A PCT hit the headlines in September 2011 after mistakenly sending a CD containing information about 1.6m patients to landfill during an office move.
The PCT's chief executive was obliged to give an undertaking to the Information Commissioner's Office (ICO) that action had been taken to tighten its policies and procedures, although in a separate statement the PCT said she stressed that the data stored was 'not current'.
GPs regularly ask the Medical Defence Union (MDU) about 'inactive' patient records: how long such records should be retained, how they should be stored and how they can be safely disposed of.
This is important because while the ICO can fine organisations for serious, deliberate or reckless breaches of the Data Protection Act 1998, GPs could also face a GMC investigation if identifiable patient data is mislaid.
According to the DH, medical records should be kept for at least 10 years after the conclusion of treatment, the patient's death or after the patient has permanently left the country.
Other material, such as maternity records, records relating to the treatment of under-18s or patients receiving treatment under the Mental Health Act, should be kept for longer. A table showing the recommended retention periods can be found in Annex D1 of Records management: NHS code of practice part 23.
The MDU advises GPs to retain patient records for as long as possible, particularly where there has been an adverse incident or complaint. We have assisted members with incidents that occurred 40 years earlier.
Without medical records it is difficult to respond to a request for information or defend a claim successfully.
The DH's 2011 guidance The good practice guidelines for GP electronic patient records, version 4, echoes this point, recommending practices should keep electronic records and the associated audit trails indefinitely for medico-legal reasons.
Patient records should be locked away and protected against accidental loss or damage. For example, leaving them unprotected in a damp-prone cellar or garage is inadvisable.
Now that electronic records are more commonplace, storage is less of an issue. However, controls should be in place to prevent inappropriate access.
GPs need to be satisfied that their arrangements for incinerating or shredding paper records are as secure as possible. The DH guidance also covers destruction of records.
If you use contractors for disposal, they should sign confidentiality undertakings, produce written certification as proof of destruction and adhere to the approved British Standard for secure destruction of confidential material.
When disposing of old IT equipment, bear in mind that data on hard disks is notoriously difficult to erase.
- Dr Phillips is a medico-legal adviser at the Medical Defence Union, www.the-mdu.com