You are currently using an unsupported browser which could affect the appearance and functionality of this website. Please consider upgrading to the latest version or using alternatives such as Mozilla Firefox, Google Chrome or Microsoft Edge.

Records management policy and procedures

Creating and managing records efficiently, making them accessible, protecting them and disposing of them safely at the right time

Introduction

This Records Management Policy is the Royal College of Obstetricians and Gynaecologist’s (RCOG) policy regarding the safekeeping of all our records from their creation to their disposal – this includes our procedures for sharing information externally.

The RCOG values its information and records as essential assets fundamental to the delivery of its strategic aims and owns those created in the course of working for the RCOG.

Purpose

The purpose of this Policy is to establish a framework for the creation, maintenance, storage, use and disposal of records, to support continuous improvement in its core activities of teaching and research, to provide evidence of corporate governance, and to facilitate compliance with statutory requirements.

This policy ensures Member, service user, employee and Officer records are:

  • properly created,
  • accessible and available for use
  • disposed of in a secure and timely fashion.

It provides employees and Officers with guidance regarding individual responsibility for accuracy and appropriate storage of records. It covers:

  1. Our Records Management Toolkit for employees and Officers
  2. Management of our merged information asset register (IAR) and Record of Processing Activities (ROPA)
  3. Our transparency procedures
  4. Our information handling procedures – including our procedures for safely and legally sharing information externally
  5. Procedures for individual making requests about their data (GDPR individual data rights)
  6. Our procedures when there is a withdrawal of consent to share.

The RCOG aims to be compliant with international and national standards and codes of practice for Records Management, e.g. BS ISO 15489 Information and documentation — Records management. The benefits of compliance are:

  • RCOG business is conducted in an orderly, efficient and accountable manner, preserving accurate and authentic business records
  • RCOG services are delivered in a consistent and equitable manner with understanding of previous completion of transactions
  • A reliable knowledge base is preserved
  • Business evidence of organisational activities is captured to provide consistency, continuity and productivity
  • Vital records are identified to provide continuity in the event of a disaster
  • Legislative and regulatory requirements are met with retention and provision of access to records
  • RCOG maintains corporate memory through capturing evidence of business activity and identifying records for permanent retention and archiving
  • Current and future research and development activities are supported through documentation.

The RCOG is committed to the efficient and effective management of its records to maximise the benefit they bring to the College, as they are its corporate memory and ensure:

  • good corporate governance
  • accountability
  • compliance with legal requirements
  • evidence of decisions and actions, and
  • provide information for future decision-making.

Scope

This policy applies to:

  • All records processed by the RCOG in either hardcopy or digital copy, including special categories of data
  • All employees of the RCOG (permanent, temporary and voluntary), Officers and Committee members handling College records, contractors and consultants who have access to records, wherever these records may be located. The policy aims to ensure that all employees and Officers are aware of what they must do to manage records in an effective and efficient way and in compliance with legal and regulatory requirements.

This policy is part of the RCOG Data Security and Protection Policy Framework that includes:

  • Data Protection
  • Data Security and Protection Incident Handling
  • Information Governance
  • IT Security (IM&T)

Policy

A record is recorded information, in any form (it may be an electronic file or e-mail, or a paper document), created, received and maintained by the organisation or individual members of employees and Officers to support and show evidence of its activities. Also referred to as an “information asset”.

Although not an exhaustive list, examples of items that can constitute records include:

  • documents (including written and typed documents and annotated copies)
  • computer files (including word processor files, databases, spreadsheets and presentations
  • paper based files
  • electronic mail messages
  • reports
  • Intranet and Internet Web pages.

See Appendix A for more, detailed definitions of a record, and other related terms.

