The GDPR includes a right for an individual to have personal data erased. How does the new legislation sit alongside NHS data retention guidelines for general practice?
Under the new data law, individuals can request to have personal data erased. Does this mean you must delete medical records if a patient asks to have their data erased?
The Information Commissioner's Office website contains detailed information about the right to erasure. We recommend you take a look to see a full description of this aspect of the GDPR.
If you don't have time to read the detail, the key point is that the right to erasure only applies in certain circumstances. Relevant exceptions include processing data for:
- medical diagnosis
- the provision of health or social care
- the management of health or social care systems or services
NHS data retention policy
There are various legal and medical requirements about retention periods for patient data. Standard NHS data retention policy is to keep GP records for at least ten years after death.
The expert view is that the NHS requirements take precedence over the GDPR right to erasure.
More on the GDPR and medical records
The new legislation is complicated, so we're not able to offer you legal advice on the GDPR. To save you time, here's a list of relevant resources that will help you understand the changes.
The NHS is encouraging collaboration across multidisciplinary teams. Find out if you need patient consent before you share medical records.