Data Retention Policy
There are legal and regulatory requirements for us to retain certain personal data, usually for a specified amount of time. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business. This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
This policy is provided in a layered format so you can click through to the specific areas set out below.
Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.
This policy only applies to the retention of documents or records which contain or may contain personal data.
Scope Of Policy
This policy covers all personal data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings. It applies to only personal data. In this policy we refer to this information and these records collectively as “data”
This policy covers data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage.
Guiding Principles
Through this policy, and our data retention practices, we aim to meet the following commitments:
- We comply with legal and regulatory requirements to retain data. With regard to medical data of individuals, we will retain this data in accordance with the NHS Code of Practice 2021 and the Specialist Pharmacy Services Guidance on the Retention and Secure Storage of Pharmacy Data (England) 2020-2021 (as updated)
- We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle)
- We handle, store and dispose of data responsibly and securely
- We create and retain data where we need this to operate our business effectively, but we do not create or retain data without good business reason
- We allocate appropriate resources, roles and responsibilities to data retention
- We regularly remind employees of their data retention responsibilities
- We regularly monitor and audit compliance with this policy and update this policy when required
Roles And Responsibilities
Responsibility of all employees. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All employees must comply with this policy, the Record Retention Schedule, any communications suspending data disposal and any specific instructions. Failure to do so may subject us, our employees, and contractors to serious civil and/or criminal liability. It is therefore the responsibility of everyone to understand and comply with this policy.
Data Protection Officer. Our Data Protection Officer (DPO) is responsible for advising on, and monitoring our compliance with, data protection laws which regulate personal data.
Personal Data
Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.1 below for more information on this.
Retention Periods
Personal data. As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where we have listed data in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data.
What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the dpo@nowpatient.com.
Storage, Back-Up And Disposal Of Data
Storage Personal data must be stored in a safe, secure, and accessible manner. Where appropriate, they should be duplicated and/or backed up at least once per week and maintained off site. Personal medical data must be stored in a manner compliant with the NHS Code of Practice 2021 and the Specialist Pharmacy Services Guidance on the Retention and Secure Storage of Pharmacy Records (England) 2020-2021.
Destruction Our DPO is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of physical documents containing personal data must be conducted by shredding if possible. The destruction of electronic data must be coordinated with the DPO.
The destruction of data must stop immediately upon notification from us that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once our lawyers lift the requirement for preservation.
Special Circumstances
Preservation of documents for contemplated litigation and other special situations. We require all employees to comply fully with our Record Retention Schedule and procedures as provided in this policy. All employees should note the following general exception to any stated destruction schedule: If you believe, or we inform you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until we determine those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.
In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.
Where To Go For Advice And Questions
Questions about this policy. Any questions about retention periods should be raised with the DPO, who is in charge of administering, enforcing, and updating this policy.
In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.
Breach Reporting And Audit
Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of personal data. The effectiveness of our efforts, however, depend largely on employees. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
No one will be subject to and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.
Audits Our DPO will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice) to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.
Other Relevant Policies
This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our data protection policy.
Definitions
Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to personal data only. In this policy we refer to this information and these records collectively as “data”.
Data Retention Policy: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
Disposable information this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.
Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our formal or official records.
Storage limitation principle: data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the UK GDPR as the principle of storage limitation.
Record Retention Schedule
Infohealth Limited establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example, with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs
Employees should comply with the retention periods listed in the record retention schedule below, in accordance with the Data Retention Policy. With regard to Medical Records, data should be retained for the recommended minimum period set out below, unless there is an appropriate reason for retaining the data for a longer period.
