‘How do I dispose of patient records safely?’

‘How do I dispose of patient records safely?’

Both the CSP and the Information Commissioner’s Office (ICO) offer national guidance for the safe disposal of patient records.

However, questions to the CSP’s professional advice service concerning the disposal of records are common. 

A comprehensive disposal or destruction schedule and policy for patient records is essential to ensure your service complies with ICO guidance. It provides clarity and transparency, and protects an individual if a challenge is made regarding information destroyed as part of your routine disposal process. NHS staff are required to read and implement their employer’s policy before disposing of notes.

Physiotherapists who are self-employed as ‘sole practitioners’ have legal responsibility for their notes, and all data protection issues, including a requirement to register with the Information Commissioner. Failure to comply with such requirements can result in a legal penalty.

Electronic and paper record disposal should be done in such a way that patient confidentiality is protected. 

A common way to dispose of notes is to outsource to a licensed confidential waste disposal company. As the information controller for your records, you are responsible for ensuring the company meets secure destruction requirements. You should have a documented agreement, which acknowledges the records’ confidential nature, and confirms the company will take all reasonable steps to protect that confidentiality. The company should provide you with appropriate assurance that they have securely disposed of the data, for example through audit checks and destruction certificates. 

If you are disposing of identifiable, confidential material in-house, the ICO advises that either cross shredding or incineration should be in place to ensure the records’ complete illegibility.

Electronic records can be difficult to destroy, as files can remain on a hard drive. For information held on electronic devices, wiping, degaussing or secure destruction of hardware (shredding) are all methods of destruction which meet ICO requirements. However, we would recommend you seek specialist IT advice when disposing of electronic records.