Health Data Retention: Towards New Rules

2025-09-24T10:27:00
Portugal
Order establishes a working group to clarify retention periods and reduce non-compliance risks in the healthcare sector

The way in which the healthcare sector manages patients’ personal data remains one of the most complex and sensitive issues in Portugal. In a context of significant digitalisation and pressure to strengthen privacy protection, the absence of clear and uniform retention periods for health data has led to legal uncertainty, increased costs, and heightened risks of non-compliance.

Order No. 10918/2025, of 16 September (“Order”), which establishes a working group dedicated to this matter, thus represents a necessary – albeit belated – response to a legislative gap that has long undermined the responsible management of health data in both the public and private sectors.

The current problem: uncertainty and risks

Despite the regulatory efforts of recent years, legislation continues to leave data controllers with the difficult task of determining appropriate retention periods. In practice, this results in three main challenges:

  • Fragmented and uncertain criteria – private sector entities lack uniform guidance and, out of fear of non-compliance, often end up adopting overly conservative solutions.
  • Misalignment with the digital reality – many retention periods are inherited from frameworks designed for physical archiving and do not address the needs of current information systems.
  • Risks of breaching the General Data Protection Regulation (“GDPR”) – retaining data beyond what is necessary contravenes the storage limitation principle (Article 5(1)(e) of the GDPR), increasing exposure to unauthorised access and security breaches.

Consequently, healthcare institutions – particularly those in the private sector – operate in a state of uncertainty that benefits neither the protection of patients nor operational efficiency.

The Order thus emerges as an initial response to the lack of clear and uniform criteria for the retention of health data within the information systems of primary and hospital healthcare services, promoting the establishment of a working group dedicated to defining these retention periods.

What is the purpose of the working group?

The working group, composed of representatives from various sector entities, will be tasked with defining clear and well-founded retention periods for health data stored in the information systems of SPMS – Shared Services of the Ministry of Health (“SPMS - Serviços Partilhados do Ministério da Saúde”) and used in both primary and hospital healthcare services.

Among the expected outcomes are:

  • Identification of differentiated retention periods for clinical, administrative, genetic, and other types of information;
  • Proposals for secure deletion procedures once the retention period has elapsed;
  • Recommendations for updating information systems, including appropriate technical and organisational measures;
  • Suggestions for training healthcare and administrative professionals, strengthening the culture of data protection.

The Order takes effect as of 17.09.2025, and the working group’s initial mandate is for 12 months, extendable by up to 6 months. It provides for the submission of reports that may serve as a national reference and, potentially, as a basis for public consultation.

Expected impact on the healthcare sector

If the objectives are achieved, the effects could be highly positive:

  • Greater legal certainty for healthcare providers;
  • Reduction of legal and reputational risks through the elimination of excessive data retention practices;
  • Increased trust among patients, who will see greater transparency in the way their data is processed;
  • Enhanced efficiency in the management of digital systems by avoiding unnecessary data accumulation.

Nevertheless, success will depend on the ability to balance the protection of data subjects’ rights with the practical requirements of healthcare provision and the technological realities of the sector. To this end, the support of healthcare institutions, which already have significant experience in this area, will be essential.

Conclusion

The creation of this working group represents a decisive step towards addressing one of the most significant gaps in national legislation concerning the protection of health data.

Sector entities should, however, view this moment as an opportunity: to assess their internal data retention policies now and to prepare their systems for adaptation to future guidelines.

 
