Records form a legal record of treatment and therefore must be retained safely and securely in accordance with the Data Protection Act 1998 c.29.
The legal requirement to retain records for a certain period relates to the legal period for bringing civil claims under either Personal Injury law or Contract law as defined by the Limitation Act 1980 c.58 and The Limitation (Northern Ireland) Order 1989.
An individual has three years to bring a personal injury claim (with some exceptions) and six years if they wish to bring a claim under contract law.
Therefore records must be retained at least until the limitation period has expired.
Each UK country sets out minimum retention periods for NHS health records. Local NHS organisations may decide to retain records for longer, so physiotherapy staff must consult their employer’s guidance before disposing of any records.
However, it’s important to consider that the fifth principle of the Data Protection Act 1998 prohibits the retention of personal data for longer than is necessary.
The minimum retention periods apply to all formats/mediums which contain components of information relating to the health record.
Although the retention periods quoted apply to the health departments in the devolved nations, private practitioners would be advised to apply the same retention periods.
NHS retention schedule information
Detailed NHS retention schedule information can be found in the retention of health records summary and in the following documents:
- NHS England Records Management NHS Code of Practice
- NHS Northern Ireland Department of Health, Social Services and Public Safety (Northern Ireland) Good management Good Records
- NHS Scotland Records Management best practice in relation to the creation, use, storage, management and disposal of NHS records
Security of records
Good practice in relation to keeping patient information secure can be found in Department of Health. Confidentiality: NHS Code of Practice.
Records must be stored securely (whether they are in paper or electronic format) to ensure patient confidentiality is upheld.
Records must also be stored in such a way that they are easily accessible when required i.e. filed in a systematic way to aid swift retrieval.
Specific information on electronic records and security can be found under ‘The move to electronic records’ and ‘Electronic Record keeping and the cloud’ in Documenting a health record.
Dealing with a data breach
The Information Commissioner’s Office has a useful publication on managing a data breach. Depending on the size and nature of the data loss, the data controller may need to:
- notify the patients affected about what was lost, how it was lost, and what the organisation is doing to rectify the situation
- notify the insurer of the loss in case any patient decides to take action at a future date because of the loss
- contact the Information Commissioner and report the data loss;
- engage with software developers to resolve the problem if the problem was caused by a software issue;
- contact the recipient of the data to see if it can be retrieved
Damage to data
Where notes are damaged, such as by fire or flood, there are companies which can restore/repair original records as far as possible.
The original record (or aspects of it) should be retained as far as is practicable.
Where records are totally irretrievable, they should be recreated.
- As far as reasonably possible, a list of the names of patients whose records have been destroyed should be made and new records created for them.
- A statement should be included that “original notes destroyed by <reason> (for example flood) on <date>; notes recompiled from memory on <date>”
- For some patients it may only be possible to recreate name and (approximate) dates of treatment, but if any clinical detail can be remembered it should be recorded where possible, accepting the limitation of memory; members should not ‘make up’ or ‘invent’ records.
Deliberately destroyed data and the law
If records have been deliberately destroyed and are not available to present as evidence to a court, then this may count against the person or organisation that caused the loss.
In cases where records are lost or misplaced by accident, the law looks to other forms of evidence to make appropriate judgements.
When patients hold their own records and damage or lose the records by their own actions, the individual circumstances of any claim would need to be considered.