Aesthetic practitioners in the UK must maintain accurate, contemporaneous clinical records for every treatment. UK GDPR, the NMC Code, and JCCP standards each impose distinct obligations: what to record, how long to keep it, and how to store it. The minimum retention period for most health records is eight years from the last entry.
This is not an area where good intentions substitute for good systems. Records exist to protect patients, to demonstrate the quality of clinical decision-making, and to provide evidence in the event of a complaint or legal claim. When those systems are weak, the records that should protect a practitioner instead expose them.
What good clinical records in aesthetic practice must contain
The starting point is the NMC Code, which applies to all registered nurses, midwives, and nursing associates practising in any setting. Under "Practise effectively," registrants are required to keep "clear and accurate records relevant to your practice," completed "as soon as possible after an event has occurred." That phrase carries legal weight.
For aesthetic practice, a complete treatment record typically includes:
- Patient identification and contact details, including date of birth
- Medical history, current medications, and known allergies, updated at each visit
- Presenting concerns and the patient's stated reasons for seeking treatment
- Clinical assessment findings and any contraindications noted
- Photographs, taken pre-treatment with explicit, separately documented consent covering storage, retrieval, and any future clinical use
- Psychological screening, including any screening for Body Dysmorphic Disorder or significant anxiety, with documented reasoning if treatment proceeds despite concerns
- Consent process documentation: a record showing that risks were discussed, questions were answered, and the patient had time to decide
- Details of the procedure itself: the product, device, lot number, concentration, and dose (where applicable)
- Any immediate response and post-procedure instructions given
- Adverse events or complications, however minor, with a record of management and any referral or escalation decisions
- Follow-up arrangements
The JCCP and CPSA Code of Practice treats record-keeping not as administrative overhead but as a clinical competency. Pre-procedure photographs, psychological screening, cooling-off period documentation, and complication records are all part of what the Code defines as good practice for cosmetic practitioners.
Records that are vague, incomplete, or written retrospectively leave practitioners exposed to complaints, fitness-to-practise proceedings, and civil claims. They also make safe continuity of care difficult if a patient presents to a different clinician.
Retention periods: how long to keep treatment records
The minimum retention period that most aesthetic practices work to is eight years from the date of the last entry. This aligns with NHS Records Management guidance and the BMA's published advice on health record retention. It reflects the litigation risk window: under the Limitation Act 1980, a claimant in clinical negligence has three years from the date of knowledge of harm to bring a claim. That clock may not start until years after the procedure.
A patient who develops a long-term complication from a procedure carried out in 2024 may bring a claim in 2030 or 2031. If the records have been destroyed, the practitioner has no evidential basis for a defence.
For records created when the patient was a minor, the standard is to retain them until the patient turns 25, or for eight years from the last entry, whichever is later. The prohibition on cosmetic procedures for under-18s narrows this scenario significantly, but it remains relevant for treatments with a legitimate therapeutic indication in younger patients.
These retention periods apply to the full record: consultation notes, consent forms, photographs, correspondence, and any clinical photographs used in governance reviews. Payment records may have different retention requirements under HMRC guidance, typically six years from the end of the relevant tax year.
UK GDPR and data protection in aesthetic practices
Aesthetic practices process special-category data. Health information carries heightened obligations under UK GDPR and the Data Protection Act 2018. Every aesthetic practitioner who holds client records is a data controller and is required, in most circumstances, to register with the Information Commissioner's Office (ICO). For most small practices, the registration fee is £40 per year.
Beyond registration, the key UK GDPR obligations for practices handling health records are:
Lawful basis. For treatment records, the lawful basis is typically contract (you need the data to deliver the service) and legal obligation (professional standards require it). The special-category basis is "health or social care purposes" under Article 9(2)(h) of UK GDPR. This basis should be documented in your records management policy, not decided on the spot when a query arrives.
Data minimisation. Record what you need for the clinical purpose. Records should not include speculative notes on matters unrelated to the treatment being delivered.
