Data Retention Policy
Written by Raj Patel

Last Updated: 6 September 2024

Version: 1.0

There are legal and regulatory requirements for us to retain certain personal data, usually for a specified amount of time. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business. This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.

This policy is provided in a layered format so you can click through to the specific areas set out below.

Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.

This policy only applies to the retention of documents or records which contain or may contain personal data.

Scope Of Policy

This policy covers all personal data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings. It applies only to personal data. In this policy we refer to this information and these records collectively as “data”.

This policy covers data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage.

Guiding Principles

Through this policy, and our data retention practices, we aim to meet the following commitments:

  • We comply with legal and regulatory requirements to retain data. With regard to medical data of individuals, we will retain this data in accordance with the NHS Code of Practice 2021 and the Specialist Pharmacy Services Guidance on the Retention and Secure Storage of Pharmacy Data (England) 2020-2021 (as updated)

  • We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle)

  • We handle, store and dispose of data responsibly and securely

  • We create and retain data where we need this to operate our business effectively, but we do not create or retain data without good business reason

  • We allocate appropriate resources, roles and responsibilities to data retention

  • We regularly remind employees of their data retention responsibilities

  • We regularly monitor and audit compliance with this policy and update this policy when required

Roles And Responsibilities

Responsibility of all employees. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All employees must comply with this policy, the Record Retention Schedule, any communications suspending data disposal and any specific instructions. Failure to do so may subject us, our employees, and contractors to serious civil and/or criminal liability. It is therefore the responsibility of everyone to understand and comply with this policy.

Data Protection Officer. Our Data Protection Officer (DPO) is responsible for advising on, and monitoring our compliance with, data protection laws which regulate personal data.

Personal Data

Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.1 below for more information on this.

Retention Periods

Personal data. As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where we have listed data in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data.

What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the DPO at dpo@nowpatient.com.

Storage, Back-Up And Disposal Of Data

Storage. Personal data must be stored in a safe, secure, and accessible manner. Where appropriate, it should be duplicated and/or backed up at least once per week and maintained off site. Personal medical data must be stored in a manner compliant with the NHS Code of Practice 2021 and the Specialist Pharmacy Services Guidance on the Retention and Secure Storage of Pharmacy Records (England) 2020-2021.

Destruction. Our DPO is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of physical documents containing personal data must be conducted by shredding if possible. The destruction of electronic data must be coordinated with the DPO.

The destruction of data must stop immediately upon notification from us that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once our lawyers lift the requirement for preservation.

Special Circumstances

Preservation of documents for contemplated litigation and other special situations. We require all employees to comply fully with our Record Retention Schedule and procedures as provided in this policy. All employees should note the following general exception to any stated destruction schedule: If you believe, or we inform you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until we determine those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.

In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.

Where To Go For Advice And Questions

Questions about this policy. Any questions about retention periods should be raised with the DPO, who is in charge of administering, enforcing, and updating this policy.

Breach Reporting And Audit

Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of personal data. The effectiveness of our efforts, however, depends largely on employees. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.

No one will be subject to, and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.

Audits. Our DPO will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice) to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.

Other Relevant Policies

This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our data protection policy.

Definitions

Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to personal data only. In this policy we refer to this information and these records collectively as “data”.

Data Retention Policy: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.

Disposable information this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.

Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our formal or official records.

Storage limitation principle: data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the UK GDPR as the principle of storage limitation.

Record Retention Schedule

Infohealth Limited establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example, with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs.

Employees should comply with the retention periods listed in the record retention schedule below, in accordance with the Data Retention Policy. With regard to Medical Records, data should be retained for the recommended minimum period set out below, unless there is an appropriate reason for retaining the data for a longer period.

If you hold data not listed below, please refer to the Data Retention Policy. If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below or if you have any other questions about this record retention schedule, please contact the DPO at dpo@nowpatient.com.