The RCOG recognises the importance of this essential resource and undertakes to:

  • manage records effectively in line with this policy
  • comply with legal obligations that apply to its records (see the RCOG Data Protection Policy)
  • exercise best practice in the management of records, as outlined in the implementation section below
  • encourage effective access to and use of records as a corporate source of information
  • keep records electronically where appropriate, where possible putting in place provision to ensure their reliability
  • store records efficiently, utilising appropriate storage methods at all points in their lifecycle, and disposing of them appropriately when they are no longer required
  • provide appropriate protection for records from unwanted environmental (fire, flood, infestation) or human impact (alteration, defacement, theft)
  • safeguard records necessary for the continuity and regeneration in the event of a disastrous occurrence
  • identify and make provision for the preservation of records of long term and historical value
  • maintain the following data quality standards:
    • accuracy – all data must be sufficiently accurate for its intended purposes
    • validity – all data must be recorded and used in compliance with College requirements
    • reliability – all data must be stable and, wherever possible, use consistent data collection processes across
    • timeliness – all must be captured as quickly as possible and available for use as per the College’s Retention Schedule
    • relevance – all data captured must be relevant to a specified purpose(s)
    • completeness/integrity – all data processed must be regularly monitored for missing, incomplete or invalid records in order to indicate data quality.

To support the RCOG’s recognition of the importance of Records Management, all people handling RCOG records must comply with this policy by following the procedures listed below.

Procedures

This policy is implemented and supported by the following procedures and ways of working, which have been designed according to the requirements of the international and national standards or records management, such as BS ISO 15489:

  1. Our Records Management Toolkit for – the record keeping procedure from creation to disposal – employees and Officers must:
    1. Understand what constitutes a record (see Policy above) and it’s lifecycle – e.g. be familiar with the definitions contained in this policy, see Appendix A and the diagram below:
       
