NHSX advice on managing medical records: 5 takeaways

In August 2021, NHSX published the new Records Management Code of Practice 2021 (the “CodedThe 2021 Code builds on the 2016 version. The Code aims to provide guidance on the management, storage and disposal of NHS and adult social services records.

We have highlighted our 5 key takeaways – these will be essential for any organization working within or under contract to the NHS in England (including cloud service providers), or within adult social care and of public health.

  1. From paper to digital: Wherever possible, organizations should move away from paper to the use of digital documents.
  2. Updates to reflect UK GDPR: The code has been updated to reflect the UK GDPR and the Data Protection Act 2018. The code indicates that organizations may be required to undertake a privacy impact assessment Datas (DPIA) when establishing a new document management function or changing an existing function (such as offsite document storage). Good records management will help organizations demonstrate compliance with the principle of accountability. Data privacy concerns are also key when moving records to the cloud, including DPIAs, audit rights and clear controller instructions, including on destruction.
  3. Retention periods: As a general rule, retention periods for key medical records remain unchanged. For example, adult health records will typically be retained for 8 years, antenatal/postnatal records for 25 years after care, and GP records will normally be retained for 10 years after a patient’s death. A full list of retention periods can be found in Appendix II of the Code.
  4. Retention periods for GP records: NHSX plans to review the retention period for de-registered GP records (i.e. patient records that are no longer in the GP practice system). Currently, these records are retained for 100 years, and NHSX will consider whether the significant cost of such retention is justified. They will consider various factors to reach their conclusion, such as the number of records recalled and the reasons for the recall.
  5. Retention in the context of public inquiries: Appendix I of the Code provides new guidance on document management in relation to public inquiries. Any records relating to inquiries should not be destroyed until the relevant investigation team has provided clear instructions for such destruction to take place. There are two relevant independent inquiries at the time of writing: (i) the Independent Child Sexual Abuse Inquiry; and (ii) tainted blood investigation. According to the government, an investigation into the COVID-19 pandemic is also forthcoming.

Organizations must ensure that they comply with the standards set out in the Code – the CQC will carry out inspections to ensure that organizations have effective management systems in place.

The code can be found here.

The Code provides a framework for consistent and effective records management based on established standards. It includes guidelines on topics such as legal, professional, organizational, and individual responsibilities when managing records.


The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “lawyer advertising” requiring notice in some jurisdictions. Prior results do not guarantee similar results. For more information, please visit: www.bakermckenzie.com/en/disclaimers.