MEDICAL RECORDS

| Record | Unique record | Reason for keeping | Recommended minimum period | Derivation of recommendation and comments |
|---|---|---|---|---|
| Clinical governance | | | | |
| Competency/training records | Yes | Reference | Clinical training: until 75th birthday or duration of employment plus 6 years whichever is longer. Statutory/mandatory training: 10 years after training completed. Other training: 6 years after training completed. | Records Management Code of Practice for Health and Social Care. July 2016 (RMCoP 2016) |
| Clinical audit | Yes | Reference | 5 years | RMCoP 2016 |
| External quality control records | Yes | Audit | 12 years | RMCoP 2016 |
| Patient surveys | Yes | Audit | 5 years | RMCoP 2016 |
| Patient complaints | Yes | Audit | 10 years | RMCoP 2016. Where a legal action has commenced, keep as advised by legal representative. |
| Clinical interventions | | | | |
| Minor clinical interventions | Yes | Audit | 2 years | Best practice. Two part paper form recommended, original to be added to the patient record, duplicate kept for 2 years. Entries made on an electronic database should be reviewed after 2 years, if no longer needed, destroy or permanently delete record. |
| Significant clinical interventions | Yes | Audit | For 10 years after the death of the patient | Entries should be recorded directly in the patient notes / PMR. |
| Medicines Reconciliation (MR) documentation | Yes | Audit | 2 years | See note 5. |
| Controlled drugs (CD) | | | | |
| CD register (pharmacy, ward, theatre) | Yes | Legal | 2 years from date of last entry. | Misuse of Drugs Regulations 2001. Controlled drugs: safe use and management. Electronic CD register - see note 2. In Secure Environments Schedule 3 CDs are also recorded in CD registers (PSI IDTS 2010/45; Professional Standards for optimizing medicines for people in secure environments) |
| CD prescriptions for NHS patients (incl out-patient and TTA / TTO and those for patients treated under any NHS-commissioned care service) | Yes | Legal | 2 years | Misuse of Drugs Regulations 2001: All CD prescriptions should be kept for 2 years. (Secure Environments see note 9). |
| Private CD prescriptions | Yes | Legal | Send to NHSBSA | The Misuse of Drugs (Amendment No. 2) Regulations 2006: Private prescriptions for Schedule 2 and 2 CDs must be sent to the relevant agency. Relevant agency – NHS Business Services Authority (NHSBSA) |
| Record of destruction of patient’s own CDs | Yes | Good practice | 7 years | Controlled drugs: safe use and management. Professional guidance on the safe and secure handling of medicines: Patient’s own drugs can be removed and/or disposed of with the agreement of the patient or in the interest of the patient/general safety. |
| CD ward orders or requisitions | No | Legal | 2 years | Misuse of Drugs Regulations 2001. All CD prescriptions should be kept for 2 years. Keep in original paper form or computerised form. |
| Copy of signature for CD ward order or requisition | Yes | Validation | Duration of employment | Safer management of controlled drugs: a guide to good practice in secondary care (England). Copy of signature of each authorized signatory should be available in the pharmacy department. |
| Requisitions, orders, order books, delivery note or other record of receipt | No | Legal | 2 years or 2 years from date of last entry for record books. | Misuse of Drugs Regulations 2001: All CD prescriptions should be kept for 2 years. Includes hospice requisitions, health and justice services & others not sent to NHSBSA. See note 3. |
| Invoices | Yes | Legal | 6 years | Controlled drugs: safe use and management. Limitation Act 1980: 6 complete tax years. |
| CD transportation by road vehicle | Yes | Audit | Driver ID: 3 months. Recipients’ signature: 6 months in original form; then up to 18 months in reproducible form. Orders, signed orders, requisitions, private prescriptions: 2 years. | Guidance for the safe custody of controlled drugs and drug precursors in transit. |
| Extemporaneous CD preparation worksheets | Yes | GMP | 5 years | 5 years under GMP but consider keeping for longer due to consumer liability legislation – see note 6. |
| Aseptic CD worksheets – adult / paediatric | Yes / Yes | GMP / GMP | 5 years / 5 years | 5 years under GMP, but consider keeping for longer due to consumer liability legislation – see note 6. |
| CD clinical trials information | Yes | GMP | 5 years | This may be longer for some trials. |
| Patient safety incidents | | | | |
| Dispensing error records/incidents & associated stats (not serious incidents) | Yes | Audit | 10 years for minor harm incidents, 1 year plus current for no harm incidents | RMCoP 2016 and best practice. Recommendations only apply to paper records; entries made on electronic databases should be kept permanently. |
