This guide takes you through our advice on retaining and destroying clinical records.

Retaining records

Not all patient records are handled in the same way. When considering how to categorise records and their retention, it can be helpful to think of patients coming under one of four different headings.

Ongoing patients

These patients attend more or less regularly. There is every justification for retaining these records indefinitely, to assist in the ongoing care of the patient.

Patients who have not attended for the recommended minimum retention period

The revised NHS advice on retention provides guidance for people working within NHS organisations in England and Wales. This recommends 11 years as the minimum retention period for adult dental clinical records and that children's records should be retained until the 25th birthday or 26th if the patient was 17 when treatment ended.

The Scottish government provides guidance advising the recommended retention period for general dental services records as 10 years for adults and 10 years or up to the 25th/26th birthday rule, whichever is longer for children.

In Northern Ireland there is guidance on record retention from the Department of Health and contained within the Regulation and Improvement Authority (Independent Health Care) (Fees and Frequency of Inspections) (Amendment) Regulations (Northern Ireland) 2011.

It might be premature to simply destroy the records of patients who haven't attended for more than the minimum retention period and we would not recommend doing so.

Destroying these patients' records could mean any claims about events from more than the minimum retention period are difficult to defend, potentially putting you at risk.

We therefore advise adopting a retention protocol where all records of patients who have not re-attended are reviewed after the minimum retention period.

We doubt the ICO would be too critical of such a protocol, although the Data Protection Act does state that information should not be kept longer than is necessary.

There are arguments for retaining the records of these patients beyond the minimum retention period:

in case the patient re-attends or a subsequent dental professional requests information on past treatments
against the risk of litigation (and we do have experience of claims being made 'out of the blue' many years after the treatment in question)
for forensic identification of the deceased.

Patients who have not attended for the minimum retention period, but where a clear exception justifies continued retention

This category might include patients who have made a claim (or intend to bring one), former child patients who have not yet reached the recommended age for retention of their records, or brain damaged patients to whom the statute of limitations does not apply.

Deceased patients

Where patients have died, there's an argument for disposing of their dental records three years and four months after the date of their death.

Generally speaking, under the statute of limitations a deceased patient's executors or personal representatives have a maximum of three years from the date of death to start legal proceedings in pursuit of any claim made on the patient's behalf, and a further four months to serve those proceedings.

There is a time limit on compensation which is three years from the date of knowledge of an injury or negligence. This may be extended by a court ruling. For minors, this limit is from the age of 18.

Storing records

How you store records should comply with a patient's legal right to confidentiality and your professional obligation to respect confidentiality, especially in view of GDPR.

The GDC says, "you must not leave records where they can be seen by other patients, unauthorised staff or members of the public".

GDPR

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. This requires you not to keep personal data for any longer than necessary, but the ICO's report Information Governance in Dental Practices acknowledged that the previous Data Protection Act of 1998 did not define how long is necessary for any particular type of data - and the same is true of the GDPR.

Data controllers are therefore faced with making a judgement. To do so properly, it's crucial to know what data is held, to have a protocol for its retention (which sets out a retention schedule and rationale), and to regularly review both the retention of data as well as the protocol itself.

To routinely retain records indefinitely, 'to be on the safe side', is no longer an option.

Disposal and destruction of records

Disposing of records should be done in such a way that patient confidentiality is protected, and in accordance with national and local waste disposal requirements. It's worth noting that local authorities have regarded study casts as clinical waste, which must be handled, stored and disposed of appropriately.

Our general advice around destroying records includes these points.

If you do need to destroy records, be sure that they're not needed for dento-legal purposes.
Review all records carefully before destroying them.
Electronic records can be especially difficult to destroy, as files can remain on a hard drive. Seek specialist IT advice when disposing of electronic records.
Disposal of paper records should only be carried out in a way that protects patient confidentiality, such as shredding.
We recommend indefinitely retaining records where there has been an adverse incident or complaint, even if it was satisfactorily resolved at the time.

If you're outsourcing the destruction of records, you should use a licensed confidential waste disposal company and have a suitable written agreement with them. This should acknowledge the records' confidential nature, and confirm the company will take all reasonable steps to protect that confidentiality.

Useful links

Retaining and destroying patient records

Related articles

Membership in your pocket