There are legal and regulatory requirements for us to retain certain personal data, usually for a specified amount of time. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business. This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
This policy is provided in a layered format so you can click through to the specific areas set out below.
Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.
This policy only applies to the retention of documents or records which contain or may contain personal data.
This policy covers all personal data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings. It applies to only personal data. In this policy we refer to this information and these records collectively as “data”
This policy covers data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage.
Through this policy, and our data retention practices, we aim to meet the following commitments:
- We comply with legal and regulatory requirements to retain data. With regard to medical data of individuals, we will retain this data in accordance with the NHS Code of Practice 2021 and the Specialist Pharmacy Services Guidance on the Retention and Secure Storage of Pharmacy Data (England) 2020-2021 (as updated)
- We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle)
- We handle, store and dispose of data responsibly and securely
- We create and retain data where we need this to operate our business effectively, but we do not create or retain data without good business reason
- We allocate appropriate resources, roles and responsibilities to data retention
- We regularly remind employees of their data retention responsibilities
- We regularly monitor and audit compliance with this policy and update this policy when required
Responsibility of all employees. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All employees must comply with this policy, the Record Retention Schedule, any communications suspending data disposal and any specific instructions. Failure to do so may subject us, our employees, and contractors to serious civil and/or criminal liability. It is therefore the responsibility of everyone to understand and comply with this policy.
Data Protection Officer. Our Data Protection Officer (DPO) is responsible for advising on, and monitoring our compliance with, data protection laws which regulate personal data.
Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.1 below for more information on this.
Personal data. As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where we have listed data in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data.
What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the [email protected].
Storage Personal data must be stored in a safe, secure, and accessible manner. Where appropriate, they should be duplicated and/or backed up at least once per week and maintained off site. Personal medical data must be stored in a manner compliant with the NHS Code of Practice 2021 and the Specialist Pharmacy Services Guidance on the Retention and Secure Storage of Pharmacy Records (England) 2020-2021.
Destruction Our DPO is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of physical documents containing personal data must be conducted by shredding if possible. The destruction of electronic data must be coordinated with the DPO.
The destruction of data must stop immediately upon notification from us that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once our lawyers lift the requirement for preservation.
Preservation of documents for contemplated litigation and other special situations. We require all employees to comply fully with our Record Retention Schedule and procedures as provided in this policy. All employees should note the following general exception to any stated destruction schedule: If you believe, or we inform you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until we determine those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.
In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.
Questions about this policy. Any questions about retention periods should be raised with the DPO, who is in charge of administering, enforcing, and updating this policy.
In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.
Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of personal data. The effectiveness of our efforts, however, depend largely on employees. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
No one will be subject to and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.
Audits Our DPO will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice) to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.
This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our data protection policy.
Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to personal data only. In this policy we refer to this information and these records collectively as “data”.
Data Retention Policy: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
Disposable information this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our formal or official records.
Storage limitation principle: data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the UK GDPR as the principle of storage limitation.
Infohealth Limited establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example, with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs
Employees should comply with the retention periods listed in the record retention schedule below, in accordance with the Data Retention Policy. With regard to Medical Records, data should be retained for the recommended minimum period set out below, unless there is an appropriate reason for retaining the data for a longer period.