If you hold data not listed below, please refer to the Data Retention Policy. If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below or if you have any other questions about this record retention schedule, please contact the dpo@nowpatient.com
Medical Records
| Record | Unique record | Reason for keeping | Recommended minimum period | Derivation of recommendation and comments | |
| Clinical governance | Competency/training records | Yes | Reference | Clinical training: until 75th birthday or duration of employment plus 6 years whichever is longer.Statutory/mandatory training: 10 years after training completedOther training: 6 years after training completed. | Records Management Code of Practice for Health and Social Care. July 2016 (RMCoP 2016) |
| Clinical audit | Yes | Reference | 5 years | RMCoP 2016 | |
| External quality control records | Yes | Audit | 12 years | RMCoP 2016 | |
| Patient surveys | Yes | Audit | 5 years | RMCoP 2016 | |
| Patient complaints | Yes | Audit | 10 years | RMCoP 2016Where a legal action has commenced, keep as advised by legal representative. | |
| Clinicalinterventions | Minor clinical interventions | Yes | Audit | 2 years | Best practice.Two part paper form recommended, original to be added to the patient record, duplicate kept for 2 years.Entries made on an electronic database should be reviewed after 2 years, if no longer needed, destroy or permanently delete record. |
| Significant clinical interventions | Yes | Audit | For 10 years after the deathof the patient | Entries should be recorded directly in the patient notes / PMR. | |
| Medicines Reconciliation (MR)documentation | Yes | Audit | 2 years | See note 5. | |
| Controlled drugs (CD) | CD register (pharmacy, ward, theatre) | Yes | Legal | 2 years from date of last entry. | Misuse of Drugs Regulations 2001Controlled drugs: safe use and management Electronic CD register -see note 2.In Secure Environments Schedule 3 CDs are also recorded in CD registers(PSI IDTS 2010/45 ; Professional Standards for optimizing medicines for people in secure environments ) |
| CD prescriptions for NHS patients (incl out-patient and TTA / TTO and those for patients treated under any NHS-commissioned care service) | Yes | Legal | 2 years | Misuse of Drugs Regulations 2001 :All CD prescriptions should be kept for 2 years. (Secure Environments see note 9). | |
| Private CD prescriptions | Yes | Legal | Send to NHSBSA | The Misuse of Drugs (Amendment No. 2) Regulations 2006 : Private prescriptions for Schedule 2 and 2 CDs must be sent to the relevant agency.Relevant agency ? NHS Business Services Authority (NHSBSA) | |
| Record of destruction of patient?s own CDs | Yes | Good practice | 7 years | Controlled drugs: safe use and managementProfessional guidance on the safe and secure handling of medicines :Patient?s own drugs can be removed and/or disposed of with the agreement of the patient or in the interest of the patient/general safety. | |
| CD ward orders or requisitions | No | Legal | 2 years | Misuse of Drugs Regulations 2001All CD prescriptions should be kept for 2 years. Keep in original paper form orcomputerised form. | |
| Copy of signature for CD ward order or requisition | Yes | Validation | Duration of employment | Safer management of controlled drugs: a guide to good practice in secondary care (England)Copy of signature of each authorized signatory should be available in the pharmacy department. | |
| Requisitions, orders, order books, delivery note or other record ofreceipt | No | Legal | 2 years or 2 years from date of last entry for recordbooks. | Misuse of Drugs Regulations 2001 :All CD prescriptions should be kept for 2 years. Includes hospice requisitions, healthand justice services & others not sent to NHSBSA. See note 3. | |
| Invoices | Yes | Legal | 6 years | Controlled drugs: safe use and managementLimitation Act 1980: 6 complete tax years. | |
| CD transportation by road vehicle | Yes | Audit | Driver ID: 3 months. Recipients? signature: 6 months in original form; then up to 18 months in reproducible form.Orders, signed orders, requisitions, private prescriptions: 2 years. | Guidance for the safe custody of controlled drugs and drug precursors in transit. | |
| Extemporaneous CD preparation worksheets | Yes | GMP | 5 years | 5 years under GMP but consider keeping for longer due to consumer liability legislation ? see note 6. | |
| Aseptic CD worksheets ? adultpaediatric | YesYes | GMPGMP | 5 years5 years | 5 years under GMP, but consider keeping for longer due to consumer liabilitylegislation ? see note 6. | |
