Data handling, record keeping and disposal
Published on: 21st January 2021 | Updated on: 13th January 2025
Managing data properly is essential for safe and efficient pharmacy practice. Data handling covers how information is stored, archived, and securely disposed of when it is no longer needed.
The Data Security and Protection Toolkit (Toolkit) includes questions on data handling, record keeping, and disposal.
Community Pharmacy England’s guidance explains how data should be managed both inside and outside the pharmacy. This ensures patient information is kept secure and handled in line with NHS requirements.
Clinical digital records that support patient care may need to be kept for the patient’s lifetime plus additional time. NHS England sets minimum retention periods in its Records Management Code of Practice for Health and Social Care.
The Specialist Pharmacy Service (SPS, sps.nhs.uk) also provides recommended retention periods for specific types of pharmacy records.
Pharmacies must comply with legal and professional requirements for retaining records, ensuring patient safety and adherence to data protection laws. Guidance sets out how long different types of records should be kept and stresses the importance of accurate record-keeping to support regulatory compliance and service quality.
Read more:
When personal data is no longer needed and has passed the minimum retention period, it must be securely destroyed. Items that may require disposal include:
- paperwork
- digital data
- electronic hardware (such as computer hard drives)
Most pharmacy owners use specialist disposal companies. A written contract should be in place, and certificates of destruction must be provided for any data removed.
Top tips for choosing a disposal company
- Decide whether you want shredding done on-site or off-site. Some contractors offer both options.
- Check if the company is recommended by other pharmacies.
- Review the company’s website for reassurance about their processes.
- If disposing of hard drives or computers, ask how they will carry out the destruction.
Other tips
- Always request certificates of destruction (electronic or paper).
- Plan how often collections are needed (for example, once a month).
Cloud data can also be securely deleted or overwritten. Your cloud provider should have clear policies on data integrity and destruction, usually set out in your contract.
Pharmacy owners may find the following resources useful:
- DSPTK Template 4: Data handling, record keeping and disposal procedures (see DS templates webpage)
- DSPTK Template 21: Supplier list of processors, including waste disposal companies (see DS templates webpage)
Community Pharmacy England’s GDPR Workbook, which supports pharmacy owners with data handling and compliance
For more information on this topic please email it@cpe.org.uk
