Storage of records

Store records securely to minimise the risk of unauthorised access, theft or damage (e.g. fire or water); for example:

• store paper records in lockable, fire-proof cabinets
• lock cabinets when not attended by authorised staff
• store electronic files on password-protected computer systems
• ‘screen-lock’ unattended computers
• staff are required to have individuals log ins, and only access the information they require
• do not share or write down computer passwords. Change password regularly
• implement security measures on IT systems such as firewalls, virus protection and encryption
• arrange for staff to have data protection training. NHS practices should have contact details of the Data Protection Officer readily available
• have a contract with third party suppliers, that sets out confidentiality requirements
• ensure windows and doors are secured at the end of each day.

Keep records for adults for a minimum of 11 years and keep records for children for either 11 years or until the child is 25 years of age, whichever is longer [3].

Do not keep records for longer than necessary.

Dispose of paper records by incineration or shredding, preferably by a recognised company who provides a confidential disposal service and confirms disposal with a receipt. Contact your local NHS board for advice.

Have a documented back up protocol for electronic records. Back ups should be held off site.

Dispose of electronic records by overwriting or destroying computer data and storage devices e.g. USB drives. (Deleting files or reformatting USB drives or hard drives is not sufficient to erase data.)

Have in place a written policy for disposal of data.