Health data – How long can / should I keep it?

Whether you are a data controller deciding which data should be used or a data processor in charge of keeping the health data (in the cloud, for example), how long you should keep data is something you should be thinking about proactively. The general principle is that you keep it only as long as is necessary, which of course is open to debate and to regional variation.

The purpose for which the data has been collected will help you decide how long to store it, so that you are not exposing yourself to a data breach for longer than needed. If you are developing an app, that time should be specified clearly in the terms and conditions. When looking at health data for individual patient treatment and diagnostics, the concept of “as long as is needed” could be thought, from a clinician’s point of view, to be the duration of the individual’s life. For research, it can be and is argued that the data should be kept beyond an individual’s life. These decisions are often taken by the organisation’s data protection officer, or DPO.

With health data, as long as you still have some responsibility for that patient, and the patient has recognised it, then you can and should keep their health data. As ever, it is up to you to make sure that it is accurate and up to date. This includes making sure that contact details are current. Once you have decided which data you are collecting, the amount of time you decide to keep it is the easy bit.