      Records life cycle diagram, showing 4 stages: creation, usage, storage and disposal/archives
    2. Define how your records are classified and managed – e.g.:
      1. Use the Corporate File Plan as a standardised structure and layout for the contents of records with local file plans informed by the RCOG Retention Schedule’s Record Series classification and listed in the Information Asset Register
      2. Use Naming Conventions to consistently name documents and folders with appropriate and version control to ensure ease of access and the application of the Retention Schedule
  • Ensure records are held in accessible but protected locations, both digitally and physically, controlled by up-to-date Access Permission controls
  1. Use the record transfer procedures that ensures you are managing a record throughout its lifecycle from creation, use, retention and disposal or archiving, including recalling Semi-Active Records from offsite storage – see the guidance on the IG Hub.
  2. Be familiar with and apply the RCOG Retention Schedule
    1. By conducting regular data cleansing exercises, applying the appropriate retention periods and recording disposal decisions, in partnership with the Information Governance (IG) Team, using the latest tools and guidance
    2. Provide the IG Team with feedback on the RCOG Retention Schedule as it is under review and will be updated in 2022 to align with NHS record retention and disposal standards
  3. Ensure all records meet RCOG standards of data quality, including:
    1. Accuracy – e.g. maintaining the accuracy of all information held by College by undertaking regular checks with the owners and/or data subjects, such as ensuring contact details are correct
    2. Completeness – e.g. ensuring you have all the data required for a particular purpose and that available for use, such as patient records with missing data could skew analysis being undertaken to improve O&G clinical care
  • Consistency – e.g. ensuring data formats do not conflict with each other within a record or across records and datasets
  1. Timeliness – e.g. ensuring data is available when expected and needed but it can mean different things for different uses, such as: in a hospital, timeliness is critical to ensure the most up-to-date data is being used in the delivery of care; however it may be acceptable to use quarterly figures to forecast care needs
  2. Uniqueness – e.g. avoiding duplication of records which may contain different data, such as two duplicate patient records with different clinical data could again impact the delivery of care and any subsequent analysis
  3. Validity – e.g. the extent to which data conforms to an expected format, type or range, such as postcodes are only valid if they appear on the Royal Mail postcode list.
  1. Follow RCOG Individual Data Subject rights of access, rectification and erasure procedures during the lifespan of a record (see details in Procedure 4 below)
  2. Follow guidance and complete training on the creation and use of records, and their legal responsibilities to share and safeguard personal confidential information
  1. Our information asset register (IAR) and Record of Processing Activities (ROPA) - employees must:
    1. Participate in the IAR/ROPA Update Project, 2021-22
    2. (Information Asset Owners) keep their departmental IAR and ROPA up-to-date, as per the SOP (to follow in 2022)
  2. Our transparency procedures – RCOG must:
    1. Ensure our privacy notice outlines to people why we hold their data, the lawful basis for doing so, and their rights in terms of how we process their data
    2. Ensure our privacy notice is freely available to all people whose data we process and is part of our commitment to transparency and accountability to satisfy the individual’s right to be informed under GDPR
    3. Ensure our privacy notice is available on the footer of every page of the RCOG website: https://www.rcog.org.uk/
    4. Ensure all service users, or their legal representative if necessary, will be informed of their rights regarding their personal data when they sign-up to be an employee, member/trainee, or other service user of the College
    5. Review and update the privacy notice at least annually and obtain Executive Committee sign-off
    6. Provide people with RCOG Privacy Policy, and any supplementary notices developed for specific processing, at the moment we ask them to give us their personal data
    7. Ensure we receive an individual’s personal data from a source other than that individual, we provide them the RCOG Privacy Policy without undue delay and at least within one month.
  1. Our information handling procedures – all employees and Officer must use these tools for the safe and legal sharing of information containing personal data with external partners:
    1. Ensure that RCOG records and information containing personal data are protected and not disclosed inappropriately, either by accident or design, whilst in use or when it is being transferred
    2. In line with legislation, ensure RCOG records and information containing personal data are not processed without a lawful basis being identified. The Record of Processing Activities (ROPA) records all processing of personal data and identifies the legal basis for it being processed
    3. Ensure the processing and sharing of RCOG records and information containing personal data with external, third parties must follow one and/or other of the following processes:
      1. Client (Data Controller) and Contractor (Data Processor) personal data sharing must be governed by a written and signed contract or service agreement that meets RCOG data protection standards, e.g. the RCOG Contract/Service Agreement plus Data Protection Schedule
      2. Equal partner (Data Controller to Data Controller) personal data sharing must be governed by a written and signed Information Sharing Agreement (ISA) that meets RCOG data protection standards, e.g. the RCOG Information Sharing Agreement template
    4. Refer to the following policies regarding the secure use and handling of RCOG records and information containing personal data:
      1. Data Protection policy
      2. IT Security policy
    5. Follow procedures for people making requests about their data (GDPR individual data rights requests) held within College records containing their personal information are detailed in the RCOG Individual Rights Request guidance on the website and the Handling Requests for Information SOP (to follow later in 2022), covering:
    1. The right to be Informed - e.g. fair processing/privacy notices and information
    2. The right of Access - e.g. subject access requests (SARs)
    3. The right to Rectification - e.g. correcting your data
    4. The right to Erasure – e.g. deleting or removing your data
    5. The right to Restrict Processing – e.g. stopping your data being used
    6. The right to Data Portability – e.g. transferring your data easily
    7. The right to Object – e.g. challenging what we’re doing with your data
    8. Rights in Relation to Automated Decision Making and Profiling – e.g. ensuring safeguards are in place so we don’t make potentially damaging decisions about you without any human involvement
  1. Our procedures when there is a withdrawal of consent to share – RCOG must ensure:
    1. All people have the right to withdraw their consent to have their personal data shared at any time – you can withdraw your consent to receive communications at any time by updating your preferences in your account.
    1. Guarantee it is as easy to withdraw consent as it is to give consent – the processes will vary dependent on the nature of consent obtained for data processing
    2. If an individual withdraws their consent to share their personal data, to discuss it in full and explain how this decision may impact the service outcome for which their data is being processed
    3. In certain instances, where legislation or public good outweighs the individual’s right to not consent to information sharing, we may not be able to honour any withdrawal of consent. This needs to be discussed in detail with the IG Team and will only occur if we can demonstrate compelling legitimate grounds where the processing overrides the interests, rights and freedoms of the individual.
    4. The Senior Responsible Officer to keep a log of consent not given or withdrawn the this, adding a note to the individual’s records
  1. RCOG to review this policy and procedures annually to ensure they are adequate and that we continue to keep our records to the highest standards.