| Dispensing incidents resulting in disability or death (serious incidents) | Yes | Legal | 20 years | RMCoP 2016 |
| Recalls/drug alerts | | | | |
| Recall documentation | Yes | Audit | 5 years | Recommendations from the Good Distribution Guide – especially for those with wholesale dealer’s licence. |
| Responsible pharmacist | | | | |
| Responsible pharmacist records/log book | Yes | Legal | At least 5 years | Medicines (pharmacies/responsible pharmacist) Regulations 2008. Can be in hard copy or electronic. |
| Superseded documents | | | | |
| Clinical protocols | No | Reference | 25 years | RMCoP 2016 |
| Departmental & organisational Policies, strategies, standard operating procedures (SOPs) | No | Reference | Life of organization plus 6 years | RMCoP 2016 |
| Patient Group Directions (PGDs) | No | Reference | For adults aged 18 years and over: 8 years (10 years in cases of implant insertion). For a child: until the 25th birthday or for 8 years after a child’s death or 10 years in the case of implant insertion | Retaining PGD documentation |
| Stock handling and transfer | | | | |
| Picking tickets/delivery notes | Yes | Reference | 3 months | A “reasonable” period of time – for verification of order only. |
| Old order books | No | Audit | 2 years | Current financial year plus 1. |
| Invoices | Yes | Legal | 6 complete tax years | Limitation Act 1980. See note 4. |
| Wholesale dealing records | Yes | GDP | 5 years | EU Guide on Good Distribution Practice (part of the Orange Guide). |
| Fridge | | | | |
| Fridge temperature | Yes | GMP/GDP | 1 year or longer for sites holding a Wholesale Dealer’s Licence | Refrigerator records to be kept for the life of any product stored therein – particularly vaccines. For sites subject to GDP inspection (licensed wholesaler) records should be kept for 5 years as with other GDP records. SOPs detailing actions required in the event of fridge failure should also be available. |
| Waste medicines | | | | |
| Destruction of patients’ own drugs (excluding controlled drugs) [See Note 10] | Yes | Audit | 6 months | Professional guidance on the safe and secure handling of medicines: Patient’s own drugs can be removed and/or disposed of with the agreement of the patient or in the interest of the patient/general safety. |
| Waste – Non-hazardous Transfer notes | Yes | Legal | 2 years | Safe management of healthcare waste. |
| Waste – hazardous Consignment notes | Yes | Legal | 3 years | Safe management of healthcare waste. |
| Dispensing | | | | |
| Patient Medical Record (Patient Medication Record) | Yes | Legal | For 10 years after the death of the patient | RMCoP 2016 |
| Private prescriptions (excluding private CD prescriptions – see Controlled Drugs) or any non-FP10 prescriptions for patients being treated under an NHS-commissioned care service | Yes | Legal | 2 years | MEP Edition 42 July 2018. Human Medicines Regulations 2012 (regulation 253 (5)). |
| POM register | No | Legal | 2 years from last entry | Human Medicines Regulations 2012 (regulation 253 (5)). |
| POM-V & POM-VPS records of receipt and supply | Yes | Legal | At least 5 years | Veterinary medicines regulations 2009. Must keep all documents relating to the transaction. Specific requirements for what information must be included. |
| Electronic Repeat Dispensing System | | | | |
| Any service for which patient nomination of a pharmacy remains a requirement [See note 11] | Yes | Audit | 6 months after the last prescription is collected/delivered. | Best practice. |
| Specials and unlicensed medicines | | | | |
| Extemporaneously prepared on the premises with internal quality control. | Yes | Legal | 5 years | Human Medicines Regulations 2012 (regulation 170). See note 6. |
| Extemporaneously prepared by another pharmacy/company with external quality control | No | Legal | 5 years | Human Medicines Regulations 2012 (regulation 170). Should have the certificate of conformity including the source of the product; to whom, and the date on which the product was sold or supplied; the prescriber’s details; the quantity of each sale or supply; the batch number of the product; details of any adverse reactions to the product sold or supplied. See note 4. |
| Unlicensed imports | No | Legal | 5 years | |
| Equality Act | | | | |
| Record of assessment and outcome of patients’ needs in respect of medicines | Yes | Reference | For as long as the assessment remains valid, plus 1 year | Best practice. Assessment should be repeated if patient circumstances change. |
| Public Health Campaigns | | | | |
| Evidence of participation in local public health campaigns | Yes | Reference | 2 years | Where requested by the commissioner to do so, records should be kept to demonstrate compliance with Terms of Service of NHS Pharmacists (Schedule 4, part 2, paragraph 18(b)) to regulation 11(1)(a)(i) of the National Health Service (Pharmaceutical and Local Pharmaceutical Services) Regulations 2013. |
