
How Is Patient Data Handled

NowPatient's Data Retention Policy sets out how long personal data is kept, why it is retained, and how it is securely disposed of when it is no longer needed.

Written by Raj Patel
Updated over a week ago

The policy applies to all personal data held by NowPatient, both physical records (such as letters, contracts, and invoices) and electronic records (such as emails, documents, and audio or video recordings).

It also covers personal data held on NowPatient's behalf by third parties, such as cloud storage providers.

The policy balances two obligations: the legal and regulatory requirement to retain certain records for defined minimum periods, and the data protection principle of storage limitation, which requires that personal data is not kept for longer than is necessary for the purpose for which it was collected.

The full policy is available here

Why Does NowPatient Keep My Data?

NowPatient retains personal data for a number of legitimate reasons, including:

  • Legal and regulatory compliance — certain records must be kept for defined periods under UK law, NHS Codes of Practice, pharmaceutical regulations, and data protection legislation.

  • Clinical safety — medical and prescription records are retained to ensure continuity of care and to provide evidence in the event of a patient safety incident or legal claim.

  • Business operations — records such as invoices, order history, and customer service interactions are kept to operate the business effectively and to meet accounting and tax obligations.

  • Audit and quality assurance — records of clinical audits, complaints, and service delivery are retained to support ongoing quality improvement.

NowPatient does not retain data without a clear business or legal reason, and does not keep data longer than necessary.

How Long Does NowPatient Keep My Medical Records?

Retention periods for medical records are set in line with the NHS Records Management Code of Practice 2021 and the Specialist Pharmacy Services Guidance on the Retention and Secure Storage of Pharmacy Records (England) 2020-2021. The key periods for common record types are summarised below.

| Record Type | Minimum Retention Period | Basis |
|---|---|---|
| Patient Medical Record (PMR) | Until 10 years after death of patient | NHS Records Management Code of Practice 2016 |
| Private prescriptions (non-CD) | 2 years | Human Medicines Regulations 2012 |
| Controlled drug (CD) prescriptions | 2 years | Misuse of Drugs Regulations 2001 |
| Controlled drug register | 2 years from date of last entry | Misuse of Drugs Regulations 2001 |
| CD destruction records | 7 years | Best practice guidance |
| Patient complaints | 10 years | NHS Records Management Code of Practice 2016 |
| Serious incidents (death or disability) | 20 years | NHS Records Management Code of Practice 2016 |
| Minor clinical interventions | 2 years | Best practice |
| Significant clinical interventions | 10 years after death of patient | NHS Records Management Code of Practice 2016 |
| New Medicine Service (NMS) records | 2 years | NHS Pharmaceutical Services Directions 2013 |
| Smoking cessation service records | 2 years | NHS Records Management Code of Practice 2016 |
| Immunisation / vaccination records (adults) | 8 years | NHS Records Management Code of Practice 2016 |
| Immunisation / vaccination records (children) | Until 25th birthday (or 26th if aged 17 at end of treatment) | NHS Records Management Code of Practice 2016 |
| Responsible pharmacist log | At least 5 years | Medicines (Pharmacies) Regulations 2008 |
| Clinical protocols (superseded) | 25 years | NHS Records Management Code of Practice 2016 |
| Invoices (pharmacy/financial) | 6 complete tax years | Limitation Act 1980 |
| Clinical training records | Until 75th birthday or employment plus 6 years (whichever is longer) | NHS Records Management Code of Practice 2016 |
| Clinical audit records | 5 years | NHS Records Management Code of Practice 2016 |
| External quality control records | 12 years | NHS Records Management Code of Practice 2016 |

For records relating to children, NowPatient follows the NHS Records Management Code of Practice requirement to retain records until the child's 25th birthday (or 26th birthday if the patient was 17 years old at the time treatment was concluded).

How Long Does NowPatient Keep My Account and Marketing Data?

