It is advisable to be familiar with the confidentiality, data protection, and record management policies and procedures at your workplace and know where to get advice on these issues. This includes policies on the use of laptops and mobile devices.
If you are personally responsible for managing patient records or other patient information, it is essential to be familiar with the requirements of the PDPO and to ensure that the records are made, stored, transferred, protected, and disposed of in accordance with the PDPO. As detailed above, the Privacy Ordinance sets out six data protection principles. One of these is Data Security, which requires a data user to take practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.
In general, the PDPO requires a data user (i.e. a doctor holding patient records) to ensure that the personal data collected is not kept longer than is necessary for the fulfilment of the purpose for which it is intended to be used. Therefore, the user must take all practical steps to ensure erasure of personal data held by the data user where the data is no longer required for the purpose for which the data was used.
Based on usual practice within Hong Kong, provided the records are not likely to be required to defend a civil claim, we would advise doctors to retain records for at least 7-10 years from the date of the patient’s last consultation. However, this situation differs in cases which involve minors, patients who do not have mental capacity and deceased patients. In general, records should not be kept for longer than necessary.