The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The health sector handles some of the most sensitive personal data, and patients have the right to expect that information will be looked after.

As part of our role in supporting the sector, the ICO’s Assurance team carries out audits across a broad range of health organisations.

The resources below are based on those experiences. They are practical tools that data protection officers, records managers and information governance specialists can use to help educate colleagues on how to ensure they are operating in line with the Data Protection Act.

The focus of the below resources is on records management. Whether at large NHS hospitals or small private dentists, we often see ineffective logging, tracking or movement of manual records.

Those breaches can lead to ICO investigations. 

ICO Assurance Group Manager Leanne Doherty said:

“Unfortunately, our audits showed a worrying trend of health organisations failing to properly manage the records they held.

“The people we speak to want to get this right. We’ve seen first-hand the professionalism and commitment of people working in information governance in this sector, and we know some of the challenges they face. We’ve looked to create resources that offer them practical support and give them the tools to improve people’s approach to records management in their organisations.”

The resources below are focused on addressing the specific shortfalls we’ve seen.

Not sure where to start?

The ICO’s toolkit helps you to assess your compliance with the Data Protection Act and find out what you need to do. There’s a dedicated records management section, with guidance and links to further reading on:

  • Developing records management policy and procedures
  • Training
  • Outsourcing
  • Records inventories
  • Tracking and off-site storage
  • Security and disposal of data
  • Business continuity 

What we’ve seen

Staff not being vigilant when using fax machines and not checking the correct addresses before posting information to patients. 

Poster: Always check addresses and details before you press send. Click to download PDF version.
Poster: Always check addresses and paperwork before you seal and send it. Click to download PDF version.

What we’ve seen

Staff not following procedures around tracking records.

Training video: why tracking records properly matters, including tips for staff

Infographic: top tips to improve your record tracking 

Assign responsibility.
Train, train, train.
Know what you've got.
Log where it's going.
Check it works.

What we’ve seen

Staff not sure what to do when records go missing

Infographic: top tips on when records go missing.
Identify it early.
Know what to do.
Learn from your mistakes.
Keep track.

What we’ve seen

Staff not using secure storage.

Poster: When storing physical records, make sure they're secure. Click to download PDF version.

What we’ve seen

Information being unsecure when taken off site.

Poster: All information you work with has value. Think before you take it out of the building. Click to download PDF version.

What we’ve seen

Errors in logging, tracking and movement of records caused by a lack of procedures and no Information Asset Register. 

Case studies

Read about two health organisations that have benefited from implementing Information Asset Registers.


The most common records management errors the ICO sees in the health sector, including advice around Information Asset Registers and Information Asset Owners.