Security. Records must be protected against unauthorised access, loss, and destruction. For electronic records, this means encryption at rest and in transit, access controls, and regular tested backups. For paper records, locked storage. Practices using cloud-based practice management software should review their vendor's data processing agreement to confirm that data remains within the UK or an adequate jurisdiction.
Retention limits. The ICO's storage limitation principle requires that personal data is not kept for longer than necessary. Indefinite retention of client records is a UK GDPR breach. Practices must set defined retention periods, document the legal basis for those periods, and have a scheduled deletion or anonymisation process in place.
Subject access requests. Patients have the right to request copies of all personal data held about them. The response window is one calendar month, and no charge may be applied in most cases. Practices should have a procedure for handling these requests before one arrives.
The most common complaints the ICO investigates about aesthetic clinics involve records: lost notes, refusal to provide access, or the discovery that information was shared without consent. A clear, documented records management policy addresses all three risks.
The NMC Code on documentation for nurse practitioners
For nurses working in aesthetics, whether in NHS settings or independent clinics, the NMC Code is the overarching professional framework. It applies regardless of setting, employer, or commercial arrangement.
On documentation, the Code is direct. Registrants must:
- Keep "clear and accurate records relevant to your practice"
- Complete records "as soon as possible after an event has occurred"
- Attribute every entry to themselves
- Never tamper with, or allow the tampering of, original records
The attribution requirement matters in aesthetics, where a consultation may be conducted by a nurse while prescribing is carried out by an independent prescriber. Each clinician must enter their own record of their own clinical decisions. A single undifferentiated treatment note written by one person but covering the clinical decisions of several is non-compliant under the Code.
The NMC's position intersects with the MHRA's remote prescribing ban. Where botulinum toxin or other prescription-only medicines are administered, the records must show that the prescribing clinician conducted a direct face-to-face or appropriate video assessment before the prescription was issued, and that their own assessment is documented separately from the administering clinician's notes. A record that shows only the treatment administered, without documenting the prescribing assessment, is both an NMC record-keeping failure and a potential medicines regulation issue.
The NMC's fitness-to-practise cases include a recurring pattern: nurses who administered treatments they could not demonstrate had been appropriately prescribed, in part because the records did not show what had been assessed and by whom.
JCCP standards: record-keeping as a clinical competency
The JCCP and CPSA Code of Practice frames record-keeping as a clinical standard, not an administrative one. Registrants are expected to maintain records that demonstrate safe, evidence-based, and consent-led practice.
Several requirements in the Code are worth examining in detail:
Photographic documentation. Pre-treatment photographs are required for most procedures, with explicit consent that covers storage, retrieval, and potential future use in clinical governance, audit, or teaching. The consent for photographs should be documented separately from the consent for treatment. A photograph taken without that documented consent, even if the treatment consent form has a checkbox, does not meet the standard.
Psychological and emotional screening. For procedures with higher aesthetic or psychological risk, the Code requires evidence of screening for Body Dysmorphic Disorder, significant anxiety, and other presentations that would affect the appropriateness of treatment. If a practitioner proceeds despite concerns, the clinical reasoning must appear in the record. If treatment is deferred or declined, the record should show that decision and any referral made.
Cooling-off period. The duration of the cooling-off period offered, and whether the patient chose to use it, should be documented. A patient who returns after a week of reflection presents a different risk profile from one who waives the cooling-off period at their first appointment. Neither decision is inherently wrong. Both should be in the record.
Complication records. Any adverse event, however minor in clinical terms, requires a contemporaneous entry. Where complications require escalation to a prescriber, an emergency department, or a clinical lead, the record must show what was done, at what time, and who was notified.
As the licensing scheme for cosmetic procedures in England develops and begins to set formal compliance expectations, record quality will be one of the audit trails used to demonstrate that a practice is operating within its licensed scope. The regulation overview at /regulation sets out where the licensing scheme currently stands across the various regulatory bodies involved.
