Data Retention Policy

Under the GDPR, we must not hold personal data for longer than is necessary for the purpose for which it is being processed. However, it is a fundamental requirement that all of Harley Street (CPC)’s records are retained for certain minimum periods in line with applicable legal, operational, research and / or safety obligations. The length of time for retaining records will depend on the type of record. We have outlined below a summary of the various types of data we hold about you and how long each record will be kept.

Medical Records

Harley Street (CPC)’s  retention policy for medical records is 30 years which has been determined with patient safety at the forefront. We may also need occasionally to undertake patient recalls where it is necessary to have access to the original patient medical record to determine, for instance, what was discussed with the patient, to treat the patient or to identify members of staff involved in the patient’s care. We will also use aggregated and anonymised medical records for research purposes using cohort studies – to understand the survival outcomes of our patients. Some non-medical records will also need to be held for this time period as they support the medical records by providing context and further operational information. These are outlined below in the other records section.

Medical Records
Type of recordStart of Retention PeriodMinimum Retention PeriodComments
All medical recordsConclusion of treatmentRetain for 30 years 

Other Records

The following table sets out what other personal data Harley Street (CPC) may hold about you and how long we will retain your personal data for.

Type of RecordStart of Retention PeriodMinimum Retention PeriodComments
e-clinic records (this is our patient administration software)Date of last admission30 yearsThe 30 year retention period is in line with the medical record retention period outlined above.
Credit card details where there is no outstanding debt on patient’s accountReceipt of credit card details6 monthsFor instance, when credit card details are taken at registration.
Credit card details where there is outstanding debt on patient’s accountDischarge of debt6 months 
Debtor records clearedClose of financial year in which debt is cleared6 years 
Debtor records not cleared Retain until cleared 
Invoices to patients regarding their treatmentClose of financial year to which the invoice relates6 years 
Booking tool for managing patient bookingsCreation6 years 
Patient enquiries – EmailReceipt6 years 
Patient surveysReceipt6 yearsApplies to surveys where patients have consented for their data to be linked back to their patient record.
Prospective patient data for marketing purposes (this data is most commonly collected at events)Receipt6 years 
Information about healthcare professionals, for marketing purposesReceipt6 years 
Complaints case fileClosure of incident30 yearsRetention period of 30 years is in line with the medical record retention period outlined above.
Fraud case filesCase closure6 years 
Litigation recordsCase closure30 yearsRetention period of 30 years in line with the medical record retention period outlined above.
Subject Access Requests (SAR) and disclosure correspondenceClosure of SAR3 Years 
A subsequent appeal to a SARClosure of appeal6 Years 
Accident formsCreation10 years 
Telephone call recordingsCreation1 yearDownloaded calls should only be retained long enough for the purpose of their use to be concluded.
Information collected by Google analytics cookies.Creation1 yearThis is line with our separate Cookies policy which can be accessed here:
Information collected by login cookiesCreation14 days
Information collected by session cookiesCreation15 minutes