Home care: destroying client records
A home care organisation works with the most sensitive data there is: care records, care plans, medication overviews and notes about each client's health. Part of that literally travels to the client's home and sometimes sits on the table there for weeks. The care record has a long statutory retention period, but what may go should disappear confidentially. This guide shows, by part, what you keep, when it may go and how to keep the chain closed from the living room to the shredder.
The quick answer: you keep the care record for twenty years under the WGBO, counted from the last change. The financial administration falls under the tax seven years. Single working copies, schedules and drafts you keep no longer than necessary for the care. What may go disappears confidentially and with a certificate.
Two frameworks: WGBO and GDPR
In home care two things run together. The WGBO requires you to keep the care record for a long time, so the care stays traceable and a client or a subsequent carer can consult it later. The period is twenty years, counted from the last change to the record. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The WGBO sets the floor for the record, the GDPR the ceiling for everything around it.
So treat the client data per type. The formal care record has a different status than a single working copy in the car or an expired schedule. How the twenty-year period works out in practice you can read in the practice of the WGBO 20-year retention period. If you make that distinction, you keep exactly what you must and clear out the rest on time.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the WGBO period from the last change to the record and the tax period from the end of the financial year.
| Part | Starting point | Period |
|---|---|---|
| Care record and care plan | WGBO retention duty | 20 years |
| Medication overview | Part of the record | follows the record |
| Financial administration | Tax retention obligation | 7 years |
| Single working copies at the client | Only during the care | clear out at once |
| Schedules and route lists | Purpose-bound | as briefly as possible |
| Data carriers and tablets | End of life | wipe or destroy |
Use this as a guideline, not a substitute for a concrete assessment per situation. When in doubt, consult your data protection officer or a privacy adviser. A broader overview is in the GDPR retention periods cheatsheet.
Files that travel to the client's home
What makes home care special is that the data leaves the building. A paper care folder sits on the client's table, a member of staff has a printout in the car and notes travel from home to home. Every handover is a moment when a file can go missing. So make sure of a closed chain, from the living room to the shredder. Take the paper fully back at the end of the care and leave nothing behind at the client that contains personal data.
Do not gather the returned paper with the ordinary waste paper, but in a sealed container at the office. That way it stays protected until destruction. Why every link matters you can read in chain of custody: from archive to shredder. The fewer hands a file passes through, the smaller the chance of a leak.
Medication overviews and care plans
Medication overviews and care plans belong to the care record and follow the same retention period. Even so, many single versions arise in practice: an outdated medication overview, an old care plan after a reassessment or a printout left behind after a team meeting. Those single copies have no retention ground of their own once they are processed into the current record. Clear them out confidentially instead of stockpiling them.
That way you avoid a shadow archive of outdated versions arising alongside the real record. That shadow archive is exactly what causes problems during an audit or data breach, because no one knows any more which version is the leading one.
Staff data carriers and tablets
Home care no longer works on paper alone. Staff report on a tablet or phone, use a USB stick or have a laptop with client data. Each of those devices is a data carrier. At the end of its life, on replacement or when a member of staff leaves, such a device is destroyed confidentially or wiped demonstrably. Handing it in through an ordinary trade-in or leaving it in a cupboard is no safe solution.
Think too of staff who report or view records from home. Paper and devices in the home setting call for the same care as at the office. Practical arrangements for this are in working from home with confidential documents.
How to handle it in 6 steps
- Split the data into care record, financial administration and single working copies.
- Keep the care record for the WGBO period of twenty years.
- Take paper at the client fully back at the end of the care.
- Clear out single copies once they are processed into the current record.
- Collect what may go in sealed containers, not with the waste paper.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Client records are destroyed confidentially, because they contain health data and that is special-category personal data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old office laptop, tablet or backup with client data belongs with it too. The approach is the same as for other care records, such as with destroying a physiotherapy client record.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Client records to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Leaving paper behind at the client. Take everything back at the end of the care.
- Stockpiling outdated versions. Single copies you clear out after processing into the record.
- Forgetting tablets and phones. A data carrier with client data belongs with it.
- Throwing away unshredded. A client record on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long must home care keep client records?
The care record falls under the WGBO retention period of twenty years, counted from the last change to the record. The financial administration falls under the tax seven years. Single working copies and drafts you keep no longer than necessary for the care.
What do I do with paper files kept at the client's home?
Take them back at the end of the care in a closed chain. The paper travels sealed and stays that way until destruction, so a file never ends up loose with the waste paper or is left behind with the client.
Do staff tablets and phones fall under this too?
Yes. A tablet, phone or USB stick with client data is a data carrier and at the end of its life is destroyed confidentially or wiped demonstrably, not simply handed in or thrown away.
How do I destroy client records in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
Home care works with health data of every client, between the WGBO and the GDPR. Keep the care record for twenty years, keep the administration seven years and clear out single working copies once they are processed. Take paper at the client fully back and keep the chain closed from the living room to the shredder. Do not forget the tablets and phones of staff. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect your clients' data.
Read also: occupational health services: destroying medical files, mental health institutions: destroying client records, allied health: treatment records and the WGBO and the GDPR retention periods cheatsheet.
Have client records collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.