Next: Attribution
Up: Security Policy
Previous: Consent and notification
There are rules on how long records must be kept. Most primary records must be
kept for eight years, but cancer records must be kept for the patient's
lifetime, and records of genetic diseases may be kept even longer. In any case,
prudence dictates maintaining access to records until after a lawsuit for
malpractice could possibly be brought. So our next principle is:
Principle 5: No-one shall have the ability to delete clinical
information until the appropriate time period has expired.
However, these rules are still not fully worked out, and so our use of the word
`appropriate' covers a number of outstanding issues:
- our formulation allows the destruction of old records, but does not
mandate it; there are many cases (such as chronic illness) in which it is
appropriate to keep records for longer than the law requires;
- the sixth principle of the Data Protection Act [DPA84] states that
personal information `shall not be held for longer than is necessary'. This may
mean that once a clinician is no longer the primary record holder (e.g., if the
patient has moved) then the record should be destroyed. However, before doing
this, she may wish some assurance that it can be made available if necessary
(e.g., in the event of a lawsuit);
- patient consent is not immutable, but rather a continuing dialogue
between the patient and the clinician [Som93]. It is therefore quite possible
that a patient might withdraw consent and insist that a record be destroyed. No
case has come to our attention yet; perhaps such cases might be dealt with by
transferring the primary record to a clinician of the patient's choice for the
rest of the statutory period;
- with temporary copies of records, the appropriate time period will be
shorter. For example, where a general practice grants access to a night-time
deputising service, it is typically a condition that all copies of records be
deleted within a set period of time. Similar considerations apply to copies of
records held by a safehaven, an auditor or a researcher; for example, consent
to record sharing for research should be renewed every five years [Som93], so
copies of records made by researchers should persist no longer than that (and
should normally be destroyed much sooner). The design and enforcement of such
volatility requirements has an impact on aggregation control, which is
discussed below.
Preserving records is not completely straightforward; we do not want
information that has been identified as inaccurate, such as simple errors and
subsequently revised diagnoses, to be mistakenly acted on. However, we do not
want to facilitate the traceless erasure of mistakes, as this would destroy the
record's evidential value. So (as with many financial systems) information
should be updated by appending rather than by deleting, and the most recent
versions brought first to the clinician's attention. Deletion should be
reserved for records that are time-expired.
An equivalent expression of the above principle may be found in the current
requirements for accreditation of GP systems which state that `the system must
not allow records ... to be altered or deleted unless a secure mechanism is
provided to reconstruct these records as they were on any specified day in the
past' [RFA93].
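The two paragraphs above describe a record store in which information is updated by appending, the latest version is shown first, the record can be reconstructed as it stood on any past day, and deletion is refused until the retention period has run out. The following Python is an added worked example of that design and is not code from the paper or from any GP system it cites. The retention periods (eight years for most records, the patient's lifetime for cancer records) are the ones stated above; that the period is counted from the date of the latest entry, that a lifetime record becomes deletable after the patient's death, and the optional shorter expiry for temporary copies (deputising services, researchers) are my assumptions, marked as such in the code.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed example (not the paper's code): an append-only clinical record
# with retention enforcement and point-in-time reconstruction.

# Assumed retention policy, in years after the latest entry; None means the
# patient's lifetime. The paper gives the periods but not when they start, so
# "counted from the latest entry" is an assumption made here.
RETENTION_YEARS = {"standard": 8, "cancer": None}


def add_years(d: date, n: int) -> date:
    """Add n calendar years, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass(frozen=True)
class Entry:
    recorded_on: date
    content: str
    supersedes: Optional[int] = None   # index of the entry this one revises


@dataclass
class Record:
    patient_id: str
    category: str = "standard"
    entries: List[Entry] = field(default_factory=list)
    deceased_on: Optional[date] = None
    # Temporary copies (deputising service, auditor, researcher) carry an
    # explicit, shorter expiry fixed when the copy is made (assumption).
    copy_expires_on: Optional[date] = None

    def append(self, recorded_on: date, content: str,
               supersedes: Optional[int] = None) -> int:
        """The only way to change a record: add an entry, never edit one."""
        if self.entries and recorded_on < self.entries[-1].recorded_on:
            raise ValueError("entries must be appended in date order")
        if supersedes is not None and not 0 <= supersedes < len(self.entries):
            raise IndexError("cannot revise an entry that does not exist")
        self.entries.append(Entry(recorded_on, content, supersedes))
        return len(self.entries) - 1

    def as_of(self, day: date) -> List[Entry]:
        """Reconstruct the record as it stood at the end of `day`
        (the RFA93 accreditation requirement)."""
        return [e for e in self.entries if e.recorded_on <= day]

    def current_view(self) -> List[Entry]:
        """Entries not yet revised, most recent first, so a corrected
        diagnosis is seen before the one it replaced, which stays on file."""
        revised = {e.supersedes for e in self.entries if e.supersedes is not None}
        live = [e for i, e in enumerate(self.entries) if i not in revised]
        return sorted(live, key=lambda e: e.recorded_on, reverse=True)

    def retention_expires_on(self) -> Optional[date]:
        """Last day the record must still exist; None if not yet determinable."""
        if self.copy_expires_on is not None:
            return self.copy_expires_on
        years = RETENTION_YEARS[self.category]
        if years is None:                # lifetime record
            return self.deceased_on      # assumption: expiry at death
        if not self.entries:
            return None
        return add_years(max(e.recorded_on for e in self.entries), years)

    def may_delete(self, today: date) -> bool:
        expiry = self.retention_expires_on()
        return expiry is not None and today > expiry

    def delete(self, today: date) -> None:
        """Principle 5: deletion only once the retention period has expired."""
        if not self.may_delete(today):
            raise PermissionError(f"record {self.patient_id} is still within "
                                  "its retention period")
        self.entries.clear()
```

Note that `delete` is the only operation that removes anything, and it is gated solely on the retention clock; a clinician who wants an erroneous diagnosis out of sight appends a revision instead, which keeps the original entry available to `as_of` for evidential purposes.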
Ross Anderson
Fri Jan 12 10:49:45 GMT 1996