Data retention policy

Our data retention policy explains the principles followed by Concentric Health relating to retention and deletion of data within Concentric, and how responsibilities are shared between Concentric Health and the healthcare organisations that use Concentric.

This policy is intended primarily for healthcare organisations acting as data controllers and for their information governance and records-management teams. If you are a patient, please see our privacy notice for information on how your data protection rights are managed.

Last reviewed: 28th November 2025

Roles and responsibilities

The healthcare organisation acts as the data controller when using Concentric. In the context of data retention, controllers determine, in line with their retention schedule, how long records are retained and when they should be deleted or exported. A controller’s local retention schedule will usually be based on a national code of practice, for example, the NHS England Records Management Code of Practice or the Scottish Government’s Health and social care records management: code of practice.

Concentric Health acts as a data processor, processing information on behalf of and under the documented instructions of each controller. We do not set retention periods or delete clinical data independently.

Context and limitations as a downstream system

Concentric is typically one part of a broader digital ecosystem used by a healthcare organisation, often alongside a main electronic health record. As a downstream system, Concentric does not hold all the information needed to determine how long a record should be kept.

In particular:

  • We do not have complete visibility of how each organisation interprets or updates its local retention schedule.
  • We do not know definitively when a treatment took place, nor whether it occurred at all, and therefore what medicolegal limitation period applies.
  • We are not notified of subsequent interactions a patient may have with services, nor are we, in most cases, automatically notified of death, both of which can impact the appropriate retention period.
  • We cannot conduct the records-management review that a data controller performs when a minimum retention period lapses to assess whether the minimum retention period applies or whether an extended period is appropriate, for example, if an extended medicolegal limitation period may apply.

Because of these limitations, Concentric cannot determine when retention periods have expired. The controller must make retention decisions.

Definitions

Consent summary PDF: The consent summary PDF contains the key details about the consent episode and is available for all episodes in which a consent event has occurred. This includes patient demographics, the treatment name, the names of the documented indications, alternatives, and risks, and details of any consent events that occurred (for example, remote consent and 2nd-stage confirmation of consent), including timestamps.

This is the same PDF that is available to view within the Concentric user interface, and is sent to healthcare organisations as part of a document integration.

Consult view’s print stylesheet: Consult view’s print stylesheet is available for all consent episodes, and demonstrates the information shown within the patient-facing views in Concentric. In addition to the details in the consent summary PDF, this includes lay descriptions and additional resources linked to clinical concepts, and notes added by the clinical team.

This can be generated by accessing consult view for the relevant consent episode, and selecting print within the browser.

Audit trail: The audit trail provides an attributed and timestamped event-by-event history of the consent episode within Concentric. This includes details such as:

- The version of a content template used
- Clinician interactions in terms of creation of the episode, selection of each element, and modifications to the template such as addition of custom concepts or clinician notes.
- Sharing and consent events.
- Patient access within the Concentric patient application.

Understanding the audit trail will usually require Concentric Health’s support.

General data retention approach

Concentric deletes data only on instructions to do so from the controller. The practical implication of this is that Concentric retains data until that point, subject to technical and commercial feasibility.

Controllers may also specify a long-stop retention period (for example, 75 years) in the data processing agreement. Where such a long-stop is defined, Concentric can apply it automatically at the appropriate time based on the date of last clinical interaction with the relevant consent episode.

Deletion of specific records held in Concentric

This section describes the process for ‘hard deletion’ of specific records, i.e., the deletion of particular consent episodes or patient records, not the deletion of all tenant data (that is considered separately within the offboarding section below and linked offboarding plan). Hard deletion is the permanent removal of data from Concentric’s database, carried out by Concentric Health staff, and only at the controller’s instruction.

Hard deletion differs from episode deletion actions that clinicians can perform within the Concentric user interface (‘soft deletion’); these remove an episode from view but do not delete it from the database.

Deletion at the episode or patient level

Controllers may request deletion at either the consent episode level or the patient level. A deletion may be requested in a bulk scenario following, for example, an annual records-management review, or at an individual level when, for example, the controller has decided to honour a data subject’s erasure request.

Concentric does not initiate deletion or trigger retention reviews. Deletion instructions are accepted only from individuals authorised by the controller, as set out in the data processing agreement.

What controllers confirm when requesting deletion

Before deletion occurs, an authorised individual must confirm, on behalf of the controller, that:

  1. The request has been reviewed in line with their retention schedule and governance processes.

  2. Relevant considerations have been addressed, including medicolegal, complaints-related, or regulatory needs for the record.

  3. They have exported and securely retained any information they wish to maintain access to, either from within the Concentric user interface (e.g., the consent summary PDF and consult view’s print stylesheet) and/or via a request to Concentric Health. Guidance notes:

    • Where a deletion is occurring in response to a data subject request or as part of a data correction exercise (i.e. not at the end of the organisation-defined data retention period), the controller may request the audit trail for the consent episode from Concentric Health.

  4. They acknowledge that deletion irretrievably deletes some details, including, in most cases, the detailed audit trail. They also acknowledge that, depending on the information exported under point 3, other information contained within the consent episode may also be irretrievably deleted.

  5. They acknowledge that the controller assumes responsibility for any medicolegal and/or evidential implications arising from the deletion of the record from Concentric.

Naturally expiring backups and logs

Please note that naturally expiring backups and logs relating to the episode or patient are not deleted as part of this process. Specifically:

  • Database backups are retained for 28 days, then naturally expire.
  • Application logs, such as API and integration call details, naturally expire at 90 days (these do not contain personal or special-category data).
  • SMS and email delivery logs naturally expire at 45 days (these contain the minimum data required for delivery and do not contain special-category data).

Notifications to clinicians and patients

Concentric Health does not send notifications to clinicians or patients when a record is deleted. Controllers are responsible for any patient or staff communication relating to deletion, as appropriate.

If a patient user attempts to access a deleted record, the application will indicate that the record is no longer available and direct them to contact their healthcare team.

Audit logging of deletion events

For all specific record and tenant-level hard deletions, Concentric Health records a non-identifiable audit entry, detailing:

  • The deletion reference ID
  • The date and time of deletion
  • Whether deletion occurred at the episode, patient, or tenant level

The deletion reference ID is provided to the controller as part of confirming that the deletion has been completed.

Offboarding

In the scenario of tenant offboarding, i.e. when a healthcare organisation stops using Concentric as an active clinical system, there are additional considerations regarding the appropriate data retention approach. These considerations, and the available options, are described in our offboarding plan.

Contact and further information

If you are a patient, questions about how long your record is kept should be directed to your healthcare organisation, which acts as the data controller. You can also read our privacy notice for further information.

If you are part of a healthcare organisation and would like to discuss data retention or deletion arrangements, please contact us via our contact page.

Further reading

Privacy notice

Details of how Concentric collects, processes, and protects patient information, with separate notices for each country where Concentric is used.
