To comply with the Data Protection Act 2018 [1] (see Ethical Practice), all dental practices must store personal data securely, not keep records for longer than necessary and dispose of personal data with due regard for their confidential nature.
The General Dental Council (GDC) standards [2] require that patients’ information is not revealed accidentally and that no one has unauthorised access to it, which means storing it securely at all times.
Store records securely to minimise the risk of unauthorised access, theft or damage (e.g. fire or water); for example:
- store paper records in lockable, fire-proof cabinets
- lock cabinets when not attended by authorised staff
- store electronic files on password-protected computer systems
- ‘screen-lock’ unattended computers
- require staff to have individual log-ins and to access only the information they require
- do not share or write down computer passwords. Change passwords regularly
- implement security measures on IT systems such as firewalls, virus protection and encryption
- arrange for staff to have data protection training. NHS practices should have contact details of the Data Protection Officer readily available
- have a contract with third-party suppliers that sets out confidentiality requirements
- ensure windows and doors are secured at the end of each day.
Keep adult and child records for 10 years from last contact. The child record should evolve into the adult record.
On death, keep adult records for 3 years. Where the person dies before their 17th birthday, the record should be held until they would turn 25 [3].
Do not keep records for longer than necessary.
Dispose of paper records by incineration or shredding, preferably by a recognised company that provides a confidential disposal service and confirms disposal with a receipt. Contact your local NHS board for advice.
Have a documented backup protocol for electronic records. Backups should be held off-site.
Dispose of electronic records by overwriting or destroying computer data and storage devices (e.g. USB drives). Deleting files or reformatting USB drives or hard drives is not sufficient to erase data.
Have in place a written policy for disposal of data.