
Storage of Records

To comply with the Data Protection Act 2018 [1] (see Ethical Practice), all dental practices must store personal data securely, not keep records for longer than necessary and dispose of personal data with due regard for their confidential nature.

The General Dental Council (GDC) standards [2] state that you must ensure patients’ information is not revealed accidentally and that no one has unauthorised access to it, by storing it securely at all times.

Store records securely to minimise the risk of unauthorised access, theft or damage (e.g. fire or water); for example:

  • store paper records in lockable, fire-proof cabinets
  • lock cabinets when not attended by authorised staff
  • store electronic files on password-protected computer systems
  • ‘screen-lock’ unattended computers
  • require staff to have individual log-ins and to access only the information they require
  • do not share or write down computer passwords. Change passwords regularly
  • implement security measures on IT systems such as firewalls, virus protection and encryption
  • arrange for staff to have data protection training. NHS practices should have contact details of the Data Protection Officer readily available
  • have a contract with third-party suppliers that sets out confidentiality requirements
  • ensure windows and doors are secured at the end of each day.

Keep records for adults for a minimum of 11 years and keep records for children for either 11 years or until the child is 25 years of age, whichever is longer [3].

Do not keep records for longer than necessary.

Dispose of paper records by incineration or shredding, preferably by a recognised company that provides a confidential disposal service and confirms disposal with a receipt. Contact your local NHS board for advice.

Have a documented backup protocol for electronic records. Backups should be held off site.

Dispose of electronic records by overwriting or destroying computer data and storage devices, e.g. USB drives. (Deleting files or reformatting USB drives or hard drives is not sufficient to erase data.)

Have in place a written policy for disposal of data.

Sources of Information

[1] Data Protection Act 2018 (c.12). [Online] London. The Stationery Office.

[2] Standards for the Dental Team. General Dental Council (2013).

[3] Records Management: Health and Social Care Code of Practice (Scotland). Scottish Government (2020).