Records Management Policy
This cosmetic practice holds and maintains information about the business and its patients that is necessary for the efficient running of the practice and the effective provision of cosmetic treatments. This policy describes the information that must be retained, how it must be stored, archived and disposed of to ensure that the practice complies with the requirements of the Data Protection Act.
The practice Confidentiality policy describes the need for all members of the cosmetics team to keep client information confidential and sets out the practice procedures for handling information about clients. It must be followed at all times. The arrangements for keeping information safe are described in the practice data security policy, which includes the measures for physical and electronic security.
The practice data protection code of practice helps clients understand how the practice uses and protects their personal information.
Retaining information
Information about the business and its clients is kept for no longer than required.
Client records are maintained and kept up to date while the individual remains a practice client. When they cease to be a client of the practice, their records are retained for at least six years following their last visit to the practice.
Personnel records are maintained and kept up to date whilst the individual works at the practice as an employee or self-employed contractor. Following their departure from the practice their records are retained for six years from the date of leaving the practice. Records relating to workplace accidents or injuries are retained indefinitely.
Financial records are retained for at least six years.
Business records, including contracts with suppliers, are retained for at least six years.
Secure storage
All members of the team must protect information held by the practice and store it securely. Information is only accessed on a need-to-know basis: where it is necessary to carry out required tasks; in the delivery of treatments to clients; or upon the direct instruction of a senior person within the practice.
For records held electronically, access is password protected and restricted to those who, as part of their work duties, require the information. Electronic records are regularly backed up to cloud storage.
Financial information and personnel records are stored securely.
Archiving of records
Where records need to be retained but are no longer required on a day-to-day basis, they are archived. Records will be stored in a way that ensures easy identification and retrieval. The final decision on archiving information is taken by Louise Oatley.
Electronic records that need to be retained but are not required on a day-to-day basis are, in the first instance, archived within the IT system. Archived electronic data will be copied to secure backup, and copies are also uploaded to secure cloud storage for off-site storage.
The practice is assessing systems for reviewing archived information that is no longer required.
Secure disposal of old records
Paper records that are no longer required are disposed of securely by shredding.
Records held electronically and backups of electronic information are disposed of using the secure deletion option on the practice computer system.
The final decision on disposing of records will be taken by Louise Oatley.
Updates to this policy
Date: 19th July 2019
Review date: July 2020