Documentation and Confidentiality

Complaint files are sensitive. They should be accurate, proportionate, and secure, with access limited to those who need to know. ^[1][9]

What to record

It helps to capture the complaint verbatim where possible, the issues agreed, timelines, evidence gathered, findings, remedy, and learning. ^[6][1]

Notes should remain factual and avoid personal commentary. ^[6]

Date, time, and sign entries. Any addenda should be recorded transparently. ^[1]

Storing and sharing

Files should be stored in a secure system with role-based access. ^[1] Personal accounts or chat apps are not suitable for complaint files. ^[7] When sharing with an ombudsman or regulator, disclose only what is necessary and redact third-party data that is not relevant. ^[5][2][9]

Record-keeping checklist:

• complaint intake
• acknowledgement
• investigation notes
• interviews
• evidence references
• response
• remedy
• escalation information
• learning actions with owners and review dates ^[6][1]

Data protection principles

A lawful basis will typically be legitimate interests or public task for NHS providers. ^[3] Data subject rights - including access, rectification, and, where applicable, restrictions - should be honoured. ^[4] Retention should align with policy, and any variation needs to be justified in writing. ^[1][3]

Informal vs formal records

Even informal complaints and feedback (verbal comments) can carry learning.

A brief note that captures the point and the action taken is useful, especially if a pattern is emerging. Trends should be written down so systems can change. ^[6][1]

Capacity, consent, and representation

Where a representative raises a complaint, consent or lawful authority should be confirmed. ^[5] For children or adults lacking capacity, legal frameworks must be followed and decision-making recorded clearly. Interpreters should be used where needed, and that step documented. ^[9]

Linking to safety systems

Related incident reports can be cross-referenced without duplicating sensitive data. If a complaint indicates a safety risk, it should be raised through governance so that action is tracked. ^[8][1] The complaint file stays focused while ensuring safety actions are visible.

• Two practical tools: a short intake form that captures essentials; learning log that routes actions to the right owner with a date. ^[1][8]

References (numbered in text) Why we include references

1. Records Management Code of Practice — NHS Transformation Directorate (NHS England) Find (opens in a new tab)
2. Pseudonymisation / Anonymisation guidance — Information Commissioner's Office Find (opens in a new tab)
3. What is a lawful basis for processing? (Lawful basis guidance) — Information Commissioner's Office Find (opens in a new tab)
4. A guide to subject access — Information Commissioner's Office Find (opens in a new tab)
5. Our privacy notice: What happens to the information you give us — Parliamentary and Health Service Ombudsman Find (opens in a new tab)
6. Dealing with complaints — The College of Optometrists Find (opens in a new tab)
7. Using mobile messaging — NHS Transformation Directorate Find (opens in a new tab)
8. Patient Safety Incident Response Framework (PSIRF) — NHS England Find (opens in a new tab)
9. Disclosing confidential information — General Optical Council Find (opens in a new tab)