Data Retention Guide for Therapists
UK Data Retention Regulations (GDPR, DPA)
This article outlines regulations relating to the retention of personal data for therapists in the UK.
The information is provided as a general guide by a data protection specialist and active Data Protection Officer (DPO). It is not formal legal advice. Data protection laws are nuanced, and you should seek advice for your own processing if required.
Data retention is only one aspect of the many data protection obligations, including other principles and documentation obligations. To find out more, buy Practical GDPR for Therapists from Amazon.
The UK Law for Personal Data Retention (GDPR, DPA)
The use of personal data by therapists in the UK is subject to the UK’s data protection laws.
In particular, the UK General Data Protection Regulation and the UK Data Protection Act.
Those laws define how long you can keep personal data for, and yet they don’t!
The law essentially says that you can keep personal data for as long as is reasonably needed, for the purpose the data was collected for.
Those purposes may include your business purpose, to fulfil a legal obligation or to protect yourself from claims.
Therapists should document their planned retention periods, ideally within their Records of Processing Activities (RoPA) document, and also establish technologies and procedures to anonymise (if made transparent to the data subject) or delete personal data, once the end of the retention period ends. To do this, you will also need to consider when the retention period starts!
However, UK authorities and regulators have established recommended practices for personal data retention periods.
Through the rest of this article, we’ll take a look at those recommendations in more detail. We’ll also consider a legal case, in which the courts agreed that an authority should retain some personal data for 35 to 100 years.
The rest of this article is for Operations Professional members only.