GENERAL RECORDS MANAGEMENT & DATA PROTECTION ADULT SERVICES AND CHILDREN’S SERVICES CROSS-DEPARTMENTAL PROCEDURE NO: 06/07 Records Management and Data Protection Act 1998 policy and procedure DATE: February 2007 EFFECTIVE DATE: February 2007 CATEGORY: General KEYWORDS: Records Management and Data Protection ISSUED BY: Assistant Director, Business and Performance Management CONTACT: Chris Hardie – IS Assistant Operations Manager - Records PROCEDURES CANCELLED OR AMENDED: 24/91 Case Recording and Access to Information and 24/00 Records Management and Data Protection Policy are cancelled REMARKS: SIGNED: Felicity Roe Michael Lee DESIGNATION: Assistant Director, Performance and Resources (Children’s Services) Assistant Director, Business and Performance Management (Adult Services) YOU SHOULD ENSURE THAT:- You read, understand and, where appropriate, act on this information All people in your workplace who need to know see this procedure This document is available in a place to which all staff members in your workplace have access 1 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION PURPOSE This document provides guidance in the management of all Adult Services & Children’s Services records both electronic and manual so that the Department complies with the requirements of the Data Protection Act 1998. There is also guidance for the Departments recording standards, the management of recording practice, confidentiality and best practice in the collection, recording, processing and sharing of service users information. SCOPE The contents of this document apply to all staff, including managers, who are involved in the recording of service users information. POLICY All personal information held in Adult Services & Children’s Services will be kept in accordance with the law and central government guidance and in accordance with the policies contained in this document. The Adult Services & Children’s Services policy framework expresses the values and principles underpinning recording practice and ensures that the Data Protection Act is fully implemented in the way the Departments record and shares information. Adult Services & Children’s Services IT Strategies need to be explicitly linked with case recording policies and procedures. An active policy will operate throughout Adult Services & Children’s Services for informing Users of the purposes for which information about them is collected. Wherever possible Users will be told how information is to be used before they are asked to provide it. Advice on how information is used will be presented in a convenient form and must be available both for general purposes and before a particular care plan begins. Before collecting personal information staff will introduce themselves by name and offer proof of identity and authorisation. REFERENCES TO LEGAL, CENTRAL GOVERNMENT AND OTHER EXTERNAL DOCUMENTS, INCLUDING RESEARCH Adoption and Children Act 2002 Adoption Agency regulations 1983 (still in force in some respects) Adoption Agency Regulations 2005 Arrangement for Placement of Children (General) Regulations 1991 Association of Directors of Social Services, Draft Code of Practice Autumn 1999 Carers (Recognition and Services) Act 1995 2 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Children Act 2004 Every Child Matters Children’s Homes Regulations 1991 (no longer current but still referred to) Choosing with Care – Report of the Committee of enquiry into selection, development and management of staff in Children’s Homes 1992 DOH Computer Misuse Act 1990 Copyright, Designs and Patents Act 1988 Data Protection Act 1998 The Data Protection Act Explained, James Mullock and Piers Leigh – Pollitt Data Protection Act 1998, Guidance to Social Services March 2000 Local Authority Circular 88 (17) Personal Social Services Confidentiality of Information Mental Health Act 1983 National Health and Community Care Act 1990 Protecting and Using Patient Information, NHS Executive 1999 Recording with Care, Social Services Inspectorate 1999 Care Standards Act 2000 Care Homes Regulations and National Minimum Standards The boarding-out of Children (Foster Placement) Regulations 1988 HAMPSHIRE COUNTY COUNCIL AND ADULT AND CHILDREN’S SERVICES DEPARTMENT REFERENCES Corporate e-mail, Internet, & Intranet Monitoring Policy Joint Approved List of Domiciliary (Personal) Care Providers Terms & Contract Conditions Safeguarding Our Children The policy and procedural requirements of Hampshire, Isle of Wight, Portsmouth and Southampton Child Protection Committees 2004 http://www.4lscb.org/userimages/4ACPCProceduresApril04.pdf Mental Health Practice Handbook 1983 3 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION DEFINITIONS ACCESS ARCHIVE CULLING DATA PROTECTION COORDINATOR DATA SUBJECT Ability to use different systems. Access is only granted by authorised personnel to staff who will need to access systems regularly as part of their role. To copy files to a long term storage medium when these are no longer required for regular use, but should not be deleted. Destruction of electronic or manual records according to retention and deletion criteria. Responsible for policy and procedures relating to the security and handling of information and checking compliance with the Data Protection Act. Any individual who is the subject of personal data DATA USER Any member of staff authorised to process or use personal data held by the department ISO Information Services Officer – Support, Training, KEYTEAM A team linked to a budget. A User file in SWIFT is placed in a Key team which will relate to the team/budget which will provide the bulk of the services for that User. (Eg. Havant Older Persons Team). PC/PERSONAL COMPUTER A computer, comprising screen, keyboard and local processor, which is able by virtue of additional programs, to process data locally without using the facilities of the network PERSONAL DATA RMO PROFILE/GROUP RESTORE SYSTEM USER USER USER/USER FILE LOGON ID/ Hantsweb ID VIRUS WIN TERM Any information from which a living individual may be identified, including, for example, any expression of opinion or data stored on a word processing file, or in a manual file for future use or reference. Records Management Officer Staff will be allocated a user profile which describes their role, work base type. the group defines the levels and types of information they can access and document restrictions which should be applied If a electronic file is deleted in error IT services must be contacted for a restore A member of staff who uses our systems A member of the public for whom we are providing services The computer and paper file which contains the complete User/User record A computer user’s code name identity, used to gain access to HCC’s computer network systems. Computer programs with the ability to corrupt other programs and data A computer, comprising a screen and keyboard, which can only process data if connected to the central network via communication links. 4 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ROLES Head of Facilities and Infrastructure, IS Operations Manager/Data Protection Coordinator It is the responsibility of the Head of Facilities and Infrastructure and IS Operations Manager/Data Protection Coordinator to ensure that in Adult Services & Children’s Services Department there is adequate computer security and compliance with the relevant legislation. It is the responsibility of the IS Operations Manager/Data Protection Coordinator to provide security procedures so that system users of computer facilities are aware of their responsibilities. These procedures will be reviewed in order to respond to changes in legislation. Lead Service Managers and Assistant Directors must ensure that these guidelines are understood and followed by all staff using computer systems and facilities within their geographical area/section. Central Access Administrators, have a responsibility to monitor and respond to requests and to apply the established policy and procedures for access grants. Human Resources and Line Managers have a responsibility to send prompt and appropriate notification about starters and to ensure that access is removed when it is no longer required or a member of staff leaves. All Managers must ensure that these guidelines are understood and followed by all staff using computer systems. All staff using computer facilities and systems must be trained in their use. It is the responsibility of the person authorising access to ensure that adequate provision for training is made. Adult Services & Children’s Services Team Managers and Line Managers need to demonstrate a commitment to case recording as an important part of the service to users and carers and to ensure that policy and procedures are established. The commitment should be explicit and reflected in recruitment, induction, training, performance appraisal, auditing, monitoring and review. All staff using computer facilities and systems must be trained in their use. It is the responsibility of the person authorising access to ensure that adequate provision for training is made. Key Workers and Social Workers will abide by the principles outlined in this document and will: - advise their Users on the ways in which User information is used and shared - reaffirm the principles of confidentiality - proactively share the User’s records with the User - maintain the standard of data recording - ensure that User information is safe and secure at all times For every open case there should be a named Key worker who is responsible for ensuring that the paper and electronic User files are maintained and that information is promptly recorded. 5 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The Key Worker is responsible for the case record and is accountable to his or her line manager for ensuring that the management and quality of that record is in line with the standards set out in this document. The RMO will ensure that Departmental records management policy and guidance are consistently applied to all records in an Area Office and its managed units and will particularly focus on the management of manual records and ensure that they can be located and retrieved within the prescribed timescales, that they conform to the specified file structure and are stored securely. All Staff working for Adult Services & Children’s Services who have access to information about individual Users have a duty of confidence. The individual’s right to confidentiality must be respected. Personal information must be treated with care and this means not disclosing it to people who do not need to know. In normal circumstances the consent of the consumer will always be required for the disclosure of information to third parties. Subjects and donors must be satisfied that information supplied for social work purposes will not normally be disclosed without their permission. All staff are required to be familiar with the law and this policy and procedure guidance and will be subject to supervision which will include the review of the quality of recording against standards identified in this document. All staff will comply with corporate standards for the use of e-mail and the Internet. These standards can be found in Hantsweb. (See also Appendices for details) All Staff are responsible for ensuring that records are kept up-to-date and the maintenance of records is a high priority for all teams and units. All Staff who receive an enquiry from the media about a service user related matter must refer the enquirer to the Adult Services & Children’s Services Press Officer. All Staff using computer and/or manual records must be aware of and comply with :The principles of the Data Protection Act 1998 The specific requirements of Hampshire County Council and HCC Adult Services & Children’s Services Departments. Staff using Electronic information systems must be aware of and comply with:The principles of the Computer Misuse Act 1990 The principles of the Copyright Designs and Patents Act 1988 AUTHORITY TO VARY THE PROCEDURE Assistant Director, Business and Performance Management 6 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION PROCEDURE Contents 1. INTRODUCTION 2. CONFIDENTIALITY 3. PROCESSING OF USER’S INFORMATION 4. SHARING OF USER’S INFORMATION 5. SUBJECT ACCESS 6. RECORDING PRACTICE GUIDANCE 7. FILE STRUCTURE 8. RETENTION OF RECORDS 9. STORAGE AND SECURITY 10. ACCESS TO SYSTEMS 11. INFORMATION SHARING WITH OTHER AGENCIES 12. ROLES AND RESPONSIBILITIES 13. DATA QUALITY STANDARDS 14. TRAINING AND AWARENESS 15. MONITORING AND ENFORCEMENT 16. GLOSSARY APPENDICES Guidance for Outlook Users (Section 12.3.6) Ethnic recording policy (Section 6.2) Processes for set up of userids and system access (Section 10.4) Guidelines on the use of the Internet and e-mail (Section 12.3.6) Copy of declaration which all staff sign (Section 12.3.4) Courses supporting effective records management (Section 14) Full list of relevant legislation 7 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION List of leaflets, guides, system manuals and who gets them File Structures (Section 7.1) Information Sharing Protocols (11.4.1) Retention Schedule REFERENCES The Data Protection Act Explained. (Mullock James Leigh-Pollitt Piers) HMSO 1999 Data Protection Act 1998 Guidance to Social Services. Department of Health. March 2000 Protecting and Using Patient Information. NHS Executive 1999 Recording with Care. SSI 1999 1. INTRODUCTION This document is for use by all Hampshire County Council Adult Services & Children’s Services Staff. The document outlines the principles of the Data Protection Act 1998 as they apply to Adult Services & Children’s Services and gives guidance on processes for application of the principles both internally and in our work with Service Users. 1.1 Collecting Information From Service Users All personal information held in Adult Services & Children’s Services will be kept in accordance with the law and central government guidance and in accordance with the policies contained in this document. (A list of the relevant legislation can be found in Section 12). The Adult Services & Children’s Services policy framework expresses the values and principles underpinning recording practice and ensures that the Data Protection Act is fully implemented in the way the department records, processes and shares information. Adult Services & Children’s Services IT Strategies need to be explicitly linked with case recording policies and procedures. In addition to a policy framework that expresses the values and principles underpinning recording practice, staff will receive guidance on best practice in case recording Adult Services & Children’s Services will ensure that training, awareness and guidance is readily available. An active policy will operate throughout the Adult Services & Children’s Services for informing Users of the purposes for which information about them is collected. All new Users will receive a copy of ‘Your Records’ leaflet. Wherever possible Users will be told how information is to be used before they are asked to provide it. Advice on how information is used will be presented in a convenient form and must be available both for general purposes and before a particular care plan begins. 8 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Before collecting personal information staff will introduce themselves by name and offer proof of identity and authorisation. 1.2 Sharing with other agencies Adult Services & Children’s Services in conjunction with Health Authorities and other agencies is actively working towards the provision of a “seamless service” when caring for the user/patient. This necessitates the sharing of key information. Adult Services & Children’s Services will ensure that effective policies and procedures are in place to safeguard User information and the User’s right to confidentiality, whilst facilitating the best possible service in terms of health and social care. Users will be advised about organisations to which information may need to be passed and the reasons for this. Users will be made aware that staff from other agencies sometimes need to have strictly controlled access to information and that any disclosure of personal information will take place in accordance with established policy and procedures. A User’s consent for the sharing of personal information with other agencies will be sought wherever possible. Users will be advised of the social care and health implications if they withhold consent to share with other agencies. 1.3 Service Users’ access to records The User will have the right to request access to all parts of the User file, electronic and manual. The User will not have the right to know what is recorded about someone else and in circumstances where disclosure of the data requested is not possible without disclosing information about another person, the request need not be complied with unless the other person has given consent to the disclosure. For further information on Users’ access to their records, see Section 5 of this document. Adult Services & Children’s Services will promote the practice of regular sharing of the User’s record by the Key Worker with the User throughout the period of service delivery. The User should rarely need to make a special request. 1.4 Security Ensuring the security and accuracy of records and the information held in them is the responsibility of staff at all levels. This includes arrangements for the secure storage and disposal of all information about the user, both paper and electronic. Care will be taken that unintentional breaches of confidence do not occur, for example by leaving files unattended in an open office, or a computer logged on and unattended. Computer security measures are in place to safeguard information from misuse and staff at all levels will be vigilant at all times to prevent breaches of security. 9 (Proc 06/07 – 21 Feb 2007) GENERAL 1.5 RECORDS MANAGEMENT & DATA PROTECTION Quality of information Information recorded on a User’s file will always be accurate and timely. It will always be written with the aim of sharing with the User and so information will be complete, concise, clear and accurately expressed. Where the User identifies an inaccuracy in the record this should be rectified immediately. Where the User and the Key Worker disagree as to the accuracy of an item in the record, this should be noted in the file. During the provision of service to the User, different Key Workers may take over the file. The quality of the transferred record will enable the continued provision of a consistent level of service. 1.6 Staff Training All staff will have an understanding of the security and confidentiality issues and the legal requirements as well as data quality and recording issues. This will be facilitated through: Induction training and signing of the relevant Form of Undertaking to abide by the rules of the Data (Appendix 5) Protection Act and Departmental Policy. Refresher training Guidance notes and bulletins Monitoring by line manager at supervision Audits which identify issues to be tackled through training and other measures. 2. CONFIDENTIALITY 2.1 The Rights of the Service User Users have the right to expect that information about them will be treated as confidential. Adult Services & Children’s Services staff cannot designate a record confidential in order to prevent a user from seeing their record. See Section 5 for further information. 2.2 The Responsibilities of Staff Working with Information Everyone working for, or with Adult Services & Children’s Services who records, handles, stores, or otherwise comes across information has a duty of confidence to Users, to Adult Services & Children’s Services and to Hampshire County Council, our employer. Other individuals and agencies to whom information is passed legitimately may use it only as authorised for specific purposes and possibly subject to particular conditions. In the event of unauthorised disclosure of information by any member of Adult Services & Children’s Services staff, disciplinary action will be considered. Misuse of information will result in disciplinary action and could lead to prosecution under the Computer Misuse Act. It is expected that all staff who have access to information held by Adult Services & Children’s Services will abide by the following principles. 10 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION i) The aimless scanning of personal records, or browsing through files is forbidden ii) Use of personal data should be related solely to work procedures iii) Do not mislead others about the reasons why they are providing information, how it will be held and with whom it will be shared. iv) The passing of information from the system to any person not entitled to such information is forbidden. Knowingly making available information from the systems to such people may result in disciplinary proceedings. v) All enquiries from the media about user related matters must be referred to the Adult Services & Children’s Services Press Officer. vi) Confidential information should not be released as the result of a telephone enquiry. The identity of the caller and the telephone number should be established and an offer made to call them back. The authenticity of the caller can then be checked by reference to the telephone number and it can be verified that they are entitled to the information before calling back. vii) It may happen that a member of staff becomes aware of information relating to people known to him/her personally. The confidentiality of this information should be respected and not divulged unless required in the course of their work. In all cases of doubt, a supervisor should be contacted. viii) All data must be as accurate as possible: regular verification of data and culling of obsolete records must be carried out on all records to ensure that data is correct, complete, up-to-date and not held for longer than necessary. ix) Only hold data which is relevant for work purposes. Do not elaborate! x) Adequate steps must be taken to safeguard data from loss or corruption. Sensitive Personal Information should not usually be shared without the explicit consent of the user. It can, however, be shared with the police to help them investigate a crime, or prosecute. (LAC 88(17)). Sensitive Personal Information is: the racial or ethnic origin of the data subject political opinions religious beliefs or other beliefs of a similar nature membership of a trade union physical or mental health or condition sexual life commission or alleged commission of any offence any proceedings for any offence committed or alleged to have been committed 11 (Proc 06/07 – 21 Feb 2007) GENERAL 2.3 RECORDS MANAGEMENT & DATA PROTECTION Confidentiality and Councillors Personal information about users is exempt information under the Local Government ( Access to information ) Act 1985 and is therefore not automatically available to any Councillor just because it relates to business to be transacted in a meeting of the Council or a Committee. When a Councillor, who is a member of the Adult Services/Children’s Services Policy Review Committee wishes to exercise the common law right to inspect information in the possession of the authority it must be necessary for the proper performance of their duties. In which case the Director of Adult Services or Children’s Services will be informed. It is good practice for the user whose information is being requested, to be consulted and give their permission to disclose the information to the Councillor. When the information requested includes personal information received from third parties, the consent of that third party will be sought before disclosure. Whatever the source of the information, including information from Health Professionals, the advice from the Association of Directors of Adult Services or Children’s Services ( Draft Code of Practice for DPA 1999) is that the right of the Councillor will normally be expected to prevail. The Director of Adult Services or Children’s Services will make arrangements for the disclosure of personal information in the possession of the Department if the authority decides that a Councillor who is not a member of the Adult Services/Children’s Services Policy Review Committee needs disclosure to enable them to carry out their duties. Elected members who, in the performance of their constituency duties, request access to personal information, or the service provided, on behalf of a constituent who is a user of the Department’s services, will be asked to provide proof of the user’s consent to disclosure. (For further information see Section 4) 3. PROCESSING OF PERSONAL DATA 3.1 Policy An active policy will operate throughout Adult Services & Children’s Services for informing Users of the purposes for which information about them is collected. Wherever possible Users will be told how information is to be used before they are asked to provide it and will be given a copy of the “Your Records” booklet. Advice on how information is used will be presented in a convenient form and must be available both for general purposes and before a particular care plan begins. Users should be advised that the Data Controller is Hampshire County Council. Users should also be advised at the earliest possible stage that we sometimes share information with other agencies and further information about this is given in the “Recording Practice Guidance” section of this document. 