Governance

IGMG

The Information Governance Management Group (IGMG):

  • Oversees the IG function of the College to ensure compliance is retained across the College
  • Chaired by the SIRO
  • Supported by the IG Team.

It is made-up of Directors from departments who process personal data and Subject Matter Experts (SME). The terms of reference are in Appendix B.

IG Leads

The IG Leads are employees nominated by the departmental Information Asset Owners (SLT member) to assist them with their IG responsibilities. Please see Appendix D for their terms of reference.

Performance Monitoring

  • IG Dashboards – RCOG performance against key statutory compliance requirements are monitored at least quarterly, covering:
    • Individual Rights Requests – e.g. Data Subject Access Requests
    • Data Protection and Security Incidents – e.g. numbers logged as live, contained and closed with a severity rating and outstanding actions from lessons learned
    • Data Protection Impact Assessments – e.g. numbers logged with data protection risk rating
  • Audit and Risk Committee – quarterly compliance reports highlighting progress against regulatory (Data Security and Protection Toolkit) and statutory requirements using the IG Dashboards (see above)
  • Executive Committee – quarterly Data Security and Protection Toolkit (DSPT) project reports focusing on progress made against the DSPT for that year.

Roles and responsibilities

The RCOG has a responsibility to ensure that its records are managed well and in accordance with the regulatory environment. Different employees and Officers have different roles in relation to records management and these responsibilities are defined below.

The Executive Committee has high level responsibility for ensuring compliance with this policy lies with the Chief Executive Officer. Individual Executive Directors and Directors have responsibility for ensuring:

  • their teams develop their own procedures and guidance which comply with the records management policy and procedures
  • adequate records of their directorate’s activities are maintained
  • their employees and Officers comply with College-wide records management policy and procedures
  • their employees and Officers attend the necessary IG training available via the Learning and Development Programme.

The Senior Information Risk Officer (SIRO) is delegated authority for information risk and mitigation by the Executive Committee, including responsibility for implementing and leading on IG risk assessment and management processes with the College. They:

  • lead and foster a culture that values, protects and uses records and information for the success of the organisation and benefit of its members, trainees, staff and other stakeholders
  • own the RCOG’s overall information risk assessment processes and ensuring they are implemented consistently
  • ensure the Board of Trustees, Officers and the Executive Committee are adequately briefed on IG issues and associated risks
  • lead on the of security incidents and data protection breaches
  • own the College’s Data Security and Protection Incident Handling policy and procedures
  • provide the final point of resolution for any IG risk issues, and
  • Chair the IGMG (IG Management Group).

The current SIRO is the Executive Director of Membership and Global, Kristen Morgan.

The Deputy SIRO is the Head of Information and Governance and is responsible for the strategic improvement, day-to-day operation and delivery of IG within the RCOG. This includes, but is not limited to:

  • supports the SIRO and Caldicott Guardian
  • leads on the following IG areas – information rights compliance, information asset and records management, and information risk assurance and management
  • manages the handling of requests for information (RFIs) under according to information rights and copyright legislation
  • co-ordinating, maintaining and developing the information asset register (IAR), including information sharing protocols and agreements
  • data security and protection incident reporting and
  • maintenance of the information risk register, ensuring remedial actions have been undertaken
  • leads on the annual Data Security and Protection (formerly IG) Toolkit submission to NHS Digital and the College’s subsequent improvement plan
  • develops and oversees the College’s IG strategy and associated work programmes providing specialist advice and assistant to staff where required on areas of information governance legislation, ensuring specialist knowledge is kept up to date and changes in legislation or national and local policy are communicated effectively to staff at all levels of the organisation
  • establish, develop and deliver both mandatory and discretionary staff training
  • establish, develop and deliver IG policies, procedures, guidance notes and ways of working
  • preserving and providing access to the RCOG’s Archives
  • lead liaison with external regulators, such as the Information Commissioner’s Office (ICO)
  • creation, analysis and presentation of performance indicators, such as a quarterly IG Dashboard
  • provide a public frontline information rights handling and enquiries service
  • deliver a functioning records management service the College’s structured and unstructured records
  • maintain the RCOG Retention Schedule,
  • advising the SIRO and Executive Committee on potentially reportable data security and protection incidents/breaches, and
  • deputising for the SIRO, as required.