If you hold data not listed below, please refer to the Data Retention Policy. If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below or if you have any other questions about this record retention schedule, please contact the [email protected]
|
Record |
Unique record |
Reason for keeping |
Recommended minimum period |
Derivation of recommendation and comments |
|
|
Clinical governance |
Competency/training records |
Yes |
Reference |
Clinical training: until 75th birthday or duration of employment plus 6 years whichever is longer. Statutory/mandatory training: 10 years after training completed Other training: 6 years after training completed. |
Records Management Code of Practice for Health and Social Care. July 2016 (RMCoP 2016) |
|
Clinical audit |
Yes |
Reference |
5 years |
RMCoP 2016 |
|
|
External quality control records |
Yes |
Audit |
12 years |
RMCoP 2016 |
|
|
Patient surveys |
Yes |
Audit |
5 years |
RMCoP 2016 |
|
|
Patient complaints |
Yes |
Audit |
10 years |
RMCoP 2016 Where a legal action has commenced, keep as advised by legal representative. |
|
|
Clinical interventions |
Minor clinical interventions |
Yes |
Audit |
2 years |
Best practice. Two part paper form recommended, original to be added to the patient record, duplicate kept for 2 years. Entries made on an electronic database should be reviewed after 2 years, if no longer needed, destroy or permanently delete record. |
|
Significant clinical interventions |
Yes |
Audit |
For 10 years after the death of the patient |
Entries should be recorded directly in the patient notes / PMR. |
|
|
Medicines Reconciliation (MR) documentation |
Yes |
Audit |
2 years |
See note 5. |
|
|
Controlled drugs (CD) |
CD register (pharmacy, ward, theatre) |
Yes |
Legal |
2 years from date of last entry. |
Misuse of Drugs Regulations 2001 Controlled drugs: safe use and management Electronic CD register -see note 2. In Secure Environments Schedule 3 CDs are also recorded in CD registers (PSI IDTS 2010/45 ; Professional Standards for optimizing medicines for people in secure environments ) |
|
CD prescriptions for NHS patients (incl out-patient and TTA / TTO and those for patients treated under any NHS-commissioned care service) |
Yes |
Legal |
2 years |
Misuse of Drugs Regulations 2001 : All CD prescriptions should be kept for 2 years. (Secure Environments see note 9). |
|
|
Private CD prescriptions |
Yes |
Legal |
Send to NHSBSA |
The Misuse of Drugs (Amendment No. 2) Regulations 2006 : Private prescriptions for Schedule 2 and 2 CDs must be sent to the relevant agency. Relevant agency – NHS Business Services Authority (NHSBSA) |
|
|
Record of destruction of patient’s own CDs |
Yes |
Good practice |
7 years |
Controlled drugs: safe use and management Professional guidance on the safe and secure handling of medicines : Patient’s own drugs can be removed and/or disposed of with the agreement of the patient or in the interest of the patient/general safety. |
|
|
CD ward orders or requisitions |
No |
Legal |
2 years |
Misuse of Drugs Regulations 2001 All CD prescriptions should be kept for 2 years. Keep in original paper form or computerised form. |
|
|
Copy of signature for CD ward order or requisition |
Yes |
Validation |
Duration of employment |
Safer management of controlled drugs: a guide to good practice in secondary care (England) Copy of signature of each authorized signatory should be available in the pharmacy department. |
|
|
Requisitions, orders, order books, delivery note or other record of receipt |
No |
Legal |
2 years or 2 years from date of last entry for record books. |
Misuse of Drugs Regulations 2001 : All CD prescriptions should be kept for 2 years. Includes hospice requisitions, health and justice services & others not sent to NHSBSA. See note 3. |
|
|
Invoices |
Yes |
Legal |
6 years |
Controlled drugs: safe use and management Limitation Act 1980: 6 complete tax years. |
|
|
CD transportation by road vehicle |
Yes |
Audit |
Driver ID: 3 months. Recipients’ signature: 6 months in original form; then up to 18 months in reproducible form. Orders, signed orders, requisitions, private prescriptions: 2 years. |
Guidance for the safe custody of controlled drugs and drug precursors in transit. |
|
|
Extemporaneous CD preparation worksheets |
Yes |
GMP |
5 years |
5 years under GMP but consider keeping for longer due to consumer liability legislation – see note 6. |
|
|
Aseptic CD worksheets – adult paediatric |
Yes Yes |
GMP GMP |
5 years 5 years |
5 years under GMP, but consider keeping for longer due to consumer liability legislation – see note 6. |
|
|
CD clinical trials information |
Yes |
GMP |
5 years |
This may be longer for some trials. |
|
|
Patient safety incidents |
Dispensing error records/incidents & associated stats (not serious incidents) |
Yes |
Audit |
10 years for minor harm incidents, 1 year plus current for no harm incidents |
RMCoP 2016 and best practice. Recommendations only apply to paper records; entries made on electronic databases should be kept permanently. |