For non-medical personal data, NowPatient applies the following retention periods:

| Type of Data | Retention Period | Reason |
|---|---|---|
| Customer account / relations records | 6 years from last contact | Business need and limitation period |
| Marketing database records | 2 years from last contact | Business need |
| Customer complaints (non-clinical) | 6 years from settlement or closure | Business need and limitation period |
| Order fulfilment records | 6 years from completion | Limitation period and accounting requirement |
| Evidence of marketing consent | While consent is valid; 6 years from withdrawal | Limitation period |
| Opt-out / suppression lists | Indefinitely | Business and compliance need |
| Website analytics (cookies) | 2 years | Business need |
| Bought-in mailing lists | 1 year (list); 6 years (contracts) | Best practice / limitation period |
| IT support / helpdesk requests | 3 years from end of support | Business need / contractual obligation |
| Technical user account information | 1 year from account closure | Business need / contractual obligation |

How is My Data Stored and Disposed of Securely?

NowPatient takes the security of personal data seriously at every stage of its lifecycle — from collection through to disposal.

Storage

All personal data must be stored in a safe, secure, and accessible manner. Electronic data is backed up at least weekly and maintained offsite. Personal medical data is stored in compliance with the NHS Code of Practice 2021 and Specialist Pharmacy Services Guidance on the Retention and Secure Storage of Pharmacy Records (England) 2020-2021. All data is encrypted in transit and at rest using AES-256 encryption.

Disposal

Once data has reached the end of its required retention period, it is securely destroyed. Physical documents containing personal data are shredded. Electronic data is destroyed in coordination with NowPatient's Data Protection Officer (DPO). A record of destruction is maintained.

Destruction of data is suspended immediately if NowPatient is notified that records are required for active or contemplated litigation, a government investigation, or another legal proceeding. This is known as a litigation hold. Destruction may resume only once the requirement for preservation is formally lifted.

Who is Responsible for Data Retention at NowPatient?

Responsibility for data retention sits across the organisation:

  • All employees and contractors are required to comply with the Data Retention Policy and Record Retention Schedule. Failure to comply can result in serious civil or criminal liability for the organisation and individuals.

  • The Data Protection Officer (DPO) is responsible for advising on and monitoring compliance with data protection laws, administering the retention schedule, supervising the destruction of data that has met its retention period, and periodically reviewing and updating the policy. The DPO can be contacted at dpo@nowpatient.com.

NowPatient regularly monitors compliance with the policy and conducts internal and external audits to ensure adherence.

Can I Request Deletion of My Data?

Yes. Under UK GDPR and the Data Protection Act 2018, you have the right to request erasure of your personal data (the 'right to be forgotten') in certain circumstances. However, this right is not absolute and cannot override NowPatient's legal and regulatory obligations to retain certain records for defined periods.

For example, NowPatient is legally required to retain medical records, prescription records, and controlled drug registers for minimum periods set by NHS and pharmaceutical regulations. These records cannot be deleted on request before the end of their mandatory retention period.

If you wish to submit a data subject request — including a request for erasure, access, or correction of your data — please contact the Data Protection Officer:

  • Post: NowPatient c/o Infohealth Ltd, 28 Chipstead Valley Road, Coulsdon, Surrey, CR5 2RA

Your request will be processed within 7 days. If you are a UK user who has received NHS services from NowPatient, please note that data relating to those services is subject to NHS data retention policies, which may require retention beyond what you have requested.

What Happens if There is a Data Retention Breach?

NowPatient is committed to enforcing its Data Retention Policy across all forms of personal data. If an employee, contractor, or any person believes that the policy has been breached, or suspects that personal data has been retained, handled, or destroyed improperly, they are required to report the incident immediately to their supervisor.

NowPatient operates a strict non-retaliation policy: no individual will face discipline, reprisal, or intimidation for reporting a potential breach in good faith or for cooperating with any related investigation.

The DPO will investigate reported breaches and take appropriate corrective action. Where required by law, NowPatient will notify the Information Commissioner's Office (ICO) and affected individuals of any personal data breach within the required timeframes.