The Caldicott Guardian is primarily responsible for the protection of confidential, personal information and ensure it is used in line with the Caldicott Principles, with responsibility for the following:

  • protecting the confidentiality of patient information
  • enabling appropriate information-sharing
  • ensuring the College satisfies the highest practical standards for handling patient identifiable information
  • acting as the 'conscience' of the organisation
  • actively supporting work to enable information sharing where it is appropriate to share, and
  • advising on options for lawful and ethical processing of information.

The current Caldicott Guardian is the Director of Clinical Quality, Daniel Wolstenholme.

The Information Governance Management Group (IGMG) has responsibility for ensuring that the RCOG's record keeping supports Information Governance compliance.

The Information Governance (IG) team is made up of the Head of Information and Governance who is the RCOG Deputy SIRO and the Records and IG Officer with additional subject expertise brought in when necessary (see below) who are responsible for maintaining and implementing the Records Management policy, including management of the off-site storage for non-active and archive paper records.

The Records and Information Governance Officer (RIGO) is responsible for the following:

  • ensuring that the records management policy and procedures, guidance and training are kept up to date and relevant
  • raising employees and Officers awareness of records management
  • providing advice and guidance to all employees and Officers
  • developing and maintaining retention and disposal schedules and documenting disposal activity
  • maintaining the Information Asset Register (IAR) and Record of Processing Activities (ROPA)
  • provides advice and support to the IG Leads, Information Asset Owners and the wider organisation
  • investigate security incidents and breaches
  • coordinate IG Team managed Requests for Information (RFIs) such as Individual Rights requests, e.g. Subject Access Requests (SARs).

The Information Asset Owners (IAOs) across the College have been delegated to Directors or Head of Service. They are responsible for enabling effective IG within their respective areas and teams, such as making decisions about how information is processed e.g. what is collected, how it is used, whom it is shared with, when it is deleted, and whether information risks are mitigated further or accepted by us. They:

  • understand what information assets their team(s) process(es)
  • understand its value to the College and the related approach, appetite and capacity for risks and opportunities in conjunction with the College’s risk management standards
  • make sure the information is managed according to this and all relevant IG, Data Security and Protection Policies
  • nominate a local Information Governance Lead (IG Lead) provide senior management support to IG Lead in discharging their role, and
  • identify, oversee and support the work of information asset administrators within their areas of responsibility.

The Information Asset Administrators (IAAs) people nominated by Information Asset Owners to assist with the operational responsibility for information asset management within their respective service areas. This involves the:

  • application of IG rules
  • identification of information assets to the IG Team, and
  • up-dating RCOG records and information to ensure data integrity and quality.

In some departments, the IG Lead is also the IAA.

The Information Governance (IG) Leads are employees nominated by the departmental Information Asset Owners (SLT member) to assist them with their IG responsibilities. Please see Appendix D for their terms of reference.

The Director of IM&T is responsible for ensuring that adequate technical provision is in place to support record keeping across the organisation.

The Building Manager is responsible for providing adequate and appropriate storage and disposal facilities to support record keeping across the organisation.

 

The Corporate Governance Team and Personal Administrators are responsible for maintaining records of their committees and managing their disposition in line with the instructions provided in the Retention Schedule.