|
Dispensing incidents resulting in disability or death (serious incidents) |
Yes |
Legal |
20 years |
RMCoP 2016 |
|
|
Recalls/drug alerts |
Recall documentation |
Yes |
Audit |
5 years |
Recommendations from the Good Distribution Guide – especially for those with wholesale dealer’s licence. |
|
Responsible pharmacist |
Responsible pharmacist records/log book |
Yes |
Legal |
At least 5 years |
Medicines (pharmacies/responsible pharmacist) Regulations 2008 Can be in hard copy or electronic. |
|
Superseded documents |
Clinical protocols |
No |
Reference |
25 years |
RMCoP 2016 |
|
|
No |
Reference |
Life of organization plus 6 years |
RMCoP 2016 |
|
|
Patient Group Directions (PGDs) |
No |
Reference |
For adults aged 18 years and over: 8 years (10 years in cases of implant insertion). For a child: until the 25th birthday or for 8 years after a child’s death or 10 years in the case of implant insertion |
Retaining PGD documentation |
|
|
Stock handling and transfer |
Picking tickets/delivery notes |
Yes |
Reference |
3 months |
A “reasonable” period of time – for verification of order only. |
|
Old order books |
No |
Audit |
2 years |
Current financial year plus 1. |
|
|
Invoices |
Yes |
Legal |
6 complete tax years |
Limitation Act 1980. See note 4. |
|
|
Wholesale dealing records |
Yes |
GDP |
5 years |
EU Guide on Good Distribution Practice (part of the Orange Guide). |
|
|
Fridge |
Fridge temperature |
Yes |
GMP/GDP |
1 year or longer for sites holding a Wholesale Dealer’s Licence |
Refrigerator records to be kept for the life of any product stored therein – particularly vaccines. For sites subject to GDP inspection (licensed wholesaler) records should be kept for 5 years as with other GDP records. SOPs detailing actions required in the event of fridge failure should also be available. |
|
Waste medicines |
Destruction of patients’ own drugs (excluding controlled drugs) [See Note 10] |
Yes |
Audit |
6 months |
Professional guidance on the safe and secure handling of medicines: Patient’s own drugs can be removed and/or disposed of with the agreement of the patient or in the interest of the patient/general safety. |
|
Waste – Non-hazardous Transfer notes |
Yes |
Legal |
2 years |
Safe management of healthcare waste. |
|
|
Waste – hazardous Consignment notes |
Yes |
Legal |
3 years |
Safe management of healthcare waste. |
|
|
Dispensing |
Patient Medical Record (Patient Medication Record) |
Yes |
Legal |
For 10 years after the death of the patient |
RMCoP 2016 |
|
Private prescriptions (excluding private CD prescriptions – see Controlled Drugs) or any non- FP10 prescriptions for patients being treated under an NHS- commissioned care service |
Yes |
Legal |
2 years |
MEP Edition 42 July 2018. Human Medicines Regulations 2012 (regulation 253 (5)). |
|
|
POM register |
No |
Legal |
2 years from last entry |
Human Medicines Regulations 2012 (regulation 253 (5)). |
|
|
POM-V & POM-VPS records of receipt and supply |
Yes |
Legal |
At least 5 years |
Veterinary medicines regulations 2009. Must keep all documents relating to the transaction. Specific requirements for what information must be included. |
|
|
Electronic Repeat Dispensing System |
Any service for which patient nomination of a pharmacy remains a requirement [See note 11 |
Yes |
Audit |
6 months after the last prescription is collected/delivered. |
Best practice. |
|
Specials and unlicensed medicines |
Extemporaneously prepared on |
Yes |
Legal |
5 years |
Human Medicines Regulations 2012 (regulation 170) See note 6. |
|
Extemporaneously prepared by another pharmacy/company with external quality control |
No |
Legal |
5 years |
Human Medicines Regulations 2012 (regulation 170). Should have the certificate of conformity including the source of the product; to whom, and the date on which the product was sold or supplied; the prescriber’s details; the quantity of each sale or supply; the batch number of the product; details of any adverse reactions to the product sold or supplied. See note 4. |
|
|
Unlicensed imports |
No |
Legal |
5 years |
||
|
Equality Act |
Record of assessment and outcome of patients’ needs in respect of medicines |
Yes |
Reference |
For as long as the assessment remains valid, plus 1 year |
Best practice Assessment should be repeated if patient circumstances change. |
|
Public Health Campaigns
|
Evidence of participation in local public health campaigns |
Yes |
Reference |
2 years |
Where requested by the commissioner to do so, records should be kept to demonstrate compliance with Terms of Service of NHS Pharmacists (Schedule 4, part 2, paragraph 18(b)) to regulation 11(1)(a)(i) of the National Health Service (Pharmaceutical and Local Pharmaceutical Services) Regulations 2013. |
|
Advanced services |
Medicines Use Review (MUR) |
Yes |
Legal |
2 years |
Records can be kept electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least two years after the date on which the consultation to which the record relates is carried out (Direction 5(1)(l)). |
|
New Medicine Service (NMS) |
