Changes to NHS guidance on Retaining Dental Records
On 8th April 2022 the NHS sent out an email stating:
“A review into our purposes for holding identifiable dental records was conducted in early 2021, and we accepted a recommendation to shorten the length of time that we store patient identifiable dental records from 10 years to 8 years. This change will take effect from Friday 29 April 2022.”
It is not clear what information was assessed during the 2021 review to prompt this change. We have submitted a Freedom of Information Act request to the NHS to find out more about the reasoning behind this decision.
Under data protection laws, personal data should not be kept for any longer than is necessary. The length of time to retain data will depend on what that data is and why it was processed. For example, companies often keep contractual and payment information for 6 years as that is the limitation period for a breach of contract claim. However, clinical negligence claims have a much shorter limitation period, namely 3 years, but dental records are kept for much longer.
In our view this is a welcome update to the guidance. Practices do not want to be unnecessarily retaining personal information.
Whilst you still have an obligation under GDPR to consider retention periods, we recommend following the advice from the NHS. If you are a private practice, we do not consider you would be criticised for following this advice also.
If your practice does amend its retention periods in line with the NHS review you will need to amend your policies and procedures to reflect the change.
You will also need to update your privacy notice to patients. Under data protection laws you have a duty to provide data subjects with details about how their personal data will be processed before you start processing the data. You must also notify them of material changes to how you process data. This is a material change as you are reducing the period you will hold their records for. You will need to notify them in advance of the changes and why they are taking place.
Going forward, you will need to comply with the reduced retention period for any patient who has received the updated privacy notice. For ex-patients who have not been sent the update, the old retention period will apply. We do not consider it would be feasible or proportionate to send emails to all your ex-patients updating them about this change.
Ensure staff understand their duties when undertaking data retention reviews.
If you need advice or assistance with amending your privacy notice or other GDPR policies, please contact our lawyers on 020 7 388 1658 or at email@example.com.
Laura Pearce, senior solicitor