Retention Policy

Retention Policy

  1. Introduction

MK Medicals (“we”, “us”, “our”) is committed to processing personal data in accordance with UK data protection laws. This Retention Policy outlines how long we retain different types of data collected during the distribution of nicotine replacement products on behalf of councils, wellness centres, charities, universities and the NHS and describes the procedures for secure disposal when the data is no longer needed.

  1. Scope

This policy applies to all personal data and records—including electronic and paper formats—that we collect, process and store in the course of our business operations. 

This includes, but is not limited to:

  • Patient Data: Personal and contact details, and any information related to the patient’s smoking cessation program.
  • Order and Transaction Records: Details regarding orders for nicotine replacement products.
  • Communications and Correspondence: Emails, phone call records, and other interactions related to the service.
  • Administrative and Contractual Records: Documentation related to our agreements with councils, wellness centres, charities, universities, the NHS and other third parties.
  1. Data Retention Schedule

Data will be retained only for as long as necessary. The following retention periods are applied unless a longer period is required by specific contractual, legal, or regulatory obligations:

Patient Data:

  • Retained for 8 years from the date of the last patient interaction or transaction related to the distribution service.

Order and Transaction Records:

  • Retained for 8 years from the date of order completion.
  • This period allows for resolution of any post-transaction queries, complaints, or audits.

Communications and Correspondence:

  • Retained for 8 years following the date of the last communication, unless the information is directly related to a patient record or order, in which case the retention period for that category applies.

Administrative and Contractual Records:

  • Retained for 8 years after the termination of the contract or business relationship, to satisfy any post-contractual obligations or audits.
  1. Data Disposal and Destruction

Once the applicable retention period has expired, the data will be securely disposed of, ensuring that it can no longer be attributed to an individual. 

Methods include:

  • Electronic Data: Secure deletion or overwriting following industry best practices.
  • Paper Records: Cross-cut shredding and using a secure disposal service.
  • Any exceptions or legal holds (e.g., ongoing investigations) will be clearly documented and will suspend the routine destruction process until resolved.
  1. Roles and Responsibilities

Data Protection Officer (DPO):

  • Responsible for overseeing adherence to this policy.
  • Ensures regular reviews and updates of retention periods and disposal methods.
  • Employees and Contractors:
  • Must comply with this policy when handling personal data.
  • Report any issues or uncertainties regarding data retention to the DPO.

Employees and Contractors:

  • Must comply with this policy when handling personal data.
  • Report any issues or uncertainties regarding data retention to the DPO.
  1. Policy Review

This Retention Policy will be reviewed annually or whenever there is a significant change in legislation or business practices. Any updates or amendments will be documented, and relevant staff will be informed accordingly.

  1. Contact Information

For questions regarding this policy or requests for further details on our data retention practices, please contact:

Data Protection Officer (DPO): 

Mohamed Khalil

MK Medicals (UK) Ltd. 

Unit 9, Capital Industrial Estate

Crabtree Manorway South

Belvedere

DA17 6BJ

T: 0208 126 3333

E: mohamed@mkmedicalsuk.com