Yes |
Legal |
2 years |
Records can be kept electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least two years after the date on which the service intervention is completed or discontinued (Direction 7(1)(n)). |
|
|
Stoma appliance customisation |
Yes |
Legal |
12 months |
Records can be kept electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least 12 months or such longer period as the commissioner may reasonably require (Direction 10(2)(d)). |
|
|
Appliance use review |
Yes |
Legal |
12 months |
Records can be kept in electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least 12 months or such longer period as the commissioner may reasonably require (Direction 12(5)(e)). |
|
|
Community Pharmacy Seasonal Influenza Vaccination Advanced Service (CPSIVAS) |
Yes |
Legal |
8 years for adults aged 18 years and over (2 years for consent forms for post payment verification) |
Records can be kept in electronically or in hard copy. The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013 consolidated directions and subsequent amendments. Service Specification: Community pharmacy seasonal influenza vaccination advanced service: All relevant paperwork must be managed in line with RMCoP 2016 Pharmacy Influenza Vaccination PGD: Keep records for audit purposes and post payment verification. |
|
|
NHS Community Pharmacy Consultation Service |
Yes |
Interim best practice recommendation |
2 years |
Records can be kept in electronically or in hard copy. All relevant records must be managed in line with RMCoP |
|
|
Enhanced services, locally commissioned services or private services See Note 7 |
Sexual Health service forms |
Yes |
Audit |
For adults aged 18 years and over: 8 years (10 years in cases of implant or device insertion). For a child: until the 25th birthday or 26th birthday if the patient was 17 years when treatment finished. In cases of implant or device insertion, keep the record as above or for 10 years, whichever is longer. |
RMCoP 2016 Service standards for record keeping NB The longest licence period for a contraceptive device is 10 years. |
|
No |
Reference |
Where individual patient records are kept by a sexual health team and a |
|||
|
shorter minimum period for retaining records may be stated in the service level agreement. |
|||||
|
Smoking cessation service |
Yes |
Audit |
2 years |
RMCoP 2016 |
|
|
Supply of Smoking cessation therapy e.g. NRT not via FP10 or via PGD |
Yes |
Audit |
2 years |
RMCoP 2016 |
|
|
Minor ailments service |
Yes |
Audit |
2 years |
Recommended best practice. |
|
|
Immunisation and vaccination records |
Yes |
Legal |
For adults aged 18 years and over: 8 years. For a child: until the 25th birthday or 26th birthday if the patient was 17 years when treatment finished. |
RMCoP 2016 |
|
|
NHS health check |
No* |
Audit |
2 years |
Best practice [*If the results are forwarded to the patients GP] |
|
|
Yes** |
Audit |
2 years |
Best practice [**Where results are not forwarded to the GP] |
||
|
Substance misuse service forms |
Yes |
Audit |
2 years |
Best practice |
|
|
Medicines administered under Patient Specific Direction (PSD), Patient Group Direction (PGD) or National Protocol |
Yes |
Reference |
The individual’s clinical record is maintained for 8 years for an adult and up to the 26th birthday if given to a child under the age of 18. |
||
|
Invoices and consent forms |
All payment claims, invoices and patient consent forms relating to any advanced or enhanced service |
Yes |
Audit |
6 complete tax years |
VAT regulations 2005 for invoices. Individual signed consent forms support the invoiced claim. NOTE: Enhanced service consent forms represent consent at the point in time the service is provided and are not proof of ongoing consent. |
|
Other records |
Any other records pertaining to individual patient care in community pharmacy not covered elsewhere in this document. |
Yes |
Audit |
2 years |
Best practice. This recommendation only applies for paper records. It is accepted that, where appropriate, records relating to patient care (e.g. self-care, signposting, telephone queries) should be entered on the PMR, either directly or transferred from paper records. Entries made on the PMR should be kept permanently. For further guidance see Guidance for registered pharmacies providing pharmacy services at a distance, including on the internet. General Pharmaceutical Council 2019 |
|
KEY GMP = good manufacturing practice; GDP = good distribution practice; GCP = good clinical practice; MR = medicines reconciliation; MUR = medicines use review Where GMP is given as the reason for keeping the record, this would be legally enforceable for all unlicensed medicines and for any manufacturing of medicines under an MHRA licence. Any reason for keeping other than ‘legal’ can be regarded as best practice. |
|||||
|
Topic Specific Notes |
|
|
Note 1 |