| CD clinical trials information | Yes | GMP | 5 years | This may be longer for some trials. | |
| Patient safety incidents | Dispensing error records/incidents & associated stats (not serious incidents) | Yes | Audit | 10 years for minor harm incidents, 1 year plus current for no harmincidents | RMCoP 2016 and best practice.Recommendations only apply to paper records; entries made on electronic databases should be kept permanently. |
| Dispensing incidents resulting in disability or death (seriousincidents) | Yes | Legal | 20 years | RMCoP 2016 | |
| Recalls/drug alerts | Recall documentation | Yes | Audit | 5 years | Recommendations from the Good Distribution Guide ? especially for those withwholesale dealer?s licence. |
| Responsible pharmacist | Responsible pharmacistrecords/log book | Yes | Legal | At least 5 years | Medicines (pharmacies/responsible pharmacist) Regulations 2008Can be in hard copy or electronic. |
| Supersededdocuments | Clinical protocols | No | Reference | 25 years | RMCoP 2016 |
| Departmental & organisational Policies, strategies, standard operating procedures (SOPs) | No | Reference | Life of organization plus 6 years | RMCoP 2016 | |
| Patient Group Directions (PGDs) | No | Reference | For adults aged 18 years and over: 8 years (10 years in cases of implant insertion).For a child: until the 25th birthday or for 8 years after a child?s death or 10 years in the case ofimplant insertion | Retaining PGD documentation | |
| Stock handlingand transfer | Picking tickets/delivery notes | Yes | Reference | 3 months | A ?reasonable? period of time ? for verification of order only. |
| Old order books | No | Audit | 2 years | Current financial year plus 1. | |
| Invoices | Yes | Legal | 6 complete tax years | Limitation Act 1980. See note 4. | |
| Wholesale dealing records | Yes | GDP | 5 years | EU Guide on Good Distribution Practice (part of the Orange Guide). | |
| Fridge | Fridge temperature | Yes | GMP/GDP | 1 year or longer for sites holding a Wholesale Dealer?s Licence | Refrigerator records to be kept for the life of any product stored therein ? particularly vaccines. For sites subject to GDP inspection (licensed wholesaler) records should be kept for 5 years as with other GDP records. SOPs detailingactions required in the event of fridge failure should also be available. |
| Waste medicines | Destruction of patients? own drugs (excluding controlled drugs) [See Note 10] | Yes | Audit | 6 months | Professional guidance on the safe and secure handling of medicines:Patient?s own drugs can be removed and/or disposed of with the agreement of the patient or in the interest of the patient/general safety. |
| Waste ? Non-hazardous Transfer notes | Yes | Legal | 2 years | Safe management of healthcare waste. | |
| Waste ? hazardous Consignmentnotes | Yes | Legal | 3 years | Safe management of healthcare waste. | |
| Dispensing | Patient Medical Record (PatientMedication Record) | Yes | Legal | For 10 years after the deathof the patient | RMCoP 2016 |
| Private prescriptions (excluding private CD prescriptions ? see Controlled Drugs) or any non- FP10 prescriptions for patients being treated under an NHS-commissioned care service | Yes | Legal | 2 years | MEP Edition 42 July 2018.Human Medicines Regulations 2012 (regulation 253 (5)). | |
| POM register | No | Legal | 2 years from last entry | Human Medicines Regulations 2012 (regulation 253 (5)). | |
| POM-V & POM-VPS records of receipt and supply | Yes | Legal | At least 5 years | Veterinary medicines regulations 2009.Must keep all documents relating to the transaction. Specific requirements for what information must be included. | |
| Electronic Repeat Dispensing System | Any service for which patient nomination of a pharmacy remains a requirement [See note 11 | Yes | Audit | 6 months after the lastprescription is collected/delivered. | Best practice. |
| Specials and unlicensed medicines | Extemporaneously prepared onthe premises with internalquality control. | Yes | Legal | 5 years | Human Medicines Regulations 2012 (regulation 170)See note 6. |
| Extemporaneously prepared by another pharmacy/company withexternal quality control | No | Legal | 5 years | Human Medicines Regulations 2012 (regulation 170).Should have the certificate of conformity including the source of the product; to whom, and the date on which the product was sold or supplied; the prescriber?sdetails; the quantity of each sale or supply; the batch number of the product; details of any adverse reactions to the product sold or supplied. See note 4. | |