 

All Employees and Officers that create, receive, maintain or delete records are responsible for ensuring that they do so in accordance with the RCOG's records management policy and procedures.

Policy Waiver

The College has a risk based approach to govern those situations that require the processing of personal data to deviate from this policy. In summary:

  • The situation needs to be fully described
  • The risks and mitigations captured
  • The agreed waiver reviewed and signed off by the Information Asset Owner and Executive Director.

The Policy Waiver form in Appendix E must be completed and approved by senior management.

For further advice concerning any aspect of this policy, please contact the Information Governance (IG) Team by email at dataprotection@rcog.org.uk or call +44 20 7772 6309.

Appendices

Appendix A: Glossary of Terms

An Active Record is one that is in “active” use or open, e.g. records created and used throughout an individual’s membership with or employment at the College and stored on the following systems:

  • Cascade
  • Open Engage
  • Corporate file plan.

An Archive Record is a record that has reached the end of its retention period (as per the College Retention Schedule - see below) and is permanently because of its continuing business, evidential, historical or informational value to the College, e.g. minutes from Board of Trustees meetings.

 

Business Information Systems are databases, or other software, that create or capture information in relation to RCOG business. They are primarily used for reference but can be used for workflow or data sharing. Systems that hold information the RCOG would rely on as evidence should be able to manage their content as records and be Record Keeping Systems.

Data: is the raw input from which information of value is derived.

A Data Controller is an individual or organisation who:

  • decides to collect or process personal data
  • decides what the purpose or outcome of processing is to be
  • decides what personal data should be collected
  • decides which individuals to collect personal data about
  • obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller
  • processes personal data as a result of a contract between us and the data subject
  • whose data subjects are the employees
  • makes decisions about the individuals concerned as part of or as a result of the processing
  • exercises professional judgement in the processing of the personal data
  • has a direct relationship with the data subjects
  • has complete autonomy as to how the personal data is processed
  • has appointed processors to process the personal data on our behalf.

Joint Data Controllers are two or more individuals or organisations who:

  • has a common objective with others regarding the processing
  • processes the personal data for the same purpose as another controller
  • use the same set of personal data (e.g. one database) for this processing as another controller
  • designs the processing with another controller
  • has common information management rules with another controller.

A Data Processor is an individual or organisation who:

  • follows instructions from someone else regarding the processing of personal data
  • is given the personal data by a customer or similar third party, or told what data to collect
  • does not decide whether to collect personal data from individuals
  • does not decide what personal data should be collected from individuals
  • does not decide the lawful basis for the use of that data
  • does not decide what purpose or purposes the data will be used for
  • does not decide whether to disclose the data, or to whom
  • does not decide how long to retain the data
  • make some decisions on how data is processed, but implements these decisions under a contract with someone else
  • is not interested in the end-result of the processing.

The Data Protection Act 2018 is an Act of Parliament that enacted GDPR 2016 and established UK only derogations.

Data quality is a recognition that the accuracy, coverage, timeliness and completeness of data can significantly impact on the value of its use.

A Data subject is a living individual who can be identified from the personal data or from additional information held, or obtained, by the RCOG. For example, a CCTV image which can identify someone when linked to building access control codes.

A File is a collection of records stored in one unit, identified by a filename. It can be a document, picture, audio or video stream, data library, application, or other collection of data.

A File Plan is a governance tool that classifies RCOG records in terms of function and activity; it acts as the baseline to connect this policy, and its related guidance and procedures, to the business processes that create, manage, use and dispose of College records.

The Freedom of Information Act 2000 provides the public with a general right of access to all information held by, or on behalf of, public authorities. Any individual or organisation may request any information held by a public authority. The public authority must tell the applicant (normally within 20 working days) whether it holds the information. If it does, it must supply it, unless an exemption applies. The RCOG, as an independent charity, is not a public authority, and is not directly subject to the Act. However, the College may hold information ‘on behalf of’ a public authority since it performs work for them under contract. Information relating to these activities may be caught by the Act.

