GDPR Data Retention
This post was written by Dr Adil Sarwar on May 25, 2018
Policy title: GDPR Data Retention.
Outcome: All confidential health data relating to individuals held within patients’ healthcare records at Skin Science Clinic are stored and handled securely and confidentially in line with current legislation.
Authorised by: Dr Adil Sarwar MBBS, BSc, MRCGP
Medical Director and CQC Registered Manager
Issue date: 25 May 2018
Review date: 31 March 2019
(or before if there is a change in practice or circumstances)
Data Protection Officer – Dr Adil Sarwar, Medical Director
1.1 This policy sets out the obligations of Adahsa Ltd. (t/a Skin Science Clinic), a company registered in England (Companies House registration number: 08922021) whose registered office is at Adahsa Ltd., 23 Porters Wood, St Albans, Hertfordshire AL3 6PQ, regarding the retention of patients’ and employees’ personal data collected, held, and processed in accordance with EU Regulation 2016/679, the General Data Protection Regulation (‘GDPR’).
1.2 The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (for the purposes of this policy, this is a ‘patient’ or an ‘employee’).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.3 The GDPR also addresses ‘special category’ personal data (also known as ‘sensitive’ personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.
1.4 Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).
1.5 In addition, the GDPR includes the right to erasure or ‘the right to be forgotten’. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
- where the personal data is no longer required for the purpose for which it was originally collected or processed
- when the data subject withdraws their consent
- when the data subject objects to the processing of their personal data and Skin Science Clinic has no overriding legitimate interest
- when the personal data is processed unlawfully (i.e. in breach of the GDPR)
- when the personal data has to be erased to comply with a legal obligation, or
- where the personal data is processed for the provision of information society services (i.e. an online service) to a child.
1.6 This policy sets out the type/s of personal data held by Skin Science Clinic, the periods for which that personal data is to be retained, and when and how it is to be deleted or otherwise disposed of.
For further information on other aspects of data protection and compliance with the GDPR, please refer to the ‘GDPR Data Protection (Patient data)’ and ‘GDPR Data Protection (Employee data)’ policies.
2. Aims and objectives.
2.1 The primary aim of this policy is to set out limits for the retention of patients’ and employees’ personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with.
By extension, this policy aims to ensure that Skin Science Clinic complies with its obligations and the rights of data subjects under the GDPR.
2.2 In addition to safeguarding the rights of data subjects under the GDPR, by ensuring that excessive amounts of data are not retained by Skin Science Clinic, this policy also aims to improve the speed and efficiency of managing data.
3.1 This policy applies to all patient and employee personal data held by Skin Science Clinic and by relevant third-party data processors processing personal data on Skin Science Clinic’s behalf.
3.2 Patient and employee personal data, as held by Skin Science Clinic, is stored in the following ways and in the following locations:
- Physical paper records stored in lockable filing systems in the Skin Science Clinic premises.
- Password protected computer systems in the Skin Science Clinic premises (where applicable).
- Third-party computer servers, operated by TBC and located in TBC (where applicable).
4. Data subject rights and data integrity.
4.1 All personal data held by Skin Science Clinic is held in accordance with the requirements of the GDPR and data subjects’ rights thereunder, as set out in the ‘GDPR Data Protection (Patient data)’ policy and ‘GDPR Data Protection (Employee data)’ policies.
4.2 Data subjects are kept fully informed of their rights, of what personal data Skin Science Clinic holds about them, how that personal data is used, and how long the personal data will be held (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).
4.3 Data subjects are given control over their personal data held by Skin Science Clinic including the right to have incorrect data rectified, the right to request that their personal data be deleted or otherwise disposed of (notwithstanding the retention periods otherwise set by this Data Retention Policy), the right to restrict Skin Science Clinic’s use of their personal data, and further rights relating to automated decision-making as set out in Parts 14 to 20 of the ‘GDPR Data Protection (Patient data)’ policy and ‘GDPR Data Protection (Employee data)’ policies.
5. Technical and organisational data security measures.
5.1 The following technical measures are in place within Skin Science Clinic to protect the security of personal data. Please refer to Parts 22 to 26 of the ‘GDPR Data Protection (Patient data)’ policy and ‘GDPR Data Protection (Employee data)’ policies for further details:
- all emails containing sensitive personal data (either in the body of the email or as an unencrypted attachment) should be encrypted
- all emails containing employees’ personal data must be marked ‘Confidential’
- where relevant, personal data should be transmitted over secure networks only
- personal data should not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable
- personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely; the email itself should be deleted; all temporary files associated therewith should also be deleted
- where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data
- where personal data is to be transferred in hardcopy form it should be passed directly to the recipient
- all personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked ‘Confidential’
- no personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of Skin Science Clinic requires access to personal data that they do not already have access to, such access should be formally requested from the Data Protection Officer
- no personal data may be transferred to any other employees, agents, contractors, or other parties, whether such parties are working on behalf of Skin Science Clinic or not, without the authorisation of the Data Protection Officer
- personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time
- if personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it
- where personal data held by Skin Science Clinic is used for marketing purposes, it shall be the responsibility of the Data Protection Officer to ensure that the appropriate consent is obtained and that no patients have opted out
- all electronic copies of personal data should be stored securely using passwords
- all hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar
- all personal data stored electronically should be backed up securely in encrypted format and the backup copy stored separately and remotely from the live information
- no personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to Skin Science Clinic or otherwise, and
- no personal data should be transferred to any device personally belonging to a Skin Science Clinic employee, and personal data may only be transferred to devices belonging to external contractors, or other parties working on behalf of Skin Science Clinic where the party in question has agreed to comply fully with the letter and spirit of this data retention policy and of the GDPR (which may include demonstrating to Skin Science Clinic that all suitable technical and organisational measures have been taken).
