Requirements for Information Communication (2007 Edition)

Data security and data retention

Page last updated: 14 January 2008


The laboratory must take reasonable steps to protect the information it holds from misuse, loss, and from unauthorised access, modification or disclosure.


Access to health records should be protected by robust password control and regular changes of passwords.


Data security should be part of the organisation’s data management policy that includes retention, storage and disposal of health information. It should also include management of electronic and physical aspects, with steps taken to protect against intentional and inadvertent loss and/or breach.


The laboratory must retain (and therefore must not delete or destroy) health information relating to an individual, even if it is later found or claimed to be inaccurate, unless the deletion or destruction is permitted or required by law.
The laboratory must retain records according to the requirements given in the appropriate NPAAC document addressing the retention of records and as required by relevant legislation.


Given the relative ease with which large amounts of data can now be electronically stored and retrieved, laboratories are encouraged (in the interests of patient care, future epidemiology and research) to consider long-term retention and secure storage of laboratory data beyond the mandated requirements in standard

The retention of records relates to both data that are used solely by the laboratory and those that are communicated to other organisations or individuals. Patient health information must be kept for at least seven years from the date of the last entry in the record. However, if the patient was less than 18 years old at the date of the last entry in the record, the record must be kept until the patient attains or would have attained 25 years of age..
The laboratory may choose to retain health records, even though deletion or destruction is permitted under standards S1.9 and S1.10, where those records are needed for either the primary purpose or any secondary purpose permitted under these standards..
The laboratory must create and maintain a register of data that have been deleted or destroyed including:
(a) the individual to whom the data related
(b) the period of time that the data covered
(c) the date that the data were deleted or destroyed
(d) the person who authorised the data to be deleted or destroyed.
The laboratory must create and maintain a register of data that have been transferred to another individual or organisation including:
(a) the individual to whom the data relate
(b) the name of the organisation or individual to whom the data were transferred
(c) the person who authorised the transfer of data.


The laboratory should have a records management policy incorporating data management and protocols relating to retention, storage and disposal of both electronic and paper clinical records.
Where a laboratory wishes to retain old health information (as defined by standard S1.10) for statistical reasons, the data should be de-identified, if possible..
All result data on individuals should have electronic audit trails to record: .
(a) the original data with time and date of entry.
(b) the name of the person authorising the result, with time and date of authorisation unless the result has been auto-validated .
(c) the date and time of each report and to whom it was reported, each time a report is issued includes preliminary, amended and verbal reports.
(d) details of any data modification after authorisation, together with the time, date and identity of the person who modified the data..
Surplus personal computers and other media storage devices should be retired or disposed of in such a way as to ensure that health information that may have resided on them can no longer be accessed. .
Computer screens and fax machines should be positioned so that they cannot be seen by unauthorised people (e.g. members of the public)..