| Unlicensed imports | No | Legal | 5 years | ||
| Equality Act | Record of assessment and outcome of patients? needs in respect of medicines | Yes | Reference | For as long as the assessment remains valid, plus 1 year | Best practiceAssessment should be repeated if patient circumstances change. |
| Public Health Campaigns | Evidence of participation in local public health campaigns | Yes | Reference | 2 years | Where requested by the commissioner to do so, records should be kept to demonstrate compliance with Terms of Service of NHS Pharmacists (Schedule 4, part 2, paragraph 18(b)) to regulation 11(1)(a)(i) of the National Health Service (Pharmaceutical and Local Pharmaceutical Services) Regulations 2013. |
| Advanced services | Medicines Use Review (MUR) | Yes | Legal | 2 years | Records can be kept electronically or in hard copy.The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least two years after the date on which the consultation to which the record relates is carried out (Direction 5(1)(l)). |
| New Medicine Service (NMS) | Yes | Legal | 2 years | Records can be kept electronically or in hard copy.The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least two years after the date on which the service intervention is completed or discontinued (Direction 7(1)(n)). | |
| Stoma appliance customisation | Yes | Legal | 12 months | Records can be kept electronically or in hard copy.The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least 12 months or such longer period as the commissioner may reasonably require (Direction 10(2)(d)). | |
| Appliance use review | Yes | Legal | 12 months | Records can be kept in electronically or in hard copy.The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013: Keep records for at least 12 months or such longer period as the commissioner may reasonably require (Direction 12(5)(e)). | |
| Community Pharmacy Seasonal Influenza Vaccination Advanced Service (CPSIVAS) | Yes | Legal | 8 years for adults aged 18 years and over(2 years for consent forms for post payment verification) | Records can be kept in electronically or in hard copy.The Pharmaceutical Services (Advanced and Enhanced Services) (England) Directions 2013 consolidated directions and subsequent amendments.Service Specification: Community pharmacy seasonal influenza vaccination advanced service: All relevant paperwork must be managed in line with RMCoP 2016Pharmacy Influenza Vaccination PGD: Keep records for audit purposes and post payment verification. | |
| NHS Community Pharmacy Consultation Service | Yes | Interim bestpractice recommendation | 2 years | Records can be kept in electronically or in hard copy.All relevant records must be managed in line with RMCoP | |
| Enhanced services, locally commissioned services or private servicesSee Note 7 | Sexual Health service forms | Yes | Audit | For adults aged 18 yearsand over: 8 years (10 years in cases of implant or device insertion).For a child: until the 25th birthday or 26th birthday if the patient was 17 years when treatment finished. In cases of implant or device insertion, keep the record as above or for 10 years, whichever islonger. | RMCoP 2016Service standards for record keepingNB The longest licence period for a contraceptive device is 10 years. |
| No | Reference | Where individual patient records are kept by asexual health team and a | |||
| shorter minimum period for retaining records maybe stated in the service level agreement. | |||||
| Smoking cessation service | Yes | Audit | 2 years | RMCoP 2016 | |
| Supply of Smoking cessation therapy e.g. NRT not via FP10 orvia PGD | Yes | Audit | 2 years | RMCoP 2016 | |
| Minor ailments service | Yes | Audit | 2 years | Recommended best practice. | |
| Immunisation and vaccination records | Yes | Legal | For adults aged 18 years and over: 8 years.For a child: until the 25th birthday or 26th birthday if the patient was 17 yearswhen treatment finished. | RMCoP 2016 | |
| NHS health check | No* | Audit | 2 years | Best practice [*If the results are forwarded to the patients GP] | |
| Yes** | Audit | 2 years | Best practice [**Where results are not forwarded to the GP] | ||
| Substance misuse service forms | Yes | Audit | 2 years | Best practice | |
| Medicines administered under Patient Specific Direction (PSD), Patient Group Direction (PGD) or National Protocol | Yes | Reference | The individual?s clinical record is maintained for 8 years for an adult and up to the 26th birthday if given to a child under theage of 18. | SPS ? Recommendations for retention of records of covid 19 vaccinations | |
