Data retention poses a lurking threat in healthcare
Across the globe, healthcare systems are storing patient data for 7-30 years. Sounds responsible? Not really. Over 90% of that data is never reused in clinical care. The "keep everything just in case" mentality is silently inflating storage costs, widening the cyberattack surface, and exposing systems to avoidable legal risk.
New data protection laws like the EU's GDPR and India's DPDP Act enforce a principle the industry has long ignored: store data only as long as necessary. The smartest systems aren't just defending data; they're shrinking what needs to be defended.
Over-retention is the norm, and it's risky
Over half of the countries researched mandate retention beyond a decade: France and Brazil require 20 years and Estonia up to 30, while India and the US are legally ambiguous. Legacy records often have no current clinical value but remain sensitive and breach-prone, increasing risk exposure without delivering better care or ROI.
Legal mandates are misaligned with practice
GDPR and DPDP emphasize purpose-bound storage: delete data when it is no longer needed. In the US, retention laws are a patchwork (typically 6-11 years). India's ABDM allows long-term digital access, but DPDP now mandates deletion post-usage. Despite these frameworks, most providers haven't implemented real deletion workflows.
Estonia sets the gold standard
Estonia's federated architecture has no central health data repository; all access is based on patient consent and purpose; only relevant, time-sensitive data is retrievable. This minimizes storage, maximizes security and puts the patient in control, a template for responsible, patient-centric data governance. India's ABDM, by contrast, enables long-term access but doesn't mandate deletion, risking the same over-retention trap in digital format.
What leaders should do now
Align legal, IT and clinical teams
Create joint ownership of data lifecycle decisions; stop treating retention as a technical or legal silo.
Define risk-tiered retention policies
Not all data is equal: some should stay longer for legal or research purposes; most shouldn't.
Embrace purpose-bound, federated models
Avoid centralized hoards; move toward consent-based access like Estonia's.
Automate deletion workflows
Make "delete when done" a standard operating procedure, not a manual exception.
The best cybersecurity you can buy isn't more tech; it's storing less. Don't defend everything forever. Store light. Cut risk.