Some of the guidance in this section relates to the responsibilities of the person in charge of an organisation or practice, as well as to your responsibilities as a practitioner within the practice.

If you are setting up a paperless electronic record system, you or your organisation should:

1. prepare an IT business continuity plan first, including provision for regular backups of data which are stored securely and preferably off-site
2. ensure all members of the team, including locums, can use and access the IT system effectively
3. ensure that you check the accuracy of any patient records entered on your behalf by an assistant. You remain responsible for the contents of the record
4. ensure confidentiality is maintained through:
   • access control measures
   • physical security and privacy of systems
   • secure communication between systems
5. ensure every patient record has an audit trail to identify:
   • time/date of each entry
   • author of each entry
   • additions, changes or deletions
6. set up or use a properly constructed format which:
   • does not constrain data entry
   • allows free text and clinical codes
   • enables all patient contact and significant health events, such as referrals, to be recorded
   • allows attachments, such as a fundus photograph or referral letter, to be part of the record
   • signposts any additional records about the patient which are separate from the main record; however, you should not keep informal patient records
7. ensure you have sufficient security protection.

If you or your practice changes the IT system, audit trails may be lost. Therefore, you should:

1. create and maintain a verified backup of the clinical data from the old system
2. maintain a means to read this backup.

If systems or hardware are replaced, you or your organisation must ensure that any patient identifiable data is backed up and data on the old computer is destroyed. Deleting information may be insufficient as data can remain accessible on storage media. Hardware, including hard disc drives, should be physically destroyed.

You should not maintain both a paper based and an electronic system. However, if this is unavoidable, you should avoid parallel systems that contain the same data as they may not be kept up to date.