Effective Date: 1st of May 2025

1. Purpose

This Data Retention Policy outlines how Outpatient Network (“we”, “us”, “our”) manages, retains, and disposes of personal data in line with applicable laws, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and industry best practices.

2. Scope

This policy applies to all personal data processed by Outpatient Network, whether collected directly from individuals, through our website, via third-party platforms, or during service delivery.

3. General Principles

Data Minimisation: We only retain personal data that is necessary for the purposes for which it was collected.

Purpose Limitation: Data is retained only for as long as necessary to fulfil contractual, legal, regulatory, or legitimate business purposes.

Secure Disposal: When no longer required, data is securely deleted or anonymised.

4. Retention Periods

Data Type | Purpose | Retention Period

Client contact details | Service delivery and communication | Up to 7 years after last contact or contract completion

Enquiry forms (website) | Responding to queries and follow-up | 12 months from last interaction

Google Analytics data | Website analytics and improvements | 26 months (default setting)

Marketing email lists | Email communications | Until consent is withdrawn or 24 months after last engagement

Employee data (if applicable) | HR and payroll | 7 years post-employment

Supplier and partner data | Contractual and operational purposes | 7 years after last transaction

5. Exceptions

Certain data may be retained longer if required by:

Law or regulation (e.g., tax or health and safety records).

Ongoing legal claims or disputes.

Explicit consent given by the data subject for extended retention.

6. Data Review and Disposal

We conduct annual reviews of the data we hold to ensure:

Data is still necessary.

Outdated or irrelevant data is securely disposed of.

Any data exceeding the retention period is deleted or anonymised.

Secure deletion methods include secure wiping, shredding of physical records, or using certified data destruction services.

7. Roles and Responsibilities

Data Protection Lead: Responsible for overseeing compliance with this policy.

All Staff: Responsible for adhering to the data retention periods relevant to their role.

8. Policy Review

This policy will be reviewed annually or earlier if required by changes in legislation, business operations, or data processing activities.

9. Contact

For any questions regarding this policy, please contact us.