Company | MedBrief Records Retention and Archiving Policy

MedBrief Records Retention and Archiving Policy

Last Updated: 27 October 2025

1. Purpose and Scope

This Records Retention and Archiving Policy (the "Policy") details the principles and procedures MedBrief ("we", "us") follows for the retention and deletion of Personal Data processed on behalf of our clients (each, a "Data Controller").

MedBrief is committed to the secure and compliant management of all data, adhering to the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Policy addresses the dual obligations of MedBrief:

As a Data Processor: To securely delete Personal Data from active systems in accordance with the Data Controller's verified instructions.
As a Business Entity: To meet our own legitimate and legally mandated requirements to retain specific records for a limited period, purely for the purposes of legal defence, insurance, and regulatory compliance.

This Policy is intended to provide transparency to our Data Controllers as part of their due diligence process.

2. Definitions

Data Controller: The entity (our client) that determines the purposes and means of processing Personal Data.
Data Processor: MedBrief, the entity that processes Personal Data on behalf of the Data Controller.
Personal Data: Any information relating to an identified or identifiable natural person, including Sensitive Personal Data (Special Category Data) as defined under UK GDPR.
Active Systems: The client-facing web application, databases, and associated infrastructure used by MedBrief to provide active services to the Data Controller and its authorised users.
Disaster Recovery (DR) Systems: Backups and other systems maintained for business continuity and resilience, which are not live or accessible for active processing.
Matter means a distinct collection of data, which may include Personal Data, that is hosted by MedBrief for a Data Controller
Secure Archives: An information store not made available to or accessible to end-clients and that is used only by MedBrief for its own business purposes. Data in Secure Archives is subject to strict access controls.
Anonymisation: The process of irreversibly altering Personal Data in such a way that a data subject can no longer be identified, directly or indirectly.
Pseudonymisation: The processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information. Such additional information (attribution data) is kept separately and is subject to technical and organisational measures to ensure non-attribution, as contemplated by UK GDPR Article 4(5).

3. Data Retention and Deletion Schedule

MedBrief has a multi-stage data lifecycle to ensure data is deleted from active use upon the Controller's request, while simultaneously safeguarding the information required for MedBrief's own legal and compliance obligations.

3.1. Stage 1: Deletion from Active Systems

After closure of a Matter, and upon receiving a verified and confirmed instruction from a Data Controller to delete Personal Data (e.g., at the end of a contract or for a specific erasure request), MedBrief will permanently delete the relevant Personal Data from its Active Systems within ten (10) business days of the expiry of a thirty (30) day cooling-off period, during which cooling-off period a Data Controller may cancel a deletion request.

Following this action, the data will no longer be visible or accessible to the Data Controller or its users via the client-facing application.

3.2. Stage 2: Deletion from Disaster Recovery (DR) Systems

MedBrief maintains DR systems to ensure service availability. These systems are, by design, not live. Following deletion from Active Systems, the same Personal Data will be permanently purged from all Disaster Recovery (DR) Systems within twenty (20) business days.

3.3. Stage 3: Retention in Secure Archives

MedBrief has a legitimate interest and, in some cases, a legal obligation (e.g., under the Limitation Act 1980) to retain a static, non-operational record of services performed. This is a limited and necessary processing activity for which MedBrief acts as a Data Controller, separate from its primary role as a Data Processor. Notwithstanding the provisions of this Policy relating to Stage 1 and 2 above, MedBrief reserves its right to retain longer term records of the information processed by it in the performance of its services, which may include Personal Data, financial records, correspondence, reports and other business documents. Where MedBrief secures any such information in its archives, the provisions of this retention policy shall apply.

Justification: The purpose of this retention is strictly limited to:

The establishment, exercise, or defence of potential legal claims.
Compliance with our professional indemnity and insurance policies.
Responding to audits or binding requests from regulatory bodies.
Business continuity through preserving records of our past activities, transactions and communications as a necessary part of managing an enterprise and protecting and advancing our legitimate interests.

We apply safeguards, such as those described in UK GDPR Article 6(4)(e), including pseudonymisation where reasonably practicable and technically feasible, to protect data subject rights during this retention period.

Process:

Prior to transfer to Secure Archives, MedBrief will, where reasonably practicable, apply data minimisation techniques, including anonymisation or pseudonymisation, to the Personal Data.
Where pseudonymisation is applied, any additional information (attribution data) required to re-identify the data is stored separately and securely from the pseudonymised data, in accordance with UK GDPR Articles 4(5) and 32(1)(a).
A final, static copy of the data (which may be anonymised or pseudonymised) relating to the completed services is then transferred to our Secure Archives.

Retention Period: Personal Data stored within the Secure Archives (and any associated attribution data) will be permanently and securely deleted within six (6) years of the completion of the performance of the services provided to the Data Controller to which that Personal Data relates, unless a further retention or legal-hold obligation has commenced as a result of any other law. This retention period is based on the 6-year statutory limitation period for negligence or breach of contract claims, plus a one-year administrative period to ensure secure and orderly destruction.

4. Security of Archived Data

All Personal Data held in our Secure Archives is subject to the same high standards of security as data in our Active Systems. This includes, but is not limited to, encryption at rest and in transit, strict access controls, and regular security audits.

These security measures, including technical and organisational controls as contemplated by UK GDPR Article 32(1)(a), apply to all archived data, whether in its original form or pseudonymised, and to any separately stored attribution data.

5. Policy Review

This Policy is reviewed at least annually, or as required by significant changes in legislation or business or technology systems, standards and practices, to ensure its ongoing suitability and compliance.

6. Contact

For any questions regarding this Policy or MedBrief's data retention practices, please contact the MedBrief Trust Centre.

MedBrief Secure Site

MedBrief Plus

Let us transform the way you work.

For Legal Professionals

For Healthcare Providers

For Insurers

For Risk Officers

Medical Records Requesting

Medical Records Collation

Medical Chronologies

Early Case Assessments

Medical Data Asset Management

Meet the tools that are changing medico-legal workflows.

About MedBrief

Careers

Blog

Trust Centre

Understanding chronologies in medico-legal contexts

We’re upgrading our radiology viewer

Contact Us

Schedule a Demo