The HSE National Records Retention Policy provides guidance on how to manage records, including how long to keep each type or category of record. This policy replaces earlier versions. In revising this policy, the HSE acknowledges its responsibility to adhere to the GDPR 'storage limitation' principle.
All HSE employees are responsible for:
- managing records properly
- being familiar with the sections of the policy that apply to their area
You must manage records in accordance with the HSE's retention periods outlined in the policy, and any relevant laws or regulations.
Our responsibilities for managing HSE records in accordance with this policy includes old files in locations that might not be in use.
HSE National Records Retention Policy
Record Retention FAQs (PDF, 426 KB, 3 pages)
Policy purpose
The policy sets out the management of retention periods that consider the HSE's clinical, operational, business, and legal requirements.
What are records and data?
A record, as defined in this policy, is any type of documentation containing information about a past event. Examples of records (page 6).
Data is individual pieces of information. Records are made up of information and data.
See list of records and their definitions covered in this policy in Appendix 1 (page 13).
How long to keep records
The length of time to keep records varies according to the type of data or record, and the reason for keeping it.
The reason for keeping information could be clinical, business, legal, statutory, or operational.
Record retention obligations and principles in Section 5.0 (page 8)
Retention schedules and data owners for record categories in Appendix 2 (page 15) and Section 6.0 (page 9)
Factors to consider when revising or updating your retention schedules in Section 8.0 (page 10)
Data retention risks
In accordance with the GDPR principle of 'storage limitation', you should only keep data for as long as it is required.
Ensuring that records are destroyed when no longer needed reduces the risk of information becoming irrelevant, excessive, inaccurate, or out of date.
Retaining records beyond the required period increases the risk of a data breach.
Record of Processing Activity
The retention period of records containing personal information must be recorded in that service’s Record of Processing Activity (ROPA). This is a legal requirement under Article 30 of the GDPR.
Guidance on how to complete a ROPA, including a template.
Implementing the policy
Each service area is responsible for applying this policy to their records and creating a local implementation plan. Both physical and digital records should be managed properly.
Training and useful tools
Training materials and practical tools, including a self-assessment tool, are being developed and will be made available as soon as they are ready.
Policy exceptions
If you're unable to comply with any aspects of this policy, email nrrp@hse.ie for support.
Related content
Record of processing activities (ROPA)
Record Retention FAQs (PDF, 426 KB, 3 pages)
Contact
Ann Sheehan, Policy Programme Lead for National Records Retention
Email: nrrp@hse.ie