Digital & Information
Una Hill
Una Hill
C. Bowring
01 July 2011
20 June 2012
01 December 2015


1.1.1 NHS Fife has a duty under Common Law, the Data Protection Act (1998), Freedom of Information (Scotland) Act (2002) and the Guidance for the Retention and Destruction of Health Records (MEL (1992) 152) to ensure that health records are stored in secure environments and that confidentiality of information is safeguarded at all times.

1.1.2 The Procedure specifically does not cover administrative records which are subject to the Freedom of Information (Scotland) Act 2002 and related guidance. However, personal, identifiable information may on occasion be included in administrative records and the provisions under Data Protection legislation may therefore apply in some instances.

1.1.3 NHS Fife will have in place procedures that assist staff in following the correct process when records are found to be lost or stolen.

1.1.4 The term “lost” is deemed to cover health records which:

  • are held internally and not found following a thorough search, or
  • are missing in transit between Fife and other Health Authorities.

The term “lost” describes health records which have gone astray outwith NHS Fife premises. The term “stolen” describes the physical theft of health records from NHS Fife premises, vehicles or staff personal briefcases etc.

1.1.5 The term “health record” includes any record related to a patient treated within NHS Fife, regardless of the professional group that maintains the record or the formal management arrangements for storage of such.


2.1 NHS Fife Hospitals, Health Centres and other premises

2.2 This procedure is offered as advice to independent GPs, Dental, Pharmacy and Ophthalmic Contractors. It is acknowledged that the accountability for arrangements of these independent contractors differs from that of NHS Fife employees, and therefore this procedure should be accepted as good practice and used in conjunction with the requirements of their own professional body.


3.1 Director of Public Health, NHS Fife

3.1.1 The Director of Public Health for NHS Fife (as Executive Lead in Information Governance) is responsible for reporting the loss or theft of records to the police on behalf of all parts of the organisation. This reflects the seriousness with which such a loss is treated by NHS Fife and the intention to take extreme care with personal information held. Other relevant parties may be notified of the loss at the discretion of the Director of Public Health.

3.1.2 Where a report has been made to the police and the lost record(s) are subsequently found, the Director of Public Health is also responsible for informing the police of that find.

3.2 Clinical Head of Department

3.2.1 The Clinical Head of Department is responsible for alerting the CHP General Manager of the loss or theft of all health records notified to him/her.

3.2.2 Patients have the right to know that their records are lost or stolen. The appropriate Clinical Director or Consultant is responsible for approving the release of such information to avoid situations where knowing of the loss would cause the patient serious harm, taking advice as necessary from the Director of Public Health.

3.3 CHP General Managers

3.3.1 The CHP General Managers have responsibility for notifying the Administration Services Manager (Mental Health) of the loss or theft of records within their area of responsibility. Outwith Mental Health, they may appoint a designated person within the CHP to assume responsibility for the administration of lost/stolen health records.

3.4 All Managers with responsibility for staff who access, handle or process health records are responsible for ensuring that:

  • Where staff witness health records being stolen, they must report the theft to their Manager, who in turn must inform the CHP General Manager.
  • An Incident Report (IR1) must be completed.
  • The Administration Services Manager (Mental Health) or designated person within the CHP is informed of the loss or theft of health records.
  • Individual staff are aware of, undertake and comply with this procedure.
  • Contractors such as data distributors or transporters know of and comply with this procedure.

3.5 Staff Responsibility

3.5.1 All staff who access, handle or process health records within the CHP Division must make themselves aware of and comply with this procedure.


The following operational procedures must be read in conjunction with this Policy:

4.1 Lost & Stolen Health Records Procedure (CHP) GP/D3-8

4.2 Lost & Stolen Health Records Procedure (Operating Division) GP/D3-9


5.1 This policy is an integral part of NHS Fife’s system for managing risk as described in the NHS Fife Risk Management Strategy. Failure to comply with this policy could lead to a breach of the Data Protection Act, Human Rights Act and Caldicott Recommendations.

5.2 The risk will be administered through the DATIX system.

5.3 Follow up will be through DATIX and will incorporate the identification of hazardous working practices.


6.1 NHS Fife Incident Management Policy - GP/I2

6.2 NHS Fife Business & Administrative Information: Record Management Policy - GP/R4 

6.3 NHS Fife Data Protection Policy - GP/D3


7.1 Data Protection Act (1998)

7.2 Freedom of Information (Scotland) Act 2002

7.3 Human Rights Act (1998)

7.4 Access to Medical Reports Act (1988)

7.5 MEL (1992) 152 Guidance on the Retention and Destruction of Health Records

7.6 CEL 28 (2008) Records Management: NHS Code of Practice (Scotland)


8.1 An Equality & Diversity Rapid Impact Assessment has been completed for this procedure. No negative impacts have been identified.