Recording and Escalation

Good records both demonstrate candour and drive improvement. The aim is completeness for learning and proportionality for privacy. ^[6][4]

What to document

Records commonly capture the event description, harm or risk grading, immediate actions, and who was informed when. ^[4][2]

The verbal apology is noted, with a written follow-up summarising facts, impact, and next steps. ^[3][8]

Practical remedies offered and accepted are logged, alongside preferences for updates. ^[1][8]

Clinical notes and incident analysis are usually kept separate, with cross-references to link the two. A decision log explains why candour was triggered (or not), who approved, and when reviews will occur. Documents are stored securely with role-based access, as complaint and incident files are personal data. ^[6][2][5]

• Minimum dataset: date/time; people involved; factual account; apology given; patient preferences; actions and owners; review date; learning items routed to governance. ^[3][2]
• Tools to standardise: candour letter templates; triage flowchart; learning register showing change, owner, due date, and a verification plan. ^[4][6]

When to escalate

External routes

External escalation can be required by contracts or regulation. This includes: ^[2][4][7][5]

• CQC statutory duty events in England
• NHS reporting routes
• Safeguarding concerns
• Significant data breaches to the ICO

Indemnity providers are often informed early where harm may lead to claims. For example, an incorrect contact lens fitting that caused corneal damage might be reported both to indemnity and NHS systems. Where criminality is suspected, such as tampering with records, legal advice is sought and evidence preserved. ^[9]

Internal escalation

Internally, leadership is alerted when patterns emerge. Risks are added to the register with controls and review dates. De-identified learning is shared promptly so practice changes are not delayed by full root-cause analysis. For example, repeated near misses with equipment calibration could be flagged before harm occurs. ^[4][6]

Keeping patients informed

Patients are kept informed of escalations that affect them, with contacts for complaints or ombudsman routes, and reassurance that local support continues alongside formal processes. For example, a patient may be told that a data breach has also been reported to the ICO, while being reassured that the practice remains their main contact for ongoing care. ^[2][8]

References (numbered in text) Why we include references

1. What is the professional duty of candour — General Optical Council Find (opens in a new tab)
2. Regulation 20: Duty of candour — Care Quality Commission Find (opens in a new tab)
3. Openness and honesty when things go wrong: The professional duty of candour — General Medical Council Find (opens in a new tab)
4. Patient Safety Incident Response Framework (PSIRF) — NHS England Find (opens in a new tab)
5. Personal data breaches: a guide — Information Commissioner's Office Find (opens in a new tab)
6. Records management: code of practice for health and social care — Department of Health and Social Care / NHS England Find (opens in a new tab)
7. Working together to safeguard children — Department for Education Find (opens in a new tab)
8. Saying sorry when things go wrong — NHS Resolution Find (opens in a new tab)
9. Forensic science activities: statutory code of practice (version 2) — GOV.UK Find (opens in a new tab)