Data Retention and Record Keeping Policy

Effective Date: 9th January 2025

Last Reviewed: January 2026

Next Review Date: January 2027

Responsible Person: Johanna Condon, Director and Clinical Lead

1. Purpose

The purpose of this policy is to ensure that all client, clinical, and administrative records are created, maintained, stored, and disposed of in a secure, accurate, and legally compliant manner. Good record keeping is essential to deliver safe, effective, and accountable care within Jo Condon Autism Assessments.

2. Scope

This policy applies to:

  • All employees, associates, and contractors who create or manage records on behalf of Jo Condon Autism Assessments.
  • All forms of records, including paper, electronic, audio, and visual formats.
  • All service users (children, young people, and adults) and staff records.

3. Legal and Professional Framework

This policy complies with the following legislation and standards:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Health and Social Care Act 2008 (Regulated Activities) Regulations 2014
  • Caldicott Principles (2013)
  • Freedom of Information Act 2000 (where applicable)
  • Children Act 1989 & 2004
  • Equality Act 2010
  • Professional Codes of Conduct (e.g. HCPC, NMC, GMC)

4. Key Principles

All records must be:

  • Accurate and factual – written clearly, objectively, and without bias.
  • Timely – Adverse events must be documented immediately following the event or as soon as is practicably possible. Observation and interview reports must be written within 72 hours of the session. Other clinical information must be recorded at the time that it is obtained.
  • Comprehensive – Reports must contain all information provided that is relevant to the assessment.
  • Secure and confidential – Information must be stored in line with our Confidentiality Policy and only accessible by those with relevant authorisation and clinical need to access the information.
  • Owned – It should be clear who has recorded the information and when.

5. Types of Records

Records held by Jo Condon Autism Assessments include (but are not limited to):

  • Clinical Records: Assessment notes, questionnaire responses, reports, correspondence, consent forms
  • Administrative Records: Appointment logs, invoices, referral information, communications.
  • Staff Records: Employment details, training, supervision notes, DBS records.
  • Complaint Records: Details of complaints, investigations, outcomes, and learning actions.

6. Retention Periods

Records will be retained for the following minimum periods in line with professional and legal standards:

  • Online enquiry forms – 6 months after submission
  • Adult client records – 7 years after last contact
  • Child client records – Until 25th birthday (or 26th if aged 17 at last contact)
  • Staff employment records – 6 years after employment ends
  • Financial and billing records – 6 years
  • Complaint records – 10 years
  • Consent forms – Duration of service + 7 years
  • Training and supervision records – 6 years

If legal proceedings, complaints, or regulatory reviews are ongoing, records will be retained until resolution is complete.

7. Record Disposal

  • Paper records: We do not keep paper records. Any paper records provided must be digitised and then destroyed. Any handwritten notes must be anonymously recorded, transferred to the digital record and immediately destroyed. Paper records should be destroyed by shredding or using a certified confidential waste service.
  • Digital records: After the set retention period, or on request of the client, digital records will be permanently deleted using secure erasure software; backed-up copies will also be deleted.
  • A data destruction log will be maintained to record what, when, and by whom digital data was destroyed.

8. Access to Records

Clients have the right to:

  • Access their records under Article 15 of the UK GDPR (Subject Access Request).
  • Request corrections to inaccurate information.
  • Request erasure where legally permissible.

Requests should be made in writing to the Data Protection Lead at admin@jocondon.co.uk. Responses will be provided within one month.

9. Audit and Quality Assurance

  • Regular audits will check record completeness, security, and accuracy.
  • Findings will inform staff training and service improvement.
  • Any non-compliance or breach will be reported to the Data Protection Lead.

10. Responsibilities

All staff and contractors are responsible for:

  • Maintaining accurate and up-to-date records.
  • Ensuring confidentiality and security.
  • Reporting errors, breaches, or incidents immediately.

The Data Protection Lead is responsible for:

  • Policy implementation and compliance monitoring.
  • Coordinating audits and staff training.
  • Reporting serious incidents to the Information Commissioner’s Office (ICO) where required.

11. Breaches and Non-Compliance

Any breach of record-keeping requirements (e.g., lost files, unauthorised disclosure, inaccuracy) will be investigated immediately.

Serious breaches will be reported to the ICO within 72 hours and clients will be notified where necessary.

12. Review

This policy will be reviewed annually or sooner if changes occur in legislation, best practice, or service provision.

Approved by: Jo Condon

Last Reviewed: January 2026

Next Review Date: January 2027