Privacy Statement


Pinewood Neuro Physio (we/us/our) are committed to ensuring the safety and security of your personal information, which may be shared and used in the delivery of our services to you.


In line with our requirements under UK GDPR, this Privacy Statement tells you about the kinds of information we collect, store and process to provide our services, and how and why we do this.  It also sets out your rights in relation to data protection.  By using our services, you accept the processing of your personal data in accordance with this Privacy Statement.  This statement is reviewed annually, with updates made as required.  You will be notified of any changes by email, and our most recent statement can be found on our website www.pinewoodneurophysio.co.uk.


Who are we?

Name:  Pinewood Neuro Physio

Main contact:  Sarah Macdonald (Lead Physiotherapist)

Telephone:  07759 406 526

Email:  info@pinewoodneurophysio.co.uk

ICO registration:  ZB539554


What information we collect, use, and why

We collect or use the following personal information to provide physiotherapy services:

  • Name, address and contact details
  • Gender
  • Pronoun preferences
  • Date of birth
  • NHS number
  • Registered GP practice and their contact details
  • Key safe details (where applicable and only with explicit consent)
  • Next of Kin details including any support networks
  • Emergency contact details
  • Names of other professionals/services involved in your care
  • Photographs and video (only with prior explicit consent)
  • Health information (including medical conditions, allergies, medical history, physiotherapy assessment and treatment notes)
  • Information about your care needs (including disabilities, home conditions, medication and general care provisions)
  • Test results (including scans, bloods, x-rays and other medical investigations)
  • Records of meetings and decisions
  • Records of communications between us (e.g phone calls, text messages, emails)

We collect the following special category information to provide physiotherapy services:

  • Racial or ethnic origin
  • Health information


Where we may receive personal information from:

  • Directly from you
  • Family members or carers (where a family member or carer provides information, they must ensure they are legally entitled to do so, i.e. they either have your consent, or they have a legal authority such as Lasting Power of Attorney for Health & Welfare, or Court of Protection Deputy)
  • Other health and care providers (e.g. your GP, Consultant etc.)
  • Social services

Who we share information with:

Our data processor is WriteUpp.  WriteUpp provides secure, encrypted cloud storage and Practice Management software.  See “Storing your information” for further information.  As the Lead Physiotherapist for Pinewood Neuro Physio, Sarah Macdonald has access to the information we store.  If your input is provided by an Associate Physiotherapist, they would also have access to the information we store.  Pinewood Neuro Physio staff/associates regularly complete Data Security training.


Others we may share information with include:

  • Other health and care providers
  • Organisations we need to share information with for safeguarding reasons
  • Emergency services
  • Professional advisors
  • Legal bodies or authorities (e.g. in the event of legal proceedings, or criminal investigation)
  • Local authorities or councils
  • Organisations we’re legally obliged to share personal information with
  • Professional Consultants
  • Only with your separate, explicit consent, we may share photos or videos publicly on our website, social media or other marketing and information media for the purpose of advertising

When sharing information by email, messages are sent securely and encrypted via either Egress or Proton Mail.  Sensitive information, e.g. your physiotherapy summary letter, will be sent to you by email from WriteUpp, with a separate access code required to open it.

We will never share your information with anyone without a legitimate reason to do so.


When we may receive or share personal information:

  • During an enquiry from you, or someone acting on your behalf (they must ensure they are legally entitled to do so)
  • During the assessment and treatment process
  • At the end of our input, for example with a discharge letter

 

Duty of confidentiality

We are subject to a duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:

  • you’ve provided us with your consent (we have taken it as implied where you seek healthcare provision, or you have given it explicitly for other uses)
  • we have a legal requirement (including court orders) to collect, share or use the data
  • the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime)
  • to action safeguarding for you, or another person if indicated
  • in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied

 

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information.  You have several rights regarding your personal data, including the right to access, rectification, erasure, restriction of processing, portability and the right to withdraw consent. Which lawful basis we rely on may affect your data protection rights, for example, the right to erasure may not apply when the data is necessary for legal obligations or medical records. You can find out more about lawful bases, your data protection rights and the exemptions which may apply on the Information Commissioner’s Office website www.ico.org.uk.