| Invoices and consent forms | All payment claims, invoices and patient consent forms relating toany advanced or enhanced service | Yes | Audit | 6 complete tax years | VAT regulations 2005 for invoices. Individual signed consent forms support the invoiced claim.NOTE: Enhanced service consent forms represent consent at the point in time the service is provided and are not proof of ongoing consent. |
| Other records | Any other records pertaining to individual patient care in community pharmacy not covered elsewhere in this document. | Yes | Audit | 2 years | Best practice. This recommendation only applies for paper records. It is accepted that, where appropriate, records relating to patient care (e.g. self-care, signposting, telephone queries) should be entered on the PMR, either directly or transferred from paper records. Entries made on the PMR should be kept permanently. For further guidance see Guidance for registered pharmacies providing pharmacy services at a distance, including on the internet. General Pharmaceutical Council 2019 |
| KEYGMP = good manufacturing practice; GDP = good distribution practice; GCP = good clinical practice; MR = medicines reconciliation; MUR = medicines use reviewWhere GMP is given as the reason for keeping the record, this would be legally enforceable for all unlicensed medicines and for any manufacturing of medicines under an MHRA licence. Any reason for keeping other than ?legal? can be regarded as best practice. |
Notes
| Topic Specific Notes | |
| Note 1 | The sponsor of the trial is responsible under current legislation for keeping trial records. All clinical trial records should be retained for a longer (up to 15 years) if required by the applicable regulatory requirement(s) or if needed by the Sponsor as per Annex 1 to Directive 2001/83/EC and GCP requirements EMA/CHMP/ICH/135/1995.Note: The provisions of Directive 2001/83/EC are brought into UK law by the Human Medicines Regulations 2012.The HMR 2012 do not, however, reproduce the detail of the2001 directive, so the original directive text should be referred to. |
| Note 2 | Once electronic CD registers are in widespread use, the Government intends to require anyone required to keep secure copies of a CD register for up to 11 years.(Department of Health. Safer management of CDs: Changes to the record keeping requirements, guidance for England only. Last revised February 2008) |
| Note 3 | Every requisition, order or private prescription on which a CD is supplied must be preserved by the pharmacy department for a minimum of 2 years from the date on which the last delivery under it was made. Although the mandatory period for keeping requisitions is 2 years, health care organisations may wish to store them for longer periods, as cases often come to court at a much later date. Future regulations may increase the period of time for the storage of records. (Department of Health/RPSGB, Safer management of controlled drugs ? a guide to good practice in secondary care. (England) Oct 2007). In secure environments that do not have an in-house dispensing pharmacy, HO advice is that CD requisitions are still required where the requisitioning organisation is a different legal entity to the supplier. The national CD requisition can be used but is not mandatory.HJ providers must ensure that a Practitioner (i.e. a medical Doctor) signs the requisition where this is needed to comply with the regulation. |
| Note 4 | The 6-tax-years limit relates to disputes over simple contract (Limitation Act 1980). Manufacturers, and sometimes others involved in a product?s supply chain, are liable for theirproducts under the Consumer Protection Act 1987. Therefore, it is recommended to keep delivery notes or invoices for 11 years as product liability records ? see note 6. |
| Note 5 | Where the electronic system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain demonstrating that a record has been destroyed, then the Records Management Code should be followed in the same way for electronic records as for paper records with a log being kept of the records destroyed. If the system does not have this capacity, then once the records have reached the end of their retention periods they should be inaccessible to users of the system and upon decommissioning, the system (along with audit trails) should be retained for the retention period of the last entry related to the schedule.(Records Management Code of Practice for Health & Social Care, Jul 2016) |
