When patients give you their personal information, they expect you to keep it securely and use it appropriately. The Information Commissioner’s Office (ICO) is the body that ensures compliance with the Data Protection Act in the UK.
The Information Commissioner
The ICO’s role includes registering people and organisations that process personal data, acting to improve their behaviour, and handling concerns about data management.
It has the power to issue fines of up to £500,000 for breaches of data security. The ICO provides advice and guidance to help organisations and people who run their own businesses, such as osteopathic practices, to comply with data protection requirements.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and meant some changes to previouse requirements. For more information see the ICO website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
People and organisations who process personal information are data controllers and must register with the Information Commissioner’s Office, so you need to establish who the data controller is for your patient records.
To find out if you are a data controller and how to register see https://ico.org.uk/for-organisations
Retention of patient records
Osteopathic Practice Standard D6 (3) says that you should keep patient records:
- for a minimum of eight years after their last consultation;
- if the patient is a child, until their 25th birthday.
The ICO also provides guidance on:
- direct marketing: https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf
- information security: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security