12 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION 3.2 Advice that should be given to the User when collecting information 3.2.1 How we use and protect personal information Users should be advised that we will collect information from them which will be recorded on their file. There will be a computer file and some information on a paper file as well. The information written on the files allows us to provide the User with care services appropriate to their need. Service Users should be told that all staff in Adult Services & Children’s Services have a duty of confidentiality and there are strict rules about who should have access to the record and how they should work with it. 3.2.2 Users’ Access to Their Files The User should be advised that he/she has the right to see and comment on the information recorded about them. The User should be aware that they can ask the Social Worker or Key Worker to give them a copy of the Assessment, Care Plan, Financial Assessment and Reviews at any time. The Key Worker, or Social Worker should proactively share the record with the User at each meeting so that the User does not have to ask for this. 3.2.3 Collecting the basic details The User will be advised that we first need to collect some very basic information, (including name, address, date of birth, next of kin, name of GP). We also need information about any other departments or organisations currently giving them help. This could be very important in giving them the appropriate kind of help. We also ask for information about ethnic origin, religion and the language spoken in the home. Before the User supplies this information it will be made clear that we ask this so that we can ensure that appropriate services and assistance are provided. For instance, it may be that interpreters are required to assist, or there are special dietary requirements which should be considered when providing Residential, Day, or Meals services. The User must give their explicit consent for us to share this information with other agencies. 3.2.4 Checking the accuracy of information At the earliest opportunity the accuracy of the information supplied will be checked with the User. (It is recognised that in many cases, basic details may have been given at first contact by someone other than the User). Checking of the record with the User will continue at each stage of contact. The User will be aware that if any of the record is factually inaccurate they can ask for it to be corrected. If it is corrected, then agencies with whom this information has been shared should be advised. To enable this, any instances of sharing information with other agencies should be recorded on the User File. 13 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The User will be aware that if they disagree with anything that is recorded, then they can ask for their views and comments to be added to the record. 3.2.5 Collecting information at each stage The User will be advised that details will be recorded about the services arranged, what they are and who is providing them and any changes that might be made. The User will be advised that details of subsequent meetings will also be recorded. 3.2.6 Complaints The User will be given information on the procedure for making complaints. A clear distinction should be made between the routine process of checking accuracy of a record and correcting it where necessary and the formal complaints procedure which can be initiated when the User is dissatisfied with the service. 4. SHARING PERSONAL INFORMATION WITH OTHER AGENCIES 4.1 Advice that should be given to the User Where other agencies and organisations might be involved in the care of the User, Adult Services & Children’s Services may share information in order to ensure that a complete and consistent service is provided. It helps all agencies involved in the care of the User to respond quickly to needs and the User does not have to repeatedly give the same information. This information will be shared with other organisations only for particular purposes and the staff in those organisations will be bound by the same rules about confidentiality as our own staff. Procedures are in place to ensure that organisations we share with have the same levels of security and safeguards as Adult Services & Children’s Services. Children’s Services have an Information Sharing Protocol Appendix 10 4.2 Principles for Sharing The main record should state what has been shared with another agency. 4.2.1 Consent to Share The Key Worker and staff of other agencies involved in the User’s care have a responsibility for informing a provider of information of the potential need to share information and why, with other members of the User’s Adult Services or Children’s Services and/or Healthcare team. Wherever possible the User’s explicit and valid consent must be obtained before disclosure of personal information is made. Sensitive Personal Information should not be shared without the explicit consent of the User. It can, however, be shared with the police to help them investigate a crime, or prosecute (LAC 88(17)). 14 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Sensitive Personal Information is: the racial or ethnic origin of the data subject political opinions religious beliefs or other beliefs of a similar nature membership of a trade union physical or mental health or condition sexual life commission or alleged commission of any offence any proceedings for any offence committed or alleged to have been committed 4.2.2 Restriction of Purpose Information given or obtained for one purpose should not be used for a different purpose without the express or implied authorisation of the provider of the information. When wider disclosure of information is being considered the provider should always refer back to the information source for authorisation. 4.2.3 Consent and Mental Incapacity Whilst every effort should be made to obtain a User’s views, where an individual is unable to give informed consent, such consultations should be recorded in writing. 4.2.4 Disclosure without Consent Exceptionally some information may be shared without prior consultation. In such cases the reasons should be recorded for deciding not to observe the duty of confidence we owe to the person who is the subject of the information. This should be recorded in a profile note on the User’s electronic record. The Adult Services & Children’s Services does not need to inform the data subject that information about him/her has been disclosed to the Police, (or other organisation), when this has been done in order to assist the prevention or detection of a crime. 4.2.5 Refusal, or absence of consent to disclosure: A person may positively refuse to give consent to disclosure or consent may be absent. A person’s right to confidentiality is not absolute and may be overridden where there is evidence that sharing information is necessary in exceptional cases – because of: the power of the courts the power of certain tribunals as a requirement of legislation eg. Statutory assessment under the Mental Health Act 1983 the need to prevent serious crime the health of the person public health and welfare concerns effective service delivery within the bounds of duty and care There may be circumstances where Officers of the Court are appointed to look at records or there is a need for the Police or other Departments of the County Council to have access to a record in order to prevent or detect a crime. This may only be done within the rules set out in Data Protection Law. In these circumstances the record holder should consult fully with their line manager before giving access. 15 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Before releasing information to Officers of the Court, or tribunals, legal advice should always be sought. Where a witness summons is received, which requests disclosure of relevant Adult Services & Children’s Services files, this should be faxed through to the legal section immediately. 4.2.6 Conditions Regarding Disclosure Any information disclosed should be: clear regarding the nature of the problem and purpose of sharing information based on fact, not supposition or rumour restricted to those with a legitimate need to know strictly limited to the needs of the situation at that time recorded in writing with reasons stated. NB. Where consent has not been given, extra care should be taken in recording reasons, decisions and actions taken. Where disclosure of information without a person’s consent has been considered and a decision has been taken not to disclose, the decision should be recorded in writing with reasons given. 4.3 Procedures for Obtaining Consent to Share At the earliest possible stage of contact the User will be given the permission to share form which lists the organisations we most commonly share with and will be asked to sign that they consent. Whenever information is shared with another agency this will be recorded on the User file. Where consent is withheld, the User should be made aware of the implications for their health and social care and the fact that consent is withheld should be recorded on the computer file. Should an emergency arise and information is shared with another organisation to safeguard the User, or a third party and the User has not consented to sharing, then this will be recorded on the file. At each Review the Key Worker should re-check the User’s consent. 4.4 Sharing information with unpaid carers Unpaid carers need to be given general information about the services provided to help them in their role. They need to be informed about their rights under the Carers ( Recognition and Services ) Act 1995 to an assessment of their needs. It is good practice, at the earliest opportunity, to discuss with the user what confidentiality means in the context of their relationship with their carer and record the users’ views, particularly any statements about what information may not be shared with the carer. As with sharing information with other partners it needs to be emphasised only the information necessary to support the situation should be shared including the identification of any risks to the user or carer. 16 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION It will be necessary to have a similar discussion with the carer about confidentiality and what information the user is willing to share. Any comments made by the carer relevant to confidentiality need to be recorded. Where the carer is also the Nearest Relative as defined in the Mental Health Act 1983 it is still good practice to seek the permission of the user before approaching the Nearest Relative. If permission is refused the Approved Social Workers are supported by the legislation to seek information and the Nearest Relative’s views. 4.5 Sharing users’ information with external providers of domiciliary care Personal information shared between Adult Services & Children’s Services staff and providers is no less confidential because it is shared. In sharing information all concerned take responsibility for preserving the principle of confidentiality. Confidentiality is covered in Hampshire County Council’s terms of accreditation and contract conditions, Hampshire County Council, for providers in Condition 15. Providers also have the same responsibilities as we do under the Data Protection Act 1998. Therefore providers will need to provide users with information which explains what is recorded, users rights etc. In exceptional circumstances where there is concern about the need to share users’ sensitive information or there are allegations of abuse. It would be good practice for the Key Worker to discuss the issues with the provider and consider whether, when the contract ends, the information needs to be recovered to preserve confidentiality. We will supply only the information about the user necessary for the Provider to meet the contract. 4.6 The information may only be used by the Provider to carry out the contract. This will include the name and address of the user. A copy of the care plan. Details of the service requested. The information about risks to the user if tasks are not completed. The information about potential risks to the provider when performing tasks for the user. The names and telephone numbers of other people that will be needed carry out the contract. A contingency plan to be followed in emergencies. Sharing users’ information with independent residential home providers Personal information shared between Adult Services & Children’s Services staff and providers is no less confidential because it is shared. In sharing information all concerned take responsibility for preserving the principle of confidentiality. Confidentiality is covered in the terms of accreditation and conditions of contract, Hampshire County Council, of providers in condition 18. There are also legal requirements, under the Registered Homes Act 1984, for the registered person to comply with in relation to the information, which must be kept, and the privacy of individual records. In exceptional circumstances where there is concern about the need to share users’ sensitive information or there are allegations of abuse. It would be good practice for the Key Worker to discuss the issues with the provider and consider whether, when the contract ends, the information needs to be recovered to preserve confidentiality. 17 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION We will routinely share the following information about the user. 4.7 The name, address, date of birth, marital status of the resident and whether she/he is subject to a court order or other process. The name, address, and telephone number of the resident’s next of kin or any other person authorised to act on her/his behalf. The name and address of the resident’s registered medical practitioner and of the Key Worker whose duty it is to supervise the welfare of that person. If the resident is an adult and is subject to the Guardianship of Adult Services or Children’s Services the name of the Key Worker who will to supervise the welfare of the resident. Aggregated information Aggregated information is vital for the purposes of management, research and joint working. However, aggregating selective information about a small number of Users may not always safeguard confidentiality. Those with control of the information must make a judgement as to the point at which aggregated material on its own cannot be regarded as personal and identifiable. 5. SUBJECT ACCESS This section covers the guidance on how to give users access to their personal information held on their record, this includes all paper files and all information stored electronically. Please note that there is a separate policy for access to Adoption records. 5.1 Equality of opportunity One of the best ways of providing equal opportunities for users is by behaving consistently when giving a service. For the purposes of this guidance this will mean ensuring that every user is informed about the Adult Services or Children’s Services information sharing policy. Not just by handing out information but by offering an explanation appropriate to the users understanding. Users need to be informed that there are advocacy services to assist them in their communication with the Department, for example, the Citizens Advice Bureau. It is essential to ensure that every user is actively involved in the recording process from the beginning of their contact with Adult Services & Children’s Services and until the work is complete. When English is not the first language of the user, it will be necessary to have copies of the records translated into the appropriate language when the records are to be shared with users. Contact the Race Equality Adviser for guidance on finding and arranging translation. Users with sight loss who request access to records should be offered the following choices. Copies of records in large print, to have their records read verbatim by the Key Worker or transposed into Braille for Braille readers. For advice about Braille contact the Disability Adviser. http://www.hants.gov.uk/equalities/ Formal access to a users records Whilst it should be the norm that records should be routinely shared with users there will nonetheless be formal requests for access to case files. The record to be prepared will be complete and include all paper files and information stored electronically. The record should not be tampered with or altered in any way. 18 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The user should be advised to complete a CR11 form (Subject Access Request Form) which should be addressed to the Subject Access Team, Adults & Children’s Services, 4th Floor, Nuance Global House, Southampton Road, Eastleigh, SO50 5ZF. The application should contain enough information about the Data Subject to confirm their identity and locate their records. The Subject Access Request Team will notify the Key Worker on open cases that a validated request has been received and will liaise with the User and Key Worker throughout the processing of the application. For closed cases the relevant Reception and Assessment Team will be notified that a validated subject access request has been received at which point the case should be allocated to a Key Worker to support the Subject Assess Team with the processing of the request. For a request to see Adoption records the access to Adoption records procedure will need to be followed. If we do not hold records about the Data Subject the Subject Access Request Team should write and inform the requester within 5 working days a record should be placed on SWIFT and a copy of the letter placed on the User record. When we do hold information the requester should be informed in writing that we are processing their request within 5 working days. The letter should contain a description of the personal information held, why we are processing the information and if it has been or will be disclosed to anyone else. From the date the validated request is received Adult Services & Children's Services has 40 calendar days in which to arrange for the user to look at their records. The user has the right to see all the personal information held about them by Hampshire County Council not affected by exemptions or 3rd party restrictions. Which are: Information that is held that relates to criminal offences or is being used for the detection or prevention of crime. Information that is disclosed to another organisation to assist with the above eg the police. Information received from an organisation that is using the information to assist with the above. If the disclosure of the information would prejudice the outcome of any of the above. If the information is being used to investigate allegations of fraud involving public funding. If the disclosure of information held is likely to prejudice the carrying out of social work by reason of the fact that serious harm to the physical or mental health or condition of the user or another person. This final exemption does apply to the safety of all employees. It is important to note that the above exemptions are only to be used in exceptional circumstances and where the serious harm is demonstrable. Each case should be considered individually and legal advice sought. A user does not have the right to see information recorded about anyone else or information given by anyone else other than Hampshire County Council employees. 19 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The source of third party information needs to be identified and permission to share this data with the user should be obtained if the User requests 3rd party information. If the third party withholds consent an explanation must be given to the user. Where records hold information about a third party permission to share should usually be obtained. There may be circumstances where it is reasonable not to obtain permission, for example, where the third party is an alleged abuser of the user. The third party has 40 days in which to respond. Where it is not possible to seek consent or consent is withheld as much information as possible should be shared without revealing the identity of the third party. One copy of the users’ records will be made available at the users’ request. Any further copies that are requested will be charged for at the current rate for photocopying to staff members. Where possible disclosure should be made in person with social work/care management support. 5.3 Appeals against a decision not to allow access to a Users’ record When a request to give access to a Users’ records is refused the requester must be informed of the Complaints procedure. The first complaint is to the Director of Adult Services or Children’s Services. Requesters must also be advised how to contact the Data Protection Commissioner or make an application to a Court for a decision. 5.4 Access to deceased Users’ records The Data Protection Act 1998 does not cover the information held about deceased users. However, information about a deceased user must still considered as confidential under the Common Law of Confidentiality and treated in the same way as if the person was living. When there are requests to have access to a deceased Users’ records the following will be necessary. The request must be in writing to the Subject Access Request Team, Adult & Children’s Services, 4th Floor, Nuance Global House, Southampton Road, Eastleigh, SO50 5ZF and the letter should contain sufficient information to identify the User’s records. Before granting access it will be necessary to establish the nature of the relationship between the requester and the deceased. The applicant must provide evidence that he/she had Power of Attorney or is an Executor of the will of the deceased person. The requester must be able to demonstrate that it is necessary for the requester to have access to the record. Evidence of the relationship should be looked for in the case record. When the person requesting access to the case record was involved in providing information for the records this must be considered when reaching a decision about access. The decision to disclose must take into account all the circumstances, be reasonable and be in the best interests of the deceased User. 20 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The Subject Access Request Team will seek professional advice to reach the decision as to whether to disclose or not. If the request to have access to the user’s records is refused, the refusal must be in writing informing the requester of the grounds for the refusal. 