Data handling/retention policy

How we handle, retain and dispose of our information.



While information held by the NHS Counter Fraud Authority (NHSCFA) represents some of the organisation’s most valuable assets; disposal scheduling is an equally important aspect of establishing and maintaining control of corporate information, as not all information should be retained indefinitely.

The General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018 and the Freedom of information Act 2000, impose stringent duties on public sector organisations with regard to robust records management practices. Therefore it is essential that all information is not only used, communicated, transferred and stored in a manner that complies with the broader information management and security framework of NHSCFA, but also ensures that the final disposal of records is undertaken in accordance with legislation and key good practice guidance.

The appropriate handling, storage and disposal of information is the responsibility of all NHSCFA members of staff. The organisational processes in place to facilitate this will be ineffective unless the correct procedures are carried out in a careful and consistent manner.

NHSCFA is committed to properly protecting the information that it holds. This policy and associated practice and procedures have been agreed by the NHSCFA Board.

Purpose and scope

This policy sets out the principles governing the retention and disposal of information so that records are not kept longer than they are needed, in compliance with the 2016 records management code of practice and supplementing the organisation’s policies relating to information governance and security management.

The policy is to be read in conjunction with NHSCFA’s policies on:

  • Information Governance
  • Information Security Management
  • Acceptable Use
  • Data protection
  • Mobile Computing
  • Government Security Classification guidance

The policy is concerned with all information systems, digital and non-digital and will cover all information within NHSCFA that is or may be:

  • stored on computers
  • transmitted across networks
  • printed out or written on paper
  • sent internally or externally (by whatever method)
  • stored on removable and other electronic media

The policy applies to all business units within NHSCFA and as appropriate to its contractors and any third-party service providers.



The Board is ultimately responsible for ensuring that the organisation meets its legal responsibilities and the adoption of internal and external governance requirements. These responsibilities include maintaining standards of information governance which ensure the quality of record keeping and record management.

The Board will be informed of any issues via the Board Assurance Framework report, which the areas the Information Governance Lead is responsible for feeds into.

Chief Executive

The Chief Executive has overall responsibility for records management in the organisation. As accountable officer they are responsible for the management of the organisation and for ensuring appropriate mechanisms are in place to support service delivery and continuity.

Operational responsibility for information governance is delegated by Chief Executive to the Information Governance Lead.

Caldicott Guardian

NHSCFA’s Caldicott Guardians have particular responsibility regarding the use of person identifiable information. The organisation’s Guardian has overall responsibility for ensuring person identifiable information is shared in an appropriate and secure manner.

The duties and responsibilities of the Caldicott Guardians are outlined in NHSCFA’s Caldicott Guardian Policy.

Information Governance Lead

Their responsibilities include:

  • those detailed in the Information Governance Policy
  • ensuring the NHSCFA has an appropriate strategy in place to effectively manage corporate records
  • ensuring the implementation and application of the NHSCFA’s document and record retention policy and schedule
  • providing guidance and advice on records management issues to NHSCFA staff
  • agreeing changes to record retention periods
  • appropriately delegating responsibilities to the Information Governance Team

Information Asset Owner (IAO)

All IAOs are directly responsible for:

  • all responsibilities detailed in the Information Governance Policy
  • the creation of appropriate ‘Standard Operating Procedures (SOPs), that will ensure that records created within their units are managed in a way which meets the aims of the organisation’s record management policy
  • ensuring their staff are adequately trained in records management and ensure compliance with the data handling policy and associated good practice guidance
  • ensuring the implementation and application of the NHSCFA’s document and record retention policy and schedule
  • being fully aware of which records are vital to the continuation of their business service and take appropriate measures to ensure their continued availability in a business continuity scenario
  • involve the Information Governance Team at an early stage in assessing the impact of any changes in the management of records
  • appropriately delegate these responsibilities to their staff

All Staff

Are directly responsible for:

  • meeting the responsibilities and principles detailed in the Information Governance Policy
  • managing all records they use or create in the course of their duties to ensure they meet the requirements of this policy and any guidance provided.
  • ensuring that they do not create information outside of NHSCFA authorised systems and equipment
  • not recording business information in systems that do not allow a record to be kept or accessed at a later date
  • being aware that it is a criminal offence to:
  1. alter, deface, block, erase, destroy or conceal any personal data to prevent disclosure of information held by NHSCFA (see also NHSCFA Acceptable Use Policy)
  2. to seek to re-identify individuals from anonymised information without authorisation from NHSCFA or the relevant stakeholder.
  3. to knowingly or recklessly misuse personal information (e.g. retaining personal information they had access to in their role after leaving NHSCFA’s employ).

Retention and disposal of information

The retention periods for all of the categories of information held by the NHSCFA is set out in the organisation’s Data Retention Schedule. This applies to information (originals and duplicates) in all formats and systems.

Information may be subject to one of a number of disposal actions at the end of its permitted life cycle. Typical disposal actions include:

  • internal archive
  • transfer and archive at an external storage facility
  • destruction
  • deletion

Information should only be destroyed in the ordinary course of business, in accordance with the periods stipulated in the Data Retention Schedule. No information subject to ongoing or pending investigations, audit, or litigation should be destroyed.

Physical destruction of digital (and any applicable non-digital) investigation material will be carried out in accordance with the Forensic Computer Unit’s (FCU) Standard Operating Procedures. All other digital material will be deleted or destroyed in accordance with ISA/Capita’s documented procedures.

Where electronic data is to be erased but the medium left intact, it must be deleted to the extent appropriate to the security classification. The destruction processes appropriate to each security classification, for information held in digital or nondigital formats, are set out in the NHSCFA Data Classification Matrix.

Exception for Intelligence Information

What is intelligence Information?

Intelligence information can be described as the ‘product’ resulting from the collection, evaluation and analysis of all information acquired and provided, in respect of specified operational organisational objectives.

The retention periods for all categories of information held by NHSCFA are set out in the organisation’s Data Retention Schedule. The exception to this is information relating to any behaviour, method of operation or unusual practices, linked to potential offences of fraud, bribery or corruption within the NHS and wider health service, that cannot be immediately linked to an identifiable individual(s). This information may be retained for a period beyond those currently set out in the Data Retention Schedule subject to regular reviews while additional information and/or identifiers are sought.

Reporting of incidents

Any incident involving the suspected loss or compromise of any protectively marked material or person-identifiable data must be reported immediately, in accordance with the NHSCFA’s Information Breach Reporting policy.

Validity of this policy

Associated data handling and storage standards will be reviewed at least annually (or as and when, new legislation, codes of practice or national standards are introduced)

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!