| Note 6 | Consumer Protection Act (CPA) 1987 allows patients to claim for injury due to a defective product (medicine) up to 10 years after a medicine has been administered.Records of manufactured products (e.g. worksheets) can prove that the product was / was not defective. The prescription / other clinical records will only indicate that the patient was prescribed / dispensed an item but will not give any indication how the product was made and from what ingredients. If the problem is a contaminated ingredient, it is possible to partially pass the responsibility to the supplier of the defective ingredient.Adult patients (18 years and over)Keep manufacturing records for 11 years (10 years as part of CPA + 1 year best practice safety margin)Paediatric patientsIf a child suffers from a medications, they?ve got:any time up to 3 years after their 18 birthday to sue in negligence (up until they?re 21 years)10 years from taking the medicine to sue under CPARMCoP 2016 states that records relating to children should be kept until the child?s 25th birthday (26th birthday if 17 years old at time of treatment), unless there are other factors which indicate the record should be kept for longer. Therefore, in line with RMCoP recommendation, keep all paediatric manufacturing records for 25 years. |
| Note 7 | For locally negotiated services, if the minimum retention period stated in the contractual arrangement of the service level agreement (SLA) exceeds the recommendations of this document contractors must adhere to the SLA. |
| Note 8 | NHS England directly commissions healthcare in all residential Secure Environments (prisons, Immigration Removal Centres and Secure Training Centres). Prescriptions generated in these settings are therefore NHS prescriptions and not private prescriptions. The expectations for prescriptions and other record retention for these settings are in the main as for hospital settings. A wing or treatment room is considered equivalent to a hospital ward. Health and justice (HJ) prescriptions are all now held on the HJIS EPR system and thus retention of the actual hand signed prescription can be reduced to 3 months (please also see the RPS Professional Standards for optimizing medicines forpeople in secure environments 2017). The community pharmacy section of this document is also relevant where dispensing takes place in-house and where advanced services or additional enhanced services are delivered. |
| Note 9 | In addition to retaining the CD prescription a copy of the current CD prescription (i.e. Schedule 2 and 3) for a patient should be available on patient transfer to another secure setting. To achieve this either a scanned e-copy or a hard copy transferred with the patient is needed. This is essential for enabling continuity of supply on transfer until the prescription is reviewed. (PSI IDTS 2010/45 and RPS Professional Standards for optimizing medicines for people in secure environments, Feb 2017). |
| Note 10 | The T28 exemption from the Environment agency allows pharmacies and similar places to denature controlled drugs to comply with Misuse of Drugs Regulations 2001. T28 Exemption guidance. NHSE&I may require evidence of valid exemption from some pharmacycontactors from whom they commission services. |
| Note 11 | Patient nomination was previously required for EPS but is no longer under EPS4. |
| Note 12 | For general information about data protection see Guide to Data Protection, ICO. |
Sales, Marketing And Customer Records
| TYPE OF DATA | RETENTION PERIOD | REASON | COMMENTS |
| Marketing database records (e.g. lead generation, meeting feedback, contact data etc.). | 2 years from last contact | Business need | Depends on the nature of the business. |
| Customer relations database records (e.g. call centre records, queries, meeting feedback, account history etc.). | 6 years from last contact | Business need and limitation period. | |
| Bought in mailing lists and associated contracts. | 1 year for mailing lists.6 years from expiry or termination for contracts (12 years for contracts executed as a deed). | Best practice for mailing listsLimitation period for contracts | Consult ICO guidance on bought-in lists; ICO Direct Marketing Code recommends that organisations should not rely on indirect consent given more than 6 months ago. |
| Order fulfilment records. | 6 years from completion | Limitation period and accounting requirement. | |
| Opt-out/suppression lists. | Indefinite | Business and compliance need. | Only sufficient information to enable the opt out should be retained. |
