Each practice must keep and maintain full and accurate patient records, which should be securely stored. If the records are electronic, backups should be made regularly. The records must adhere to the GDPR and Data Protection Act 2018 and be retained in line with the Records Management Code of Practice for Health and Social Care 2016. The College of Optometrists have useful guidance on patient records including content, retention, ownership and storage.
Right to be forgotten
A person can ask you to delete or remove personal data you hold on them. However, this right does not apply if there is a compelling reason for its continued processing – for example, if the data takes the form of health records that you have a legal duty to retain. You should not delete patient records before the usual time limit. However, you should remove the patient from all mailing lists if requested.
National data opt out
On 25 May 2018 NHS England introduced a new, national data opt out. This enables patients to opt out of their confidential patient information being used for purposes other than their direct health care – such as for research or health planning purposes.
The national data opt out will only affect an optical practice if you are planning on using confidential patient information for your own research or planning purposes, in which case you should contact the NHS to establish whether the opt out applies to any of the confidential patient information you plan to use. The opt out does not apply, however, if you have sought explicit consent for the activity.
More on the National Data Opt Out, particularly for patients, is here.