5.5 Formal access to a Child’/ Young Persons’ records A formal request to access to a child’s/young person’s record should be made using the CR11 application form and the validation process will be carried out by the Subject Access Request Team. The right of access is available to young people under the age of eighteen years if it can be demonstrated that they understand what it means to exercise this right. The maturity and the degree of intelligence and understanding need to be taken into account not just the age of the young person. A person with parental responsibility may make the request on behalf of the young person, if it can be demonstrated that the young person lacks the capacity to make the request, or has the capacity to authorise, or refuse to authorise, the person to make the request. The Subject Access Request Team will liaise with the appropriate Service Manager & Key worker who will make the decision for/or on behalf of the young person. When arriving at this decision consideration will need to be given to whether the granting of access is in the best interests of the young person and/or likely to result in serious harm to the young person or others. If this is likely it is reasonable to refuse access. If the request to allow access to the User’s records is refused, The Service Manager must advise the Subject Access Request Team of their decision, record the reasons for refusal to disclose the whole record or key documents. The decision must be sent in writing to the requester outlining the grounds for the refusal. 5.6 Formal access to a Child’s/ Young Person’s records by a Children & Family Court Advisory & Support Service (CAFCASS) The Children’s Act 1989 requires records to be open to inspection by any person authorised by the Secretary of State (such as CSCI) and requires agencies to give access to CAFCASS Family Court Advisors appointed in care, access, parental rights resolutions or adoption proceedings. There is no provision for reporting officers, whose duties should not require access to social work records. 5.7 Formal request to access a Users’ records where the User has a mental disability A formal request to access to a User’s record where the User has a mental disability should be made using the CR11 application form and the validation process will be carried out by the Subject Access Request Team. Mental disability is defined as any disability or disorder of the mind or brain, whether permanent or temporary, which results in an impairment or disturbance of the mental functioning. The Law Commission has recommended: “anything done for, and any decision made on behalf of, a person without capacity should be done or made in the best interests of that person.” 21 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION In general the User has the right to have access to his or her records, no one else does. It must be established whether this is a request on behalf of the User or an independent request. Whilst the requester may hold authority, that is have a registered enduring power of attorney or be a receiver authorised by the court of protection, to manage the User’s financial affairs, and have an authorising order, consideration still needs to be given to the following: The ascertainable past and present wishes and feelings of the User concerned and the factors the User would consider if able to do so. The need to permit and encourage the User to participate, or to improve their ability to participate, as fully as possible in anything done for and any decision affecting the User. The views of other people whom it is appropriate and practicable to consult about the User’s wishes and feelings and what would be in the user’s best interests. Whether the purpose for which any decision is required can be as effectively achieved in a manner less restrictive of the User’s freedom of action. It must not be assumed that because a User has a mental disability that they are without the capacity to make a decision about access to their records. In all situations an assessment, taking into account the above points, should be made as to whether the user is capable of indicating their wishes or a decision must be made on their behalf. This assessment must be recorded in the profile notes. If a User’s condition appears to be temporary, wait and reassess the situation. Seek the advice of the User’s General Practitioner or Psychiatrist. Ask for their decision to be put in writing. Seek the advice of the Receivership Officer and/or Mental Health Adviser. On occasions it may be necessary to ask the permission/ advice of the Court of Protection. If there is evidence of financial abuse please contact the Receivership Officer for advice. Access does not have to be granted where the User is likely to suffer serious harm or an offence is suspected or alleged. The decision about whether to grant access should be made by the appropriate Service Manager for Mental Health/Learning Disabilities. If the request to allow access to the User’s records is refused, The Service Manager must advise the Subject Access Request Team of their decision, record the reasons for refusal to disclose the whole record or key documents and the decision must be sent in writing to the requester outlining the grounds for the refusal. 5.8 Access by agents appointed by the User Requests for access to the User’s records, from and agent such as a Solicitor, advocate or relative, must be accompanied by a CR11 form, written authorisation from the user together with appropriate identification eg birth certificate/passport and/or driving licence or utility bill as proof of address. The User must state which papers may be accessed. The authorisation must also state that the authority has been freely given. 22 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION If the request to allow access to the User’s records is refused, The Service Manager must advise the Subject Access Request Team of their decision, record the reasons for refusal to disclose the whole record or key documents and the decision must be sent in writing to the requester outlining the grounds for the refusal. 5.9 Routine User involvement in case record as work proceeds Recording is an essential component of our service to the User. The care with which we record demonstrates our respect for the User and their private and family life. It is expected that all staff who record personal and sensitive information, for the purposes of providing care services, about the users will routinely share what has been recorded with the user. At the earliest opportunity Key Workers will need to have a conversation with the User about how this will be done. The outcome of the conversation will be recorded and when copies of records are given to Users the date of the transaction will be recorded. Key Workers must ensure that Users are given the opportunity to talk through what is recorded and where necessary support in reading and understanding the contents of the records. Particular attention must be paid to helping Users understand how and why decisions about their care are made. Users will be encouraged to express their view about decisions and these will be recorded. When the user identifies factual errors these must be corrected within one working day of the Key Worker being notified. Where there are differences of opinion about the record between the User and worker these must be recorded in the profile notes and shown to the User. This should take place within one working day of being notified. The User should be given the opportunity to add their opinion to the record which should sit alongside the original document. Documents to be routinely copied to Users Assessments of need. Care plans Re-assessments of need. Financial assessments / statements. Reviews. Minutes of meetings where personal information is recorded. Users have the right to see what is recorded on profile notes. However, the routine sharing of these documents after each visit/contact may prove impractical. Key Workers will inform the User of their rights and discuss the issue with the User. If the User expresses a wish to exercise their rights to see the profile notes the records will be shared at agreed intervals. The discussion and the outcome of the discussion will be recorded. 23 (Proc 06/07 – 21 Feb 2007) GENERAL 5.9 RECORDS MANAGEMENT & DATA PROTECTION Access by members of staff to their personnel records The Data Protection Act 1998 applies equally to employees of Hampshire County Council. Therefore staff may have access to their personnel records. This includes any document where a staff member may be identified. To access Information on the Human Resources system staff should access Employee Self Service (ESS) follow the link for further information on how to access ESS. To access manual personnel records staff should write to the Area Personnel Officer who will respond to the request within 10 working days. It is good practice for line managers to routinely give copies of any supervision notes to staff that they manage. 6. RECORDING PRACTICE GUIDANCE The recording of personal information in the context of Adult Services & Children’s Services is frequently seen as an activity that gets in the way of the real work, that is, seeing and helping Users. However, numerous, public inquiries into the deaths of children, suicides, people murdered by the mentally ill and work by the Commission for Social Care Inspection, have cited poor recording and poor communication as a contributory factor in situations that have resulted in tragic outcomes. Therefore it is vital that the recording of our work with Users of our services is given the attention and care it deserves from everyone involved in the recording process. This means not only the recording of direct work with Users but also the recording of data that forms the basis of the statistical information we must routinely provide for central government. It is no longer possible to assert that this Adult Services & Children’s Services are providing good services without the evidence to support that assertion. Everyone involved in the recording process has a responsibility to familiarise themselves with their roles and responsibilities and have detailed knowledge about the processes and procedures. It is acknowledged that in a busy day recording and the management of records may not seem to be an urgent priority but all of our work should be planned including time for recording. Managers have an enabling role in this respect and need to ensure workloads are managed in such a way as to allow staff sufficient time for recording as well as all the other tasks associated with providing excellent services. 6.1 Informing and Carers and Users why we need to keep records Users and Carers will be informed about why we keep records and our recording practice at the earliest opportunity. The leaflet ‘Your Records’ informing the User of their rights must be given. This leaflet contains all the reasons why we need to record personal information. These are: To distinguish between two people with the same name. To account for actions taken. We are accountable to the Director of Adult Services or Children’s Services and Hampshire County Council and other bodies on occasion. To comply with the law, for example, the Mental Health Act 1983, the Children Act 1989 and the National Health and Community Care Act 1990 To provide a record of events for an individual. For example, a looked after child. To monitor the progress of the services we provide. To help with the supervision and professional development of individual staff. To help plan the services we provide we use information about individuals, which is anonymised and aggregated. To provide information to Central Government to monitor the services we provide to users and assist with central planning. 24 (Proc 06/07 – 21 Feb 2007) GENERAL 6.2 RECORDS MANAGEMENT & DATA PROTECTION Content and style of recording Before collecting personal information staff will introduce themselves by name and offer proof of identity and authorisation. We will only record what is necessary to provide the User with a service that meets their needs. We will not record information just in case it might be useful. The records should reflect anti-discriminatory practice and demonstrate sensitivity to the needs of all people in the community. There will be occasions when the User shares information that is “sensitive”. Sensitive personal data includes, ethnic origin (see appendix 2 for ethnic recording policy) http://intranet.hants.gov.uk/social-services/equalities-2.htm), political opinions, religious or other beliefs of a similar nature, membership of a trade union, medical or mental health condition, sexual life, criminal offences, criminal proceedings and convictions. Generally medical information needs to be treated with caution and should be recorded in terms of the implications for the needs of the User not in medical language. But there will be occasions when it is necessary to use medical terms, for example, when we are providing a service for a User with mental health problems or with an illness limiting abilities. All records should be written as though the User is reading the record with you. Records should be written in plain language that is free of jargon. Abbreviations must not be used. The record must be factual and when opinions are expressed these must clearly be identified as such. Opinions and observations must be shared with the user and the user should be encouraged to express their views and have these recorded. The amount and quality of the recording should be sufficient to enable the reader to have an understanding of the Users needs and any risks involved. See also the section on the quality of recording. A chronology of significant events should be kept and updated at three monthly intervals. All records must show who was present at the contact, where and when the contact took place. The purpose of the contact, any outcomes, the time, the date and who wrote the record must be clear and legible. Entries must not be tampered with or altered at a later date. Where there are allegations of abuse against a named person care needs to be taken to ensure that the account of the allegation is factual. As far as possible alleged perpetrators of abuse must not be defamed. Where Users’ information is disclosed without consent a record of the information disclosed will be made. The record will include who was involved in making the decision and, if consulted, the solicitors’ advice. 25 (Proc 06/07 – 21 Feb 2007) GENERAL 6.3 RECORDS MANAGEMENT & DATA PROTECTION The quality of the recording As with all the services we provide we aim for excellence and recording is no exception. To help people assess the quality of the recording the Social Service Inspectorate in “Recording with Care” (published 1999) suggests the following criteria: 6.4 Poor. No record of work, or it is so partial it is of little value. Weak. The record indicates the dates the people were contacted/seen and gives brief details of actions taken/ decisions but is incomplete or superficial. Good. The record indicates the dates, purpose and outcomes of contacts (i.e. meetings/ interviews/ telephone conversations) and who was present. It presents all the information and at intervals brings it together as part of the assessment, planning and review cycle. Superior. In addition to the requirements for good recording it presents all the salient information, both past and present, about the service user/ child and family. This information is analysed and used as a basis for deciding what the current risk to service user/ child; what plans need to made to reduce risks and rationale for these; details the work being offered to the service user/ child and family and being undertaken, including by whom. When to record Every contact with a User or contact about a User must be recorded within three working days. Recording for Child Protection, Adult Protection (appendix 12) and Mental Health Act assessments must be completed within one working day. This is necessary because memories are unreliable and accurate recording is essential. When there are changes in the user circumstances. For example, the User moves to another address or dies. The recording of death is of particular importance because of the potential to cause distress to families. Deaths should be recorded in the appropriate systems, for example, SWIFT. In exceptional circumstances where delaying recording is necessary the reasons for the delay must be recorded. 6.5 Recording decisions Any decision that affects the User and signifies the department’s intentions towards the User must be recorded on the form appropriate to the situation. The date when the User was informed will be recorded. The people involved in making the decision should be identified and the reasons for making the decisions should be clear. If there is a link between the decision made and departmental policy, legislation or research this should be explained in the record. The person responsible for the decision should make the record. However, there will be occasions when decisions are made in meetings. In this event the decision should be recorded, by the Key Worker, in the profile notes together with information about the date the meeting was held, the nature and purpose of the meeting. 26 (Proc 06/07 – 21 Feb 2007) GENERAL 6.6 RECORDS MANAGEMENT & DATA PROTECTION Supervision of recording Line Managers/Supervisors are responsible for ensuring that records meet the quality and time standards contained in this document. For this reason it will be necessary to ensure that existing and new staff are familiar with and understand both this policy/procedure and other policies/procedures where expectations and guidance for recording are specified. The supervision of recording is a vital activity. In supervision, when cases are discussed, the case file and the electronic file, for the subject of discussion, should be examined. Feedback about whether the file/recording meets the department’s standards should be given to the worker and recorded in the profile notes. See also section on the quality of recording. Where a staff member consistently fails to meet departmental standards, that is the recording is consistently poor or weak, it will be necessary to consider further action. Please use the attached link for the Adult Services Quality Practice Case File Auditing Policy and Procedure http://www3.hants.gov.uk/proc2305-2.doc When work is completed, or transferred to another worker, it is the Team Manager’s responsibility to examine the manual/computer case file and recording before the file is closed When examining files prior to closure or transfer Team Managers will ensure that recording is accurate, the record complete, that all duplicate information (in manual records) is deleted and original documents are kept. A summary of the work with the User will be completed by the Key Worker before the case is closed or transferred. This will include information about whether the services provided have met users needs and whether the desired outcomes have been achieved. In SWIFT the summary will be entitled, “closing summary” or “transfer summary”. 7. FILE STRUCTURE The electronic SWIFT record is the main file. Therefore it is not necessary to keep documents that have been printed from SWIFT and file them in the manual file. The only records that should be kept in the manual file should be documents that are not generated by the SWIFT System. One of the reasons we record is so that staff can provide continuity of service and the case file should do all that it can to support this. The case file is also the main form of written communication between Adult Services & Children’s Services staff. The file should contain only original documents as reproduced documents such as photocopies and facsimile records may deteriorate thus destroying personal information contravening the 7th principle of the Data Protection Act 1998. All paper records in each file section should be filed in book order. For example, in section 3 the first contact sheet should be at the beginning and the most recent at the end. The reason for this is in order to draw the attention of the reader to the history of the User and previous work undertaken. This is especially important when considering the risks to a User or members of the public. When an additional file is opened it will be necessary to transfer all key information, all the most recent information including minutes of last meetings, care plans and other relevant current documentation. 27 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION 7.1 File Structure see Appendix 9 8. THE RETENTION AND DESTRUCTION OF RECORDS The purpose of this section is to define the requirements for the retention and disposal of paper files/ manual records and electronic records. Please note this guidance does not apply to business or administrative records. The Data Protection Act 1998 says that records must not be kept for longer than necessary, the timescales in this schedule are based directly on relevant legislation or are decisions made by the Adult Services & Children’s Services and deemed to be necessary. For example, for jointly held Mental Health Users’ records it is necessary to keep the records for 20 years to comply with the legal requirements of the Health Service. When a User has an electronic case file, currently in SWIFT, this is the main file. Therefore it is not necessary to keep documents that have been printed from SWIFT. Manual records will have one main file that will be kept in the Area centre. Users can receive a service in a unit and when the service is finished the Users’ record should be returned to the Area centre. When a file is closed, the responsible officer will assign a retention period to the file in accordance with the retention schedule. The file should be clearly marked on the outside with the destruction date, which should also be entered on SWIFT. Any doubt concerning the interpretation of the retention schedule should be referred to the Records Management Officers, who will seek advice if necessary. Regular spot checks, a record of the findings will be kept, will be made by the Records Management Officers to ensure that all closed files have had a retention period set, and that SWIFT has been updated with the destruction date where appropriate. Lists of files which have reached the end of the retention period, and which are due for destruction, should be regularly obtained monthly from SWIFT. This should be supplemented by physical checking of the files in the closed file storage area by the Records Management Officers. The electronic case file should be destroyed at the same time as the paper file. All papers from case files should be disposed of in a confidential way eg shredded or placed in confidential waste bags. Files with long term retention periods can be transferred to Hampshire Record Office, subject to the procedure set out in section 9.12 of this document being followed. These files can be transferred at any stage during the retention period, but it is recommended that they are retained in the Area Centre or unit for a minimum of 3-6 years. It is the responsibility of the Records Management Officers to identify those files that could be transferred to Hampshire Record Office, and to make the appropriate arrangements. The disposal of files held at Hampshire Record Office will be handled by Hampshire Record Office in consultation with the depositing Area Centre or unit. Retention schedule See Appendix 11 28 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION 9. STORAGE AND SECURITY 9.1 Systems covered by the Data Protection Act 1998 The legislation applies to “accessible personal information” which means information held by the local Authority to carry out its Adult Services & Children’s Services functions. This includes material held both locally and centrally, in manual files, electronic mail, card indexes, day books, and logs, video and audio tapes and on computer systems and word-processor files stored on individual disks. Databases that contain personal information should only be held by agreement with the line manager and the IS Section and should be kept in accordance with the policy and guidance set out in this document. All accessible systems as described in paragraph 1 above should be kept in accordance with the policy and guidance set out in this document. A complete list of all databases will be maintained by the IS Section and newly created databases should be registered there. 