Data Retention Policy

Under the GDPR, we must not hold personal data for longer than is necessary for the purpose for which it is being processed. However, it is a fundamental requirement that all of Care Oncology Clinic’s records are retained for certain minimum periods in line with applicable legal, operational, research and/or safety obligations. The length of time for retaining records will depend on the type of record. We have outlined below a summary of the various types of data we hold about you and how long each record will be kept.

Medical Records

Care Oncology’s retention policy for medical records is 30 years, which has been determined with patient safety at the forefront. We may also occasionally need to undertake patient recalls, where it is necessary to have access to the original patient medical record to determine, for instance, what was discussed with the patient, to treat the patient or to identify members of staff involved in the patient’s care. We will also use aggregated and anonymised medical records for research purposes, using cohort studies, to understand the survival outcomes of our patients. Some non-medical records will also need to be held for this time period as they support the medical records by providing context and further operational information. These are outlined below in the Other Records section.

Medical Records
| Type of record | Start of Retention Period | Minimum Retention Period | Comments |
| --- | --- | --- | --- |
| All medical records | Conclusion of treatment | Retain for 30 years | |

Other Records

The following table sets out what other personal data Care Oncology may hold about you and how long we will retain your personal data for.

| Type of record | Start of Retention Period | Minimum Retention Period | Comments |
| --- | --- | --- | --- |
| Meddbase records (this is our patient administration software) | Date of last admission | 30 years | The 30-year retention period is in line with the medical record retention period outlined above. |
| Credit card details where there is no outstanding debt on patient’s account | Receipt of credit card details | 6 months | For instance, when credit card details are taken at registration. |
| Credit card details where there is outstanding debt on patient’s account | Discharge of debt | 6 months | |
| Debtor records cleared | Close of financial year in which debt is cleared | 6 years | |
| Debtor records not cleared | | Retain until cleared | |
| Invoices to patients regarding their treatment | Close of financial year to which the invoice relates | 6 years | |
| Booking tool for managing patient bookings | Creation | 6 years | |
| Patient enquiries – Email | Receipt | 6 years | |
| Patient surveys | Receipt | 6 years | Applies to surveys where patients have consented for their data to be linked back to their patient record. |
| Prospective patient data for marketing purposes (this data is most commonly collected at events) | Receipt | 6 years | |
| Information about healthcare professionals, for marketing purposes | Receipt | 6 years | |
| Complaints case file | Closure of incident | 30 years | Retention period of 30 years is in line with the medical record retention period outlined above. |
| Fraud case files | Case closure | 6 years | |
| Litigation records | Case closure | 30 years | Retention period of 30 years is in line with the medical record retention period outlined above. |
| Subject Access Requests (SAR) and disclosure correspondence | Closure of SAR | 3 years | |
| A subsequent appeal to a SAR | Closure of appeal | 6 years | |
| Accident forms | Creation | 10 years | |
| Telephone call recordings | Creation | 1 year | Downloaded calls should only be retained long enough for the purpose of their use to be concluded. |
| Information collected by Google Analytics cookies | Creation | 1 year | This is in line with our separate Cookies Policy. |
| Information collected by login cookies | Creation | 14 days | |
| Information collected by session cookies | Creation | 15 minutes | |