Data Retention Policy
Under the GDPR, we must not hold personal data for longer than is necessary for the purpose for which it is being processed. However, it is a fundamental requirement that all of Harley Street (CPC)’s records are retained for certain minimum periods in line with applicable legal, operational, research and / or safety obligations. The length of time for retaining records will depend on the type of record. We have outlined below a summary of the various types of data we hold about you and how long each record will be kept.
Medical Records
Harley Street (CPC)’s retention policy for medical records is 30 years which has been determined with patient safety at the forefront. We may also need occasionally to undertake patient recalls where it is necessary to have access to the original patient medical record to determine, for instance, what was discussed with the patient, to treat the patient or to identify members of staff involved in the patient’s care. We will also use aggregated and anonymised medical records for research purposes using cohort studies – to understand the survival outcomes of our patients. Some non-medical records will also need to be held for this time period as they support the medical records by providing context and further operational information. These are outlined below in the other records section.
| Medical Records | |||
| Type of record | Start of Retention Period | Minimum Retention Period | Comments |
| All medical records | Conclusion of treatment | Retain for 30 years |
Other Records
The following table sets out what other personal data Harley Street (CPC) may hold about you and how long we will retain your personal data for.
| Type of Record | Start of Retention Period | Minimum Retention Period | Comments |
| e-clinic records (this is our patient administration software) | Date of last admission | 30 years | The 30 year retention period is in line with the medical record retention period outlined above. |
| Credit card details where there is no outstanding debt on patient’s account | Receipt of credit card details | 6 months | For instance, when credit card details are taken at registration. |
| Credit card details where there is outstanding debt on patient’s account | Discharge of debt | 6 months | |
| Debtor records cleared | Close of financial year in which debt is cleared | 6 years | |
| Debtor records not cleared | Retain until cleared | ||
| Invoices to patients regarding their treatment | Close of financial year to which the invoice relates | 6 years | |
| Booking tool for managing patient bookings | Creation | 6 years | |
| Patient enquiries – Email | Receipt | 6 years | |
| Patient surveys | Receipt | 6 years | Applies to surveys where patients have consented for their data to be linked back to their patient record. |
| Prospective patient data for marketing purposes (this data is most commonly collected at events) | Receipt | 6 years | |
| Information about healthcare professionals, for marketing purposes | Receipt | 6 years | |
| Complaints case file | Closure of incident | 30 years | Retention period of 30 years is in line with the medical record retention period outlined above. |
| Fraud case files | Case closure | 6 years | |
| Litigation records | Case closure | 30 years | Retention period of 30 years in line with the medical record retention period outlined above. |
| Subject Access Requests (SAR) and disclosure correspondence | Closure of SAR | 3 Years | |
| A subsequent appeal to a SAR | Closure of appeal | 6 Years | |
| Accident forms | Creation | 10 years | |
| Telephone call recordings | Creation | 1 year | Downloaded calls should only be retained long enough for the purpose of their use to be concluded. |
| Information collected by Google analytics cookies. | Creation | 1 year | This is line with our separate Cookies policy which can be accessed here: https://lvlhealth.co.uk/privacy-policy/ |
| Information collected by login cookies | Creation | 14 days | |
| Information collected by session cookies | Creation | 15 minutes |