9.2 Security of information held on Computers 9.2.1 The role of the organisation It is the role of the Local Authority and Adult Services & Children’s Services to ensure that adequate safeguards are in place to protect the security of personal data held in computer systems. To ensure that this is the case, there will be detailed policy and procedures as well as technical measures to safeguard against the following: Loss of data (routines for backup and restore and disaster recovery) Corruption of data (routines for virus checking, firewalls, security procedures as well as rigorous testing of new systems). Misuse of data and unauthorised release of confidential data (technical and procedural access control, training, awareness and supervision to raise awareness of policies, procedures and sanctions as well as declarations of undertaking by both Adult Services & Children’s Services and other agency staff as well as contracted staff and bureaux). 9.2.2 The role of every member of Adult Services & Children’s Services Ensuring the security and accuracy of User information is a responsibility of management and staff at all levels. This includes arrangements for the secure storage and disposal of all User information. 9.2.3 Security – Responsibilities of Computer Users Terminals and Personal Computers (PCs) that access personal data must be logged off when unattended. System users must ensure that they log off at the end of each working day. Systems accesses by ids are monitored and repeated failure to log off at the end of the day will be followed-up. 29 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Siting of terminals should prevent accidental viewing of personal data by unauthorised personnel. This is particularly important in locations which give access to the public. Avoid leaving sensitive data displayed on the screen. Removable media (disks, memory sticks) that store personal data must be removed and stored securely when not in use. Backup disks and tapes must also be stored securely and separately from the originals. For business critical data, storage should be in a fireproof safe, or off-site. Disks sent or taken to other work bases should only contain data relevant to the proposed task. All equipment must be security marked. (Contact the IS Section Helpdesk for further advice). Removable media should be kept away from extremes of temperature and electrical or magnetic equipment. Laptops should not be left in cars, or unattended in any public place. See Appendices for guidelines on use of the Internet and E-mail. 9.2.4 Security – Responsibilities of Users of Computer printout and Fax Computer printouts and fax containing confidential, personal, or sensitive financial data must be kept securely, not left lying around in printer trays, or elsewhere. Printouts which are printed at a central location must be collected immediately, or arrangements made for their secure storage until collection is possible. Confidential printout sent through the courier systems should always be placed in a sealed envelope, marked “Personal and Confidential” and addressed to a named recipient, an if undelivered address should also be added If these printouts cannot be transported by the courier service and need to go in the post, they must be sent by recorded delivery. A register of files sent out must be maintained by the sending officer whether from HQ, Area or a Unit on the P fFiles Tab in SWIFT. Access to computer output documentation and paper files must be authorised and managed in the same way as access to electronic records. Documents used for data input reference should be stored securely before and after input, or destroyed in accordance with any agreed procedures. Instruction booklets, papers, files or manuals describing personal data or its processing must be kept securely when not in use. When printed output containing confidential, personal, or sensitive data is no longer required it should be destroyed via the confidential waste facility. Confidential waste sacks should always be kept in locked cupboards or rooms. 30 (Proc 06/07 – 21 Feb 2007) GENERAL 9.2.5 RECORDS MANAGEMENT & DATA PROTECTION Backups It is the responsibility of the IS Manager, Data Protection Coordinator, system developers and development project managers to ensure that backup facilities are included in the development of any corporate, or departmental systems. Data which is stored on the hard drive of the PC, or on floppy disks should be backed up regularly to ensure that there is a clean and up-to-date copy if there is an equipment failure. For business critical data, storage should be in a fire-proof safe, or off-site. 9.2.6 Virus Viruses are computer programs which can hide within other programs, files or computer memory and when they become active they can corrupt data held in the computer’s memory. IS Section Helpdesk should be contacted immediately if you suspect you have a virus on your PC. It is vital to stop the spread of viruses quickly once they are introduced. Conduct, or arrange regular “virus checks” with the local AISO, and be especially vigilant if you work with floppy disks on a range of different machines. Never load programs from disks without consulting IS Section who will advise on virus checking and machine setup. Never change system files without prior consultation with IS Section who will advise about the way your PC is set up. Never copy programs from one PC to another, without proper authorisation from IS Section. Never copy HCC programs onto personally owned equipment without proper authorisation from IS Section. 9.2.7 Home working Once the need for home working and, subsequently, the demand for home computing facilities have been established, it is necessary to obtain permission via your line manager to provide equipment and other facilities in the home base. When authorised, equipment should be ordered in the normal way via the IS Section. Extra care must be taken to ensure that the principles of the Data Protection Act are complied with and that unauthorised persons do not have access to confidential, personal, or sensitive data. If staff members are processing personal data on their own initiative and outside their remit as an employee of HCC, then they will be data users in their own right. As such they will not be covered by the Adult & Children’s Services Data Protection Registration and they should register their own use with the Data Protection Coordinator. 31 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Particular attention must be paid to maintaining the integrity of duplicate or skeleton records where files are held in more than one location. Disks carrying data between home computers and those used in work bases are vulnerable to attack by viruses. If disks are used in this way it is particularly important that virus checks are carried out. 9.3 Security of Information Held on Manual Files All Adult Services & Children’s Services staff are responsible for the safe keeping and storage of records. It is expected that all Staff in contact with information held by Adult Services & Children’s Services will abide by the following standards files must not be left on desks overnight when not in use paper files must be stored in lockable cabinets when not in use computer files must be closed and subject to password security when in use files must not be left unattended for passers-by to observe paper files in transit must be enclosed in appropriate envelopes and marked confidential files must not be displayed in public places (eg on trains) or left in vehicles at any time. 9.4.1 Storage of files relating to staff members and their families Where a link can be made at referral stage, (or any stage of contact with Adult Services & Children’s Services Department), between a member of staff and a referral, or a member of staff’s family and a referral there should in all cases be tightly restricted access to the files. The SWIFT Record can be made confidential on request. The request must be authorised by the relevant Service Manager and passed on to the Information Services Support Team via HEAT Self Service giving the names and USERID of those who require access to the record in order to provide a service. Paper files should be held by the Lead Service only and accessible only to any key worker on request to the Lead Service Manager or to another nominated senior staff member in their absence. The SWIFT P File tab should be amended to reflect the location of the paper record. These files will be kept in a locked cabinet in the Lead Service Manager’s room and will remain so until it is necessary for the files to be moved to Hampshire Record Office or destroyed in accordance with the retention and destruction policy. 9.5 Storage of Manual Files 9.5.1 Introduction The following procedures relate to manual user files created by Hampshire County Council Adult Services & Children’s Services. They are intended to ensure that the County Council has easy and continuing access to vital information concerning its users for as long as necessary. These procedures should be used in conjunction with the procedures relating to recording and record retention. 32 (Proc 06/07 – 21 Feb 2007) GENERAL 9.5.2 RECORDS MANAGEMENT & DATA PROTECTION Basic principles For every open case there should be a named Key Worker who is responsible for ensuring that a paper user file is maintained, and that information is recorded within the Department’s timescales. File size needs to be kept to a minimum, therefore duplication of information on the file should always be avoided. Additional items that do not contain users’ information, such as compliments slips and acknowledgements should either not be filed or should be removed from files at an early date and destroyed. All files should be clearly labelled on the bottom right hand corner with User name, date of birth and SWIFT reference number . Closed files should also be labelled with a destruction or review date. The location of each file, whether active or closed, must be recorded on SWIFT. If the location of the file changes, SWIFT must be changed within one working day. It will be necessary to introduce other measures to ensure that the use and location of files is adequately recorded. Files must be kept securely, with access limited to appropriate staff members. See access matrix for details. The physical arrangement of the records must permit these staff to have swift access to individual user files at all times. A well ordered and tidy filing area must be maintained to ease the process of reviewing, culling and archiving of user files. 9.5.3 The storage of user files Manual records should be stored in centralised filing areas or registries for active files which serve a particular user type or team, or which serve a defined area or floor of the office. The principles governing the use of such a filing area should be the same as those for the storage of closed user files (see below). Closed user files should, if possible, be stored in a central location within the Unit or Area Centre for the duration of the retention period. Files with long retention periods can be transferred to Hampshire Record Office in accordance with procedures set down by the County Archivist. The closed file storage area should be located within a room or rooms dedicated solely to this purpose and which are capable of being locked. If this is not possible, the files should be kept in lockable cabinets. The file storage room should be isolated from major building services, including water pipes, computer servers or wiring. If this is not possible, steps should be taken to minimise risk to the files from fire or flooding. The file storage room should be free from damp and should not be subject to extremes of temperature. 33 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The file storage room should be fitted with open shelving or shelving units. Advice should be sought about the load bearing capacity of the floor, especially if mobile shelving is contemplated. Closed user files in the storage area should be arranged alphabetically by surname in a single sequence, regardless of user type or closure date. The file cover should be labelled with the destruction or review date of the file on the bottom right hand corner of the folder. This label should be visible without removing the file from the shelf. Files should be held in the storage room or area for no longer than is necessary. When the retention period is over they should either be destroyed or transferred to Hampshire Record Office. 9.5.4 Access and security All filing cabinets or cupboards containing user files, whether active or closed, should be kept locked. Access to these cabinets and cupboards will be controlled by the Records Management Officers who should establish procedures for allowing access to the files that they contain. Access to file storage rooms containing closed user files should also be controlled. These rooms should be kept locked, though a recognised procedure should be in place to allow access to designated personnel at all reasonable times. It is the responsibility of the staff member who removes a closed user file from the file storage room to ensure that details of the new file location are entered on SWIFT within one working day. Staff members who remove files from the storage area will always up-date the P Files tab in SWIFT to ensure a record of the record’s location is maintained. 9.5.5 Transferring Records to Hampshire Record Office Records which need to be kept for long periods (i.e. 75 years or more) can be transferred to the Records Centre at Hampshire Record Office in Winchester. Other records may be accepted subject to agreement with Records Centre staff. The Records Office will hold these records on behalf of Children’s Services for the periods shown on the Retention Schedule. At the end of this period the records will either be destroyed or transferred to the permanent archive of Hampshire County Council. During the retention period the records will only be made available to authorised personnel of the depositing Area, Unit or Section, or to personnel of other Areas, Units or Sections (or of other County Council Departments) with the permission of the depositor. Public access to records will be bound by the rules of the Data Protection Act, 1998. Applications to see personal records can be made through the Subject Access Request process. This is dealt with by the SAR team at Nuance House, Eastleigh who can be contacted on 02380 687338, or email SSHQSAR. Hampshire Record Office should be given notice of intent to transfer records. Prior to transferring records an Official Transfer (OT) number must be obtained from staff at the Records Centre. 34 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The Record Office will provide boxes for transferring records on request. Only these boxes should be used. All records need to be arranged, boxed and listed by Adult & Children’s Services personnel prior to transfer. The listing of records should be completed onto the Records Management transfer template for importing into the Records Centre database which is known as ‘CALM RM’. When user records are to be transferred, SWIFT must be updated to show the destruction date of the file and the new location (Enter 'HRO' for Hampshire Record Office) and the date that the files have been transferred to the Records Centre. Delivery of records to Hampshire Record Office should be arranged through the HCC courier service -01962 873950. Staff at the Records Centre will issue receipts and consignment lists for all records transferred within 7 working days of receipt of both transfer template (for CALM RM) and of all the boxes. For specific guidance on transferring children's files please see section 9.5.7 9.5.6 Retrieval of records from Hampshire Record Office Records can be retrieved from the Records Centre at Hampshire Record Office on request. Files must be ordered with as much notice as possible. HRO will respond to any requests within 24 hours, but the distance to an area office or unit and frequency of courier service will determine how quickly records are received. To order files you can telephone 01962 847761, request by email to SADERM, or alternatively use the document ordering form to be found on Hantsweb Pages : http://hantsnet2000.hants.gov.uk/TC/record/forms/rmsform.html Records so ordered can: be viewed in the Public Search room at Hampshire Record Office be returned to the depositor (or depositor's nominee) using the County Council's Courier Service. Orders are normally processed within 24 hours of receipt of request. be collected in person by the depositor (or depositor's nominee) be permanently withdrawn Records will only be issued to staff for viewing or collection at Hampshire Record Office on production of a Hampshire County Council Adult & Children’s Services identity card. Withdrawals will initially be for six months, though this period may be extended. This will be followed up by HRO on a six monthly basis. Records can be permanently withdrawn from the Records Centre if there is a need to consult them more frequently than anticipated (eg if a user makes contact again). 35 (Proc 06/07 – 21 Feb 2007) GENERAL 9.5.7 RECORDS MANAGEMENT & DATA PROTECTION Transfer of records to Hampshire Record Office: guidelines for the preparation of Children's case filing Please only include files with a 75 year retention period, in accordance with the Adult & Children’s Services Dept records retention schedule. In practice this should mean most child care files, i.e. files relating to children placed by or in any way looked after by Hampshire County Council. The retention period for such files should be 75 years from date of birth. If a file relates to more than one child the destruction date will be calculated as 75 years from date of birth of the youngest child: All files that are to be transferred should have a skeleton record created for them on the user system if they have not already got one. This should include details of destruction date and location, i.e. ‘Hampshire Record Office’ or ‘HRO’ Files relating to adoption cases should not be directly transferred to Hampshire Record Office. These should be sent to Adoption Services for processing. Children’s files should be transferred to HRO in batches of a minimum of ten boxes. Each batch will be identified by an Official Transfer (OT) number which is allocated by HRO prior to listing and transfer. The files should be arranged in destruction date order and then ideally alphabetically within year of destruction. Files must be packed only in the boxes supplied by Hampshire Record Office. Once the files in each batch have been sorted and are to be boxed, details of each file should be entered onto the ‘CALM RM’ official transfer template used by HRO. The transfer template for the ‘CALM RM’ form is issued by HRO as an email attachment with the allocation of the OT number. Once the listing has been completed please notify the Hampshire Record Office by emailing SADERM. The actual transfer of the filing boxes to HRO is the responsibility of the department. You will need to confirm if Records Centre staff would like the boxes delivered to the main office at Hampshire Record Office, Sussex Street, Winchester or to the off-site store at St.Thomas’ Centre, Southgate Street, Winchester. 9.5.8 Transfer of Records to Hampshire Record Office : Instructions for adding data to the CALM RM transfer template Details of records transferred to the Records Centre for storage need to be captured into the database managed by the Records Management Service which is known as CALM RM. To do this departmental staff will be e-mailed an attachment containing a template of a word document to complete. The procedures for completing the form are as follows: You will receive an e-mail entitled ‘OTxxxx transfer template’ bearing the deposit number or Official Transfer number agreed beforehand with the Records Management Service (RMS). The e-mail will contain an attachment. You will need to open the attachment containing the template and save the document in WORD in a departmental folder of your choice. We would recommend that you set up a specific folder for transferring records to the Records Centre on I:\drive do not save it within DMS. Save file with the file name ‘OTxxxx completed transfer template’: click on File menu, choose Save As option (outside DMS), add file name to file name box, select word document in save as type, select a suitable folder, click on Save. 36 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION You may notice that one or two control boxes appear on screen these can be safely closed by clicking on the cross in the right hand corner of each one. Some details such as your name, department and contact details have already been completed by the RMS at the top of the form. There is no need for you to add anything to this section. Scroll down to the next section below the directive ‘All fields must be completed for each row below’. You will notice that the Transferred field has been completed with the Official Transfer number and a default LoanGroup of All has also been assigned by the RMS. There is no need for you to add anything to these two fields. Beneath these fields are the column headings: RecId, OfficeRef, Title, Date, RetentionFrom and ClassId. These headings relate to those found in the RMS database CALM RM, they are described more fully below. 9.5.9 Completing the record details 9.5.10 RecId – Record Id – this is the full Records Centre reference assigned to each record. You will need to complete the RecId for every record being entered onto the form. The format should be as follows, OT number/box number/item number (eg 8910/12/65). Please note that item numbers run sequentially from the beginning of the deposit to the end (ie if you transfer a total of 65 records the item numbers start at 1 and end at 65). Single digit box or item numbers should be written as follows 8910/1/1 not as 8910/01/01. 9.5.11 OfficeRef – Office reference – this is the full departmental reference given to the record while in current daily use. The OfficeRef should only be completed if you have a departmental reference if you do not please leave this field blank. The departmental reference must be unique for each item if it is not unique then please type it in the title field instead. 