The sponsor of the trial is responsible under current legislation for keeping trial records. All clinical trial records should be retained for a longer (up to 15 years) if required by the applicable regulatory requirement(s) or if needed by the Sponsor as per Annex 1 to Directive 2001/83/EC and GCP requirements EMA/CHMP/ICH/135/1995. Note: The provisions of Directive 2001/83/EC are brought into UK law by the Human Medicines Regulations 2012.The HMR 2012 do not, however, reproduce the detail of the 2001 directive, so the original directive text should be referred to. |
|
Note 2 |
Once electronic CD registers are in widespread use, the Government intends to require anyone required to keep secure copies of a CD register for up to 11 years. (Department of Health. Safer management of CDs: Changes to the record keeping requirements, guidance for England only. Last revised February 2008) |
|
Note 3 |
Every requisition, order or private prescription on which a CD is supplied must be preserved by the pharmacy department for a minimum of 2 years from the date on which the last delivery under it was made. Although the mandatory period for keeping requisitions is 2 years, health care organisations may wish to store them for longer periods, as cases often come to court at a much later date. Future regulations may increase the period of time for the storage of records. (Department of Health/RPSGB, Safer management of controlled drugs – a guide to good practice in secondary care. (England) Oct 2007). In secure environments that do not have an in-house dispensing pharmacy, HO advice is that CD requisitions are still required where the requisitioning organisation is a different legal entity to the supplier. The national CD requisition can be used but is not mandatory. HJ providers must ensure that a Practitioner (i.e. a medical Doctor) signs the requisition where this is needed to comply with the regulation. |
|
Note 4 |
The 6-tax-years limit relates to disputes over simple contract (Limitation Act 1980). Manufacturers, and sometimes others involved in a product’s supply chain, are liable for their products under the Consumer Protection Act 1987. Therefore, it is recommended to keep delivery notes or invoices for 11 years as product liability records – see note 6. |
|
Note 5 |
Where the electronic system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain demonstrating that a record has been destroyed, then the Records Management Code should be followed in the same way for electronic records as for paper records with a log being kept of the records destroyed. If the system does not have this capacity, then once the records have reached the end of their retention periods they should be inaccessible to users of the system and upon decommissioning, the system (along with audit trails) should be retained for the retention period of the last entry related to the schedule. (Records Management Code of Practice for Health & Social Care, Jul 2016) |
|
Note 6 |
Consumer Protection Act (CPA) 1987 allows patients to claim for injury due to a defective product (medicine) up to 10 years after a medicine has been administered. Records of manufactured products (e.g. worksheets) can prove that the product was / was not defective. The prescription / other clinical records will only indicate that the patient was prescribed / dispensed an item but will not give any indication how the product was made and from what ingredients. If the problem is a contaminated ingredient, it is possible to partially pass the responsibility to the supplier of the defective ingredient. Adult patients (18 years and over) Keep manufacturing records for 11 years (10 years as part of CPA + 1 year best practice safety margin) Paediatric patients If a child suffers from a medications, they’ve got:
RMCoP 2016 states that records relating to children should be kept until the child’s 25th birthday (26th birthday if 17 years old at time of treatment), unless there are other factors which indicate the record should be kept for longer. Therefore, in line with RMCoP recommendation, keep all paediatric manufacturing records for 25 years. |
|
Note 7 |
For locally negotiated services, if the minimum retention period stated in the contractual arrangement of the service level agreement (SLA) exceeds the recommendations of this document contractors must adhere to the SLA. |
|
Note 8 |
NHS England directly commissions healthcare in all residential Secure Environments (prisons, Immigration Removal Centres and Secure Training Centres). Prescriptions generated in these settings are therefore NHS prescriptions and not private prescriptions. The expectations for prescriptions and other record retention for these settings are in the main as for hospital settings. A wing or treatment room is considered equivalent to a hospital ward. Health and justice (HJ) prescriptions are all now held on the HJIS EPR system and thus retention of the actual hand signed prescription can be reduced to 3 months (please also see the RPS Professional Standards for optimizing medicines for people in secure environments 2017). The community pharmacy section of this document is also relevant where dispensing takes place in-house and where advanced services or additional enhanced services are delivered. |
