FOI/DPA Records and Information

records & information management policy


1. Introduction

2. Personal Data

3. Corporate Information

4. Security

5. Records Retention

6. Disposal


This policy summarises how the UKFPO manages its records, from initially creating or obtaining records to the retention and eventual disposal of these records. The policy also includes UKFPO retention periods for specific categories of information.

In managing its records, the UKFPO complies with the Data Protection Act (DPA) 1998, the Freedom of Information Act (FOIA) 2000, other relevant legislation and the Department of Health “Records Management: NHS Code of Practice”, 2006.

Note - this policy covers all types of records, whether held on paper, electronically or in any other media.


The UKFPO holds records which are defined by the DPA as “personal data”.  These records will relate to:-

• persons applying for positions within the Foundation Programme  (applicants)
• employees of the UKFPO.

This personal data will be:-

• processed fairly and lawfully (see our Privacy Statement)
• used only for defined purposes
• relevant to these purposes
• accurate and up to date
• retained for no longer than is necessary
• processed in compliance with the rights described within the DPA
• held securely
• processed within the UK.

The UKFPO Privacy Statement will be made available via the UKFPO website, and provides a summary of the purposes for which UKFPO processes personal data.

See also to the UKFPO “Policy and Processes for Handling Freedom of Information and Data Protection Requests”.


Corporate information refers, broadly, to information held by the UKFPO which is not personal data and will include, for example, policies, guidance, minutes of meetings or financial records.

Corporate information is, in general, covered by the FOIA and relevant details are provided on the UKFPO website via its publication scheme.


Security of information is paramount and the UKFPO is dedicated to ensuring all its employees recognise the imperatives of following established procedures to ensure that none of the information held by the UKFPO is at risk of improper use.

• Confidential paper records, CDs, and other “hard copy” records must be held in locked drawers or filing cabinets in the UKFPO office. A ‘clear desk policy’ has been implemented in relation to any records which contain personal data of any kind.

• Archived records of Eligibility Office applicants are held in secure off-site storage facilities.

• Electronic records, e.g. Word documents, email etc, are processed securely using the NHS IT Network. This IT service is provided by Leicester Health Informatics Service, part of the University Hospitals of Leicester NHS Trust.

• Records will not be held on local PC hard drives.

• Laptops used by UKFPO are secured by means of encryption software.

• USB sticks and other portable devices will not be used in any circumstances to store personal records.


The schedule below, based on the Department of Health “Records Management: NHS Code of Practice”, defines the retention periods for various categories of documents held by the UKFPO.

Note – copies of, or additional records relating to some of these documents (for example, those of applicants) may also be held by other organisations (for example, foundation schools). Their retention schedules may differ from those of the UKFPO.

Category of Documents  Minimum Retention Period
Eligibility Office records  i. 12 months from the start of the applicant’s Foundation Programme
ii. 12 months following completion of the eligibility checking process (unsuccessful candidates)
Handbooks, guides etc  12 months following supersession by a  new version
Minutes of meetings of formal committees and groups 24 months from date of meeting
UKFPO HR (on-site) records 12  months from termination of employment


These procedures relate to any records held by the UKFPO, either within their Cardiff office, or remotely by means of electronic or off-site storage facilities.
The destruction process of all information, in any format, must have due regard for the confidentiality of UKFPO employees, clients and customers.
When sensitive or confidential records or files are identified for disposal by the Records and Information Management Policy, a register of such records must to be kept.


i. Paper records

All sensitive or confidential paper records must be mechanically shredded in such a way that they are rendered incomprehensible and cannot be put back together again.

NOTE – Staff must ensure that shredders and similar equipment are used safely and in accordance with their operating instructions.

All other non-confidential and non-sensitive paper can be disposed of in the boxes or bins provided in offices for environmentally-friendly disposal.

ii. Electronic records

The procedure for the destruction of sensitive or confidential waste on electronic media such as disk, cassette/cartridge, hard drives and CD-Rom is as follows:-

a) sensitive and/or confidential records held on the NHS network will be deleted by an authorised UKFPO user

b) media that are being destroyed because they are showing signs of damage or are obsolete should be physically destroyed by being cut into pieces or other approved ways prior to disposal

c) redundant or broken PCs and laptops are securely disposed of under a Service Level Agreement with the Leicester Health Informatics Service ( Digg Reddit Facebook Stumble Upon Follow UKFPO on Twitter