9.5.12 Title – Title – this is the name by which the record is known. The title field will expand to hold as much data as you need so there is no limit on the amount of information you enter. 37 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION 9.5.13 Date – Date – this can refer to the covering dates of the record (i.e. when opened and closed) or it can refer to a single date such as the date of birth of a User. The format for writing dates is as follows 1/04/2004-31/03/2005. There should be no gap between any of the characters. 9.5.14 RetentionFrom – Retention From – this is the date from which the period of retention is calculated. It is usually the first of January following the date of the record. If you are unsure of what to write in here please contact a member of staff at the Records Centre for advice. The retention from date should be written in the following format 1/01/2005. The retention from date needs to be completed for each record and can be copied and pasted if it is the same for each. 9.5.15 ClassId – Class Id – this refers to the class or type of record and must be added to each record, it enables the RMS database to calculate how long the record should be retained and what should happen to it once the period of retention has expired. As far as possible each deposit will contain the same class of record enabling the RMS to assign a single ClassId to all. The ClassId will always be completed by the RMS for the first record except when deposits contain mixed classes of record. Where the ClassId is identical for all records in the deposit it can be copied and pasted to each record. Where the deposit contains mixed classes leave this field blank for the RMS to complete. 9.5.16 Departmental staff must only add data directly into the shaded areas in the cells of the table. To add data, start by placing the cursor into the cell of the first record and click the left hand mouse button. The shaded area will be highlighted a slightly darker colour of grey – it is now safe to add data. You should not be able to add data outside shaded areas as this will not be imported into the RMS database. Continue to the next field by tabbing across. 9.5.17 Once completed save the document and send as an attachment in an e-mail to records.enquiries@hants.gov.uk. Please title the e-mail as ‘OTxxxx completed transfer template’ so it can be dealt with promptly. After the material has been transferred a print-out is made of the list. Once the boxes have been sent and accessioned (this includes checking the contents and locating the boxes) a copy is sent to the depositing department with an official receipt. 38 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION 9.5.18 Transfer of Records to Hampshire Record Office: Guidelines for Boxing records For ease of access please arrange files as you would in a filing cabinet, with the name of the User on the spine of each file. Leave enough space between each file so they can be removed and replaced easily. Economical use should be made of the space within the box but the final weight including the lid, should not be more than 12Kg for Health and Safety reasons. Papers should be removed from ring binders and lever arch files. Add a title front sheet listing family members that the file relates to, and bind with archivist tape (do not use elastic bands as these will eventually perish). Ring binders and lever arch folders are not acceptable for the following reasons: they are too bulky and take up valuable space inside the box they add to the weight of the box the metal rings can rust, marking the paper (particularly bad for long-term storage) Plastic folders or sleeves should also be removed as far as possible as they release chemicals which are harmful to the documents. Replace with cardboard folders. Check for and remove any paperclips. When files are arranged alphabetically, numerically, or by date of destruction within a box it is helpful to indicate this using divider cards. Remember to mark the box with its OT and BOX numbers (a black felt tipped pen works best). While filling the boxes please do not write on any other part of it - use peel off labels if you need to identify them - as one day the box may be re-used for other records 39 (Proc 06/07 – 21 Feb 2007) GENERAL 10. ACCESS TO SYSTEMS 10.1 System User Access Rights RECORDS MANAGEMENT & DATA PROTECTION The key principle is that access to information held in Adult Services & Children’s Services systems will only be granted where that access is a regular requirement of the requester’s role. This principle applies to both computer records and paper records. The type of information that can be accessed will be determined by: the staff member’s role in relation to the User the type of information required to effectively carry out that role Staff profiles will specify what parts of User records are allowed to be accessed by the staff member For very sensitive files, access to all of the file will be granted to a small number of named individuals only. Viewing and Update access will not be granted on the basis of “just in case”. When a new member of Adult Services & Children’s Services staff joins the department, the request for a Hantsweb Id and systems access must be authorised by the line manager. The IS Section arrange for access to systems when an appropriate request is received from the manager. Where access to a particular system has not been requested, this will not be granted. The Data Protection Coordinator for Adult Services & Children’s Services will be the final arbiter where there is a disagreement about the level of access required. The basic principles of access will be applied to all systems, electronic and manual. 10.2 Access Levels Due to the amount of detail now held within system files, special controls have been developed to manage the range of access levels. Similar principles of control will be applied to manual systems. Access rights for updating files are granted on the basis of roles distinguished by different groups eg Team Manager, Key Worker, etc. Each group allows a different level of access, appropriate for someone carrying out that role. Audits are carried out to ensure that users are only given access to the relevant group necessary for their role. 10.3.1 Additional Security Controls Regular reports are run to identify when systems are not being used. When a User has not used the system for a period of time their access will be removed on the basis that this is no longer required. 10.4 Access Requests 40 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION All access requests are centrally managed and access is granted on receipt of a Userid Request Form. All Users must attend relevant training and sign a security form of undertaking for data protection purposes before access is granted. Appendix 5 10.5 Non-SSD Staff Access rights for external agency staff are granted only when a form has been completed by an authorised “nominator” with full justification for the request. External accesses are audited on a regular basis to ensure that all the forms have been received along with a signed security form of undertaking for Data Protection purposes. 10.6 Students and Temporary Staff The majority of students are now managed centrally through the Hampshire Learning Centre who in liaison with the training team arrange the relevant system access and training is arranged. In the case of a non Hampshire Training Centre students or agency staff, the line manager must arrange access on the relevant userid request form. They must also advise when this access is no longer required ID’s will be applied on a personal basis. 11. INFORMATION SHARING WITH OTHER AGENCIES – JOINT PROTOCOLS AND POLICIES Adults Services & Children’s Services are currently working in conjunction with other agencies to produce a framework policy and protocols for information sharing. It is intended that this framework will provide guidance allowing development of detailed protocols for specific areas of the business. Any policy will be likely to contain the following General Principles. 11.1 Sharing with other Agencies Individuals receiving services should be advised that limited sharing of information would normally take place. 11.2 Key Principles of Joint Policy Health and all other Agencies working with Adult Services & Children’s Services have a duty to restrict access to patients’/Users’ files in accordance with the key principles of confidentiality. In all policies, protocols and individual circumstances, the following General Principles should be applied. i) ii) iii) iv) Justify the purpose Don’t use subject identifiable information unless it is absolutely necessary Use the minimum necessary subject identifiable information Access to subject identifiable information should be on a strict need-to-know basis 41 (Proc 06/07 – 21 Feb 2007) GENERAL v) RECORDS MANAGEMENT & DATA PROTECTION Everyone with access to subject identifiable information should be aware of their responsibilities Information should be specifically geared to the task it is intended to serve Information should be shared as part of appropriately planned and managed procedures Information should only be shared within agreed “information communities” Understand and comply with the law vi) vii) viii) ix) All parties in a Joint Working arrangement will be expected to demonstrate that they have established and have operational: Procedures (including forms) for handling user access and consent Documentation for service users which explains their rights of access, the relevance of their consent, rules and limits on confidentiality, and how information about them is treated; Additional documentation for specific situations such as when the user may not be in a position to understand rights of access or to provide consent Procedures for handling records Procedures for implementing and managing the requirements of the Data Protection Act 1998, including designated staff responsibility Staff awareness and development programmes about the Act Guidance and compliance procedures for staff and all who work in or on behalf of the agency An IT security policy and procedures A plan and procedures for regular monitoring and auditing of adherence to the Act Identification of agencies who are working on NHS/SSD behalf and may have authorised access to the agency’s information, and relevant compliance documentation and procedures for them. 11.3 Handling User Information 11.3.1 Personal Information and records: All personal and medical records, any information therein and any information about a person known to Adults Services & Children’s Services and allied services must be regarded as confidential under the key principles of confidentiality 11.3.2 Consent to disclosure Wherever possible the person’s explicit and valid consent must be obtained before disclosure of information is made. The Key worker and staff of other agencies involved in the person’s care have a responsibility for informing the provider of information of the potential need to share information and why, with other members of the person’s Adults Services & Children’s Services and/or Healthcare team. 11.3.3 Restriction of purpose Information given or obtained for one purpose should not be used for a different purpose without the express or implied authorisation of the provider of the information. When wider disclosure of information is being considered the provider should always refer back to the information source for authorisation. 42 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION 11.3.4 Consent and mental incapacity Every effort should be made to obtain the individual’s views on consent to share, where an individual is unable to give informed consent, such consultations should be recorded in writing. 11.3.5 Disclosure without Consent Exceptionally, some information may be shared without prior consultation. In such cases the provider of information should be advised that confidential information has had to be shared and why, except where this would endanger people, or where contact has been lost with the original provider of the information or consent may be absent. A person may positively refuse to give consent to disclosure. A person’s right to confidentiality is not absolute and may be overridden where there is evidence that sharing information is necessary in exceptional cases – because of: the power of the courts the power of certain tribunals as a requirement of legislation eg. Statutory assessment under the Mental Health Act 1983 the need to prevent serious crime the health of the person public health and welfare concerns effective service delivery within the bounds of duty to care There may be circumstances where Officers of the Court are appointed to look at records or there is a need for the police or other departments of the council to have access to a record in order to prevent or detect a crime. This may only be done within the rules set out in Data Protection Law. In these circumstances the record holder should consult fully with their line manager before giving access. Before releasing User information to Officers of the Court or tribunals legal advice should always be sought. 11.3.6 Conditions regarding disclosure Any information disclosed should be: clear regarding the nature of the problem and purpose of sharing information based on fact, not supposition or rumour restricted to those with a legitimate need to know strictly limited to the needs of the situation at that time recorded in writing with reasons stated. NB. Where consent has not been authorised extra care should be taken in recording reasons, decisions and actions taken. Where disclosure of information without a person’s consent has been considered and a decision has been taken not to disclose, the decision should be recorded in writing with reasons given. 43 (Proc 06/07 – 21 Feb 2007) GENERAL 11.4 RECORDS MANAGEMENT & DATA PROTECTION Joint and Specific Roles and Responsibilities 11.4.1 Sharing of Policy/Protocol Documents – The Role of Commissioners Officers of health and Adults Services & Children’s Services who plan and commission services (commissioners) should ensure that all agencies that are involved in mental health services either under statute, as in the case of the Police and Probation service, or in a voluntary capacity, shall receive a copy of relevant policy and procedure documentation and agree the principles relating to the protection and disclosure of information. Where services are commissioned by health and/or Adults Services & Children’s Services either independently, jointly, or in partnership with other agencies, commissioners shall ensure that the providing agency/agencies has/have copies of relevant policy and procedure documentation, agree the principles relating to protection and disclosure of information and the roles and responsibilities of their staff. Commissioners shall ensure that all contracts with provider services specify compliance with the key principles of protection and disclosure of information and any agreed protocols as stated in policy and procedure documentation. In collaboration with providers, commissioners shall identify specific areas of work that need to be supported by inter-agency protocols. Commissioners shall ensure that protocols are agreed between relevant statutory and voluntary agencies to clarify the process of sharing information eg. In respect of court diversion schemes, prisoners with mental health problems, tackling crime, substance misuse, child protection, elderly mentally frail, housing. Commissioners shall ensure that agencies that provide services under contract or on a voluntary basis are consulted when policy and procedure is reviewed. Appendix 10 Information Sharing Protocols 12. ROLES AND RESPONSIBILITIES 12.1 Corporate (Hampshire County Council) Responsibility It is a Corporate responsibility to ensure that corporate systems are safeguarded from data loss, corruption, or misuse. Security principles will be a fundamental consideration in the development of every system. It is a Corporate responsibility to ensure that systems are notified to the Data Protection Commissioner for the purposes of the Data Protection Act 1998. 12.2 Departmental Responsibility All personal information held in Adult Services & Children’s Services will be kept in accordance with the law and central government guidance and in accordance with the policies contained in this document. The Adult Services & Children’s Services policy framework expresses the values and principles underpinning recording practice and ensures that the Data Protection Act is fully implemented in the way the department records and shares information. 44 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Adult Services & Children’s Services IT strategies need to be explicitly linked with case recording policies and procedures. Development of new systems (manual and electronic) and approval for development should be in line with corporate and departmental policy. In addition to a policy framework which expresses the values and principles underpinning recording practice, staff will receive guidance on best practice in case recording. The Departments will ensure that training, awareness and guidance is readily available. Adult Services & Children’s Services will ensure that personal information is disclosed only with the consent of the subject (except where exemptions of the Data Protection Act 1998 apply). Adult Services & Children’s Services will have adequate safeguards in place to ensure that disclosure of personal information with consent will only occur in limited circumstances on a need to know basis where it is essential and consistent with policy. Adult Services & Children’s Services will regularly review and maintain this policy document and related procedures. 12.3 Roles and Responsibilities for Adult Services & Children’s Services Staff 12.3.1 IS Manager, Operations Manager/Data Protection Coordinator. It is the responsibility of the IS Manager and Operations Manager/Data Protection Coordinator to ensure that in Adult Services & Children’s Services Department there is adequate computer security and compliance with the relevant legislation. It is the responsibility of the Operations Manager/Data Protection Coordinator to provide security procedures so that users of computer facilities are aware of their responsibilities. These procedures will be reviewed in order to respond to changes in legislation. 12.3.2 Area Lead Service Managers and Assistant Directors Lead Service Managers and Service Managers must ensure that these guidelines are understood and followed by all staff using computer systems and facilities within their geographical area/section. 12.3.3 Administration and Process issues Access Administrators, both in Areas and Centrally have a responsibility to monitor and respond to requests and to apply the established policy and procedures for access grants. Human Resources and Line Managers have a responsibility to send prompt and appropriate notification about new starters and to ensure that access is removed when it is no longer required or a member of staff leaves. 12.3.4 Managers All Managers must ensure that these guidelines are understood and followed by all staff using computer systems and facilities within their geographical area. 45 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Adult Services & Children’s Services Team Managers and Line Managers need to demonstrate a commitment to case recording as an important part of the service to users and carers and to ensure that policies and procedures are established. The commitment should be explicit and reflected in recruitment, induction, training, performance appraisal, auditing, monitoring and review. All staff using computer facilities and systems must be trained in their use and sign a Information Services Security: Form of Undertaking Appendix 5. It is the responsibility of the person authorising access to ensure that adequate provision for training is made. 12.3.5 Key Workers Key Workers will abide by the principles outlined in this document and will: advise their Users on the ways in which User information is used and shared reaffirm the principles of confidentiality proactively share the User’s records with the User maintain the standard of data recording ensure that User information is safe and secure at all times For every open case there should be a named Key Worker who is responsible for ensuring that the paper and electronic User files are maintained and that information is promptly recorded. The Key Worker is responsible for the case record and is accountable to his or her line manager for ensuring that the management and quality of that record is in line with the standards set out in this document. The Records Management Officers will ensure that Departmental records management policy and guidance are consistently applied to all records in an Area Office and its managed units and will particularly focus on the management of manual records and ensure that they can be located and retrieved within the prescribed timescales, that they conform to the specified file structure and are stored securely. 12.3.6 All Staff All Staff working for Adult Services & Children’s Services who have access to information about individual Users have a duty of confidence. The individual’s right to confidentiality must be respected. Personal information must be treated with care and this means not disclosing it to people who do not need to know. In normal circumstances the consent of the information provider will always be required for the disclosure of information to third parties. Subjects and donors must be satisfied that information supplied for social work purposes will not normally be disclosed without their permission. All staff are required to be familiar with the law and this policy and procedures guidance and will be subject to supervision which will include the review of the quality of recording against standards identified in this document. All staff will comply with corporate standards for the use of e-mail and the Internet. These standards can be found in Hantsweb. (See also Appendices 1 & 4 for further details) All Staff are responsible for ensuring that records are kept up-to-date and the maintenance of records is a high priority for all teams and units. 46 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION All Staff who receive an enquiry from the media about a service user related matter must refer the enquirer to the Adult Services & Children’s Services Press Officer. Maintaining Security All Staff using electronic and/or manual records must be aware of and comply with : The principles of the Data Protection Act 1998 The specific requirements of Hampshire County Council and HCC Adult Services & Children’s Services Caldicott Principles Staff using electronic information systems must be aware of and comply with: The principles of the Computer Misuse Act 1990 The principles of the Copyright, Designs and Patents Act 1988 Key principles are shown below: The Data Protection Principles 1. Personal data shall be processed fairly and lawfully. 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with that purpose, or those purposes. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and, wherever necessary, kept up to date. 5. Personal data processed for any purpose or purposes shall not be kept for longer than it is necessary for that purpose or those purposes. 