Data Retention Policy

Purpose

Medical Practice: The Thomas Clinic (Registered as Dr B R Thomas Ltd)

Effective Date: 17 February 2025

Review Date: 16 February 2026

Scope

This policy applies to all personal data processed by The Thomas Clinic, including but not limited to:

  • Patient medical records

  • Staff employment records

  • Supplier and business contacts

  • Financial records

Data Retention Principles

Under GDPR, personal data must be:

  1. Lawfully and fairly processed

  2. Collected for legitimate medical, legal, or operational purposes

  3. Adequate, relevant, and limited to necessity

  4. Accurate and kept up to date

  5. Stored securely and protected against unauthorized access

  6. Retained only for as long as necessary

Retention Periods

  1. Patient Medical Records - Retained until the practice ceases operations or until consent is withdrawn

  2. Staff Records (HR, payroll, contracts) - 6 years after employment ends

  3. Supplier and Business Contact Information - Until no longer required or practice ceases

  4. Financial Records (Invoices, Insurance, Billing) - 7 years

  5. Marketing and Communication Data (where consent is required) - Until consent is withdrawn

Data Subject Rights

Individuals have the right to:

  • Withdraw consent at any time where processing is based on consent.

  • Request deletion of their data ('right to be forgotten'), except where legal obligations override this request.

  • Access, rectify, or restrict processing of their data.

Secure Disposal of Data

Once the retention period expires, personal data will be securely deleted or anonymized. Methods include:

  • Electronic data: Secure erasure and destruction of backups.

  • Paper records: Shredding or incineration under controlled conditions.

Data Protection and Security Measures

  • Access controls to ensure only authorized personnel can access patient data.

  • Encryption and security protocols for electronic data.

  • Regular audits to ensure compliance with GDPR principles.

Policy Review

This policy will be reviewed annually or upon significant changes in legal or operational requirements.

Contact Information

For questions about this policy or to exercise data protection rights, please contact:

Data Protection Officer (DPO): Bjorn R Thomas

Email: support@thethomasclinic.com

Phone: 020 3376 4580