|
Note 9 |
In addition to retaining the CD prescription a copy of the current CD prescription (i.e. Schedule 2 and 3) for a patient should be available on patient transfer to another secure setting. To achieve this either a scanned e-copy or a hard copy transferred with the patient is needed. This is essential for enabling continuity of supply on transfer until the prescription is reviewed. (PSI IDTS 2010/45 and RPS Professional Standards for optimizing medicines for people in secure environments, Feb 2017). |
|
Note 10 |
The T28 exemption from the Environment agency allows pharmacies and similar places to denature controlled drugs to comply with Misuse of Drugs Regulations 2001. https://www.gov.uk/guidance/waste-exemption-t28-sort-and-denature-controlled-drugs-for-disposal. NHSE&I may require evidence of valid exemption from some pharmacy contactors from whom they commission services. |
|
Note 11 |
Patient nomination was previously required for EPS but is no longer under EPS4. |
|
Note 12 |
For general information about data protection see Guide to Data Protection, ICO. https://ico.org.uk/for-organisations/guide-to-data-protection/ |
SALES, MARKETING AND CUSTOMER RECORDS
|
TYPE OF DATA |
RETENTION PERIOD |
REASON |
COMMENTS |
|
Marketing database records (e.g. lead generation, meeting feedback, contact data etc.). |
2 years from last contact |
Business need |
Depends on the nature of the business. |
|
Customer relations database records (e.g. call centre records, queries, meeting feedback, account history etc.). |
6 years from last contact |
Business need and limitation period. |
|
|
Bought in mailing lists and associated contracts. |
1 year for mailing lists. 6 years from expiry or termination for contracts (12 years for contracts executed as a deed). |
Best practice for mailing lists Limitation period for contracts |
Consult ICO guidance on bought-in lists; ICO Direct Marketing Code recommends that organisations should not rely on indirect consent given more than 6 months ago. |
|
Order fulfilment records. |
6 years from completion |
Limitation period and accounting requirement. |
|
|
Opt-out/suppression lists. |
Indefinite |
Business and compliance need. |
Only sufficient information to enable the opt out should be retained. |
|
Evidence of consent to marketing (including electronic marketing). |
While consent valid 6 years from date consent withdrawn or ceases to be valid |
Business need Limitation period |
Consent can be withdrawn at any time and may not necessarily remain valid indefinitely although how long it remains valid will depend on the context. |
|
Market research, marketing campaigns |
2 years from completion |
Business need |
DMA suggests two years from last campaign. |
|
Customer complaints handling |
6 years from settlement or closure |
Business need and limitation period |
|
|
Website analytics reports from cookies and other similar technology |
2 years |
Business need |
This refers to the output from information obtained via cookies. No firm period recommended by the ICO, although the French regulator recommends 25 months from collection and, for Google Analytics the DMA recommends 2 years. Cookies themselves may be set for different periods depending on the function of the cookie. |
IT RECORDS
|
TYPE OF DATA |
RETENTION PERIOD |
REASON |
COMMENTS |
|
Technical support and help-desk requests. |
3 years from end of support Consider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these requests for a longer period (for example, 7 years to align with limitation periods) |
Business need. Contractual obligation. Limitation period. |
No statutory period so organisation can balance need to retain these records against data minimisation principle. Consider whether support services are provided to external customers, in which case contractual obligations and limitation periods may be relevant. |
|
Technical information relating to external customer user accounts. |
1 year from account closure. Consider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these plans for a longer period. |
Business need Contractual obligation Limitation period |
No statutory period so organisation can balance need to retain these records against data minimisation principle. Consider whether contractual obligations and limitation periods may be relevant. |
Now Patient is a first of its kind regulated digital health service that uses predictive analytics and artificial intelligence to provide you with personalised care and resources that can help improve your health outcomes, FREE of charge.
Prescriptions, healthcare resources & live video consultations all in one place for FREE
Yes, the delivery to your chosen address is completely FREE. You will not have to pay any delivery charges for your prescription order, nor will the NHS.
Our clinicians will only ever inform your GP if they have concerns following the consultation and only if you give them explicit consent to do so.