Data handling, record keeping and disposal
Published on: 21st January 2021 | Updated on: 7th April 2022
Data handling is the process of ensuring that data is stored, archived and disposed appropriately.
The Data Security and Protection Toolkit (‘Toolkit’) includes questions related to data security handling, record keeping and disposal.
Community Pharmacy England’s data security guidance sets out how data can be handled within and outside of the pharmacy.
In some cases clinical digital data that helps care of the patient may be kept for the lifetime of the patient plus additional time (at minimum). NHS England set out recommended minimum retention periods within their Records Management Code of Practice for Health and Social Care. The Specialist Pharmacy Service (SPS, sps.nhs.uk) also recommend minimum retention periods for many types of pharmacy data.
If there is no longer a valid reason to keep personal data (and the data is outside of the minimum retention period you have set) there are methods for destruction. There are three common types of items that may require destruction:
- paperwork;
- digital data; and
- electronic hardware (e.g. a computer hard drive).
Most pharmacy contractors have arrangements with third party expert disposal companies. When using such disposal companies, a written contract should be in place and certificates of destruction should be provided for any data taken away.
Top tips for data disposal (external companies)
Work out your criteria for selection of a disposal company:
- Is it important for your shredding to be done in front of your eyes (on-site) or off-premises? Some waste contractors will provide this option even if you do not need to view each destruction.
- Is the company recommended by others?
- Does the company website provide you with reassurance?
- If the waste contractor will destroy your hard drives or old computers, have they advised the method for how they will do this?
Other tips:
- Seek Certificates of Destruction (electronic or paper) for any data taken away from the pharmacy.
- Plan how many waste data collections are needed (e.g. one per month).
- Cloud data may also be overwritten or deleted, when this is required. Your cloud data provider should have made available policies regarding data integrity and destruction or may have detailed their processes within the contract.
Templates
Pharmacy contractors may wish to download, adapt and use:
DSPTK Template 4: Data handling, record keeping and disposal procedures (see DS templates webpage).
Community Pharmacy England’s GDPR WB will also assist contractors with matters that relate to data handling.
Further info
If you have queries on this webpage or you require more information please contact comms.team@cpe.org.uk.
Quality and regulations; Return to the Pharmacy IT hub; Data security hub or IT a-z index
For more information on this topic please email comms.team@cpe.org.uk