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction, or damage to, personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The Computer Misuse Act 1990 This Act introduced offences in relation to computer security. It is an offence to logon to a computer where there is no authority to do so (Even though the motive is only curiosity) It is also an offence, even while logged on legitimately, to access parts of the system which are not covered by the existing legislation. (Even though the motive is only curiosity). 47 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION A more serious offence is committed if, in either of the two cases above, the motive is malicious. The Copyright Designs and Patents Act 1988 This act provides the same rights to authors of computer programs as to those of literary, dramatic and musical works. It permits the author to charge a fee for the publication or performance of the work in question; copyright is normally assigned to the company who employs the author(s). Copying, publishing or adaptation of software is an offence. Therefore, it is definitely an offence to copy a program for several users in a company without gaining specific authority from the copyright holders. All Adult Services & Children’s Services Staff are responsible for the safe keeping and storage of records and it is expected that All Staff will abide by the following principles. i) ii) iii) iv) v) vi) Files must not be left on desks overnight When not in use paper files must be stored away in lockable cabinets When not in use computer files must be closed and subject to password security When in use files must not be left unattended for passers by to observe Paper files in transit must be enclosed in appropriate envelopes and marked confidential Files must not be displayed in public places (eg on trains) or left in vehicles at any time Confidentiality i) ii) iii) viii) x) The aimless scanning of personal records or browsing through files is forbidden. Use of personal data should be related solely to work procedures. Do not mislead others about the reasons why they are providing information, how it will be held and with whom it will be shared. The passing of information from the system to any person not entitled to such information is forbidden. Knowingly making available information from the systems to such people may result in disciplinary proceedings. Confidential information should not be released as the result of a telephone enquiry. The identity of the caller and the telephone number should be established and an offer made to call them back. The authenticity of the caller can then be checked by reference to the telephone number and it can be verified that they are entitled to the information before calling back. It may happen that a member of staff becomes aware of information relating to people known to him/her personally. The confidentiality of this information should be respected and not divulged unless required in the course of their work. In all cases of doubt, a supervisor should be contacted. All data must be as accurate as possible: regular verification of data and culling of obsolete records must be carried out on all records to ensure that data is correct, complete, up-to-date and not held for longer than necessary. Only hold data which is relevant for work purposes. Do not elaborate! Adequate steps must be taken to safeguard data from loss or corruption. 13. DATA QUALITY STANDARDS iv) v) vi) vii) Case recording policy and procedure, the resulting case records and access to them are all part of our services to users and carers. 48 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION This section picks out some key features of quality data. Further detail and examples addressing particular User groups can be found in the “Recording Practice Guidelines” section. 13.1 Accuracy and Completeness It is expected that records will be accurate and complete. Inaccurate or incomplete records will jeopardise a consistent standard of care for the User and may even put them at risk. The User has the right to request correction of any factual inaccuracies. Where the User and Case holder disagree about recorded facts, the User’s view should be recorded. Elements of data recorded in electronic systems are used to supply Management Information, for the purposes of planning and commissioning and for statutory returns which may influence the amount of grant received by the department. Inaccurate, or incomplete data will have an impact on all of these. 13.2 Clarity and Style of Language The User’s record should be written as if the User were reading it with you. Language should be clear, concise and free of jargon. Abbreviations should not be used. User files should reflect anti-discriminatory practice and demonstrate sensitivity to the needs of all people in the community. Accurate and respectful language should be used. A professional standard of language in the User’s file is expected at all times. If derogatory, or offensive terms are used in any part of the User’s record, disciplinary proceedings will be considered. You should note emails are also considered part of a user’s records please follow the link to the Corporate guidance notes (appendix 4) 13.3 Timeliness Every contact with a user, or about a user must be recorded within one working day. This is necessary because memories are unreliable and accurate recording is essential. When there are changes in, for example, the User moves to another address, or dies, this must be recorded promptly. The recording of death is of particular importance because of the potential to cause distress to families. Deaths should be recorded in SWIFT as soon as we are informed. In exceptional circumstances where delaying recording is necessary, the reasons for the delay must be recorded. 13.4 Recording Decisions Any decision that affects the user and signifies the department’s intentions towards the user must be recorded on the form appropriate to the situation. 49 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The people involved in making the decision should be identified and the reasons for making the decisions should be clear. If there is a link between the decision made and departmental policy, legislation or research, this should be explained in the record. The person responsible for the decision should make the record. However, there will be occasions when decisions are made in meetings. In this event the decision should be recorded by the Key Worker in the profile note, together with information about the date the meeting was held and the nature and purpose of the meeting. 13.5 Recording the Sharing of Information When information has been shared with another agency, or organisation, this should be recorded on the User file. Case records should also contain details of when service users and carers have seen and been offered and/or given copies of papers. 13.6 Monitoring Managers will ensure that practitioners achieve good professional standards and adhere to Adult Services & Children’s Services policies and guidance by routinely monitoring the quality of case records and efficiency of case recording practice. 14. TRAINING AND AWARENESS FOR STAFF 14.1 The nature of the requirement Effective records management requires an integrated approach to improving performance. Thus alongside developing the systems and processes, the techniques and equipment, it is essential that the knowledge, skills, attitudes and behaviours of the staff who operate and influence the systems are similarly developed and addressed. In order to achieve this, the training and development will be a multi-faceted approach which is firmly set in the Performance Development and Supervision framework, emphasising that the line management responsibility for managing and developing staff is paramount. To support managers and staff in achieving the standards and development required, a range of mechanisms will be available, including information and guidance, an induction checklist as well as a range of courses and specific interventions. All training and development will encourage a positive attitude to Records Management. It will set the activity in a context where staff are able to recognise that caring about effective data recording and management is an essential way in which they truly care about their Users. 14.2 Induction All new starters requiring access to Hampshire County Council electronic systems will attend a one day Information Services induction before being given their USERID A local induction will be arranged by the manager to set the scene for the new recruit. 50 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION The importance of and attitude to recording and Managing data will be demonstrated by the manager during the induction process and subsequently. It is essential that managers design a comprehensive local induction specific to the role of each new recruit that enables a recruit to conclude that: Careful records management matters very much Managers will check individual recording practice frequently at first and continue to monitor standards actively It is a written objective that will be reviewed in Performance Development interviews Staff receive support through a variety of means to reach the required standard. Coaching by the manager, reading documentation and guidance, peer group support and local team development activities will be most effective in promoting quality records management. 14.3 Performance Management The departmental objective of achieving the standards set for data recording quality, maintenance and storage will cascade through the Performance Management system. The objective will appear in the Performance Objectives and Development Plans of all relevant senior, middle and first line management and finally in the objectives and Performance Development plans set for each individual according to their particular responsibilities. Initiatives will combine and reinforce one another to introduce a monitoring aspect within the approach to records management, training and development. The Information Governance Team objectives will be used as part of the documentation submitted for Investors in People assessment. For this purpose an audit will be conducted with respect to Performance Development and Records Management through the department. 14.4 Competencies Training and development strategies will move towards a competency based approach. When recruiting, attention will be paid to developing Role Profiles and Person Specifications. This will enable the recruitment of staff whose knowledge, skills and attitude is commensurate with achieving the desired competencies, supported by an appropriate induction and development programme. 15. MONITORING AND ENFORCEMENT 15.1 Monitoring Monitoring will be carried out at a number of levels 15.1.1 Monitoring of systems access and use A regular audit of systems accesses will be carried out to ensure that these are appropriately applied. 51 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Incidents of users leaving machines logged on, or repeatedly trying to gain access to systems where they have no authorisation are monitored and followed-up. Line managers will ensure that the security and confidentiality principles in this document are known and understood by their staff and will monitor the application of these principles. 15.1.2 Monitoring of recording standards Line Managers will monitor recording standards in regular supervision sessions with staff. Case file audit tools will be available to assist with this. The tools to audit both recording and practice quality are contained in Quality practice case file auditing policy and procedure (adults)(23/05). Regular “spot check” audits will be carried out across the County to ensure that recording standards are being maintained. Results of monitoring will be routinely reported to Area Centres and to Headquarters. Regular production and analysis of accuracy reports for key items of data, followed by correction of inaccurate/incomplete data where this is identified. Feedback from training sessions and workshops which highlights issues will be monitored and reported through the appropriate channels. To help assess the quality of recording the Social Services Inspectorate in “Recording with Care” (published 1999) suggests the following criteria: Poor. No record of work, or it is so partial it is of little value Weak. The record indicates the dates the people were contacted/seen and gives brief details of actions taken/ decisions but is incomplete or superficial. Good. The record indicates the dates, purpose and outcomes of contacts (i.e. meetings/interviews/ telephone conversations) and who was present. It presents all the information and at intervals brings it together as part of the assessment, planning and review cycle. Superior. In addition to the requirements for good recording it presents all the salient information, both past and present, about the service user/child and family. This information is analysed and used as a basis for deciding what the current risk to service user/child; what plans need to be made to reduce risks and rationale for these; details the work being offered to the service user/ child and family, work being undertaken and by whom. 15.2 Remedial Action Where failure to comply with the principles of this document can be seen as a lack of awareness or understanding, this should be rectified immediately with the appropriate training and guidance. Where there is failure to comply because of some system failure of a system, or lack of appropriate facilities, this should be reported immediately through the appropriate channels. 52 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Where there is repeated failure to comply, or deliberate misrepresentation or noncompliance with the policies and principles outlined in this document, then sanctions will be considered. 15.3 Sanctions Where it is observed that there is a breach of security procedures, depending on the severity, access to electronic systems, data and equipment may be withdrawn and disciplinary measures taken. Unless employees can show that they acted in good faith, disciplinary procedures will be considered where confidentiality has been breached. Repeated failure to comply with the standards for recording of User information may result in disciplinary action. Deliberate misuse of information may result in dismissal. 53 (Proc 06/07 – 21 Feb 2007) GENERAL 16. RECORDS MANAGEMENT & DATA PROTECTION GLOSSARY ACCESS ARCHIVE CULLING DATA PROTECTION COORDINATOR DATA SUBJECT Ability to use different systems. Access is only granted by authorised personnel to staff who will need to access systems regularly as part of their role. To copy files to a long term storage medium when these are no longer required for regular use, but should not be deleted. Destruction of electronic or manual records according to retention and deletion criteria. Responsible for policy and procedures relating to the security and handling of information and checking compliance with the Data Protection Act. Any individual who is the subject of personal data DATA USER Any member of staff authorised to process or use personal data held by the department ISO Information Services Officer – Support, Training, KEYTEAM A team linked to a budget. A User file in SWIFT is placed in a Key team which will relate to the team/budget which will provide the bulk of the services for that User. (Eg. Havant Older Persons Team). PC/PERSONAL COMPUTER A computer, comprising screen, keyboard and local processor, which is able by virtue of additional programs, to process data locally without using the facilities of the network PERSONAL DATA Any information from which a living individual may be identified, including, for example, any expression of opinion or data stored on a word processing file, or in a manual file for future use or reference. PROFILE/GROUP Staff will be allocated a user profile which describes their role, work base type. the group defines the levels and types of information they can access and document restrictions which should be applied RMO Records Management Officer RESTORE If a electronic file is deleted in error IT services must be contacted for a restore SYSTEM USER A member of staff who uses our systems USER A member of the public for whom we are providing services USER FILE The computer and paper file which contains the complete User record LOGON ID/ Hantsweb ID A computer user’s code name identity, used to gain access to HCC’s computer network systems. VIRUS Computer programs with the ability to corrupt other programs and data WIN TERM A computer, comprising a screen and keyboard, which can only process data if connected to the central network via communication links. 54 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 1 Guidance for Outlook users 1. Outlook users are expected to apply the same conventions and procedures to Outlook as they would to other forms of communication. 2. Authorised Outlook users must have at least basic training in the use of Outlook. 3. Managers should not share their passwords with other so that they can maintain their diaries. Outlook has an inbuilt facility for diary sharing for this purpose. (Contact the Helpdesk for further advice). 4. Increased use of Outlook has led to many users returning to an excessively large in –tray after a period of absence. All users can help to reduce this by: Using the Away facility Avoiding copying notes and documents to a wide audience just in case they are interested. Restrict distribution to those users who have a genuine need to know. If a member of staff is unexpectedly absent, for example on sick leave, a “Away” message can be set up on their userid. (Contact Helpdesk for further advice). Outlook in-trays should be opened at least twice daily, or when absent an “Away” message should be set up. All Outlook users must maintain Outlook calendars so that other users can make full use of the facility. However, there are occasions when care needs to be taken when adding personal data to a diary entry in Outlook. The Information Commissioner, who is responsible for compliance with this Act, has asked us to remind staff that they should be aware of the data protection legislation in relation to personal information when using the Outlook diary facilities. Staff are reminded that they are required to work according to the eight principles of the Data Protection Act 1998. All information that is included in your meeting notice can be read by any other Outlook user, unless for example, you mark your notes as `Private'. It is recommended that on certain occasions you should use the `Private Appointment' facility, particularly if sensitive personal data is part of the entry e.g. a disciplinary case meeting. When entering the meeting title or adding details containing personal data (anything that identifies a living individual) as part of scheduling an appointment with other Hantsweb 2000 users, take care. Examples: · Setting up a meeting to discuss a User, or a member of staff - the subject box should not contain the name of the User unless your note is being sent to a restricted audience. (e.g. between solicitors). Only as much information as necessary in order to identify the case/User or meeting purpose should be included in the title line. Try to use initials, an abbreviation, perhaps a case number, or file reference, or more general description. You may also wish to mark the entry as Confidential or Private. If you add names or anything that identifies the User when entering additional information, you need to be aware of the need to maintain confidentiality, and must tick the `Private Appointment' box located at the bottom right hand of your screen when creating your meeting note. You may wish to advise a manager if your meeting is out of normal office hours, or in the home of a User. Another person should be aware of the location and times if your 55 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION meeting is one to one, or perhaps within a family group and away from the office. Providing information such as `Home Visit' and a case number in the meeting/diary entry will enable others to track your commitments when you have early morning or evening work appointments. · You may choose to tick the `Private Appointment' box if you are attending a hospital appointment or visiting the dentist and do not wish others to see this information. These guidelines are intended to help you understand the need to consider which of the facilities you should select when using the diary in Outlook. Contact your departmental data protection co-ordinator if you require further assistance. 56 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 2 Ethnic recording policy For complete information read document 31/98. This procedure is to assist our commitment to equity and best practice as outlined in our Race Policy Statement. We are committed to; “Combating racism. Failure to observe this stance in the workplace will result in disciplinary action. All staff taking positive action to eliminate discrimination in service delivery linked to a person’s racial and ethnic background. Ensuring that members of black and ethnic minority groups are seen as individuals and not in terms of racial stereotypes. Providing services that will be culturally appropriate and equally accessible to those who need them. No one will have to refuse or forfeit services because his or her cultural, religious or dietary needs are different or unusual. Ensuring the quality of the service is the same irrespective of the racial origin, culture, religion and language of the recipients.”` The recording process; The person collecting the information says “ We now ask all users of our services about their ethnic origin. This helps us to plan services that meet the needs of all groups in the community. Could you please indicate what you consider to be your ethnic origin? “ The user indicates his or her response verbally or with a mark. The response is entered onto the appropriate form. The response may be requested but unable to provide. This may be in SWIFT or paper form. Please note it very important to record this sensitive information accurately. http://intranet.hants.gov.uk/social-services/equalities-2.htm 57 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 3 REQUESTING SYSTEM ACCESS – ‘ONE STOP SHOP’ – FOR YOUR USERID AND IT SYSTEMS ACCESS REQUIREMENTS The ‘One Stop Shop’ Userid Request form includes access to the following: Hantsnet Userid Outlook MS Office, eg Word, Excel etc Swift SAP – Finance E Works and Other Specialist Applications Automatic nomination for IS Induction Course, initial Swift Training Course and SAP Overview Managers are reminded that requests to provide a new/change of user ID should be submitted in plenty of time to ensure the ID & Training is available when new staff join the team. User ID Request Form - including changes, deletions, enabled/disabled userids etc What to do when you have a new member of staff, someone leaves or moves to another team The IS Section has an electronic form which is available online for requesting User IDs (including changes, deletions, enabled/disabled userids etc) and relevant systems access including automatic nomination for IS Induction Course, initial Swift Training Course and SAP Overview. This intuitive form offers a simply and speedy method for you to submit your user ID requests. System accesses include Outlook, Swift, E Works, SAP Finance and Other Specialist Applications. You will need to request SAP HR access (including ESS and MDT) using the HR form accessed via the SAP link on the Adult and Children’s Services home page and send to your usual HR contact. A link to instructions for SAP HR/ESS access is provided for you in a confirmation email sent at the end of the new form each time you submit it. Please note, although Swift access must be requested at time of submitting Userid Request, access is not granted until appropriate Swift training has occurred. The link to the request form can be found by choosing Adult and Children’s Services Homepage from your main Hantsnet homepage, then choose Process (Forms). The same form is available via several names in the Process (Forms) intranet page to make it easier to find, eg Userid Request form, Deletion of a Userid Request form. 58 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Here it is! For external users A Userid Request form can also be accessed externally via the web for those who do not have access to Hantsnet. Details below:http://eformsext.hants.gov.uk/AF3/an/default.aspx/RenderForm/?F.Name=PzzZP4Rb2vH However, for requests made via this route, please note that SAP access and Swift Training will need to be requested via the existing routes. Links to the appropriate nominate/instruction pages for SAP access and Swift training are provided for you at the end of the form each time you submit it. If your external Network does not allow access to this form or you have any problems using it, please contact IT Help who will raise a Heat call to contact the Support team. And finally, but just as important……. Please do remember to submit a 'Delete an ID' form when staff leave the Department to ensure all accesses are withdrawn. There are many tasks to do when someone leaves your team, it is important that you don’t forget the IT systems at this time. There is a £420.00 pa charge for each Hantsnet (IT2000) account Similarly we are charged licence fees for SAP and SWIFT and we need to be prudent in closing these accounts down when a person leaves. Delete a Userid Request forms can be found in the same location as requesting a new Userid form. 59 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION If a Userid is unused for 45 days, then the Userid will be disabled for a further 30 days at which time the Manager will be contacted to see whether there is a genuine reason for the Userid to remain disabled eg long term sickness. Unless otherwise advised, the Userid will then be deleted. 