The UK General Data Protection Regulation (UK GDPR): sets out data protection and privacy rights of all individuals within the UK since exiting the European Union. It also applies to transfer (export) of personal data outside the UK. UK GDPR came into force on 01 January 2021.

An Information Asset is a body of information defined and managed as a single unit or aggregate so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

The Information Asset Register is a governance tool that lists the RCOG’s key information assets and a mandatory requirement of the DSPT.

The Information Commissioner or ICO is responsible for the regulation of the Information Rights legislation across the UK, such as UK GDPR and DPA 2018. The Information Commissioner is appointed by the Queen and is independent of the UK Government.

Information Governance:

  • encompasses the multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an organisation level,
  • supports its immediate and future regulatory, legal, risk, environmental and operational requirements
  • determines the balance point between two potentially divergent organisational goals: extracting value from information and reducing the potential risk of information
  • defines the roles and responsibilities of all stakeholders involved in handling and managing College information.

Information governance compliance: ensures compliance with all statutory requirements governing the management of information, including rights of access under Freedom of Information and Data Protection legislation.

Information security ensures that RCOG information is not compromised by unauthorised access, modification, disclosure or loss.

Information sharing ensures that RCOG information is shared in a compliant, controlled and transparent manner.

Open data is accessible (usually via the internet), in a machine-readable form, free of restriction on use. It supports transparency and accountability, effective services and economic growth.

The Payment Card Industry Data Security Standards are a set of minimum standards produced by Visa, MasterCard and Amex to be applied by anyone handling payments using credit and debit cards to ensure the safety of payment card transactions called PCI-DSS.

Personal data is all information that relates to an identifiable living person who can be identified from that information or from additional information held, or obtained, by the RCOG. Examples of personal data are contained in paper files, electronic records and visual and audio recordings.

Processing is all actions relating to personal data. Gathering, recording, analysing, amending, using, sharing, disclosing, storing and destroying personal data are all covered by this definition.

RCOG Records are defined as:

  • recorded information in any format (including paper, microform, electronic and audio-visual formats);
  • which are created, collected, processed, and/or used by RCOG employees and Officers , Trustees, Council, Officers, FMTs and other stakeholders when undertaking RCOG business, predecessor bodies (e.g. Velindre NHS Trust, RC Psych) or contractors performing an RCOG function or service; and
  • are then kept as evidence of that business.

A RCOG record lifecycle covers the lifespan of a record throughout the following stages:

  • Creation – e.g. the creation of new trainee/Member case file
  • Usage = Active – e.g. a current Member case file
  • Storage = Semi-Active – e.g. retained for 5 years following a Member ending their membership and their case file closing
  • Disposal/Archives – e.g. the destruction of the Member case file at the end of the retention period or permanent retention in the College Archives.

Records management is a set of processes and practices that ensure RCOG records are systematically controlled and maintained, covering the creation, storage, management, access, and disposal of records, in compliance with best practice, legal obligations and policy requirements.

A Record Series is a collection of records with a connection that are grouped together to be accessed and managed as a single item. The RCOG Record Series is contained with the Retention Schedule.

A Retention Schedule contains:

  • the categories of records held by an organisation – the Record Series
  • the start and end of the time-period that record is held for – the Retention Period
  • a definition of the activity that triggers the beginning of the retention period – the closure of an active record.

A Semi-Active Record: is a record that is no longer in “active” use and has triggered the beginning of its retention period as per the College Retention Schedule.

Special Categories of personal data: include data revealing:

  • race or ethnicity
  • religious or philosophical beliefs
  • trade union membership
  • a person’s health
  • sex life or sexual orientation
  • genetic or biometric data.

A Subject Access Request is the right given, by Data Protection legislation, to an individual to ask for a copy of personal data processed by the College. The information must be supplied in an intelligible and permanent form unless this involves a disproportionate effort or the individual agrees otherwise. The RCOG may have to consider the Disability Discrimination Act requirements when providing personal data to an individual who may require the information to be provided in a certain format to consider a special need. Individuals have a right to correct inaccuracies in that information too – please see the RCOG Individual Rights Requests guidance for details.

