PERSONAL DATA RETENTION POLICY
This policy statement is a reaffirmation of our commitment to a high level of professional and ethical conduct and standards in conjunction with the mission and values of the Heart Clinic.
Introduction to Data Retention and the obligations and requirements of the Heart Clinic
The Data Protection Act 1988 & 2003 states that Personal Data belonging to Data Subjects should be “retained for no longer than is necessary for the specified purposes”. Similar provision is made in Article 5 of the General Data Protection Regulation. Personal data may also be retained if there is a separate statutory obligation to do so – for example, employment law requires records to be kept of hours worked and holidays taken.
It is clear that different data has different specific purposes and retention periods, such as medical records, or financial data that is subject to audit.
Data cannot be retained just because we want to keep it or because we may possibly have some unspecified use for it in the future. Failing to preserve records for long enough, or retaining personal data beyond the necessary period, creates risks for the Heart Clinic, its staff and its service users. These include:
- Risks of non-compliance with legal obligations, including data protection, working time, health & safety, Revenue, etc;
- Flawed decisions based on out-of-date and inaccurate data;
- Increased storage costs and greater security risks;
- Greater effort and difficulty in responding to data subjects’ requests for access to copies of their data.
The purposes of this policy are:
- To ensure The Heart Clinic complies with legislative requirements
- To clarify the types of records maintained and the type and location of their storage
- To stipulate the length of time data of each type will be retained
- To document roles and responsibilities within the organisation
This policy statement is a reaffirmation of our commitment to a high level of ethical conduct and standards in conjunction with the mission and values of The Heart Clinic.
The Data Protection Officer will monitor the implementation of this policy. The Practice Manager is responsible for making sure that all records retained in the clinic are periodically and routinely reviewed to ensure systematic implementation of this retention policy. Managers are designated owners of categories of data and these designations will be recorded in the Personal Data Inventory. They will be responsible for identifying data to be destroyed and reporting new types of Personal Data that the Heart Clinic may from time to time begin collecting.
The Heart Clinic processes a large amount of Sensitive and non-Sensitive Personal Data relating to patients. The Heart Clinic also processes a variety of other Personal Data relating, for example, to its own staff and the other health professionals with whom it works.
The Heart Clinic operates a Retention Schedule in keeping with GDPR regulations. A retention schedule is a key document in a healthcare records management system which outlines:
- The types of healthcare records held within the organisation
- The operating unit
- The format of the data
- The means by which the data is fairly obtained
- Whether the data is sensitive
- The legal basis for processing
- The agreed, predetermined periods of retention for the data.
Destruction of Personal Data on expiry of retention period:
The Heart Clinic engages in a robust destruction policy. Personal Data and organisational data of all types that is no longer required will be efficiently and verifiably destroyed under confidential conditions.
Periodically the following tasks will be performed:
- This policy document and each Section Retention Schedule will be reviewed and updated as required.
- The respective data owners will identify Personal Data requiring deletion.
- The Department Manager will monitor the deletion/destruction of Personal Data
- Electronic records are reviewed on a regular basis and deleted once the term of the relevant retention period has expired.
- Organisation of shared folders will be reviewed and updated.
- A record of data destruction will be maintained for verification purposes.
Destruction of paper records:
- Documents will be shredded and disposed of in a secure manner by The Heart Clinic’s own staff using, if necessary, a reputable agency to assist in same. Records will not be taken offsite for destruction.
- A record will be kept on the data of destruction and the reputable agency who will dispose of the data will provide a certificate of compliance with Data Protection Obligations.
Destruction of end-of-life computer storage media (Compact Discs, Hard Disc Drives, External Storage devices, USB memory sticks, end-of-life equipment, etc.):
When the media or equipment concerned have reached the end of their useful lives, they will be destroyed in-house and disposed of in a secure manner using a reputable agency to assist in same. Computer equipment and storage media will not be taken offsite for destruction. A record will be kept on the data of destruction and the reputable agency who will dispose of the data will provide a certificate of compliance with Data Protection Obligations.
Deletion of computer-based records:
- This could be information stored in a structured way, such as the patient information management system; or unstructured data, such as correspondence saved as word processor files, or as attachments to or in the body of emails.
- These records will be deleted in accordance with the relevant retention periods above, depending on the nature of the Personal Data concerned.
- If the Heart Clinic is unable to delete an individual record for technical reasons the Data Subject’s details will be anonymised.
- Great care must be taken to keep track of any backups made of Personal Data and the media used – for example, removable media such as tapes or external disc drives, or cloud-based backup services – to ensure these records are also only retained for as long as required and that any copies of data are properly deleted or destroyed when their retention periods have expired.
Related Policies and Procedures:
- Data Protection Policy
- Subject Access Request Procedure
- Data Loss Incident Log
- Data Loss Notification Procedure
- Records Management Policy
- Personal Data Inventory