
Record Keeping Requirements for Aesthetic Clinics in the UK

What to record, how long to keep it, and how to pass a CQC inspection. Complete guide to medical record keeping for UK aesthetic clinics, including GDPR compliance and digital vs paper systems.

By Dr. Shane McKeown. Published 18 March 2026


Poor record keeping is the second most common finding in CQC inspections of aesthetic clinics, after infection control deficiencies. It is also the factor most likely to determine the outcome of a negligence claim — if you didn't record it, in legal terms, it didn't happen.

This guide covers exactly what you need to record, how long to keep it, and how to build a system that satisfies CQC, GDPR, professional regulators, and your indemnity insurer simultaneously.

What to Record for Every Patient

Initial Consultation Record

Every new patient must have a comprehensive initial record before any treatment:

| Category | Specific Items |
|----------|----------------|
| Patient identification | Full name, date of birth, address, contact details, emergency contact |
| Medical history | Current medications, allergies (drug and non-drug), medical conditions, previous surgeries, previous aesthetic treatments |
| Contraindications | Pregnancy/breastfeeding status, blood thinners, autoimmune conditions, active skin infections |
| Assessment | Presenting concern, skin type (Fitzpatrick), facial assessment notes, psychological suitability assessment |
| Treatment plan | Proposed treatment(s), expected outcomes, alternatives discussed, risks discussed |
| Consent | Signed consent form with all risks disclosed, cooling-off period documented, capacity assessment if relevant |
| Photography | Standardised before photos (multiple angles) with photo consent form |

Treatment Record (Every Session)

For each treatment session, document:

  • Date and time of treatment
  • Practitioner name and professional registration number
  • Consent confirmation — that consent was re-confirmed on the day
  • Pre-treatment check — any changes to medical history, current medications, pregnancy status
  • Product details: Brand name, batch/lot number, expiry date, dose administered
  • Injection sites: Mark on a facial diagram or use standardised anatomical descriptions. Record depth of injection, technique used, and volumes at each site.
  • Complications or adverse events: Any immediate reactions (bruising, swelling, asymmetry, vascular occlusion signs)
  • Post-treatment advice: What was communicated to the patient (aftercare instructions, warning signs, contact details for emergencies)
  • Follow-up plan: Next appointment date, review plan
  • Photographs: Post-treatment photos under same conditions as pre-treatment

The Batch Number Rule

Recording product batch numbers is not optional. If a product is later subject to an MHRA recall or a patient develops a delayed reaction, batch numbers are the only way to trace which patients received which product. Store batch number stickers from product packaging in the patient record or enter them in your digital system.

Record Retention Periods

UK retention requirements come from multiple sources. Apply the longest applicable period:

| Record Type | Minimum Retention | Source |
|-------------|-------------------|--------|
| Adult medical records | 8 years after last contact | NHS England Records Management Code |
| Records where patient was a child | Until 25th birthday (or 26th if entry made at age 17) | NHS England |
| Records involving cosmetic procedures | 15 years (recommended) | Medical defence organisations |
| Consent forms | Same as medical record | CQC / legal best practice |
| Photographs | Same as medical record | GDPR / CQC |
| Complaint records | 10 years | CQC |
| Adverse event reports | 15 years minimum | MHRA / indemnity insurer requirements |
| Staff records (including training) | 6 years after employment ends | Employment law |
| Financial records | 6 years | HMRC |

Insurer requirements matter: Your professional indemnity insurer may stipulate longer retention periods as a condition of cover. A negligence claim for a cosmetic procedure can be brought years after the treatment (the limitation period runs from when the patient became aware of the damage, not from the treatment date). Keeping records for 15 years provides a defensible position.
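The "apply the longest applicable period" rule above is easy to get wrong by hand, especially for patients who were children at the time of the entry. The following is an added example, not code from the original article or from any clinic system, that encodes the adult, child and cosmetic-procedure rows of the retention table and picks the latest end date. The `RecordMeta` schema (in particular the `age_at_entry` field) and the leap-day handling in `add_years` are assumptions made for the example; the 15-year cosmetic figure is the article's recommended period, not a statutory one.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class RecordMeta:
    """Minimal metadata needed to apply the retention table (constructed schema)."""
    patient_dob: date
    last_contact: date
    age_at_entry: int          # patient's age when the record entry was made
    cosmetic_procedure: bool = True


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anniversary falls back to 28 February (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(meta: RecordMeta) -> tuple[str, date]:
    """Return (rule_name, end_date) for the longest applicable retention rule."""
    candidates = {}
    # Adult medical records: 8 years after last contact.
    candidates["adult_8y"] = add_years(meta.last_contact, 8)
    # Child records: until 25th birthday, or 26th if the entry was made at age 17.
    if meta.age_at_entry < 18:
        birthday = 26 if meta.age_at_entry == 17 else 25
        candidates[f"child_until_{birthday}"] = add_years(meta.patient_dob, birthday)
    # Cosmetic procedures: 15 years (the article's recommended period).
    if meta.cosmetic_procedure:
        candidates["cosmetic_15y"] = add_years(meta.last_contact, 15)
    # Apply the longest applicable period.
    rule, end = max(candidates.items(), key=lambda kv: kv[1])
    return rule, end


def is_due_for_destruction(meta: RecordMeta, today: date) -> bool:
    """True only once the retention end date has passed."""
    return today > retention_end(meta)[1]


if __name__ == "__main__":
    # Constructed sample cases, not real patients.
    adult = RecordMeta(date(1990, 5, 1), date(2024, 6, 10), age_at_entry=34)
    child_17 = RecordMeta(date(2007, 3, 15), date(2024, 6, 10), age_at_entry=17,
                          cosmetic_procedure=False)
    for label, meta in (("adult", adult), ("child at 17", child_17)):
        rule, end = retention_end(meta)
        print(f"{label}: keep until {end.isoformat()} ({rule})")
```

A clinic's retention schedule can then be generated from the same function and reviewed at each quarterly audit, rather than relying on the table alone.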

GDPR Compliance

Aesthetic clinics process "special category data" (health data) under UK GDPR, which requires enhanced protections.

Your Obligations

  1. ICO Registration: Register with the Information Commissioner's Office. The fee is £40 for micro-organisations (fewer than 10 employees and turnover under £632,000) or £60 for small organisations. This is a legal requirement, with a £4,350 maximum fine for failure to register.

  2. Lawful Basis for Processing: For treatment records, the appropriate lawful basis is typically Article 6(1)(f) legitimate interests combined with Article 9(2)(h) provision of healthcare. For marketing communications, you need explicit consent under Article 6(1)(a).

  3. Privacy Notice: Must be provided to patients before or at the time of collecting their data. Include: what data you collect, why, how long you keep it, who you share it with, and their rights.

  4. Record of Processing Activities (ROPA): Document all types of personal data you process, the purpose, lawful basis, retention period, and security measures. Not all organisations are legally required to maintain a ROPA, but the ICO recommends it for all healthcare providers.

  5. Data Protection Impact Assessment (DPIA): Required if you are introducing new technology (e.g., a new clinic management system) that processes health data. In practice, complete a DPIA before switching systems.

  6. Subject Access Requests (SARs): Patients have the right to request all data you hold about them. You must respond within 1 calendar month. Free of charge for the first request.

Data Security

GDPR requires "appropriate technical and organisational measures" to protect personal data:

  • Digital: Encrypted storage, unique user logins (not shared passwords), automatic session timeouts, regular backups to encrypted off-site storage, access controls based on role
  • Paper: Locked filing cabinets in a secure room, restricted key access, clean desk policy, secure disposal (cross-cut shredding or confidential waste service)
  • Devices: Password-protected phones and tablets, encrypted laptops, remote wipe capability for mobile devices, no patient data on personal devices without Mobile Device Management

Data Breach Protocol

If patient data is compromised (lost, stolen, or accessed without authorisation), you must:

  1. Assess the risk to individuals
  2. If high risk: notify the ICO within 72 hours
  3. If very high risk: notify the affected individuals
  4. Document the breach, your assessment, and actions taken

Digital vs Paper Records

Paper Records

Advantages: No technology dependence, no cyber risk, no software subscription costs.

Disadvantages: Legibility issues (the number one reason CQC inspectors flag paper records), vulnerable to fire/flood/theft, difficult to search, bulky storage, harder to demonstrate audit trails, cannot be backed up easily.

Digital Records

Advantages: Legible, searchable, backed up automatically, audit trails built in, accessible from multiple locations, easier to comply with SARs, integrated with booking and consent workflows.

Disadvantages: Subscription costs (£50-300/month), require reliable internet, cyber security responsibility, staff training needed, vendor dependency.

The CQC's View

The CQC does not mandate digital over paper, but their inspection reports consistently highlight paper records for legibility problems, missing entries, and poor organisation. Digital systems with proper access controls and audit trails make it significantly easier to demonstrate compliance.

If you choose digital, ensure the system:

  • Is hosted in the UK or EU (GDPR data residency)
  • Provides time-stamped, tamper-evident audit trails
  • Supports role-based access controls
  • Includes automatic encrypted backup
  • Allows data export (to avoid vendor lock-in)
  • Has a clear data processing agreement

CQC Inspection: What They Check

CQC inspectors assess record keeping under the "Safe" and "Well-Led" key questions. Specific areas they examine:

"Safe" Domain

  • Are patient records complete and accurate?
  • Do records include all required elements (consent, medical history, treatment details, product batch numbers)?
  • Are records kept securely (locked cabinets for paper, password protection for digital)?
  • Are adverse events documented and reported?
  • Can you demonstrate a clear trail from consultation to consent to treatment to follow-up?

"Well-Led" Domain

  • Is there a records management policy?
  • Are staff trained on record-keeping requirements?
  • Is there a regular audit of record quality?
  • Are records stored in accordance with retention schedules?
  • Is there a process for handling Subject Access Requests?

Common Inspection Findings

Based on published CQC reports for aesthetic clinics:

  1. Missing batch numbers — the most frequent specific finding
  2. Incomplete consent documentation — consent forms without specific risks listed or missing signatures
  3. No photographic records — or photos taken under inconsistent conditions
  4. Missing allergy documentation — allergies not prominently recorded or checked
  5. No audit trail — inability to show who wrote what and when, particularly in paper records
  6. Poor medicine records — gaps in the controlled drug register or fridge temperature logs

Building Your Record-Keeping System

Minimum Viable System

If you are starting out, your system needs:

  1. Patient registration form — captures demographics and medical history
  2. Consent form — procedure-specific, listing all material risks
  3. Treatment record template — standardised format including all required fields
  4. Facial mapping diagram — for marking injection sites
  5. Photography SOP — standardised conditions, equipment, and naming convention
  6. Adverse event form — structured template for documenting and escalating
  7. Retention schedule — documented policy for how long each record type is kept
  8. Data breach procedure — step-by-step response plan

Audit Your Records Quarterly

Run a quarterly audit on a random sample of 10-20 records:

  • Is every required field completed?
  • Are batch numbers recorded for every product administered?
  • Is there a signed consent form for every treatment?
  • Are before-and-after photos present and standardised?
  • Are follow-up notes documented?
  • Are any entries illegible (paper records)?

Document the audit findings and any corrective actions. CQC inspectors specifically ask to see evidence of internal quality audits.
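The per-session treatment record fields listed earlier and the quarterly audit questions above can be turned into a repeatable check. The following is an added example, not code from the original article or from any clinic management product: it takes a random sample of records, checks each one for the required fields, a batch number on every product, a signed treatment-specific consent form, matching before/after photo conditions and non-generic aftercare wording, and summarises findings by category for the audit file. The field names, the sample records and the practitioner and batch values are constructed for the example and do not correspond to any real system or product.

```python
import random

# Fields every session record must contain (constructed schema for this example).
REQUIRED_FIELDS = [
    "date_time", "practitioner", "registration_number", "consent_reconfirmed",
    "pre_treatment_check", "products", "injection_sites", "adverse_events",
    "aftercare_advice", "follow_up", "photos", "consent_form",
]
PRODUCT_FIELDS = ["brand", "batch_number", "expiry", "dose"]
# Wording that records nothing useful; the specific advice must be written down.
GENERIC_AFTERCARE = {"aftercare advice given", "aftercare given"}


def _blank(value) -> bool:
    return value is None or value == "" or value == [] or value == {}


def audit_record(rec: dict) -> list[str]:
    """Return 'category: detail' findings for one treatment record."""
    findings = []
    for field in REQUIRED_FIELDS:
        if _blank(rec.get(field)):
            findings.append(f"missing field: {field}")
    # Batch number rule: every product administered needs brand, lot, expiry and dose.
    for i, product in enumerate(rec.get("products") or [], start=1):
        for pf in PRODUCT_FIELDS:
            if _blank(product.get(pf)):
                findings.append(f"product: item {i} missing {pf}")
    consent = rec.get("consent_form") or {}
    if consent:
        if not consent.get("signed"):
            findings.append("consent: form not signed")
        if not consent.get("risks_listed"):
            findings.append("consent: specific risks not itemised")
    photos = rec.get("photos") or {}
    if photos:
        before, after = photos.get("before"), photos.get("after")
        if not (before and after):
            findings.append("photos: before/after set incomplete")
        elif before.get("conditions") != after.get("conditions"):
            findings.append("photos: before/after conditions differ")
    advice = (rec.get("aftercare_advice") or "").strip().lower()
    if advice in GENERIC_AFTERCARE:
        findings.append("aftercare: generic statement, specific advice not recorded")
    if rec.get("media") == "paper" and rec.get("illegible_entries", 0) > 0:
        findings.append(f"legibility: {rec['illegible_entries']} illegible entries")
    return findings


def audit_sample(records: list[dict], sample_size: int = 10, seed=None) -> dict:
    """Audit a random sample; pass a seed to make the selection reproducible."""
    rng = random.Random(seed)
    sample = rng.sample(records, min(sample_size, len(records)))
    return {r["record_id"]: audit_record(r) for r in sample}


def summarise(report: dict) -> dict:
    """Count findings per category across the sampled records."""
    counts = {}
    for findings in report.values():
        for f in findings:
            category = f.split(":", 1)[0]
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample records (no real patients, practitioners or products).
COMPLETE = {
    "record_id": "R-001", "media": "digital", "date_time": "2026-03-02T10:30",
    "practitioner": "Practitioner A (constructed)", "registration_number": "EXAMPLE-REG-0001",
    "consent_reconfirmed": True, "pre_treatment_check": "No change to history; not pregnant",
    "products": [{"brand": "ExampleFiller", "batch_number": "EX-LOT-123",
                  "expiry": "2027-01", "dose": "1.0 ml"}],
    "injection_sites": "Diagram: nasolabial folds, 0.5 ml each side, subdermal, cannula",
    "adverse_events": "None observed",
    "aftercare_advice": "Avoid exercise 24h, alcohol 48h; contact clinic if vision changes or blanching",
    "follow_up": "Review in 2 weeks",
    "photos": {"before": {"conditions": "lighting-A"}, "after": {"conditions": "lighting-A"}},
    "consent_form": {"signed": True, "risks_listed": True},
}
DEFICIENT = dict(COMPLETE, record_id="R-002", follow_up="",
                 products=[{"brand": "ExampleFiller", "batch_number": "", "expiry": "2027-01", "dose": "1.0 ml"}],
                 aftercare_advice="Aftercare advice given",
                 photos={"before": {"conditions": "lighting-A"}, "after": {"conditions": "phone-flash"}},
                 consent_form={"signed": True, "risks_listed": False})
SAMPLE_RECORDS = [COMPLETE, DEFICIENT]

if __name__ == "__main__":
    report = audit_sample(SAMPLE_RECORDS, sample_size=2, seed=1)
    for record_id, findings in report.items():
        print(record_id, findings or "no findings")
    print("summary:", summarise(report))
```

The summary dictionary is the part worth keeping with the quarterly audit file, alongside the corrective actions taken; the per-record findings tell you which entries to fix.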

Common Mistakes to Avoid

  1. Relying on memory instead of contemporaneous notes — Record at the time of treatment or immediately after. Notes written days later are both clinically unreliable and legally weak.
  2. Generic consent forms — A one-size-fits-all consent form listing every possible treatment does not constitute informed consent for a specific procedure. Use treatment-specific consent forms.
  3. Not recording what advice was given — "Aftercare advice given" is insufficient. Record the specific advice: "Advised to avoid exercise for 24 hours, avoid alcohol for 48 hours, apply arnica, and contact clinic immediately if experiencing vision changes or blanching."
  4. Sharing login credentials — Every user must have a unique login. Shared credentials destroy audit trails and violate GDPR.
  5. No backup strategy — If your laptop is stolen or your system fails, can you recover patient records? Automatic daily backup to encrypted cloud storage is the minimum.
  6. Keeping records indefinitely without policy — GDPR requires you to not keep data longer than necessary. Have a documented retention policy and destroy records securely when the retention period expires.

Record Keeping Checklist

  • [ ] Patient registration form captures all required demographics and medical history
  • [ ] Treatment-specific consent forms in use
  • [ ] Treatment record template includes all required fields
  • [ ] Batch number recording system in place (stickers or digital entry)
  • [ ] Standardised photography protocol with consent
  • [ ] Adverse event documentation and escalation procedure
  • [ ] Retention schedule documented and followed
  • [ ] ICO registration current
  • [ ] Privacy notice provided to all patients
  • [ ] Data security measures in place (encryption, access controls, backup)
  • [ ] Staff trained on record-keeping and GDPR requirements
  • [ ] Quarterly record audit scheduled
  • [ ] Subject Access Request procedure documented

For broader regulatory requirements, see our CQC registration guide and advertising rules guide.


Written by Dr. Shane McKeown, former NHS doctor and founder of Aestheticc. Last reviewed March 2026. This guide provides general information about record-keeping requirements for UK aesthetic clinics. Data protection law is complex — consult the ICO's guidance and a GDPR specialist for specific compliance questions. This is not legal advice.

