Best Storage Solutions for Healthcare Records
Healthcare records are among the most sensitive documents any organisation holds. They contain intimate personal and medical information protected by UK GDPR, the Data Protection Act 2018, the common law duty of confidentiality, and sector-specific guidance from NHS Digital and professional regulators. Getting storage wrong does not just risk a fine — it risks patient safety and public trust.
What Makes Healthcare Records Different
Medical records are classified as “special category data” under UK GDPR — the highest sensitivity level. This means they require enhanced protection beyond what standard business records need. Processing (which includes storage) must meet one of the specific conditions in Article 9, typically the provision of health or social care.
Healthcare records also have unusually long retention requirements. NHS records management codes of practice specify retention periods that, for some record types, span decades. And unlike financial records where the penalty for premature destruction is a potential tax dispute, losing or prematurely destroying medical records can affect patient care and safety.
Retention Periods for NHS and Healthcare Records
The NHS Records Management Code of Practice (last updated 2021) sets minimum retention periods. Key examples:
- Adult health records: 8 years after last treatment or death
- Children’s records: Until the patient’s 25th birthday, or 8 years after last treatment if longer
- Maternity records: 25 years after the birth of the last child
- Mental health records: 20 years after last treatment, or 8 years after death
- GP records: 10 years after death, or after patient leaves the practice (transferred to new GP)
- Cancer and oncology records: 30 years
- Records relating to clinical trials: 15 years after completion of the trial
- Surgical records: 8 years (or until patient’s 25th birthday if a child)
Private healthcare providers should follow the same guidance as a minimum, though some professional bodies recommend longer periods.
Security Requirements
The enhanced sensitivity of healthcare records demands higher security standards:
- ISO 27001 certification: Non-negotiable for healthcare record storage. The standard ensures comprehensive information security controls are in place
- Staff vetting: Enhanced DBS checks for all staff handling healthcare records. Some NHS trusts require staff to have passed NHS-specific training
- Access restrictions: Only authorised personnel should be able to access healthcare records. The facility should use zoned access, with audit trails recording every access
- Encryption: If any digital index or tracking system references patient data, it should be encrypted at rest and in transit
- Data Processing Agreement: A legally required DPA specifying exactly how the provider handles healthcare data, including breach notification procedures
Physical Storage Conditions
Healthcare records often need to be retained for 20-30 years or more. Over these timescales, storage conditions directly affect whether documents remain legible and intact.
Requirements are the same as for any long-term archive but are particularly important given the retention periods: climate control (13-20°C, 35-60% RH), gas-based fire suppression, raised storage to protect against water ingress, pest control, and UV protection. Records stored in damp, uncontrolled conditions for 25 years will deteriorate — and deteriorated medical records can affect patient care.
Retrieval and Access
Healthcare records need to be retrievable at short notice. A patient attending A&E may need their records urgently. A clinical negligence claim requires access to historical records within weeks. A Data Subject Access Request must be fulfilled within one month.
Your storage provider should offer same-day or next-day retrieval as standard, with urgent retrieval available within hours for emergencies. Scan-on-demand, where the provider scans requested documents and sends them electronically, can provide even faster access for enquiries that do not need the original document.
Choosing a Provider
Not every document storage provider is equipped to handle healthcare records. When evaluating options, prioritise:
- Experience with NHS trusts or private healthcare providers — ask for references
- ISO 27001 certification (verified, not just claimed)
- Understanding of the NHS Records Management Code of Practice
- Ability to manage complex retention schedules with multiple destruction dates
- Same-day retrieval capability and scan-on-demand services
- Willingness to accommodate NHS-specific audit and inspection requirements
Healthcare records are not a commodity product. Choose a provider who understands the sector, not just one who offers the lowest per-box rate.