PURPOSE — This policy sets out the retention periods for personal data held by Be Elite Aesthetics, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Under the data minimisation principle (Article 5(1)(e) UK GDPR), personal data must not be kept for longer than is necessary for the purposes for which it is processed.
MEDICAL AND TREATMENT RECORDS — Retention period: 8 years from the date of the last treatment or consultation. Basis: NHS Records Management Code of Practice; professional body guidance (GMC, NMC); Limitation Act 1980 (6-year limitation period for personal injury claims, extended to allow for late discovery). For patients treated under the age of 18: records are retained until the patient's 25th birthday or 8 years from the last treatment, whichever is later, in accordance with the Limitation Act 1980 (Section 28), which extends the limitation period for minors. Records include: consultation notes, treatment records, clinical photographs, consent forms, medical history questionnaires, and practitioner notes.
FINANCIAL AND TRANSACTION RECORDS — Retention period: 7 years from the end of the financial year in which the transaction occurred. Basis: HMRC requirements under the Taxes Management Act 1970 and VAT Regulations 1995. Records include: payment records, invoices, deposit and refund records, and gift voucher transactions.
CONSENT RECORDS — Treatment consent records: retained as part of the medical record (8 years). Marketing consent records: retained for the duration of consent plus 1 year after withdrawal, to evidence that marketing was conducted lawfully. Cookie consent records: retained for 12 months.
COMPLAINTS AND INCIDENT RECORDS — Retention period: 10 years from the date of resolution. Basis: to enable investigation of any subsequent related concerns and to comply with professional indemnity requirements.
STAFF AND PRACTITIONER RECORDS — Retention period: 6 years after the end of employment or contract. DBS check records: a record that a check was carried out is retained; the certificate itself is destroyed within 6 months in accordance with the DBS Code of Practice.
AUDIT LOGS AND SYSTEM RECORDS — Retention period: 36 months. Basis: legitimate interest in maintaining system security and investigating potential data breaches.
ANALYTICS DATA — Retention period: 26 months. Basis: website improvement purposes. Data is anonymised and aggregated.
CORRESPONDENCE AND ENQUIRIES — Retention period: 3 years from the date of last communication, unless the correspondence relates to a treatment, complaint, or other matter with a longer retention requirement.
SECURE DISPOSAL — When personal data reaches the end of its retention period and there is no lawful basis for continued retention, it will be securely and permanently deleted (digital data) or confidentially destroyed (physical records). We use secure deletion methods that prevent data recovery. Anonymisation may be used as an alternative to deletion where the anonymised data has continuing legitimate value.
REVIEW — This policy is reviewed annually. Data retention periods are assessed against current legal requirements, regulatory guidance, and business necessity.