If you make a request relating to your data protection rights, we must respond to you within one month.  To make a request, please contact us using the details at the top of this privacy notice.


Our lawful bases for the collection and use of your data

We process personal data under UK GDPR’s lawful bases, including consent (where required), contract (to provide our services), legal obligations (such as record-keeping), and legitimate interests (business efficiency and service improvement). Below are specific examples:


1. Consent (6(1)(a)) Processing occurs only with the client’s explicit consent.  Where we rely on consent, you can withdraw it at any time by contacting us. This does not affect processing carried out before the withdrawal of consent.

  • When handling enquiries, to assess the suitability of our service and to provide service information we may process name, contact details, and health information.  The Special Category Condition for this processing is Healthcare Provision (9(2)(h)).
  • To manage safety & security we process Next of Kin/emergency contact name, relationship, contact details and Key Safe details with your explicit consent.
  • To monitor the response to treatment, we may process photographs/videos of your posture and movement.  Separate explicit consent will be sought.  The Special Category Condition for this processing is Healthcare Provision (9(2)(h)).
  • For service promotion (via website, social media, advertising materials etc.) we may process photographs/videos and health information.  Separate explicit consent will be sought for this use, and you can refuse without this affecting your treatment. The Special Category Condition for this processing is Explicit Consent (9(2)(a)).

If a client lacks the capacity to consent, we may obtain consent from a legally authorised representative (such as a Lasting Power of Attorney for Health and Welfare, a court-appointed deputy, or a legal guardian). If no such representative exists, processing may proceed under a different lawful basis where necessary for healthcare provision.


2. Contract Performance (6(1)(b)) Processing is necessary to deliver physiotherapy services.

  • For the provision of Physiotherapy triage, assessment, treatment, we process personal details & health information.  The Special Category Condition for this processing is Healthcare Provision (9(2)(h)).
  • For appointment scheduling, reminders by email and invoicing for our services we process your name and contact details.  You can opt out of email appointment reminders by contacting us.

3. Legal Obligation (6(1)(c)) Processing is required by law and professional regulations.

  • To maintain client records we process personal details & health information, correspondence, treatment notes.  The Special Category Condition for this processing is Healthcare Provision (9(2)(h)).
  • To complete audits for regulatory compliance & quality assurance we process anonymised/pseudonymised data.  The Special Category Condition for this processing is Healthcare Provision (9(2)(h)).

4. Legitimate Interests (6(1)(f)) Processing supports service improvement.

  • To complete Client Feedback Surveys, we process personal details and health information.  You can opt out of receiving surveys at any time by contacting us. The Special Category Condition for this processing is Healthcare Provision (9(2)(h)).

  

Storing your information

Your information is stored electronically and securely with the ISO 27001 certified practice management software provider WriteUpp, with whom we have a Data Processing Agreement.  They provide cloud-based storage for healthcare providers, with their data centres located within the European Union.  Data is encrypted and transfer processes are compliant with UK GDPR.  Passwords to access WriteUpp are held securely and are not shared.


Data Processor name: WriteUpp

Category of recipient: Cloud Storage Provider and Practice Management Software

Country the personal information is sent to: Ireland, EU.

How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)


Your name and telephone number are stored securely on a password protected mobile phone.


How long we keep information

As a registered Health Care Professional, we are obliged to store your health care record for a minimum of 8 years from your last contact with our service. In the event of a complaint or legal proceedings, the record will be kept until the complaint/case is resolved, or until 8 years after your last contact with us, whichever is longer.  This is in line with the Records Management Code of Practice 2021. Following this retention period, your records will be securely destroyed.

Key safe information will be deleted at the end of the active treatment episode.


Your contact details will be deleted from our mobile phone when your active episode of care has closed.


Where an enquiry does not proceed to provision of input from us, and there is no contractual agreement between us, we will retain your information (name, email address, details of the enquiry) securely for a period of 12 months after your enquiry, in case you contact us again.  After this time the information will be securely destroyed.


How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.


If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint




Version: 2025v1

Last updated: Feb 2025

This Privacy Statement will be reviewed annually.  If we make any significant changes to the ways in which we process personal information, we will make the required changes to this statement and notify you by email.  Please see our website for our most up to date statement.