Understanding medical data retention

Medical data retention has to balance the need for care with respect for privacy. It also has to reflect real-world practicalities such as storage, both physical and digital. GDPR also plays a part: medical documentation needs to be handled and destroyed with care, so as not to compromise the privacy of employees and, more importantly, patients.


Laws and guidance

The main laws in this area are the Records Management Code of Practice for Health and Social Care 2016 (England, Wales and NI) and the Scottish Government Records Management: NHS Code Of Practice (Scotland). There is also guidance from the British Medical Association and (UK) GDPR applies. Here is a brief summary of the standard, mandated retention periods.

Type of Record:

Adult Medical Records 

  • Retention Period Scotland – 6 years after the last entry or 3 years after death

GP Records (Paper)

  • Retention Period England/Wales/NI – 10 years after death or departure from the UK (unless they stay in the EU)
  • Retention Period Scotland – 3 years after death

GP Records (Electronic) 

  • Retention Period England/Wales/NI – Indefinitely 
  • Retention Period Scotland – Indefinitely

Maternity Records

  • Retention Period England/Wales/NI – 25 years after the birth of the last child
  • Retention Period Scotland – 25 years after the birth of the last child

Children and Young People

  • Retention Period England/Wales/NI – Until the patient’s 25th birthday or 8 years after their death.
  • Retention Period Scotland – Until the patient’s 25th birthday or 3 years after death.

Mental Health Records 

  • Retention Period England/Wales/NI – 20 years or 8 years after their death

Mentally Disordered Person as defined by the Mental Health Act 

  • Retention Period Scotland – 20 years after last contact between patient and healthcare professional or 3 years after death.

Medical records for people in the armed forces or in prison are to be kept indefinitely.

The challenge of paper records

Many industries have either digitized their records or are in the process of doing so. The medical profession is moving in this direction. There are, however, significant challenges in digitizing certain types of medical records such as scans. Losing even the smallest details in the scanning process could have disastrous consequences both medical and legal.

As a result, it can be advisable to hold on to at least some paper records, even if they have already been scanned. Obviously, this requires physical storage space. For practical purposes that is probably going to mean using an offsite storage provider. It’s advisable to choose that provider with great care.

Firstly, you’re going to need to be certain that they can maintain an appropriate level of security. Secondly, you need to consider the possibility that the data may need to be accessed again. This may be for medical reasons, legal reasons or as the result of a subject access request. It will definitely need to be accessed at the end of the retention period to be moved on.


The challenge of digital records

Digital medical records are a prime target for hackers. They are also vulnerable to cyberattacks which aim to cause havoc rather than harvest data (e.g. the WannaCry attack of 2017). Added to all of this, they are vulnerable to damage to storage media and general environmental hazards.

This means that all digital medical records should be protected with the highest standards of encryption. They should also be kept backed-up at all times. Ideally, there should be both online and offline backups to cover all eventualities.


Patient data should be streamlined

Although there are pros and cons to both physical and digital records of patient data, there is certainly still room for both, and keeping patient data safe can be achieved. Going digital will have more benefits in the long term with regard to sustainability and cost, which just leaves getting the security part right.

If your doctors’ practice or surgery is currently tackling the task of data retention for medical records, there are safe and secure solutions to ensure you can destroy records safely without the private details of individuals getting into the wrong hands.

Medical records are complex because they come in many different media types that contain sensitive information, from paper records to text messages, scans and images. Understanding which records to destroy, digitise or store will enable the medical industry to work efficiently with patient data security at the forefront.

Joe Muddiman