Records retention policy
1. Purpose
This policy ensures that HG practitioners manage client records in line with the GDPR and best practice guidance, thereby supporting clinical decision-making, safeguarding, legal, insurance and regulatory queries, and professional audit or supervision purposes.
Record retention protects both clients and practitioners by ensuring evidence of therapy and decisions is available if needed. The GDPR requires personal information to be kept only as long as necessary for the purpose it was collected. This policy provides guidance on:
- How long records should be retained
- Pseudonymisation, anonymisation, and eventual destruction
- Secure records handling
Records are important in the event of:
- Complaints or professional challenges
- Legal, medical, or insurance queries
- Safeguarding investigations
- Professional audits or regulatory requirements
2. Retention period – adults
- Case notes and associated documents (letters, emails, etc.) should be retained for 7 years after therapy ends.
- The 7-year rule applies regardless of ceasing to practise, including retirement or termination of HGI membership.
- Records should not be kept beyond 7 years without a lawful basis; clients must be informed if you plan to retain their records beyond 7 years.
3. Retention period – under-18s
- For clients under 18, case notes and associated documents must be retained until 7 years after the client’s 18th birthday.
- The 7-year rule applies regardless of ceasing to practise, including retirement or termination of HGI membership.
- Records should not be kept beyond 7 years without a lawful basis; clients must be informed if you plan to retain their records beyond 7 years.
4. Pseudonymisation, anonymisation and data destruction
Pseudonymised records are those in which records (such as initial enquiry or registration documents) containing personal identifiers such as names, addresses or email addresses are stored completely separately from case notes, but are linked to them through the use of a unique ‘pseudonym’, such as a number. This process is made substantially easier if the therapist is in the habit of not including such identifying details within the session case notes themselves, and simply refers to the client in these notes by using their initial (eg ‘P stated that…’ as opposed to ‘Paul stated that …’
Pseudonymising records adds an extra layer of security because it reduces the risk of breaching confidentiality, inadvertent or otherwise. Any breach is less serious because the individual to whom the record refers cannot be identified from the notes alone.
Anonymous records are those in which an individual cannot possibly be identified. These are generally retained beyond 7 years only for research, supervision, or case study purposes.
Best practice
- The HGI recommends that, if practicable, therapists pseudonymise records 1 year after therapy ends. This can be easily organised for notes stored online. Written notes may be organised with a top sheet containing identifying details only. This can be removed at a later date and given a number. The number is then added to the first sheet of the now-anonymised notes.
- The pseudonymised notes should be kept for the remainder of the 7-year retention period.
- At the end of 7 years, records should either be securely destroyed or fully anonymised if there is a lawful reason to retain them – such as having explicit client consent for research, supervision, or case study purposes.
5. Privacy notices and client contracts
Practitioners must clearly state in client contracts and privacy notices:
- How long records will be retained.
- What will happen to them after this period – e.g. destruction, anonymisation.
Retaining records beyond 7 years must be explicitly justified and communicated to the client.
6. Use of digital records systems (such as Pragmatic Tracker)
Practitioners using electronic systems (e.g. Pragmatic Tracker) must follow the platform’s data retention and deletion policies. Default deletion is usually within 12 months unless ongoing consent is obtained.
7. Ceasing to practise
Arrangements must be in place to ensure that, in the event that a practitioner retires, become incapacitated or dies, records of therapy are retained in accordance with these guidelines. Such arrangements should ensure:
- Secure storage, transfer, or destruction of client records.
- Ongoing confidentiality.
- Access for lawful purposes – e.g., safeguarding, legal queries.
The arrangements should be documented and communicated as appropriate. See also Clinical will guidelines (in the members area – login required).
8. Policy review and compliance
This policy should be reviewed every three years or sooner if regulations, professional guidance, or insurance requirements change. Practitioners are responsible for ensuring compliance with GDPR, HGI guidance and any relevant insurance or regulatory requirements.
Summary table
| Record type | Retention period | Notes |
|---|---|---|
| Adult client case notes | 7 years after therapy ends | Includes emails, letters, and summaries |
| Under-18 client case notes | Until 7 years after 18th birthday | Safeguarding and legal protection |
| Pseudonymised records | Up to 7 years | Destroy or anonymise after 7 years unless lawful basis to retain |
| Anonymised research & supervision material | Indefinite if unidentifiable | Must not contain personal data |
| Digital archives – e.g. Pragmatic Tracker | 7 years | Follow platform’s data retention policy |
| Records on ceasing practice | 7 years or arrangement to transfer records to responsible third party | Ensure secure storage, transfer, or destruction |
Clinical Governance Group
January 2026