NHS Digital is required to fulfil legislative obligations in the management of its records and documents:
Data Protection Act 2018 (particularly principles 5 and 6)
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
General Data Protection Regulation (GDPR)
Article 5 of GDPR has 6 clauses (a) to (f). Clauses (e) and (f) closely mirror the obligations of the UK Data Protection Act (2018) Principles 5 and 6.
Freedom of Information Act 2000
Particularly Section 46, the Lord Chancellor’s Code of Practice on Records Management:
“Authorities should define how long they need to keep particular records, should dispose of them when they are no longer needed and should be able to explain why they are no longer held”.
Public Records Act 1958 (section 3)
It shall be the duty of every person responsible for public records of any description which are not in the Public Records Office or a place of deposit appointed by the Secretary of State under this Act to make arrangements for the selection of those records which ought to be permanently preserved and for their safe-keeping.
Health and Social Care Act 2012 (chapter 2 section 253)
The Information Centre must seek to minimise the burdens on others and exercise its functions effectively, efficiently and economically.