5.2 The following organisational measures are in place within Skin Science Clinic to protect the security of patients’ and employees’ personal data:
- all employees and other parties working on behalf of Skin Science Clinic shall be made fully aware of both their individual responsibilities and Skin Science Clinic’s responsibilities under the GDPR and the ‘GDPR Data Protection (Patient data)’ policy and ‘GDPR Data Protection (Employee data)’ policies
- only employees and other parties working on behalf of Skin Science Clinic that need access to, and use of, personal data in order to perform their work shall have access to personal data held by Skin Science Clinic
- all employees and other parties working on behalf of Skin Science Clinic handling personal data will be appropriately trained to do so
- all employees and other parties working on behalf of Skin Science Clinic handling personal data will be appropriately supervised
- all employees and other parties working on behalf of Skin Science Clinic handling personal data should exercise care and caution when discussing any work relating to personal data at all times
- methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed
- the performance of those employees and other parties working on behalf of Skin Science Clinic handling personal data shall be regularly evaluated and reviewed
- all employees and other parties working on behalf of Skin Science Clinic handling personal data will be bound by contract to comply with the GDPR and the ‘GDPR Data Protection (Patient data)’ policy and ‘GDPR Data Protection (Employee data)’ policies
- all agents, contractors, or other parties working on behalf of Skin Science Clinic handling personal data must ensure that any and all relevant employees are held to the same conditions as those relevant employees of Skin Science Clinic arising out of the GDPR and the ‘GDPR Data Protection (Patient data)’ policy and ‘GDPR Data Protection (Employee data)’ policies, and
- where any agent, contractor, or other party working on behalf of Skin Science Clinic handling personal data fails in their obligations under the GDPR and/or the ‘GDPR Data Protection (Patient data)’ policy and ‘GDPR Data Protection (Employee data)’ policies, that party shall indemnify and hold harmless Skin Science Clinic against any costs, liability, damages, loss, claims, or proceedings which may arise out of that failure.
6. Data disposal.
6.1 Upon the expiry of the data retention periods set out below in Part 7 of this policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
- Personal data stored electronically (including any and all backups) shall be permanently deleted.
- Personal data stored in hardcopy form shall be permanently shredded.
7. Data retention.
7.1 As required by law, Skin Science Clinic shall not retain any personal data for any longer than is necessary in light of the purpose for which that data is collected, held, and processed.
7.2 Different types of personal data, used for different purposes, will necessarily be retained for different periods as set out below.
7.3 When establishing and/or reviewing retention periods, the following shall be taken into account:
- the objectives and requirements of Skin Science Clinic
- the type of personal data in question
- the purpose/s for which the data in question is collected, held, and processed
- Skin Science Clinic’s legal basis for collecting, holding, and processing that data, and
- the category or categories of data subject to whom the data relates.
7.4 If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.
7.5 The following data retention periods will apply at Skin Science Clinic as an independent healthcare provider:
- For adult patients (i.e. patients aged 18 years and over) attending Skin Science Clinic, their healthcare records will be kept for a minimum period of 8 years from the date of the last entry in their healthcare record.
(Ref: Records Management Code of Practice for Health and Social Care 2016, Information Governance Alliance, July 2016)
- For staff who have been recruited to work at Skin Science Clinic but have been unsuccessful in their application, their personal records (including application forms, CVs, and interview notes) will be stored securely on file for a minimum period of 1 year.
- For staff who have been successfully recruited to work at Skin Science Clinic and subsequently left their position, their personal records will be kept for a period of 6 years after they have left or until their 75th birthday if a staff record summary has been made (whichever is sooner).
The staff record summary should contain the employee’s:
- date of birth
- job title
- start and end dates, and
- reason for leaving.
Notwithstanding the retention periods defined above, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within Skin Science Clinic to do so (whether in response to a request by a data subject or otherwise).
(In limited circumstances, it may also be necessary to retain personal data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR.)
8. Roles and responsibilities.
8.1 The Skin Science Clinic Data Protection Officer is Dr Adil Sarwar, Medical Director.
8.2 The Data Protection Officer shall be responsible for overseeing the implementation of this policy and for monitoring compliance with this policy, other data protection-related policies, and the GDPR and other applicable data protection legislation as it applies to the Skin Science Clinic independent healthcare service.
8.3 The Data Protection Officer shall be directly responsible for ensuring compliance with the above data retention periods throughout the Skin Science Clinic independent healthcare service.
8.4 Any questions regarding this policy, the retention of personal data, or any other aspect of GDPR compliance should be referred to the Data Protection Officer.
9. Policy review.
9.1 This policy will be reviewed on an annual basis.
9.2 Any changes made to the policy as a result of review will be communicated to all Skin Science Clinic staff without delay.
Signature ……………..……..……………………………..……. Date ………………..….…………
Dr Adil Sarwar, Medical Director, Skin Science Clinic