60 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 4 Guidance for use of Internet and E-mail Personal Data in e-mails In accordance with the 1998 Data Protection Act, you will have to disclose personal data contained in e-mails which you have filed if Hampshire County Council receives a subject access request from an individual who suggests that it is likely that you will have copies of e-mails sent, or received, containing personal data about that individual. If you act unlawfully you may face disciplinary proceedings and possible prosecution. When creating an e-mail using Hampshire County Council applications it is important to follow these guidelines: · Take care about the content of your e-mail. If you are processing personal data about someone else do not express opinions or add comments that you would not be prepared to share with that person, or put in a formal letter. When a Subject Access Request is received you may be required to disclose personal data contained in your e-mails, unless an exemption within the Data Protection Act applies. · Remember to check the title line of your e-mail As a general rule, User names or other identifying personal details relating to them should not be included in the title line. It may occasionally be necessary to place User personal information in the title line but the audience should be restricted. (e.g. between solicitors, or on a need to know basis between a User department and a member of Treasurer's assessment team). Only as much information as necessary in order to identify the case/User should be included in the body of the email text. It is however essential that enough accurate details are provided in order to deliver the service to the correct User. · Think about marking emails as `Confidential' When necessary mark emails as Confidential and consider reminding recipients not to forward the note without reference to the sender. · Be aware your note can be passed on to others by the recipient and perhaps reach a far wider audience than you intended. · If you do save any electronic records containing personal data (e.g. e-mails and any form of attachments), your intention is to process the document at a later date. · Always question why you are saving an e-mail. When you have finished the processing required on an individual, delete the data unless you intend to archive the note electronically. · Be aware that personal data should not be kept longer than necessary under the Data Protection Act 1998. (Principle 5) · Review the content of note-logs/sent items regularly and delete those that are obsolete. 61 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION · There should be no reason to retain e-mails containing personal data permanently. If it is essential to retain the note, print it and place the note on a file where it will be reviewed as part of the retention process. However, if you use electronic filing and archiving facilities remember that these documents are also covered by retention policy requirements. · You are responsible for managing your electronic data. This guidance should be read in conjunction with the corporate guidance on using email and any departmental policy. 62 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 5 - Adults & Children’s Services Departments Information Services Security: Form of Undertaking - Individual UserIDs Name: Internal Name You have been issued a personal Userid UserID The Adult & Children’s Services Departments currently use various computer systems which contain information of a confidential, sensitive or personal nature. It is vital that only those people who need such information in order to carry out their work have access to the information. Security of the information held on the Departments’ computer systems is achieved by the issue of personal userids and passwords to members of staff who need access. These userids and passwords control the level of access granted to each individual to each system It is, therefore, important that you read the procedures: “Records Management and Data Protection Act 1998 policy and procedure” and “Computer Security & Data Protection Guidelines” All users should additionally be aware of Corporate guidelines for the use of e-mail and other Information Systems including the internet. These procedures can be found in the County’s web pages under IT Security within the IT Information section. DECLARATION I have been directed to the departmental procedures: “Records Management and Data Protection Act 1998 policy and procedure” and “Computer Security & Data Protection Guidelines”. I acknowledge that I must abide by these and other corporate and departmental guidelines governing the use of Information Systems. I also acknowledge my password for access to computer systems is personal to me and must not be divulged to any other person. I appreciate that contravention of computer security may be a disciplinary offence. I accept that my access to computer systems may be revoked or adjusted if my employment changes or if I contravene these procedures. I have been made aware under the Hampshire County Council e-mail, Internet, Intranet and Monitoring Policy that in the event of absence or leaving the Department or Authority my user account may be accessed and that all personal information should be removed at the earliest opportunity. Signed: _____________________ Date: ____________ Designation: ____________________________________ Work base/Agency: ____________________________________ After you have signed this form, please return it to the trainer. 63 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 6 Courses supporting effective records management can be found on the Hampshire Learning Centre Link below http://www3.hants.gov.uk/learningzone.htm 64 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 7 Full List of Legislation Adoption and Children Act 2002 Adoption Agency regulations 1983 (still in force in some respects) Adoption Agency Regulations 2005 Arrangement for Placement of Children (General) Regulations 1991 Association of Directors of Social Services, Draft Code of Practice Autumn 1999 Carers (Recognition and Services) Act 1995 Children Act 2004 Every Child Matters Children’s Homes Regulations 1991 (no longer current but still referred to) Choosing with Care – Report of the Committee of enquiry into selection, development and management of staff in Children’s Homes 1992 DOH Computer Misuse Act 1990 Copyright, Designs and Patents Act 1988 Data Protection Act 1998 The Data Protection Act Explained, James Mullock and Piers Leigh – Pollitt Data Protection Act 1998, Guidance to Social Services March 2000 Local Authority Circular 88 (17) Personal Social Services Confidentiality of Information Mental Health Act 1983 National Health and Community Care Act 1990 Protecting and Using Patient Information, NHS Executive 1999 Recording with Care, Social Services Inspectorate 1999 Care Standards Act 2000 Care Homes Regulations and National Minimum Standards The boarding-out of Children (Foster Placement) Regulations 1988 65 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Hampshire County Council And Adult Services & Children’s Services Department References Joint Approved List Of Domiciliary (Personal) Care Providers: Terms And Contract Conditions Safeguarding Our Children The policy and procedural requirements of Hampshire, Isle of Wight, Portsmouth and Southampton Child Protection Committees 2004 http://www.4lscb.org/userimages/4ACPCProceduresApril04.pdf Mental Health Practice Handbook 1983 66 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 8 List of relevant leaflets, guides, systems manuals and who gets them; Manual/ leaflet/ guide Distribution Your Records leaflet Records Management Officers SWIFT Manual On-Line Care management competencies Available to Team Managers and Key Workers in Adult teams. 67 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION APPENDIX 9 File Structures File Structure for Occupational Therapy (ALL Sections to be filed in Book Form only) 1 Key Information 2 Departmental Administration 3 Recording 4 Legal 5 Reviews 6 Correspondence 7 Third party information / Confidential 8 Finance 9 Any other paperwork 10 CR1, CR2, CR3, CR10, permission to share, current Gen 2 and assessment DP1, DP2, DP3, DP8, DP9, DP15, request to Environmental health for disabled facilities grant, equipment request forms. Hoist record of issue. CR6a, CR6b, previous Gen 2 and assessments Any legal papers Any review paperwork Subject Access Request (CR11) paperwork Any information in this section will require the permission of the author, prior to disclosure. To be divided into 2 sections: a) Confidential b)Legal Privilege – do not disclose, seek management advice DP14, DP19 Housing Plans and adaptations Any e-mails should be filed in the relevant section according to content 68 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION File Structure for Nursing Homes (ALL Sections to be filed in Book Form only) 1 Key information (Current Information) Resident personal details, Next of Kin, permission to share, Swift Assessments 2 Departmental Administration (Current and Historic) Initial Assessments, Swift details, Term’s and Condition’s, CT returns, old care plan 3 Recording (Historic) Daily Diary Notes, GP recordings 4 Medical/Care Assessment (Historic) Barthel, Waterlow, Moving and Handling, Occupational Therapy, Medication, Nutrition, Night Assessment, Continence Assessment, Observations 5 Reviews (Historic) In house(6 weeks), Care Management 6 Correspondence ( Current and Historic) All general letters not relating to other areas in the file, Subject Access Request (CR11) paperwork 7 Confidential (Current and Historic) 8 Complaints ( Current and Historic) Any information in this section will require the permission of the author prior to publication To be divided into 2 sections: a) Confidential b)Legal Privilege – do not disclose, seek management advice Details of complaints, action taken, resolutions 9 Financial 10 Legal ( Current and Historic) SAP information, assessment from income, power of attorney Reg 37, Property Discharge, Any legal papers, CSCI returns Any emails should be filed in the relevant section according to content 69 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION File Structure: Child’s Adoption File (ALL sections to be filed in book form only) 1 2 Key Information / personal details 3 Recording/Contact Sheets CR1, CR2, CR3, CR10, Gen6, Current Gen 2 Departmental Administration/Finance (Separate finance file to be set if there is an ongoing adoption allowance – copies on this file) Orders, finance CR26, VA3, CC11, CC12, CA9, CA10, DP1 CR6a, CR6b, CR8, Form E, chronology-unless confidential 4 Legal 5 Reviews / Stat reviews of child placed for adoption if necessary open a separate file, all items from date adoption became plan (only do this if amount of paperwork warrants another file). Court orders, legal advice form, copies of birth certificates, consent to adoption AF222, court application forms (adopters), court notification of adoption order. To be in chronological order; also Minutes of meetings, consultation documents, planning meetings, inter area agreement AF232 6 Correspondence 7 Third Party information/confidential 8 9 10 Adoption Information Exchange All correspondence unless confidential; notifications of placement/ adoption Forms AF229, AF244. Acknowledgement AF222c Complaints, Police Checks, Education ,Health reports. Panel Decision AF218, Minutes of Panels, memos from panel, Schedule 2 report. Copies of A1E forms Other Items e.g. Copy of Life Story Work When closing file ensure all paperclips and plastic pockets are removed (use manila envelope if hole punching not possible). Also destroy Police Checks and Panel Agendas. Form F (adopters) should not be on this file unless the adopters are from another agency. In which case file report in sec 7 – confidential. Any emails should be filed in the relevant section according to content Amended 10/06 70 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION File Structure for Closed Adopters File (ALL sections to be filed in Book Form only) 1 Key Information/Personal Details CR1,CR2,CR3,CR10,Gen6,Current Gen 2 2 Departmental Administration/Finance 3 Recording/Contact Sheets Orders, finance CR26, VA3, CC11, CC12, CA9, CA10, DP1 CR6a, CR6b, CR8, Form F, (not referee visits) 4 Legal 5 Reviews / Stat reviews 6 Correspondence Court notification of adoption order. Any other relevant legal documents, consent CA14. Copies of reviews on child placed for adoption, Minutes of Meetings, Consultation documents, Planning meeting, Inter-area meeting AF232. Six month updates AF220. All correspondence unless confidential. 7 Third Party information/ confidential Complaints, Police Checks, Referee reports AF210 (a +b); Panel Decision AF218, Minutes of Panels, Panel memos, Schedule 2 report. 8 9 10 When closing file ensure all paperclips and plastic pockets are removed (use manila envelope if hole punching not possible). Also destroy Police Checks and Panel Agendas. Child Permanence report (formerly Form E) on the child should not be on this file unless the child is being placed by another agency. Any emails should be filed in the relevant section according to content 71 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION File Structure for Adult Services (ALL Sections to be filed in Book Form only) 1 Key Information / Personal details 2 Departmental Administration 3 Recording 4 Legal Documents 5 Reviews 6 Correspondence 7 Third party information / Confidential Current Care Plans and assessments signed by users, CR10, permission to share, current Gen 2 Referrals for other services, E2, DP1, day centre returns, previous care plans and assessments, quality care reports, Health & Safety forms, risk assessments Any written contact sheets not on Swift, previous Gen 2, previous referrals Any contracts with providers etc, orders, court of protection orders, power of attorney evidence Copies of review forms signed by user Subject Access requests (CR11) paperwork Any information in this section will require the permission of the author, prior to disclosure. To be divided into 2 sections: a) Confidential GP medical form, Barthel chart, complaints, Nursing assessments, Health summary form, incident reports (VIR), case conference minutes of meetings. E10, E10a (adult abuse forms) b)Legal Privilege – do not disclose, seek management advice 8 Finance NRC temporary adjustments, SSD421, VA3, SAS4, SAS10, Panel applications & decisions, Benefits Agency related paperwork 9 Occupational Therapy 10 Other Services Hearing Impaired, Blind/Disabled Registration, Disabled Parking Badges, MOW, Residential Units Records and Adult Placement Any e-mails should be filed in the relevant section according to content 72 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION File Structure for Children and Families (ALL Sections to be filed in Book Form only) 1 Key Information / Personal details 2 Finance 3 Recording / Contact Sheets 4 Legal Documents CR1, CR2, CR3, CR10, GEN6, Permission to share, chronology of events. Keeping track form, Current Gen 2, current core and initial assessments Orders / finance, CR2b, GEN10, VA3, CC11, CC12, CA9, CA10, CA54, DP1 Risk Assessments In chronological order: CR6a, CR6b, CR8, Assessments, CR5, CR7. Previous Gen 2, previous core and initial assessments If necessary open a separate file and cross reference on CR9 for location. See separate filer structure for legal file CR9, LAC parental agreement to accommodation form, court orders, copies of birth certificates. Tribunals 5 Care Reviews - Non LAC/CP 6 Correspondence 7 Third party information / Confidential Minutes of meetings, consultation documents, planning meetings Access to records, volunteer job sheets, any other letters not relating to other areas of the file, Subject Access Request (CR11) paperwork Any information in this section will require the permission of the author, prior to disclosure. To be divided into 2 sections: a) Confidential Complaints, police checks, CYP referrals, Educational Statements Medical /Health VIR‘s b)Legal Privilege – do not disclose, seek management advice 8 Looked After Children 9 Child Protection EIR1 and EIR2 - it may be useful to keep these in a plastic sleeve as it should be in constant use! Placement forms - plus all other LAC and DOH forms, Statutory (ordinary) Reviews. CP1, minutes of meetings 10 Other Services Residential / Day Care / Family support teams / Family Link. For Adoption files use this section for all AF forms E-mails should be filed in the relevant section according to content 73 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION File Structure for Children and Families (Swanwick Lodge)All files to be filed in Book form only 1 Key Information / Personal details 2 Departmental Administration 3 Recording / Contact Sheets 4 Legal 5 Reviews 6 7 Correspondence Admission details, Key names and addresses, Parent Consent Form, Record of Property. Swanwick Lodge Care Plan, Swanwick Lodge Risk Assessment, Swanwick Lodge Positive Behavior Management Plan Initial Referral, Essential Information Record 1 & 2 (Welfare) Placement Plan Parts 1 & 2 (Welfare) Local Authority Care Plan (Welfare) Assessment and Action Record (Welfare) Asset forms (YJB) T1:V&VR (YJB) Post Court Report (YJB) T4 Supervising Officer’s report (YJB) Contact Sheets Chronology Legal Module Form, Original Secure Order/Warrant Regulation 15 Panel Decision Form Secure Application Court Reports, DTO Production Orders, DTO Pre-Sentence Report, YJB Sentence Calculations Initial Planning Meeting Minutes, Regulation 15 Review Minutes (Welfare) DTO review/Remand/Sec.91 review/Planning Meeting Minutes, T1:AR (YJB), C&Y/P consultation Form (YJB) T1:P & T1:PR (YJB) T2 (YJB) T3 (YJB) T4 (YJB) T1:FR (YJB), TC1:C(YJB) Letters/E-mails/faxes, Subject Access Request (CR11) paperwork Third party information / Confidential Any information in this section will require the permission of the author, prior to disclosure. To be divided into 2 sections: a) Confidential Third party information, Incidents Reports, Reports with privileged information Child Protection Documentation, b)Legal Privilege – do not disclose, seek management advice 8 9 Complaints 10 Medical Education Statement of Education Needs, Personal Education Plan, Swanwick Lodge Education Report/Assessment External Educational Reports Admission and subsequent Body Maps, Authorization to give consent for Medical Treatment Form, Psychiatric/Psychological Reports, RTT Reports, Swanwick Lodge Health Care Plan, SASH Forms Mental Health Screening Forms, Swanwick Lodge Parents/Carers questionnaire E-mails should be filed in the relevant section according to content 74 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION File structure for Day Services (ALL sections to be filed in Book Form only) 1 Key Information/Personal Details CR 1 - case file modules ,CR 2 - key information sheet CR 3 - names and addresses, CR 5 - assessment sheet CR 7 - reassessment sheet, Client support banding sheet Permission to share form 2 Departmental Administration/Finance MH 1 Assessment and care plan agreement FMS orders 3 4 5 6 7 Recording CR 6(a) contact sheets only Legal Documents CR 9 and copy of order Reviews and meeting minutes Correspondence Subject Access Request (CR11) paperwork Confidential/Third party information Any information in this section will require the permission of the author, prior to disclosure. To be divided into 2 sections: a) Confidential b)Legal Privilege – do not disclose, seek management advice 8 Assessment/Day service information Timetables IPPs Session recordings General assessments Copies of non-medical referrals Non-medical referral reports Guidelines for supporting client Care plans Risk assessments 9 Health/ Medical Issues Health/medical referrals/reports/assessments SALT/OT/physio/dietician/art therapist - all WSHT referrals Accident forms 10 Other Services Event records. Respite. CR 6 (b). Residential Issues. Any emails should be filed in the relevant section according to content 75 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Appendix 10 Information Sharing Protocols http://www.hantsfish.org.uk/index/practitioners/practitioners-informationsharing.htm 76 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Appendix 11 Retention Schedule http://intranet.hants.gov.uk/rh/recordoffice/rh-recordoffice-recordsmanagement/rhrecordoffice-retintro/rh-recordoffice-as.htm Introduction This is a collaborative document between Adult and Children’s Services Records Management Service and the corporate Records Management Service based at Hampshire Record Office. It is read-only and although it will be superseded in time, it should not be revised and replaced without either party consulting the other. It is important that earlier versions of retention schedules are kept long-term to provide an audit trail of decisions made about record-keeping, for Freedom of Information purposes. It is designed to give guidance to staff in all sectors of Adult and Children’s Services, as well as the Records Management Officers who are dealing with retention issues on a frequent basis. To find a particular type of record select “Edit”, “Find” and type in the name of the type of record you require and click on “Find Next”. Click on “Cancel” to exit. 77 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION CHILDREN AND FAMILIES Adoption Record of Adopted Child: manual records – individuals adopted before 30 Dec 2005, including step parent adoptions Record of Adopted Child: manual records – individuals adopted 30 Dec 2005 onwards, including step parent adoptions 75 y from date of Adoption Order (or the date of birth of the youngest child being adopted, where more than one child is on the same file, whichever is the longer) 100 y from date of Adoption Order (or the date of birth of the youngest child being adopted, where more than one child is on the same file, whichever is the longer) Destroy Adoption Agency regs., 1983 Reg 14 (3) Destroy Record of child placed 20 y from closure of case (ie for adoption but no order not long-term foster care) made Destroy Record of Adoptive parents Destroy The Disclosure of Adoption Information (PostCommencement Adoptions) Regulations 2005 2 (6) Departmental procedure based on Adoption Agency regs. Adoption Agency regs., 1983 Reg 14 (3) Departmental procedure Departmental procedure (No statutory time period) 75 y from date of Adoption Order Record of Birth parents 75 y from date of Adoption Order Birth records counselling 10 y from last contact with (formerly Sect 51 client records, Adoption Act 1976): clients adopted outside Hants Birth records counselling 75 y from date of Adoption (formerly Sect 51 Order or 75 y from date of records, Adoption Act birth if date of adoption order 1976): clients adopted unknown within Hants before 30 Dec 2005 Birth records counselling 100 y from date of Adoption (formerly Sect 51 Order records, Adoption Act 1976): clients adopted within Hants after 30 Dec 2005 78 Destroy Destroy Destroy Departmental procedure (to ensure clients are not deleted from computer system) Destroy Departmental procedure (to ensure clients are not deleted from computer system) (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION CHILDREN AND FAMILIES (cont) Adoption (cont) Other post-adoption service client records Record of Adoption Assessment withdrawn or not approved Records of Approved Adopters who withdraw Child Protection Child Protection investigation records Child placed on Child Protection Register. 