A USB (Universal Serial Bus) is an industry standard that defines the cables, connectors and communications protocols used in a communication system for connection, communication, and power supply between computers and electronic devices.

Appendix B: IGMG Terms of Reference

  • To provide strategic leadership for information governance and information risk management throughout the College, reporting into the Executive Committee, Officers (as appropriate) and Audit and Risk Committee with Director representation from key departments, namely those handling large volumes or high risk personal data, such as Clinical Quality, Membership, Education, Exams and People.
  • To support, monitor and authorise the development of the Information Governance Framework and its implementation, including all accompanying policies, guidance and tools.
  • To support the College’s Information Governance network of IG Leads.
  • To oversee the College’s annual Data Security and Protection Toolkit Submission (formerly known as the IG Toolkit).
  • To agree, support and monitor the annual Data Security and Protection Improvement plan to drive change, including plan revision and realignment to mitigate risk.
  • To take ownership of information risk management, including monitoring compliance with the Information Governance Framework, reporting and escalating information risks as appropriate, taking corrective actions where necessary, and maintaining the IG Risk Register.
  • To receive and consider reports into breaches of confidentiality and security and, where appropriate, undertake or recommend remedial action.
  • To develop solutions and implementation programmes (including training and raising awareness) to ensure that the RCOG complies with developing information governance requirements.
  • To ensure that each directorate fulfil their responsibilities and apply relevant information governance policies and controls.
  • To support directors and managers with the implementation of information governance standards and policies, the management of information risks, and in promoting awareness throughout their areas.
  • To support audit and assessment arrangements for information governance (internal and external).
  • To ensure that the College’s approach to information governance and information risk is effective in terms of resource, commitment and execution, and that it is communicated to all staff.
  • To liaise with boards, committees and other working groups to ensure compliance with the College’s Information Governance Framework.
  • To provide a focal point for the resolution and/or discussion of information governance and risk issue.

Appendix C: IGMG Forward Plan

The remit of the IGMG is broad and requires detailed monitoring of information risk. As such, the following forward plan is in place to ensure there is sufficient time to complete this work and to assist with the IGMG meeting agenda.

The following “standing items” are included in the agenda for every meeting:

  • Data Security and Protection (DSP) Submission and Improvement Plan – quarterly progress report
  • IG Dashboards
  • DSP Incident Register – review and escalation

The following “standing items” are only included in the agendas of these quarterly meetings:

  • January
    • Review and sign-off the revised DSP policy and procedures framework
  • March
    • Review and sign-off the revised DSP ways of working, staff training and communications framework
    • Review the Information Risk Register
  • June
    • Review and sign-off updates to the Information Asset Register
  • October
    • Review and approve the proposed DSP Toolkit Submission Plan for the next year.

Appendix D: IG Leads Terms of Reference

  • To represent the IG needs of their department and be either a Head of Service or Team Lead role, supporting and deputising for the SLT Information Asset Owner
  • To champion IG within their departments, including data protection and records management
  • To be the first point of contact on all IG related matters, including data protection and records management, within their departments
  • To develop a good knowledge and understanding of relevant IG, including familiarity with the policies and ways of working
  • To complete all relevant IG training over and above the College’s mandatory requirements, including Advanced Data Protection and relevant modules
  • To raise and monitor awareness of good IG practice within their departments, especially the processing of personal data
  • To attend IG Team organised meetings and events
  • To actively engage with and contribute to the internal IG consultations, including the annual DSPT submission and DSP policy reviews to act as a contact point with the IG Team concerning the retention, disposal and transfer of records within the department
  • To assess the records management procedures as they relate to each business function within their departments

To assist employees and Officers on team records management procedures.

Appendix E: Policy Waiver Form

Download the Policy Waiver Form (Word document)