The GDPR requires that personal data should not be held for longer than is necessary for the purpose for which it is being processed. However, it is a fundamental requirement that all of TAG healthcare’s records are retained for a minimum period of time for legal, operational, research and / or safety reasons. The length of time for retaining records will depend on the type of record. Below you will find a summary of the various types of data we hold about you and how long each will be kept.
1.1 The purpose of this policy is to detail the procedures for the retention and disposal of information to ensure that we carry this out consistently and that we fully document any actions taken. Unless otherwise specified the retention and disposal policy refers to both hard and soft copy documents.
2.1 Review is the examination of closed records to determine whether they should be destroyed, retained for a further period.
3. How long we should keep our records
3.1 Records should be kept for as long as they are needed to meet the operational needs of the TAG, together with legal and regulatory requirements. We have assessed our records to:
•Determine their value as a source of information for the TAG to continue to provide healthcare.
•Determine their value for fulfilling contract for the delivery of healthcare
•Assess their importance as evidence of business activities /decisions and ensure accounts and billing is accurate and up to date.
•Establish whether there are any legal and regulatory responsibilities required by law or regulators in providing healthcare (including: GMC, EU General Data Protection Regulation 2018).
4. Disposal schedule
4.1 A disposal schedule is a key document in the management of records and information. It is a list of series or collections of records for which predetermined periods of retention have been agreed between group and the DPO.
4.2 Records on disposal schedules will fall into two main categories:
1. Destroy after an agreed period – where the useful life of a series or collection of records can be easily predetermined (for example, destroy after 3 years; destroy 2 years after the end of the financial year).
2. Review – see 2 above.
4.3 Records can be destroyed in the following ways:
• Personal information – cross cut shredded and pulped or burnt.
• Special Categories of personal information– cross cut shredded and pulped or burnt.
• Electronic equipment containing information – hard drives destroyed by using physical destruction and individual folders they will be permanently deleted from the system.
4.4 Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques.
5. Sharing of information
5.1 Duplicate records should be destroyed. Where information has been shared between business areas, only the original records should be retained.
5.2 Where we share information with other bodies, we will ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the relevant legislation and regulatory guidance.
6. An audit trail
6.1 You do not need to document the disposal of records, which have been listed on the records retention schedule. Documents disposed of out the schedule either by being disposed of earlier or kept for longer than listed will need to be recorded for audit purposes.
6.2 This will provide an audit trail for any inspections conducted by the Information Commissioner and will aid in addressing Freedom of Information requests, where we no longer hold the material.
7.1 Responsibility for monitoring the disposal policy rests with the DPO. The policy should be reviewed annually.
|Type of record||Start of retention period||Minimum Retention Period||Comments|
|Minutes General Meetings||6 years|
|Records Management||Until superseded|
|Credit Card details with no outstanding debt on patient’s account||Receipt of credit card details||6 months|
|Credit Card details with outstanding debt on patient’s account||Discharge of debt||6 months|
|Invoices to patients regarding their treatment||Close of financial year to which the invoice relates||6 years|
|Contracts||End of contract||6 years from end of contract|
|Medical Records/Patient Letters||Conclusion of treatment||8 years|
|Litigation records||Case closure||8 years||Retention period of 8 years in line with medical record retention.|
|Patient enquiries – Email||Conclusion of treatment||8 years||Retention period of 8 years in line with medical record retention.|
|Complaints case file||Closure of incident||8 years||Retention period of 8 years in line with medical record retention.|