Mental health institutions: destroying client records
A mental health institution processes the most sensitive data there is. Diagnoses, treatment plans, session notes, medication and sometimes crisis and risk assessments. This data falls under a long statutory retention period, but it may not sit around forever either. This guide shows how long you keep a client record, what the client's right to destruction means and how to have the record destroyed confidentially afterwards.
The quick answer. The WGBO sets a retention period of 20 years, counted from the last change to the record. A client may also ask for destruction. What may go disappears confidentially and with a certificate, whether it is paper or a digital data carrier.
Two frameworks that apply side by side
At a mental health institution two regimes run together. The WGBO requires you to keep a record and to retain it for 20 years, so that a client and the practitioner can fall back on the treatment history. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary and gives special-category data extra protection. The WGBO sets the floor for what you must keep, the GDPR the ceiling for what you may not keep too long.
Those 20 years are not a loose guideline. In the WGBO 20-year patient files guide you can read how the period is counted and when good care practice calls for keeping longer. For mental health care the starting point is the last change to the record, not the first appointment. As long as a treatment pathway runs, the clock therefore stands still.
Retention periods by part
A client record is not a single homogeneous whole. The period differs per type of data. The overview below gives the main line. Count the WGBO period from the last change and the tax period from the end of the financial year.
| Part | Starting point | Period |
|---|---|---|
| Treatment record | WGBO retention obligation | 20 years from last change |
| Financial administration | Tax retention obligation | 7 years |
| Referrals and correspondence | Part of the record | follows the record |
| Practitioner personnel file | Own periods | separate from the client record |
| Digital records and backups | Same period as the original | then wipe or destroy |
| Drafts and working versions | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for your own policy or legal advice. Keep the client record and the practitioner's personnel file strictly apart. They carry different periods and different legal bases and should not run together in the same archive.
The client's right to destruction
Alongside the retention obligation there is a right that often comes up in mental health care. A client may ask for the record to be destroyed. You honour such a request in principle within three months, unless a statutory rule stands in the way or another person has a compelling interest in keeping the data. For that last point, think of a live complaint or a legal procedure.
A destruction request is therefore not a formality you tuck away in a drawer. You assess it case by case, record your reasoning and carry it out where there is no bar. If you do carry it out, the same applies as for an ordinary clear-out. The record disappears confidentially and you keep proof of the destruction, so that you can later demonstrate you handled the request with care.
Special-category data and extra care
Data about mental health are special-category personal data. They enjoy heightened protection under the GDPR, because a breach can have serious consequences for someone's life, work and relationships. That calls for extra care at every stage. Limit who has access, keep no more than necessary and treat the data at the end of its life with the same care as during treatment.
In concrete terms this means you do not throw an old client record in with the ordinary waste paper and you do not simply put a decommissioned server with records out with the bulk rubbish. The road to destruction should be as closed as the cabinet the record stood in. Anyone who wants to destroy data demonstrably for the GDPR arranges that chain from start to finish.
How to handle it in 6 steps
- Determine the last change per record and count the 20 years from there.
- Separate client and personnel files and keep the financial administration apart.
- Assess destruction requests case by case and record your reasoning.
- Include digital data carriers in the clear-out, backups and old servers too.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Client records are destroyed confidentially, because they contain health data of the most sensitive kind. The paper and the data carriers travel sealed and stay that way until destruction, so the chain is closed. An old treatment computer, a loose hard drive or a backup with records belongs with it just as much as the paper folders.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR and the client that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Client records to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Counting the 20 years from the first appointment. The period runs from the last change.
- Leaving destruction requests unanswered. A client is entitled to an assessment within three months.
- Forgetting digital data carriers. An old server with records is as sensitive as the paper folder.
- Keeping client and personnel files together. They carry different periods and legal bases.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long must a mental health institution keep a client record?
The WGBO sets a retention period of 20 years, counted from the last change to the record. In some cases you keep it longer where good care practice requires it. The financial administration has its own tax period of seven years.
Can a client ask for the record to be destroyed?
Yes. A client has the right to ask for the record to be destroyed and such requests are honoured in principle within three months. Only where a statutory rule or a compelling interest of another person stands in the way may you refuse.
Are treatment data special-category personal data?
Yes. Data about mental health are special-category personal data and call for extra care. Limit access, keep no longer than necessary and have it destroyed in a way that matches the sensitivity.
How do I destroy client records and data carriers in line with the GDPR?
Confidentially and with a certificate of destruction. Paper records and digital data carriers travel sealed and stay that way until destruction. You record the act in your record of processing as proof.
Conclusion
A mental health institution works with the most sensitive data there is, between a long statutory retention obligation and the GDPR. Keep to the WGBO period of 20 years from the last change, assess clients' destruction requests within three months and treat treatment data as the special-category data it is. Include digital data carriers in every clear-out. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect the people behind the records.
Read also: occupational health services: destroying medical files, home care: destroying client records, allied health: destroying treatment records and the WGBO and the GDPR retention periods cheatsheet.
Have client records collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.