Dear colleagues,
I would be interested to know how long you are keeping consent forms for
the disclosure of personal data to third parties (e.g. police).
In the NHS, the DoH Code of Practice states that "requests for access to
records, other than Freedom of Information or subject access requests"
can be destroyed after 6 years.
However, isn't the principle that we should retain an audit trail of
access to records for as long as the records themselves exist? This
seems contradictory and I wonder if destroying after 6 years is too
short.
On the other hand, perhaps the actual consent form itself is not
necessary to retain as part of the audit trail, only the fact that
consent was received, if this is recorded as metadata against the
records e.g. on a database.
Practically speaking, these consent forms are not always filed onto the
record that they relate to, but may be held in a seperate filing
sequence, making it very difficult to destroy when the record they
relate to is destroyed.
I would be interested to know what others do for these records.
The ICO does not have a particular position on it.
Thank you very much in advance for your help.
Kind regards,
Catherine Redfern
To view the list archives go to: https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=RECORDS-MANAGEMENT-UK
To unsubscribe from this list, send an email to [log in to unmask] with the words UNSUBSCRIBE RECORDS-MANAGEMENT-UK
For any technical queries re JISC please email [log in to unmask]
For any content based queries, please email [log in to unmask]
|