10 y from last contact with client 10 y after case closed subject to discussion with adviser 10 y after case closed 6 y from last entry or until 18 y old (or 15 y from death if child is deceased) 43 y from birth (or 15 y from death if child is deceased) [each individual child] 100 y from date of birth or 3 y after death if known. Schedule I Offenders’ lists Children’s Home records Individual case files (as 75 y from date of birth or 15 described in schedule 2 y from date of death of the Regulations) Destroy As above Review and destroy if no longer required Destroy Departmental procedure Destroy Departmental procedure Destroy Departmental procedure Destroy Departmental procedure Destroy The Children’s Homes Regulations, 2001 Reg 28 Children’s Homes Regulations, 2001 reg 29 applies but record may also have historical research value Departmental procedure due to child protection concerns Departmental procedure due to child protection concerns Children’s Homes Regulations, 2001 reg 29 Admission and discharge register Permanent 15 y from closure: transfer to RMS to review Records of accidents and violent incidents 75 y from last record Destroy Record of administration of medicine 75 y from last record Destroy Record of every fire drill or test 15 y Destroy 79 Departmental procedure (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION CHILDREN AND FAMILIES (cont) Children’s Home Records (cont) Menus of food served in 1 y children’s homes Children’s Homes Regulations, 2001 reg 29 Children’s Homes Regulations, 2001 reg 29 Destroy Records of all money and valuables deposited by child for safe-keeping 15 y Destroy Record of all other accounts relating to clients 15 y Destroy Children’s Homes Regulations, 2001 reg 29 Record of staff duty roster 15 y Destroy Daily log of events in home/ Message books 15 y or longer After 15 y transfer to RMS to review Visitors’ books/registers 15 y Destroy Children’s Homes Regulations, 2001 reg 29 15 y is minimum statutory requirement, but may have long-term child protection and possible historical value Children’s Homes Regulations, 2001 reg 29 Other records Brochure/user guide to home 2 copies: permanent Transfer one copy to Social Care Library at HQ, and one to RMS Destroy Inspection records (originals) 25 y 80 Now kept by National Care Standards Commission (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION CHILDREN AND FAMILIES (cont) County Manager for C & F 5y Children’s Fund Board minutes General 6 y from closure of file or 3 y Case files not already from date of death covered eg for counselling or family consultancy NOT relating to adopted, fostered, or looked after children Fostering 75 y from date of birth or 15 Records of children y from date of death (including records of inspections by HCC of privately fostered children) Transfer to RMS to review Possible historical interest Destroy Departmental procedure and Statute of Limitations, 1980 Destroy The Boarding Out of Children (Foster Placement) Regs 1988 Reg 15; the Children (Private Arrangements for Fostering) Regulations, 1991 Fostering Service Regulations, 2002 Departmental procedure for child protection reasons (Law only requires 15 y - Fostering Service Regulations, 2002) 15 y from last action Destroy 75 y from date of birth of carer (or 15 y from date of death of carer or 15 y from end date of last placement whichever is longer) Destroy 3 y from closure Destroy Departmental procedure 10 y from closure Destroy Departmental procedure Accident records Record of foster carers or other person paid an allowance for looking after a child (including private foster carers, family link carers and kinship carers) Application for foster care not pursued any further Withdrawn application or refused registration 81 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION CHILDREN AND FAMILIES (cont) Looked After Children and Related Orders Case files for children in 75 y from date of birth or 15 care where Hampshire y from date of death. is the responsible Where there is more than authority, including one looked after child in a respite care and prefamily unit, retention is 75 y 1989 legislation, or from date of birth or 15 y otherwise looked after, from date of death of on a: care order, youngest looked after child. residence order, custodianship order, or supervision order Client record for children 6 y + cy from end of service who reside in Hampshire but another authority is responsible Case file for child on 25 y from 18th birthday Family Assistance Order Youth Offending Team a) 25 y from date of files birth* a) Not looked after/adopted/ fostered b) Looked b) 75 y from date of after/adopted/ birth or 15 y from fostered date of death (including new clients) YOT duty books 6 y from last entry in book 82 Destroy The Children (Leaving Care) Regulations, 2001, sec 10 and common procedure Destroy Departmental procedure Destroy Departmental procedure * Follow guidance from Youth Justice Board where records relate to sex offenders Destroy* Destroy Departmental procedure (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ADULTS (all relevant sectors) HCC records on Adult Placement Carers 6 y after ceasing role; 25 y after cancellation of registration, or refusal to register; or 3 y from date of death, if sooner. 6 y after closure of file or 3 y after death where no matters outstanding Destroy Departmental procedure Case files for adult and Destroy older persons service (excluding vulnerable adults and mental health service) users Care Homes and Nursing Homes for adults including older persons Case files for individual 6 y from closure of file or 3 y Destroy service users (including from death where no matters medical records) outstanding Admission and discharge register (monthly/annual) 3 y from last entry Transfer to RMS to review A copy of the statement of purpose. One copy: permanent Other copies – 3 y from becoming superseded Transfer to RMS to review A copy of the service user's guide One copy: permanent Other copies: 3 y from becoming superseded Transfer to RMS to review A record of all other accounts kept in the care home Variable – 3 y minimum: see Hantsnet http://hantsnet2000. hants.gov.uk/TC/ctdept/guid e180400.html Destroy 83 Departmental procedure Care Homes Regulations, 2001, sec 17 plus departmental procedure Care Homes Regulations, 2001, sec 17 plus possible historical value Care Homes Regulations, 2001, sec 17 but also likely to be of historical value Care Homes Regulations, 2001, sec 17 but also likely to be of historical value Audit requirements apply (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ADULTS (cont) Care Homes and Nursing Homes for adults (cont) A copy of any report 3y made under regulation 26(4)(c) (reviewing the quality of care) A copy of the duty roster 3 y from last entry of workers, and a record of alterations (weekly/monthly) Destroy Care Homes Regulations, 2001 sec 17 Destroy Care Homes Regulations, 2001 sec 17 Care Homes Regulations, 2001 sec 17 Care Homes Regulations, 2001 sec 17 plus audit requirements Care Homes Regulations, 2001 sec 17 Day sheets/daily reference sheets 3 y from creation Destroy A record of the care home's charges to service users 6 y from last entry Destroy A record of all money or other valuables deposited by a service user for safekeeping 3 y from service user leaving the home Destroy A record of furniture brought by a service user into their room 3 y from service user leaving home Destroy Care Homes Regulations, 2001 sec 17 A record of all complaints made by service users or their representatives or by persons working at the care home and any actions taken 10 y from last action Destroy Departmental procedure 84 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ADULTS (cont) Care Homes and Nursing Homes for adults (cont) A record of any of the 7 y from last entry where no following events that matters outstanding occur in the care home – Destroy Care Homes Regulations, 2001 sec 17 plus Statute of Limitations, 1980 (a) any accident; (b) any incident detrimental to the health or welfare of a service user, including the outbreak of infectious disease; (c) any injury or illness; (d) any fire; (e) any occasion on which the fire alarm equipment is operated, (except tests); (f) theft/burglary. Records of the food provided for service users and of any special diets for individual service users (weekly/monthly). 3 y from last entry Destroy Care Homes Regulations, 2001 sec 17 A record of every fire practice, drill or test of fire equipment (including fire alarm equipment) conducted in the care home and of any action taken to remedy defects in the fire equipment. 3 y from last entry Destroy Care Homes Regulations, 2001 sec 17 85 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ADULTS (cont) Care Homes and Nursing Homes for adults (cont) A record of the length of 1 year from creation Destroy Format: print-out from system. Departmental procedure time taken by staff to answer clients’ buzzers A statement of the procedure to be followed in the event of a fire, or where a fire alarm is given. One copy: permanent Other copies: destroy 3 y from being superseded Send to Social Care Library at HQ Care Homes Regulations, 2001 sec 17 but may be needed to defend against claims A statement of the procedure to be followed in the event of accidents or a service user becoming missing. One copy: permanent Other copies: destroy 3 y from being superseded Send to Social Care Library at HQ Care Homes Regulations, 2001 sec 17 but may be needed to defend against claims A record of all named visitors to the care home (monthly/annual) 3 y from last entry Destroy Care Homes Regulations, 2001 sec 17 Records of equipment use and inspection (eg boiler house) 6 y from last entry Destroy Audit requirements Delivery notes 2 y plus current Destroy Audit requirement Staff handover log sheets 1 month from date of handover Destroy Information should be duplicated elsewhere Photograph albums showing life in the home 10 y from last entry Possible historical interest Inspection records (originals) 7y Transfer to RMS to review Destroy 86 Now kept by the National Care Standards Commission (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ADULTS (cont) County Managers Hampshire Domiciliary Care Association minutes 5y Transfer to RMS to review Held by County Manager for Older Persons – contracts Direct payments policy file 5y Transfer to RMS to review Nursing care investment strategy project board minutes 5y Transfer to RMS to review Held by County Manager for Older Persons: Ops Possible historical value Held by County Manager for Older Persons: Delayed Transfer of Care Domiciliary care records Details of every 10 y from last entry allegation of abuse or other harm made against HCC care workers including details of the investigations made, the outcome and any action taken in consequence. Destroy Departmental procedure Details of any physical restraint used on a service user by a person who works as a domiciliary care worker 7y Destroy Departmental procedure based on Statute of Limitations, 1980 The service user plan devised for each service user and a detailed record of the personal care provided to that service user. 6 y after closure of file or 3 y after death where no matters outstanding Destroy Departmental procedure 87 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ADULTS (cont) Mental Health Records for users of mental health services 20 y Destroy Unallocated mental health referrals 8y Destroy Departmental procedure (based on Department of Health practice) As above Records of deceased users of mental health services 8y Destroy As above Records of investigations* of homicide by mental health service users Main copy held by Complaints Officer: 20 y Additional copy held by County Manager for Mental Health Strategy: 6 y Review within dept and destroy if no longer required *Final report to be held permanently in Social Care Library Other Files where ‘Vulnerable Adult Abuse’ investigations have taken place. 10 y from closure of file (or 10 y from date of death whichever is the longer) Destroy Departmental procedure 88 Departmental procedure (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ALL SECTORS Other client-based records 6 y from closure of case Asylum seeker records Destroy Departmental procedure Bereavement support records 3 y from last contact Destroy Departmental procedure Disabled Car Parking Badges 3 y after expiry date. Destroy Disability registrations/Visual impairment 6 y from closure of record, or until client is 18 y old whichever is the longer. 6 y from last entry or 3 y from death if sooner Destroy Departmental procedure (now dealt with by Co Treasurer) Departmental procedure Destroy Departmental procedure Occupational Therapy records which have adaptation plans. 10 y from closure of record or 3 y from death if sooner Destroy Departmental procedure OT Direct and SSD Direct tape recordings of telephone calls 1y Destroy Records on receivership 6 y from last entry or 5 y from death if sooner Destroy Departmental procedure (unindexed therefore cannot be kept longer) Departmental procedure Referral books 6 y from last entry Destroy Departmental procedure Unallocated referrals (previously known as miscellaneous referrals) including educational statements where no service provided 3y Destroy Departmental procedure 10 y from last entry Destroy Departmental procedure Financial assessment files Complaints Formal complaints records kept by Complaints Officer at HQ 89 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ALL SECTORS (cont) Complaints (cont) Informal complaints records held by HQ or area offices 3 y from last entry Minutes (Keep in electronic form where possible) 5 y from last entry Minutes of meetings with external and other partners (except where mentioned for specific county managers above): minutes dealing with general policy and strategy 7 y plus possible annual As above: minutes review thereafter detailing implementation of care of individuals Minutes of internal Adult One copy per team: 7 y and Children’s Services team meetings containing decisions which impact on health and safety of staff and service users Minutes of internal team meetings which do not include health and safety issues or relate to implementation of care of individuals 3y Destroy Departmental procedure Review within dept and destroy if safe to do so* * If minutes refer to an on-going project, may be advisable to keep until 7 y from completion of project Review within dept and destroy* Statute of Limitations, 1980 Review within dept and destroy* Review within dept and destroy* 90 * provided no outstanding matters Statute of Limitations, 1980 *provided no outstanding matters Departmental procedure * provided no outstanding matters (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ALL SECTORS (cont) Policies and project records (see below for DMT) 2 copies: permanent Published policies, Remainder: 1 year from reports, strategies, guidelines, procedures, being superseded and all departmental publications General subject-based project and policy files, e.g. containing mix of correspondence and general background information 5 y, then annual review until no matters are outstanding Transfer one copy to Social Care Library at Trafalgar House HQ. Transfer second to RMS to review Review within dept and destroy when safe to do so Policy: Directors of Adult & Children’s Services and DMT members Policy files relating to 5y Contact initiatives in which HCC RMS to took pioneering role, or review relating to major records changes in the structure jointly of the Adult and Children’s Services Departments Possible historical interest, plus needed long-term to defend against claims for compensation. Will be part of SSD publication scheme for FOI purposes, unless exemption applies. Departmental procedure Possible historical value to some records: most material however will either be covered by HCC (Committee) records or central government records (eg Dept of Health) (Files of the service directors are likely to be more general and less detailed and operational than the files of county managers on similar topics) 91 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ALL SECTORS (cont) Personnel Records Personnel Records kept by personnel units Volunteers’ records CRB checks for any part of Adult Services inspected by C.S.C.I. Until the ex-employee is 75 y old, if they have ever worked with children (including all home care staff.) Otherwise: 7 y from date of termination of employment Destroy Until the ex-volunteer is 75 y old, if they have ever worked with children. Otherwise: 7 y from last volunteering 1y Destroy Destroy Departmental procedure based on the recommendation of the Warner Committee. (Revised to take into account longer working life of some employees) As above Dispensation from CRB for C.S.C.I inspectors to be able to see checks during inspections Departmental procedure Recruitment records and 6 months interview notes for unsuccessful applicants Staff Diaries 5 y. Destroy Training records kept by Learning Unit: relating to child protection, abuse of vulnerable adults, manual handling and COSHH Training records kept by Learning Unit: other courses not covered above Individual flexitime/Signing-in sheets Staff daily signing-in sheets/roll-call sheets 40 y Destroy 7y Destroy Statute of Limitations, 1980 2 y. Destroy 1 month Destroy Working Time Directive Regulations. Not used for recording time keeping Destroy 92 Departmental procedure. Based on guidance from HCC legal services, for defence against claims (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION ALL SECTORS (cont) Personnel records (cont) Annual leave records 3y Travel claims 3 y plus current Travel warrant records 2 y plus current Child minder and 6 y plus current from end of playgroup registration/ registration inspection records Personnel records: health and safety Staff sickness records 3 y plus current Destroy Destroy Destroy Destroy Common practice Audit/tax regulations Audit Current cases are now dealt with by OFSTED. Destroy Statutory sick pay regulations, 1999 Statutory maternity pay regulations, 1999 Control of Lead at Work Regulations, 1998; Control of Substances Hazardous to Health 1999 and the Control of Asbestos at Work Regulations, 1998 Ionising Radiation Regulations, 1999 Statutory maternity pay records Medical records under the Control of Lead at Work; the Control of Substances Hazardous to Health; and the Control of Asbestos at Work Regulations 3 y plus current Destroy 40 y + current Destroy Medical records under the Ionising Radiation Regulations Accident books and violent incident reports 50 y + current Destroy 7 y (40 y if COSHH involved) Destroy Reporting of injuries, diseases and dangerous occurrences at work regulations, 1995 Destroy Departmental procedure Destroy Departmental procedure Resources and Support Services Information Services Subject Access Request 6 months files (these duplicate material in existing case files) Area Offices Visitor books/signing in 3 y from last entry registers 93 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION Appendix 12 Recording in Adult protection Basic Principles The following are some key steps and issues which need to be followed when recording intervention in situations of abuse of vulnerable adults: Refer to Adult services Procedure no 24/00 “Recording Practice and Guidance. Records Management and Data Protection Act 1998. this contains relevant general advice and principles http://www3.hants.gov.uk/proc2400.doc Refer to Adult Protection Policy and Procedures to ensure the Protection of Vulnerable Adults from Abuse (procedure 16/05. In particular section 10.10 on recording www.hants.gov.uk/adult-services/adult-protection-policy Record everything, being careful to separate fact from opinion/impression. It is imperative that information is not left out of records for fear of issues surrounding confidentiality or requests for information/records. If you are concerned or unsure about what you are recording contact the Children and Adult Services Subject Access Request Team via email SSHQSAR . The Subject Access Request Team prepare requests from service users and their representatives in accordance with the Data Protection Act 1998 any information which falls within an exemption or is deemed would cause significant physical or mental harm to self or others would be remove prior to disclosure. Everything needs to be recorded or referred to in profile notes. Give brief details of letters or meetings as key bullet points. Signpost using profile notes to other paper or electronic files eg held on I drive so information can be found easily. In respect of other files ensure that file location can be ascertained without difficulty by entering information in the SWIFT Pfiles Tab and making sure it is kept up to date. If solely SWIFT records exist then in Pfiles this should be clearly recorded as “SWIFT only”. Hold a separate Adult Protection paper record for anything which cannot be recorded in SWIFT eg correspondence and signpost to this from profile notes and add Pfiles Tab location. On closure the Adult Protection record should be placed with the Care Management record in confidential section. The ability to cut and paste into SWIFT from other functions is developing. Wherever possible cut and paste letters; minutes; outlook notes etc. into SWIFT records. Internal email should be via SWIFT not outlook wherever possible to ensure there is a clear chronology of events All files where there has been an investigation under the adult protection procedures must be retained for 10 years from the date of closure of the case. 94 (Proc 06/07 – 21 Feb 2007) GENERAL RECORDS MANAGEMENT & DATA PROTECTION DEPARTMENTAL DISTRIBUTION LIST All managers 95 (Proc 06/07 – 21 Feb 2007)