The GDPR includes a right for an individual to have personal data erased. How does this legislation sit alongside NHS data retention guidelines for general practices?
Under the GDPR data law, individuals can request to have personal data erased. Does this mean you must delete medical records if a patient asks to have their data erased?
The Information Commissioner's Office website contains detailed information about the right to erasure. We recommend you take a look to see a full description of this aspect of the GDPR.
If you don't have time to read the detail, the right to erasure only applies in certain circumstances. Relevant exceptions include processing data that is for:
NHS data retention policy
There are various legal and medical requirements about retention periods for patient data. Standard NHS data retention policy is to keep GP records for at least ten years after death.
The expert view is that the NHS requirements take precedence over the GDPR right to erasure.
More on the GDPR and medical records
The GDPR legislation is complicated, so we're not able to offer you legal advice on the GDPR. To help you understand the changes, you can find a list of relevant resources here.