| Advanced services | | | | |
| Medicines Use Review (MUR) | Yes | Legal | 2 years | Records can be kept electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least two years after the date on which the consultation to which the record relates is carried out (Direction 5(1)(l)). |
| New Medicine Service (NMS) | Yes | Legal | 2 years | Records can be kept electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least two years after the date on which the service intervention is completed or discontinued (Direction 7(1)(n)). |
| Stoma appliance customisation | Yes | Legal | 12 months | Records can be kept electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least 12 months or such longer period as the commissioner may reasonably require (Direction 10(2)(d)). |
| Appliance use review | Yes | Legal | 12 months | Records can be kept electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least 12 months or such longer period as the commissioner may reasonably require (Direction 12(5)(e)). |
| Community Pharmacy Seasonal Influenza Vaccination Advanced Service (CPSIVAS) | Yes | Legal | 8 years for adults aged 18 years and over (2 years for consent forms for post payment verification) | Records can be kept electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013 consolidated directions and subsequent amendments. Service Specification: Community pharmacy seasonal influenza vaccination advanced service: All relevant paperwork must be managed in line with RMCoP 2016. Pharmacy Influenza Vaccination PGD: Keep records for audit purposes and post payment verification. |
| NHS Community Pharmacy Consultation Service | Yes | Interim best practice recommendation | 2 years | Records can be kept electronically or in hard copy. All relevant records must be managed in line with RMCoP |
| Enhanced services, locally commissioned services or private services. See Note 7 | | | | |
| Sexual Health service forms | Yes | Audit | For adults aged 18 years and over: 8 years (10 years in cases of implant or device insertion). For a child: until the 25th birthday or 26th birthday if the patient was 17 years when treatment finished. In cases of implant or device insertion, keep the record as above or for 10 years, whichever is longer. | RMCoP 2016. Service standards for record keeping. NB The longest licence period for a contraceptive device is 10 years. |
| | No | Reference | Where individual patient records are kept by a sexual health team and a shorter minimum period for retaining records may be stated in the service level agreement. | |
| Smoking cessation service | Yes | Audit | 2 years | RMCoP 2016 |
| Supply of Smoking cessation therapy e.g. NRT not via FP10 or via PGD | Yes | Audit | 2 years | RMCoP 2016 |
| Minor ailments service | Yes | Audit | 2 years | Recommended best practice. |
| Immunisation and vaccination records | Yes | Legal | For adults aged 18 years and over: 8 years. For a child: until the 25th birthday or 26th birthday if the patient was 17 years when treatment finished. | RMCoP 2016 |
| NHS health check | No* | Audit | 2 years | Best practice [*If the results are forwarded to the patient’s GP] |
| | Yes** | Audit | 2 years | Best practice [**Where results are not forwarded to the GP] |
| Substance misuse service forms | Yes | Audit | 2 years | Best practice |
| Medicines administered under Patient Specific Direction (PSD), Patient Group Direction (PGD) or National Protocol | Yes | Reference | The individual’s clinical record is maintained for 8 years for an adult and up to the 26th birthday if given to a child under the age of 18. | |
| Invoices and consent forms | | | | |
| All payment claims, invoices and patient consent forms relating to any advanced or enhanced service | Yes | Audit | 6 complete tax years | VAT regulations 2005 for invoices. Individual signed consent forms support the invoiced claim. NOTE: Enhanced service consent forms represent consent at the point in time the service is provided and are not proof of ongoing consent. |
| Other records | | | | |
| Any other records pertaining to individual patient care in community pharmacy not covered elsewhere in this document. | Yes | Audit | 2 years | Best practice. This recommendation only applies for paper records. It is accepted that, where appropriate, records relating to patient care (e.g. self-care, signposting, telephone queries) should be entered on the PMR, either directly or transferred from paper records. Entries made on the PMR should be kept permanently. For further guidance see Guidance for registered pharmacies providing pharmacy services at a distance, including on the internet. General Pharmaceutical Council 2019 |