Building a record-keeping system that holds up to scrutiny
Record-keeping failures in aesthetics tend to follow recognisable patterns. The most common are:
Incomplete consent documentation. Consent forms that list generic risks without evidence that the specific risks were discussed with this patient, at this appointment. A signed form alone does not demonstrate a consent process.
Retrospective entries. Notes written hours or days after treatment, without a timestamp showing when they were made. In a complaint or legal claim, the timing of records can be as significant as their content. Electronic records create automatic timestamps that are discoverable; paper records should always carry the time as well as the date.
Fragmented storage. Some records on paper, some in practice management software, some in email threads, photographs on personal devices. When a complaint arrives, a practitioner cannot quickly assemble the full picture.
No retention schedule. Records are kept indefinitely (a data protection breach) or deleted as storage fills up (a litigation risk). Both extremes are avoidable with a written policy.
Undifferentiated entries in shared systems. In clinics with multiple practitioners sharing a record system, entries are not attributed to the individual clinician responsible for each decision.
The practical fix is a written clinical records policy, reviewed at least annually, that covers: what to record and when, where records are stored, who has access, the retention period for each category, and the deletion or destruction process. This document is part of the clinical governance framework that both the JCCP and the incoming licensing scheme will expect to see in an organised practice.
Records are not a bureaucratic obligation. They are the contemporaneous account of what happened in the consultation room. They protect patients. They demonstrate clinical thinking. And they are the first thing a regulatory body, a solicitor, or an insurer asks for when something goes wrong.
From Regulation to Reputation™ covers record-keeping, consent, scope of practice, and the full regulatory framework in depth. The programme was built on Bernadette's book, Regulation to Reputation: mastering successful aesthetic practice. From Regulation to Reputation is £200 off until 20 July, £299 instead of £499, with code REG299. If you want a first look at the regulatory landscape before committing, the free two-day RAG mini-course covers the framework from the start.
FAQ
Do aesthetic practitioners have to register with the ICO?
Yes, in most cases. Any aesthetic practice that holds client data, including consultation notes, consent forms, treatment records, and photographs, is a data controller under UK GDPR. Data controllers must register with the ICO unless a specific exemption applies. Most small aesthetic businesses do not qualify for exemption. The annual registration fee for most sole practitioners and small practices is £40.
How long should aesthetic treatment records be kept?
The standard most aesthetic practices follow is eight years from the date of the last entry, in line with NHS Records Management guidance and BMA advice on health record retention. For patients treated as minors, records should be kept until they turn 25, or for eight years from the last entry, whichever is later. The chosen retention period and the legal basis for it should be documented in a written records management policy.
What does the NMC Code require from nurses on record keeping?
The NMC Code requires registered nurses, midwives, and nursing associates to keep clear, accurate, and contemporaneous records, attributed to themselves and completed without unnecessary delay. In aesthetic practice, this means each clinician documents their own assessments and decisions separately, even where multiple clinicians are involved in a single treatment pathway. The Code applies in private practice as it does in NHS settings.
Is photographic documentation required for aesthetic treatments?
The JCCP and CPSA Code of Practice treats pre-treatment photography as a clinical standard for cosmetic procedures. Photographs must be taken with explicit consent that covers storage, retrieval, and any potential future use. While statutory requirements vary by procedure type, photographic records are strong evidential protection in a dispute and are expected under JCCP registration standards.
What happens if a patient submits a subject access request?
Under UK GDPR, practitioners must respond within one calendar month, providing copies of all personal data held, including treatment records, photographs, consent forms, and correspondence. A charge may only be applied where requests are manifestly unfounded or excessive. Practices should have a process ready before the first request arrives. The ICO publishes template guidance for data controllers.
Will the UK licensing scheme change record-keeping requirements?
The licensing scheme for cosmetic procedures in England sets out compliance expectations across safety, training, consent, and clinical governance. Documentation standards, covering what is recorded before, during, and after a procedure, form part of the governance framework licensed practitioners must demonstrate. The scheme is being rolled out progressively; the regulation page covers the current state of implementation.
