentation at the correct time and place to support patient care. In achieving this aim, all the NHS Scotland employees should fulfil statutory and other legal requirements, ensuring patient safety and safe custody and confidentiality of patient information at all times.

The aims of our Health Records management system are to ensure that:

Health Records are available when needed – from which NHS Fife is able to form a reconstruction of activities or events that have taken place

Health Records can be accessed – Health Records and the information within them can be located and displayed in a way consistent with the record’s initial use and that the current version is identified where multiple versions exist

Health Records can be interpreted – the context of the record can be interpreted: who created or added to the Health Record and when, during which business process, and how the Health Record is related to other Health Records

Health Records can be trusted – the Health Record reliably represents the information that was actually used in or created by the business process, and the record’s integrity and authenticity can be demonstrated

Health Records can be maintained through time – the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the Health Record is needed, perhaps permanently despite changes of format

Health Records are secure – from unauthorised and inadvertent alteration and erasure. Access and disclosure are properly controlled and audit trails will track all use and changes to ensure that Health Records are held in a robust format which remains readable for as long as they are required.

Health Records are retained and disposed of appropriately – using consistent documented retention and disposal procedures, which include provision of appraisal and permanent preservation for Health Records with archival value

Staff are trained – all staff are made aware of their responsibilities for Health Record keeping and management to:

• support patient care and continuity of care
• support day to day corporate activities which underpin delivery of care
• support evidence based practice
• support epidemiology
• meet legal and regulatory requirements
• assist medical and other audits
• support improvements in clinical effectiveness through research


Health Records are confidential documents and should be clearly identifiable, accessible and retrievable. They should be authentic, meaningful, authoritative, and adequate for their purpose and correctly reflect what was communicated, decided or done. They should be unalterable and after an action has occurred nothing from the Health Record should be deleted or altered. Information added to an existing hard copy Health Record should be signed and dated. Health Records systems should be secure, and their creation, management, storage, transport and disposal should comply with current legislation.

4.3.1. Creation

A comprehensive Health Record is created and maintained for every patient attending health services to provide an up to date and chronological account of the patient’s care.

Patient demographic data for each registration should be recorded on the master patient index of the patient administration or departmental patient management system. The minimum patient demographic data should include surname, forename, sex, date of birth, home address, postcode, Community Health Index (CHI) number and departmental number.

NHS Fife should use the CHI number as the primary patient identifier.

Where there is more than one local identifier or case record per patient, a system should be in place to ensure that the existence of all other Health Records is known at all times.

Paper Health Records have a standard case record folder constructed of robust material to withstand handling and transport and with secure anchorage points to prevent loss or damage to documents. There should be no inside pockets or flaps as these can lead to misfiling or loss of documents.

There is a method for indicating alert or risk factors which is used consistently in all Health Records, with a designated place for healthcare professionals to record actual or suspected clinical alerts and hazards which are signed and dated.

There may be an indicator on the outside of the folder but the confidential detail should be placed inside the folder.

There is a locally agreed format for filing of information within the Health Record which facilitates ease of access to all clinical information. Clear instructions regarding the order of filing should be contained within the folder or printed on the divider(s). Documents should be viewable in chronological order reflecting the continuum of patient care.

Machine generated reports and recordings, e.g. CTG, ECG and laboratory reports, are securely stored using a method that will minimise deterioration.

There are dated documented procedures for the management of electronic Health Records.

All electronic Health Record information systems comply with the GP/P2 Password policy.

4.3.2. Storage

Health Records storage areas should provide a safe working environment with secure storage that allows Health Records to be retrieved at all times.
These areas should only be accessible to authorised Administrative or Clinical staff.

Health Records storage areas and office accommodation conform to all current legislation and guidance regarding health and safety.

Regular risk assessments are undertaken in line with the organisation’s risk management strategy.

Racking for storage of Health Records is stable, of strong enough construction to support the weight of Health Records and complies with current health and safety regulations.

There are safety step ladders and safety stools appropriate to the number of staff employed/size and use of the Health Records storage area.

There is a documented protocol for safe manual and object handling practices.
All staff are fully trained in related manual handling.

There is a mechanism to ensure that all equipment used in the department conforms to appropriate legislation and a record of equipment checks is kept.

Access to Health Records storage areas is restricted to authorised personnel only. Health Records should not be accessible to unauthorised persons nor left for any period where they might be accessed by unauthorised persons. The keys/access codes/access pass to storage areas that are locked are available to authorised staff at all times to facilitate retrieval of Health Records.

Health Records storage areas must be able to accommodate current needs and annual growth of Health Records. The Health Records collection inventory demonstrates how this will be achieved.