KEY

GMP = good manufacturing practice; GDP = good distribution practice; GCP = good clinical practice; MR = medicines reconciliation; MUR = medicines use review

Where GMP is given as the reason for keeping the record, this would be legally enforceable for all unlicensed medicines and for any manufacturing of medicines under an MHRA licence. Any reason for keeping other than ‘legal’ can be regarded as best practice.

Topic Specific Notes

Note 1

The sponsor of the trial is responsible under current legislation for keeping trial records. All clinical trial records should be retained for a longer period (up to 15 years) if required by the applicable regulatory requirement(s) or if needed by the Sponsor as per Annex 1 to Directive 2001/83/EC and GCP requirements EMA/CHMP/ICH/135/1995.

Note: The provisions of Directive 2001/83/EC are brought into UK law by the Human Medicines Regulations 2012. The HMR 2012 do not, however, reproduce the detail of the 2001 directive, so the original directive text should be referred to.

Note 2

Once electronic CD registers are in widespread use, the Government intends to require anyone required to keep secure copies of a CD register for up to 11 years.

(Department of Health. Safer management of CDs: Changes to the record keeping requirements, guidance for England only. Last revised February 2008)

Note 3

Every requisition, order or private prescription on which a CD is supplied must be preserved by the pharmacy department for a minimum of 2 years from the date on which the last delivery under it was made. Although the mandatory period for keeping requisitions is 2 years, health care organisations may wish to store them for longer periods, as cases often come to court at a much later date. Future regulations may increase the period of time for the storage of records. (Department of Health/RPSGB, Safer management of controlled drugs – a guide to good practice in secondary care. (England) Oct 2007). In secure environments that do not have an in-house dispensing pharmacy, HO advice is that CD requisitions are still required where the requisitioning organisation is a different legal entity to the supplier. The national CD requisition can be used but is not mandatory.

HJ providers must ensure that a Practitioner (i.e. a medical Doctor) signs the requisition where this is needed to comply with the regulation.

Note 4

The 6-tax-years limit relates to disputes over simple contract (Limitation Act 1980). Manufacturers, and sometimes others involved in a product’s supply chain, are liable for their products under the Consumer Protection Act 1987. Therefore, it is recommended to keep delivery notes or invoices for 11 years as product liability records – see note 6.

Note 5

Where the electronic system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain demonstrating that a record has been destroyed, then the Records Management Code should be followed in the same way for electronic records as for paper records with a log being kept of the records destroyed. If the system does not have this capacity, then once the records have reached the end of their retention periods they should be inaccessible to users of the system and upon decommissioning, the system (along with audit trails) should be retained for the retention period of the last entry related to the schedule.

(Records Management Code of Practice for Health & Social Care, Jul 2016)

Note 6

Consumer Protection Act (CPA) 1987 allows patients to claim for injury due to a defective product (medicine) up to 10 years after a medicine has been administered.

Records of manufactured products (e.g. worksheets) can prove that the product was / was not defective. The prescription / other clinical records will only indicate that the patient was prescribed / dispensed an item but will not give any indication how the product was made and from what ingredients. If the problem is a contaminated ingredient, it is possible to partially pass the responsibility to the supplier of the defective ingredient.

Adult patients (18 years and over)

Keep manufacturing records for 11 years (10 years as part of CPA + 1 year best practice safety margin)

Paediatric patients

If a child suffers from a medication, they’ve got:

  • any time up to 3 years after their 18th birthday to sue in negligence (up until they’re 21 years)

  • 10 years from taking the medicine to sue under CPA

RMCoP 2016 states that records relating to children should be kept until the child’s 25th birthday (26th birthday if 17 years old at time of treatment), unless there are other factors which indicate the record should be kept for longer. Therefore, in line with RMCoP recommendation, keep all paediatric manufacturing records for 25 years.

