Data Retention Policy

Retention Summary 

The GDPR requires that personal data should not be held for longer than is necessary for the purpose for which it is being processed. However, it is a fundamental requirement that all of TAG healthcare’s records are retained for a minimum period of time for legal, operational, research and / or safety reasons. The length of time for retaining records will depend on the type of record. Below you will find a summary of the various types of data we hold about you and how long each will be kept. 

1. Purpose 

1.1 The purpose of this policy is to detail the procedures for the retention and disposal of information to ensure that we carry this out consistently and that we fully document any actions taken. Unless otherwise specified the retention and disposal policy refers to both hard and soft copy documents. 

2. Review 

2.1 Review is the examination of closed records to determine whether they should be destroyed, retained for a further period. 

3. How long we should keep our records 

3.1 Records should be kept for as long as they are needed to meet the operational needs of the TAG, together with legal and regulatory requirements. We have assessed our records to: 

•Determine their value as a source of information for the TAG to continue to provide healthcare. 

•Determine their value for fulfilling contract for the delivery of healthcare

•Assess their importance as evidence of business activities /decisions and ensure accounts and billing is accurate and up to date. 

•Establish whether there are any legal and regulatory responsibilities required by law or regulators in providing healthcare  (including: GMC, EU General Data Protection Regulation 2018). 

4. Disposal schedule 

4.1 A disposal schedule is a key document in the management of records and information. It is a list of series or collections of records for which predetermined periods of retention have been agreed between group and the DPO. 

4.2 Records on disposal schedules will fall into two main categories: 

1. Destroy after an agreed period – where the useful life of a series or collection of records can be easily predetermined (for example, destroy after 3 years; destroy 2 years after the end of the financial year). 

2. Review – see 2 above. 

4.3 Records can be destroyed in the following ways: 

Destruction 

• Personal information – cross cut shredded and pulped or burnt.

• Special Categories of personal information– cross cut shredded and pulped or burnt. 

• Electronic equipment containing information – hard drives destroyed by using physical destruction and individual folders they will be permanently deleted from the system. 

4.4 Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques. 

5. Sharing of information 

5.1 Duplicate records should be destroyed. Where information has been shared between business areas, only the original records should be retained. 

5.2 Where we share information with other bodies, we will ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the relevant legislation and regulatory guidance. 

6. An audit trail 

6.1 You do not need to document the disposal of records, which have been listed on the records retention schedule. Documents disposed of out the schedule either by being disposed of earlier or kept for longer than listed will need to be recorded for audit purposes. 

6.2 This will provide an audit trail for any inspections conducted by the Information Commissioner and will aid in addressing Freedom of Information requests, where we no longer hold the material. 

7. Monitoring 

7.1 Responsibility for monitoring the disposal policy rests with the DPO. The policy should be reviewed annually.

Type of recordStart of retention periodMinimum Retention PeriodComments
Minutes General Meetings  6 years 
Records Management  Until superseded 
Credit Card details with no outstanding debt on patient’s account Receipt of credit card details6 months 
Credit Card details with outstanding debt on patient’s account  Discharge of debt6 months 
Invoices to patients regarding their treatment  Close of financial year to which the invoice relates  6 years 
Contracts  End of contract6 years from end of contract 
Medical Records/Patient LettersConclusion of treatment  8 years 
Litigation records  Case closure  8 yearsRetention period of 8 years in line with medical record retention.  
Patient enquiries – EmailConclusion of treatment8 yearsRetention period of 8 years in line with medical record retention.  
Complaints case fileClosure of incident8 yearsRetention period of 8 years in line with medical record retention.