Health Records are stored securely when located in clinical areas or offices and arrangements are in place to facilitate retrieval of Health Records when required.

When paper Health Records are no longer required for current episodes of care they may be placed in secondary storage areas, either on site or off site.

4.3.3. Scanning

Paper records may be scanned into electronic format to allow them to be uploaded into clinical systems for immediate access.

4.3.4. Transport

All Patient Identifiable Information must be transported securely. Transportation methods must be fit for purpose and in accordance with individual departmental procedures. There are various methods employed for both manual and electronic records.


• Single record Envopak carriers with seals
• Multiple record Envopak carriers with seals
• Sealed double envelopes
• Purpose designed plastic boxes


Please refer to the following NHS Fife General policies:

• GP/A4 Acceptable Use Policy
• GP/B2 eHealth Remote Access Policy
• GP/D3 Confidentiality and Data Protection Policy
• GP/D6 Data Encryption Policy
• GP/E6 Email – ISO 27001 ISMS
• GP/I5 Information Security Policy
• GP/M4 Media Handling Policy
• GP/M5 Mobile Device Management Policy
• GP/P2 Password Policy
• GP/S8 eHealth Incident Management Policy
• GP/V2 Virus Protection and Management Policy – ISO 27001 ISMS

4.3.5. Management

Maintaining proper Health Records is vital to patient care. A comprehensive Health Record should be maintained for every patient. Each Health Records system should have well defined procedures for the ongoing management of the Health Record from initiation to final disposal in accordance with current legislation.

Whenever possible, separate areas are maintained for current and non-current Health Records in use within the organisation.

There are documented procedures for the safe storage and retrieval of Health Records, both manual and electronic.

There are documented procedures for booking Health Records out from the normal filing system which enable rapid retrieval of Health Records and prevents misfiles.

Tracer and tracking systems facilitate timeous retrieval of Health Records.

There is a documented procedure for dividing unmanageable folders including cross-referencing of the volumes such that clinical staff may efficiently use them. Closed volumes are suitably labelled.

There is a documented procedure relating to the return of patient held records to the Health Records department when the episode of care for an individual patient is complete.

Contents of the Health Record are filed in the correct order according to the design of the Health Record folder and dividers. Documents are securely fastened within the folder.

The responsibility for filing of loose documentation is clearly defined.

There is a system to ensure that staff routinely remove poorly filed and torn Health Records to reassemble or re-cover.

There are documented procedures for the transportation of Health Records within and out with health board boundaries.

There are documented procedures for handling Subject Access and other legal requests with clear responsibility for responding by fully trained dedicated staff who process requests efficiently and in accordance with the law.

There is a mechanism to help identify any misfiled Health Records, e.g. colour coding.

There are documented procedures for the retention, archiving or destruction of Health Records in accordance with national guidelines.
Refer to GP/R4 Management, Retention, Storage and Destruction of all Business and Administrative Information and Records and GP/R8 NHS Fife - Health Records Retention and Destruction, which details the minimum retention period for the information and procedures for the safe disposal of personal information.

Health Record case notes can be accessed from Home Library/Secondary Stores 24 hours a day, 7 days a week.  Case notes tracking guidance is in place detailing the correct process for tracking the case notes’ location at any given time to ensure availability.

Health Records are stored securely when located in clinical areas or offices and arrangements are in place to facilitate retrieval of Health Records when required.

4.3.6. Archiving and Disposal of Health Records

There is a documented Policy for the Retention & Destruction of Health Records in accordance with the Scottish Government Records Management NHS Code of Practice (Scotland). The method of destruction must ensure that confidentiality is maintained at all times. The Policy specifies the timescale for retention for all types of Health Records and media, the procedure for transfer between media. Refer to GP/R4 Management, Retention, Storage and Destruction of all Business and Administrative Information and Records and GP/R8 NHS Fife - Health Records Retention and Destruction, which details the minimum retention period for the information and procedures for the safe disposal of personal information.


All NHS Health Records are public records under the Public Records (Scotland) Act. The Board will take actions as necessary to comply with legal and professional obligations such as:

General Data Protection Regulation (GDPR) 2018
Scottish Government Records Management, Health & Social Care Code of Practice (Scotland) 2020
The NHS Scotland Confidentiality Code of Practice
Access to Health Records Act 1990
Public Records (Scotland) Act 2011

And any new legislation affecting Health Records management as it arises.


The following core standards must be met across NHS Fife, and within each area/department/ward, with clear access procedures agreed locally

4.5.1. All entries in records must be recorded legibly in ink, dated and signed

4.5.2. All records are stored securely with controlled access

4.5.3. Out with the main Health Records Libraries, all confidential records are kept secure in locked filing cabinets or offices with controlled access.