| Evidence of consent to marketing (including electronic marketing). | While consent valid6 years from date consent withdrawn or ceases to be valid | Business needLimitation period | Consent can be withdrawn at any time and may not necessarily remain valid indefinitely although how long it remains valid will depend on the context. |
| Market research, marketing campaigns | 2 years from completion | Business need | DMA suggests two years from last campaign. |
| Customer complaints handling | 6 years from settlement or closure | Business need and limitation period | |
| Website analytics reports from cookies and other similar technology | 2 years | Business need | This refers to the output from information obtained via cookies. No firm period recommended by the ICO, although the French regulator recommends 25 months from collection and, for Google Analytics the DMA recommends 2 years.Cookies themselves may be set for different periods depending on the function of the cookie. |
IT Records
| TYPE OF DATA | RETENTION PERIOD | REASON | COMMENTS |
| Technical support and help-desk requests. | 3 years from end of supportConsider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these requests for a longer period (for example, 7 years to align with limitation periods) | Business need.Contractual obligation.Limitation period. | No statutory period so organisation can balance need to retain these records against data minimisation principle.Consider whether support services are provided to external customers, in which case contractual obligations and limitation periods may be relevant. |
| Technical information relating to external customer user accounts. | 1 year from account closure.Consider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these plans for a longer period. | Business needContractual obligationLimitation period | No statutory period so organisation can balance need to retain these records against data minimisation principle.Consider whether contractual obligations and limitation periods may be relevant. |
Can I Trust NowPatient
Our product and services are certified to international healthcare, medical device and data security standards
Medicines Experts
Meet our medical team
We are a broad skilled and passionate group of clinicians with experience of operating in health systems in the United Kingdom & United States. Providing excellent care and advice is at the heart of everything we do. You can read more about our medical team by visiting the medical team page or learn more about how we curate content by visiting our editorial process
WHY WE BUILT NOWPATIENT
We are committed to helping everyone, everywhere live healthier lives
The NowPatient virtual care platform provides you with access to trusted health information, affordable treatments, management of chronic health conditions and continuous monitoring for health risks. NowPatient can be accessed by downloading the App or using your web browser.
Download our app today
Your Questions Answered
For your peace of mind, we can answer your questions quickly
What does NowPatient do?
NowPatient is a digital health-technology platform functioning as both an online pharmacy and telehealth service. Packaged as a Class I software medical device, it’s accessible via web browser or mobile app (iOS and Android), and offers users worldwide on-demand access to virtual consultations, prescription services, and AI-powered health tools.
What It Does
- NHS Online Pharmacy: Order NHS-approved prescriptions (UK)
- Drug Savings: Access major US drug-savings programs (coupons, savings cards, manufacturer assistance, Canadian drug savings).
- Virtual Consultations: Get treated for a wide range of medical conditions by expert clinicians using a secure telehealth link.
- Medication Management: Set up refill & dose reminders, view private treatment plans, and track chronic conditions like diabetes or hypertension.
- Health-Monitoring Tools: Use AI-driven assessments for genetic risk tests, home test kits and blood-pressure monitoring.
- Wellness Insights: Access real-time pollen counts, air-quality data, BMI and type 2 diabetes risk scores, plus comprehensive health-condition information.
Get started today and benefit from Medication Reminders, Get Treated Privately, NHS Online Pharmacy, GP Appointment Booking, Rx Savings Card, Drug Coupons, US Drug Savings Programs, Health Conditions Information, Genetic Testing, Home Test Kits, BMI Risks, Type 2 Diabetes Risks, Pollen Meter, Air Quality Monitor, and lots more!