Note 7

For locally negotiated services, if the minimum retention period stated in the contractual arrangement of the service level agreement (SLA) exceeds the recommendations of this document contractors must adhere to the SLA.

Note 8

NHS England directly commissions healthcare in all residential Secure Environments (prisons, Immigration Removal Centres and Secure Training Centres). Prescriptions generated in these settings are therefore NHS prescriptions and not private prescriptions. The expectations for prescriptions and other record retention for these settings are in the main as for hospital settings. A wing or treatment room is considered equivalent to a hospital ward. Health and justice (HJ) prescriptions are all now held on the HJIS EPR system and thus retention of the actual hand signed prescription can be reduced to 3 months (please also see the RPS Professional Standards for optimizing medicines for people in secure environments 2017). The community pharmacy section of this document is also relevant where dispensing takes place in-house and where advanced services or additional enhanced services are delivered.

Note 9

In addition to retaining the CD prescription a copy of the current CD prescription (i.e. Schedule 2 and 3) for a patient should be available on patient transfer to another secure setting. To achieve this either a scanned e-copy or a hard copy transferred with the patient is needed. This is essential for enabling continuity of supply on transfer until the prescription is reviewed. (PSI IDTS 2010/45 and RPS Professional Standards for optimizing medicines for people in secure environments, Feb 2017).

Note 10

The T28 exemption from the Environment Agency allows pharmacies and similar places to denature controlled drugs to comply with Misuse of Drugs Regulations 2001. See the T28 Exemption guidance. NHSE&I may require evidence of valid exemption from some pharmacy contractors from whom they commission services.

Note 11

Patient nomination was previously required for EPS but is no longer under EPS4.

Note 12

For general information about data protection see Guide to Data Protection, ICO.

SALES, MARKETING AND CUSTOMER RECORDS

| TYPE OF DATA | RETENTION PERIOD | REASON | COMMENTS |
|---|---|---|---|
| Marketing database records (e.g. lead generation, meeting feedback, contact data etc.). | 2 years from last contact | Business need | Depends on the nature of the business. |
| Customer relations database records (e.g. call centre records, queries, meeting feedback, account history etc.). | 6 years from last contact | Business need and limitation period. | |
| Bought in mailing lists and associated contracts. | 1 year for mailing lists. 6 years from expiry or termination for contracts (12 years for contracts executed as a deed). | Best practice for mailing lists. Limitation period for contracts. | Consult ICO guidance on bought-in lists; ICO Direct Marketing Code recommends that organisations should not rely on indirect consent given more than 6 months ago. |
| Order fulfilment records. | 6 years from completion | Limitation period and accounting requirement. | |
| Opt-out/suppression lists. | Indefinite | Business and compliance need. | Only sufficient information to enable the opt out should be retained. |
| Evidence of consent to marketing (including electronic marketing). | While consent valid. 6 years from date consent withdrawn or ceases to be valid. | Business need. Limitation period. | Consent can be withdrawn at any time and may not necessarily remain valid indefinitely, although how long it remains valid will depend on the context. |
| Market research, marketing campaigns | 2 years from completion | Business need | DMA suggests two years from last campaign. |
| Customer complaints handling | 6 years from settlement or closure | Business need and limitation period | |
| Website analytics reports from cookies and other similar technology | 2 years | Business need | This refers to the output from information obtained via cookies. No firm period recommended by the ICO, although the French regulator recommends 25 months from collection and, for Google Analytics, the DMA recommends 2 years. Cookies themselves may be set for different periods depending on the function of the cookie. |


IT RECORDS

| TYPE OF DATA | RETENTION PERIOD | REASON | COMMENTS |
|---|---|---|---|
| Technical support and help-desk requests. | 3 years from end of support. Consider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these requests for a longer period (for example, 7 years to align with limitation periods). | Business need. Contractual obligation. Limitation period. | No statutory period so organisation can balance need to retain these records against data minimisation principle. Consider whether support services are provided to external customers, in which case contractual obligations and limitation periods may be relevant. |
| Technical information relating to external customer user accounts. | 1 year from account closure. Consider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these plans for a longer period. | Business need. Contractual obligation. Limitation period. | No statutory period so organisation can balance need to retain these records against data minimisation principle. Consider whether contractual obligations and limitation periods may be relevant. |

