
Part of Records and document management policy

Retention and disposal - personal data considerations



GDPR Article 5(1)(e) - storage limitation

GDPR Article 5(1)(e), on storage limitation, specifies that personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR.


Periodic review of personal data

Personal data must be periodically reviewed in accordance with NHS Digital’s retention schedule guidelines and if it is no longer needed, at any point in time, it shall be deleted or anonymised as appropriate. Anonymised data is not subject to GDPR or the Data Protection Act 2018.


Challenges to the retention of personal data

Any challenges to the retention of personal data must be considered in accordance with GDPR Article 17 (Right to erasure), or the equivalent sections in the DPA 2018 if the processing is for law enforcement purposes. The right to erasure does not apply where we are legally obliged to process personal data or where the processing is necessary for performing our functions.


Lawful basis for processing personal data and information on rights of the data subject

NHS Digital's lawful basis for processing personal data and information on the rights of the data subject are set out in our Transparency Notice.


Erasure of personal data where personal data must be maintained as evidence or if important for public interest

Where NHS Digital would be required to erase personal data but the personal data must be maintained as evidence for legal purposes or for reasons of important public interest, NHS Digital must, instead of erasing the personal data, restrict its processing.


Data processing, storage and destruction of records by third parties

Data processing, storage and destruction of records can be undertaken by third parties contracted for those purposes, provided that it is compliant with GDPR, DPA 2018 and any relevant/specified NHS Digital Policy. All parties must agree on who owns the data, what data is shared, levels of information security, who shall have access, how records/documents are to be managed and what the disposal arrangements are, for example, destruction or return of data.


Records pending audit, litigation or investigation

Processes must be in place to ensure that records pending audit, litigation or investigation are not destroyed.


Destruction of records

Records must be securely destroyed in accordance with the relevant security policy.

Processes must be in place to ensure that all backups and copies are included in the destruction of records, or that data is put beyond use.


Last edited: 13 October 2022 1:31 pm