Our service is operated by experienced medical professionals in the United States and the United Kingdom.
You can view the online services we provide by clicking the link below:
Where is NowPatient located?
NowPatient has offices in the United Kingdom and United States.
In the UK, we are located at:
NowPatient
28 Chipstead Valley Road
Coulsdon
Surrey
CR52RA
In the US, we are located at:
NowPatient
8911 North Capital of Texas Highway
Suite 4200 #1263
78759
Austin, TX
How can I contact NowPatient?
To contact NowPatient, please use the contact form available on the Contact Us page.
Alternatively, if you need to speak to us, you can reach us on the following numbers:
UK telephone number – 020 388 51 500
US telephone number – 1-866-967-1977
Who owns NowPatient?
NowPatient is owned and operated by Infohealth Ltd, a licensed online pharmacy with services spanning the UK, US and Rest of the World. Infohealth Ltd is registered in England and Wales under company number 04004930 and our registered office is at Lynwood House, 373 – 375 Station Road, Harrow, England, HA1 2AW.
Our website is www.nowpatient.com. Our App is called “NowPatient” and can be downloaded from the App Store (for Apple devices) or Google Play (for Android devices).
Can you tell me more about your NHS online pharmacy?
NowPatient’s Pharmaceutical services in the UK are provided by Infohealth Limited trading as ‘Infohealth Pharmacy’.
Our dispensing pharmacy is regulated and authorized for internet sales by the General Pharmaceutical Council (GPhC), registration number 1036487. You can view our license credentials on the General Pharmaceutical Council website. Our superintendent pharmacist who is responsible for the safe and effective oversight of medicines supplies is Mr Amish Patel (Registration Number 2042705).
Medicines are not ordinary items of commerce. All medicines or healthcare product sales are made under the supervision of a registered pharmacist who is licensed by the GPhC. At all times, we endeavour to provide a professional and transparent service whose primary goal is to ensure that the best interests of the patient are served.
How do I make a complaint?
From time to time, we accept that our service levels may not be up to your expectations. NowPatient welcomes concerns, compliments and complaints as valuable feedback that will help us learn from your experiences and make improvements. Feedback can be provided via our clear and transparent Complaints Procedures.
Can you tell me more about NowPatient’s prescribing services for treatments offered?
Our prescribing services are regulated by the General Pharmaceutical Council (GPhC). We provide the following regulated activity:
• treatment of disease, disorder, or injury
• transport services, triage, and medical advice are provided remotely
• caring for adults over 65 years old
• caring for adults under 65 years old
NowPatient prescribing services are run by Infohealth Limited. The Clinical Safety Officer and nominated individual is Mr Navin Khosla.
Can you tell me more about NowPatient’s US services?
Our head of US services is Dr. Jamie Winn.
You can lower the cost of your prescription medications using our various savings programs which include drug coupons, savings card and manufacturer-sponsored patient assistance programs.
Is NowPatient legit and can I trust information from NowPatient?
Yes. NowPatient provides trustworthy and accessible clinical, health education and prescription services. We are also trusted by the NHS to deliver clinical and NHS repeat prescription dispensing across the whole of England. In the United States, we work with over 65,000 pharmacies to deliver considerable costs savings for our users.
NowPatient is operated by experienced licensed medical professionals in the United Kingdom and United States. Our Medical Team can be found here.
Our service is trusted by thousands of patients worldwide. You can read their reviews on our Trustpilot:
What are NowPatient’s opening hours?
Our office hours are:
UK – Monday-Friday 9am-6pm GMT
US – Monday-Friday 8am-5pm EST
Please note that we are closed at weekends.
In the event of a medical life-threatening emergency please call:
UK – 999
US – 911
In the event of a medical emergency which is not life-threatening please call:
UK – 111