4.5.4. The main Health Records Libraries will secure physical access through scan entry systems.

4.5.5. Records are filed in the manner most appropriate for effective management, timeous retrieval and compliance with NHS Fife Retention & Destruction Policy.

4.5.6. Protection from the risk of fire and flood must be considered in designating storage areas


It is a fundamental requirement that all of the Board’s Health Records are maintained for a minimum period of time for clinical, legal, operational, research and safety reasons. The length of time for retaining Health Records will depend on the record type.

NHS Fife has adopted the minimum retention periods set out in the Scottish Government Records Management NHS Code of Practice (Scotland) 2020 and is contained in a separate policy. The local retention schedule will be reviewed every 3 years or earlier in the light of legislative or Scottish Government changes. Refer to GP/R4 Management, Retention, Storage and Destruction of all Business and Administrative Information and Records and GP/R8 NHS Fife - Health Records Retention and Destruction, which details the minimum retention period for the information and procedures for the safe disposal of personal information.


NHS Fife requires to know what records are held, where they are kept and how the information contained within the records is being used. An up-to-date Health Records inventory will be maintained by the Divisional Health Records Manager and Divisional Manager West Division, East Division & Fife-wide Division, Health and Social Care Partnership. This will identify all record collections/information sets that exist within the organisations, the volume of records, the type of media on which they are held, their physical condition, their location, the physical and environmental conditions in which they are stored and the responsible manager.

The Divisional Health Records Manager and Divisional Manager, West Division, East Division & Fife-wide Division, Health and Social Care Partnership should be made aware when new collections of records or information sets are created or where management arrangements or physical locations change. A Manual Health Records Inventory Form can be found as Appendix 2.


NHS Fife will regularly audit the records management practices for compliance with this policy. Auditing Health Records policies and procedures will be done on a systematic basis. The audit will compare current operational practice against defined procedures. The audit cycle will include self assessment against the Information Governance Standards A summary of these standards are listed at Appendix 3. The audits will be carried out by internal audit.


The Divisional Health Records Manager and appropriate managers within Health and Social Care Partnership are responsible for planning and documenting Health Records departmental local procedures, thus providing standardisation of work tasks throughout the departments. The Health Records Policies and Procedures are summarised in Appendix 4


All staff employed by NHS Fife including volunteers and contractors should be given training on their personal responsibilities for Health Records keeping. This includes the creation, use, storage, security and confidentiality of Health Records. Appropriate training should be provided for all users of the Health Records systems to meet local and national standards. All new employees to the organisation will be given basic training as part of the organisation’s induction process. Additional training in the specifics of Health Records management will be provided where appropriate. Training is tailored to specific staff groups and functions including the following:

• All current relevant legislation and NHS standards
• All current relevant organisation policies and procedures
• Caldicott requirements
• Patient confidentiality and the security of records, whether paper or electronic
• Access to Health Records Act 1990
• Scottish Government Records Management NHS Code of Practice (Scotland)
• Secure destruction of confidential waste
• Individuals rights to access information (Data Protection Act 1998/Mental Health (Scotland) Act 2003)
• NHS Scotland Code of Practice on Confidentiality
• Health Records practitioners and personnel are pivotal to the management of Health Records systems and should receive customised training in Health Records practice. The procedure manual is a key management tool and should form the basis for all Health Record system specific training.


Failure to abide by this Policy could lead to breach of the Data Protection Act, Freedom of Information Act and Caldicott recommendations.

It is the responsibility of the Line Manager to ensure this Policy is deployed within their area of responsibility.


Appendix 1 Definition of a 'health professional'
Appendix 2 A Manual Health Records Inventory Form
Appendix 3 Information Governance Standards
Appendix 4 Health Records Policies & Procedures


• NHS Fife Health Records Retention and Destruction Policy
• Public Records (Scotland) Act 2011
• Medical Reports Act 1988
• The Computer Misuse Act 1990
• Access to Health Records Act 1990
• General Data Protection Regulation (GDPR) 2018
• Human Rights Act 2000
• CEL 31 (2010) Records Management Code of Practice (Scotland)
• Scottish Government Records Management, Health & Social Care, Code of Practice (Scotland) 2020
• Quality Improvement Scotland – Standards for Record Keeping
• Information Governance Standards
• National eHealth Strategy
• Caldicott Review of Patient Identifiable Information, 2013
• Information Governance Records Management Guidance notes 1-9 27/08/2010
• Retention and Destruction Policy of health records in accordance with
Public Records (Scotland) Act 2011
• The NHS Scotland Confidentiality Code of Practice
• The Scottish Government Records Management NHS Code of Practice (Scotland) Version 2, March 2010