Dr Gerard Panting advises on the legal aspects of retaining and protecting electronic and paper medical records

Q One of our patients has requested that her clinical information is held in paper form only, and that all clinical information currently held on computer is copied onto paper and the computer records deleted. She is happy for her administrative details to remain on the computer system. Do we have to comply with this request?

A This is a peculiar request. Under the Data Protection Act 1998, data subjects have a right of access to information held about them and a right to have erroneous data corrected. However, there is no specific provision entitling patients to demand deletion of computerised records when exactly the same data are to be found on manually held records. The fact that it is merely the form in which the record is held that is central to this request suggests that there is nothing wrong with the data itself, thus undermining any argument that correction is required. So the narrow legal answer is no, you do not have to comply with this request.

However, a blank refusal to comply with what the patient wants is most unlikely to be the most constructive way forward. If she is really set on having the computerised records deleted, she could raise a string of enquiries and requests, some of which might require you to make piecemeal changes.

For example, the fifth data protection principle requires that personal data should not be kept for longer than is necessary. Recommended retention periods for personal health data are set out in the Department of Health publication For the record.1 If it transpired that this patient’s data had been retained for longer than recommended, she could demand deletion. In effect, this data principle requires personal medical data to be reviewed regularly and obsolete data to be deleted.

Questions may also be asked about fair and lawful processing (the first data protection principle) and the security of her computerised medical records (the seventh data protection principle).

To avoid becoming embroiled in lengthy correspondence about her records, you may take the view that the pragmatic way out is to accede to her request, retaining only her contact details on computer with a note stating that all health records are held manually.

Q The seventh data protection principle requires that appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data, accidental loss or destruction of or damage to personal data. What does this amount to in practice?

A Sensitive personal data held electronically or on paper must be kept in a secure environment. In practice, this means restricting access to authorised personnel and taking care to maintain the physical integrity of the data. For example, reasonable precautions should be taken such as installing fire alarms and sprinklers, and ensuring that paper records are not stored in a damp basement.

All staff should be aware of their duty not to allow unauthorised disclosure of personal data, and computer terminals should be locked or turned off when left unattended. Passwords, encryption software and restricted access are other obvious aspects that must be considered, as must the policy if equipment has to be taken off site for repair. Ideally, equipment containing personal data should be repaired under supervision on site. If it does have to go off site, a confidentiality agreement should be drawn up and signed.

Identifying potential weak spots in a system requires input from everyone who handles data and would be a very useful practice-based risk management programme to follow.

Q How long should records be held and how can they be expunged from electronic systems?

A The recommended minimum retention period for medical records is set out in Health Service Circular 1998/217, reproduced in Box 1 (below).

Box 1: Recommended minimum retention periods for medical records2
  • Maternity records:
    25 years
  • Records relating to children and young people (including paediatric, vaccination and community child health records):
    Until the patient’s 25th birthday or 26th if an entry was made when the young person was 17; or 10 years after the death of a patient if sooner
  • Records relating to patients receiving treatment for a mental disorder within the meaning of the Mental Health Act 1983:
    20 years after no further treatment considered necessary, or 10 years after the patient’s death if sooner
  • Records relating to those serving in HM Armed Forces:
    Not to be destroyed
  • Records relating to those serving a prison sentence:
    Not to be destroyed
  • All other personal health records:
    10 years after conclusion of treatment, the patient’s death or after the patient has permanently left the country

It is important to remember that information held on computer will not be expunged from the hard disk merely by deleting the file or reformatting the disk. Data can be resurrected using commonly available software, so before deciding to sell an old computer or leave it at the local council tip, it is probably safest to remove and destroy the hard drive or seek advice from an expert on how to make remaining personal data on the disk inaccessible.

Software is available that will generate random data which you can use to overwrite the whole disk, though it is recommended that this is done seven times to be sure that the underlying data is irretrievable.


  1. Department of Health. Health Service Circular 1999/053. For the record: Managing records in NHS Trusts and Health Authorities. London: Department of Health, 1999.
  2. Department of Health. Health Service Circular 1998/217. Preservation, retention and destruction of GP general medical services records relating to patients. London: Department of Health, 1998.


Guidelines in Practice, July 2003, Volume 6(7)
© 2003 MGP Ltd
further information | subscribe