top of page

Record Keeping

Record-Keeping Policy

(for DVSP ltd trading under UK ME/CFS specialist clinic)


1. PurposeThis policy sets out the clinic’s approach to the creation, storage, security, and management of clinical records to ensure compliance with GMC guidance, UK GDPR, and best practice in medical governance.

2. ScopeThis policy applies to all patient records created or held by the clinic, including electronic clinical notes, consultation records, correspondence, and related documentation.

3. Record System

  • The clinic uses PKB and Smilenotes as its primary electronic patient record systems.

  • Video consultations are conducted via Doxy.me.

  • No consultations are recorded.

  • All clinical notes are entered into PKB and Smilenotes contemporaneously or as soon as practicable after each consultation.

4. Record Content StandardsEach patient record includes, where applicable:

  • Patient identification details

  • Presenting complaint and clinical history

  • Assessment findings

  • Diagnosis or working diagnosis

  • Management plan and advice given

  • Follow-up arrangements

  • Consent and capacity notes

  • Correspondence and test results (if relevant)

5. Accuracy and Timeliness

  • Records are created promptly following each consultation.

  • Entries are factual, objective, and clinically relevant.

  • Amendments are clearly dated, time-stamped, and attributable.

6. Security and Access Control

  • PKB and Smilenotes access is restricted to the Clinic Director only.

  • Multi-factor authentication is enabled.

  • All devices used to access clinical records are encrypted and password-protected.

  • Systems use encrypted connections for data in transit.

  • Backups are performed automatically by the system provider.

7. Confidentiality

  • All patient information is treated as confidential.

  • Data are shared only where clinically necessary, legally required, or with patient consent.

  • No third-party access is permitted without a valid data processing agreement.

8. Data Retention

  • Adult patient records are retained for a minimum of 8 years following the last consultation.

  • Records relating to serious incidents or medico-legal matters are retained for longer as appropriate.

9. Data Breach Management

  • Any suspected or actual data breach is reported immediately to the Clinic Director.

  • The incident is assessed, documented, and managed in line with the clinic’s Data Breach Response Policy.

  • Where required, breaches are reported to the ICO and affected patients within statutory timeframes.

10. Patient Rights and Access Requests

  • Patients may request access to their records via a Subject Access Request (SAR).

  • Requests are responded to within one calendar month unless an extension is justified.

11. Audit and Review

  • This policy is reviewed annually or upon material changes to systems or services.

  • Periodic spot checks are undertaken to ensure record completeness and quality.

12. ResponsibilityResponsibility for compliance with this policy rests with the Clinic Director, who oversees information governance, data protection, and clinical record quality.


bottom of page