Skip to main content

Warning notification:Warning

Unfortunately, you are using an outdated browser. Please, upgrade your browser to improve your experience with HSE. The list of supported browsers:

  1. Chrome
  2. Edge
  3. FireFox
  4. Opera
  5. Safari

Record Retention Policy

The HSE National Records Retention Policy provides guidance on how to manage records, including how long to keep each type or category of record. This policy replaces earlier versions. In revising this policy, the HSE acknowledges its responsibility to adhere to the GDPR 'storage limitation' principle.

All HSE employees are responsible for:

  • managing records properly
  • being familiar with the sections of the policy that apply to their area

You must manage records in accordance with the HSE's retention periods outlined in the policy, and any relevant laws or regulations.

Our responsibilities for managing HSE records in accordance with this policy includes old files in locations that might not be in use.

HSE National Records Retention Policy

Record Retention FAQs (PDF, 426 KB, 3 pages)

Policy purpose

The policy sets out the management of retention periods that consider the HSE's clinical, operational, business, and legal requirements.

What are records and data?

A record, as defined in this policy, is any type of documentation containing information about a past event. Examples of records (page 21).

Data is individual pieces of information. Records are made up of information and data.

See list of records and their definitions covered in this policy in Appendix 1 (page 24).

How long to keep records

The length of time to keep records varies according to the type of data or record, and the reason for keeping it.

The reason for keeping information could be clinical, business, legal, statutory, or operational.

Records Retention and General Data Protection Regulation [GDPR] Principles (page 12) and records retention benefits and risks 3.3 (page 12)

Retention schedules and data owners for record categories in Appendix 2 (page 29) and roles and responsibilities section 3.1 (page 10)

Factors to consider when revising or updating your retention schedules in Section 3.6 (page 10)

Data retention risks

In accordance with the GDPR principle of 'storage limitation', you should only keep data for as long as it is required.

Ensuring that records are destroyed when no longer needed reduces the risk of information becoming irrelevant, excessive, inaccurate, or out of date.

Retaining records beyond the required period increases the risk of a data breach.

Record of Processing Activity

The retention period of records containing personal information must be recorded in that service’s Record of Processing Activity (ROPA). This is a legal requirement under Article 30 of the GDPR.

Guidance and template for completing a ROPA

Implementing the policy

Each service area is responsible for applying this policy to their records and creating a local implementation plan. Both physical and digital records should be managed properly.

Training and useful tools

Training materials and practical tools, including a self-assessment tool, are being developed and will be made available as soon as they are ready.

Policy exceptions

If you're unable to comply with any part of this policy, contact us for support at nrrp@hse.ie.

Related content

Data protection

Record of processing activities (ROPA)

Record Retention FAQs (PDF, 426 KB, 3 pages)

Contact

Ann Sheehan, Policy Programme Lead for National Records Retention

Email: nrrp@hse.ie

Back to Procedures and guidelines