This section provides advice on managing certain formats of records, for example, emails, cloud-based records and scanned records
3.1 Bring your own device (BYOD) created records
Any record that is created in the context of a care business is the intellectual property of the employing organisation and this extends to information created on personally owned computers, mobile phones and other equipment. This in turn extends to emails and text messages sent in the course of business on personally owned devices from personal accounts. They must be captured in the record keeping system if they are considered to fall within the definition of a record.
When an individual staff member no longer works for the employing organisation, any information that staff take away could be a risk to the organisation. If this includes personal data or confidential service user information, it is reportable to the ICO and may be a breach of confidentiality. For this reason, personal/confidential service user information should not be stored on the device unless absolutely necessary and appropriate security is in place. Local care organisations should have a policy on the use of BYOD by staff. Digital care Hub have a Smart Phone Policy BYOD – template that you can download and adapt for your organisation
3.2 Cloud-based records
Before any cloud-based solution is implemented there are a number of records considerations that must be addressed as set out by The National Archives. The ICO has issued guidance on cloud storage. Organisations must complete a Data Protection Impact Assessment when considering using cloud solutions.
Another important consideration is that at some point the service provider or solution will change and it will be necessary to migrate all of the records, including all the formats, onto another solution. Whilst this may be technically challenging, it must be done, and contract provisions should be in place to do this.
Records in cloud storage must be managed just as records must be in any other environment and the temptation to use ever-increasing storage instead of good records management will not meet the records management recommendations of this Code. For example, if digital care records are uploaded to cloud storage for the duration of their retention period, then they must contain enough metadata to be able to be retrieved and a retention date applied so it can be reviewed and actioned in good time.
Personal data that is stored in the cloud, and then left, risks breaching UK GDPR by being kept longer than necessary. This information would also be subject to Subject Access process, and if not found or left unfound, would be a breach of the service user’s rights.
3.3 Email and record keeping implications
Email is widely accepted as the primary communication tool used every day by all levels of staff in organisations. They often contain business information that is not captured elsewhere and so need to be managed just like other records. The National Archives has produced guidance on managing emails.
Email has the benefit of fixing information in time and assigning the action to an individual, which are two of the most important characteristics of an authentic record. However, a common problem with email is that it is rarely saved in the business context.
The correct place to store email is in the record keeping system according to the business classification scheme or file plan activity to which it relates. Solutions such as email archiving and ever-larger mailbox quotas do not encourage staff to meet the standard of storing email in the correct business context and to declare the email as a record.
3.4 Instant messaging records
Care services are increasingly using instant messaging apps or platforms to share service user information between care professionals or to contact services users in a transactional way, such as appointment reminders. The Transformation Directorate of NHS England has published guidance on this issue.
Instant messaging apps or platforms should not be used as the main, or primary, record for a person. Where possible, information shared in this way also needs to have a place in the care record of that person. This could be a printout of the exchange; contents transcribed into the record; or a progress note accurately covering the exchange entered into the record. If the app or platform is the only place that information is stored, then it must be managed in line with this Code.
3.5 Social media
Organisations must have approved policies and guidance when using social media platforms. It is acknowledged that social media will mainly be used for promoting activities of the organisation, rather than as a way of communicating care issues or interventions with service users. Information posted on social media may also be classed as a corporate record and appropriate retention periods set where applicable.
Information posted on social media (such as details of upcoming meetings, or published policies) will usually be captured elsewhere in an organisation’s corporate records’ function, and where this is the case, there is no value in retaining the information held in the social media platform, as it will be a duplication of the corporate records management function.
