Data handling, record keeping and disposal

Published on: 21st January 2021 | Updated on: 7th April 2022

Data handling is the process of ensuring that data is stored, archived and disposed appropriately.

The Data Security and Protection Toolkit (‘Toolkit’) includes questions related to data security handling, record keeping and disposal.

Data handling

Community Pharmacy England’s data security guidance sets out how data can be handled within and outside of the pharmacy.

Record keeping

In some cases clinical digital data that helps care of the patient may be kept for the lifetime of the patient plus additional time (at minimum). NHS England set out recommended minimum retention periods within their Records Management Code of Practice for Health and Social Care. The Specialist Pharmacy Service (SPS, also recommend minimum retention periods for many types of pharmacy data.

Disposal of data and related contracts

If there is no longer a valid reason to keep personal data (and the data is outside of the minimum retention period you have set) there are methods for destruction. There are three common types of items that may require destruction:

  • paperwork;
  • digital data; and
  • electronic hardware (e.g. a computer hard drive).

Most pharmacy contractors have arrangements with third party expert disposal companies. When using such disposal companies, a written contract should be in place and certificates of destruction should be provided for any data taken away.

Top tips for data disposal (external companies)

Work out your criteria for selection of a disposal company:

  • Is it important for your shredding to be done in front of your eyes (on-site) or off-premises? Some waste contractors will provide this option even if you do not need to view each destruction.
  • Is the company recommended by others?
  • Does the company website provide you with reassurance?
  • If the waste contractor will destroy your hard drives or old computers, have they advised the method for how they will do this?

Other tips:

  • Seek Certificates of Destruction (electronic or paper) for any data taken away from the pharmacy.
  • Plan how many waste data collections are needed (e.g. one per month).
  • Cloud data may also be overwritten or deleted, when this is required. Your cloud data provider should have made available policies regarding data integrity and destruction or may have detailed their processes within the contract.



Pharmacy contractors may wish to download, adapt and use:

DSPTK Template 4: Data handling, record keeping and disposal procedures (see DS templates webpage).

DSPTK Template 21: Supplier list of processors including waste disposal companies (see DS templates webpage).

Community Pharmacy England’s GDPR WB will also assist contractors with matters that relate to data handling.

Further info

If you have queries on this webpage or you require more information please contact



Quality and regulations; Return to the Pharmacy IT hub; Data security hub or IT a-z index

For more information on this topic please email

Latest Digital & Technology news

View more Digital & Technology newsSee all