Retention and protection of information


Retention periods of the information we hold  

We keep personal information as set out in the Scottish Government Records Management: Health & Social Care Code of Practice (Scotland) 2020. The NHS code of practice sets out minimum retention periods for information. This includes personal information, held in different types of records. These could be personal health records and administrative records.  The Scottish Government Code of Practice directs that we maintain a retention schedule. This details the minimum retention period for the information. It also includes procedures for the safe disposal of personal information.  

How we protect personal information 

We take our duty to protect your personal information and confidentiality seriously. We take all reasonable measures to ensure the confidentiality and security of personal data we are responsible for. This applies to electronic or paper data. 

We ensure your personal information is only accessible to authorised people.  Our staff have a legal and contractual duty to keep personal health information secure and confidential. Under the NHSScotland Code of Practice on Protecting Patient Confidentiality all staff are also required to protect patient information. 

The following security measures are in place to protect personal information: 

  • All staff undertake mandatory training in data protection and information security 
  • Organisational policy and procedures on the safe handling of personal information 
  • Access controls and audits of electronic systems 

These resources ensure that staff members are aware of their responsibilities. Support is also available from our Information Governance team. Staff follow best practice on the necessary safeguards and appropriate use of person-identifiable and confidential information. 

Everyone working for the NHS is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law. 

Every NHS organisation has a Caldicott Guardian charged with protecting patient-identifiable information. Our Caldicott Guardian ensures we protect patient privacy in our work. Contact them at: 

HIS.ig@nhs.scot