1. Purpose
In a single-handed practice the doctor is usually the data controller, and the records sit in one place with one person responsible for them. Good records support safe care and are a legal and professional duty; weak security, or the loss or corruption of records, can harm patients and breach data protection law. This policy sets out how the practice keeps clear clinical records and protects the patient information they contain.
The practice must verify this policy against current GMC records guidance and data protection law before adoption.
2. Sources to verify before adoption
- GMC, Good medical practice (record-keeping standards): https://www.gmc-uk.org/professional-standards/professional-standards-for-doctors/good-medical-practice
- Data Protection Act 2018 and the UK GDPR (health data is special category data and needs an additional lawful condition for processing): https://www.legislation.gov.uk/ukpga/2018/12/contents
- Information Commissioner's Office, registration and guidance for data controllers: https://ico.org.uk/
- The Caldicott Principles and the Records Management Code of Practice
- Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, Regulation 17 (good governance): https://www.legislation.gov.uk/uksi/2014/2936/regulation/17
3. Scope
This policy applies to:
- every clinical record the practice creates and holds, in any form
- the security, sharing, retention and disposal of patient information
- the doctor as data controller and anyone who handles patient information for the practice
4. Record standards
Records are:
- made at the time of, or as soon as possible after, the consultation
- accurate, legible and clear, recording the history, examination, decisions, advice, consent and what was prescribed or done
- attributable (it is clear who made each entry), dated and not altered after the event except by a clear, dated amendment that leaves the original entry visible
- complete enough that another clinician taking over could understand the care
5. The data controller and registration
- the practice is registered with the Information Commissioner's Office as a data controller and keeps that registration current
- the practice has a lawful basis for processing health data and a clear privacy notice for patients
- where the practice uses any processor (for example a hosted records system, a transcription service or an IT support company that can see the records), there is a written contract meeting the UK GDPR Article 28 requirements and the processor meets the required standards
6. Security
Because the records are concentrated in one place, security matters especially:
- access to records is limited to those who need it, each person uses their own account (no shared logins, so that entries stay attributable) and, where the system allows, access is logged and the log is checked
- records and devices are protected: laptops, phones and removable media that hold records are encrypted, accounts use strong unique passwords and, for any online records system, multi-factor authentication; records are not held on unprotected personal devices or sent through personal email or messaging accounts
- the practice takes regular, secure backups so records survive the loss, theft or failure of a device, keeps at least one backup away from the device it protects (so that theft, fire or a ransomware infection cannot take both), encrypts the backup, and periodically tests that a backup can actually be restored
- paper records are stored in a locked cabinet or locked room, and are not left where patients or visitors can see them
7. Sharing information
- patient information is shared only with consent or where the law allows, and only to the extent needed (the Caldicott principle of using the minimum necessary)
- where the practice shares information with the patient's GP or another clinician for the patient's care, it does so securely and records what was shared
- a loss, unavailability or unauthorised disclosure of patient information (including a lost device, a misdirected letter or email, or a ransomware infection) is treated as a data breach: it is contained, recorded in a breach log, and reported to the Information Commissioner's Office within 72 hours of the practice becoming aware of it where there is a risk to patients, and to the affected patients without undue delay where the risk to them is high
8. Patient access
The practice responds to a patient's request for access to their own records within the time the law allows (normally one month, which can be extended only for complex requests), verifies that the request comes from the patient or someone entitled to act for them, provides the information securely, and helps patients who wish to correct an inaccuracy.
9. Retention and disposal
Records are kept for the period the current Records Management Code of Practice sets, stored securely throughout, and disposed of securely when that period ends (paper shredded, electronic records and backups deleted in a way that cannot be reversed), with the disposal recorded.
10. Continuity of the records
Because access to the records depends on one person, the practice plans for the doctor being unavailable: it is clear who can access the records in an emergency and how they would do so (including where the passwords, encryption keys and backup media are held, since an encrypted record without its key is unrecoverable), how a patient would get their records or continue care, and what happens to the records if the practice closes (see the scope, indemnity and continuity policy).
11. Audit cadence
The practice checks, on a stated cadence, that:
- records meet the standards above and are contemporaneous and attributable
- ICO registration is current and a lawful basis and privacy notice are in place
- security measures are in place, backups are being taken and a restoration has been tested, access is limited to named accounts, and any access log has been reviewed
- sharing follows consent and the Caldicott principles, and breaches are reported
- access requests are met on time and retention and disposal follow the guidance
The doctor and the Registered Manager review the results and record the improvement actions that follow.