How long do we keep your personal data?
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was collected. In the NHS, all commissioners and providers apply retention schedules in accordance with the Records Management Code of Practice for Health and Social Care (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016). This code is based on current legal requirements and professional best practice and sets the required standard of practice in the management of records for those who work within or contract to NHS organisations in England.
Destruction of data will only happen following a “review” of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:
- To ensure that information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a cross cut shredder or subcontracted to a reputable confidential waste company (as identified in the table below) that complies with European Standard EN15713.
- To ensure that electronic storage media used to hold or process information are destroyed or overwritten to current national cyber security standards.
- To ensure that any arrangement made to sub-contract secure disposal services from another provider, complies with the NHS Standard Contract and with assurance that the sub-contractor's organisational and technical security measures comply with the General Data Protection Regulations (GDPR) and the Data Protection Act 2018.