BG PHYSIO Data Protection Policy

BG PHYSIO - Barns Green Physiotherapy Clinic – Health and Sports
55 The Hordens, Barns Green, Horsham, West Sussex. RH13 0PH.


General statement of the Company’s Duties and Scope

BG PHYSIO is a private physiotherapy company. We collect and process personal data as part of our operation and take all reasonable steps to do so in accordance with our policies. This policy has been written to ensure that we comply with the relevant provisions of the Data Protection Act 1998, the Freedom of Information Act 2000 and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679). It has been written with reference to the information provided by the Information Commissioner’s Office (ICO).

Data Protection

BG PHYSIO is registered with the Information Commissioners Office (ICO) and will act as the Data Controller determining the purposes and means of handling personal data for Physiotherapy patients at the practice. The Practice Manager has been given the role Data Protection Officer and has overall responsibility for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

The Principles of GDPR

We shall ensure that your information will be:

Data Controller and Physiotherapy Patients

The Company is the Data Controller responsible for information in respect of physiotherapy patients and personnel. Clinical staff and will process data in association with their role are responsible for following their relevant professional and legal obligations. Whilst data processors have legal responsibility for their actions the Controller has an obligation to ensure that they comply with GDPR. All data processors are bound by their contractual obligations regarding client and patient confidentiality.

Clinical Associates

All personal information belonging to patients and clients seen by Clinical Associates (other than Physiotherapists) will be the responsibility of the individual clinician. They will assume the role of Data controller for their own records and The Company will process data on their behalf solely for the purposes of booking appointments and day to day administration. Clinical Associates have made an undertaking to The Company confirming that they comply with GDPR.

External Processors

The Company will ensure that, where data is processed externally, for example by service providers, Cloud services or storage facilities, all external processors are compliant with this policy and relevant legislation.

What kinds of personal information do we process?

Personal and contact details

Staff are required to collect personal data for making appointments and day to day administration. These details will be recorded on the clinical notes and diary system. It is a legal requirement for us to record attendance. Reception staff are required to handle sensitive personal data but will never share this.

Sensitive Personal Data

Clinical records contain sensitive personal information and will be recorded by clinicians in accordance with the relevant professional standards and legal obligations. Consent is obtained before sensitive personal data is shared for example with General Practitioners, other health professionals or insurers. Sharing information with other parties will not be done without your written consent specifying what details you wish to share and who you would like to share it with. You can ask to see a copy of any correspondence before it is sent.

How will we collect your information?

  • We will ask you to give your title, full name and date of birth, telephone number and payment basis when you book your initial appointment
  • When you come to your initial appointment you will be asked to complete our full patient registration form and sign that you have read our privacy notice to confirm your consent allowing us to process your information. If the client is under 18 years old a parent or guardian will be required to sign the registration form and be present throughout the treatment sessions, acting as a chaperone.
  • Your physiotherapist will collect all the medical information that they need to treat you during your assessment. The assessment will be recorded on the clinical record and not will be shared without consent.
  • Ownership of Clinical Records

    Physiotherapy Records

    The Company will be the owner of all physiotherapy treatment records. Individual Physiotherapists will use the same patient record. This is considered to be the most appropriate means of ensuring that sensitive data is managed in accordance with GDPR governance rules and yet still enable records to be freely shared by all of the practitioners involved in each episode of care.

    Other Therapy Associates (Clinical Associates)

    Therapists working in disciplines other than physiotherapy are separate businesses and have their own GDPR responsibilities. All other allied health professionals (Clinical Associates) working at the clinic will retain ownership of their patient records and will be considered as the Data Controller for those records.

    Privacy Notice and Consent

    Every Physiotherapy patient (or their guardian if aged under 18 years old) will be asked to read the Privacy Notice at the start of each new episode of care and be required to sign the data consent section at the bottom of the registration form. This will be attached to the clinical record. All associates from other disciplines are responsible for obtaining their own relevant consent and documentation.

    Right of Access to Information

    You have the right of access to information held by The Company. The Company will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days for access to records and 21 days to provide a reply to an access to information request. This is known as a subject access request - SAR). An initial copy of your information will be provided at no charge. Requests for access to information held by our other Clinical Associates should be made directly to them.


    The Company will endeavour to ensure that all data held is accurate. We ask you notify us of any changes to information held about you and you have the right to request that inaccurate data is corrected or erased. This does not apply where there is a legal requirement to retain records of corrections or mistakes in the interest of all parties to which they apply, and no alterations can be made to the clinical record.

    Monitoring Data Protection

    We will conduct a GDPR Risk Assessment annually. An annual data processing and information audit will be conducted to document:

    Data Retention and Destruction

    Your information is securely retained in accordance with legal and operational requirements. Your clinical notes will be securely stored for 10 years and any financial information is retained for 7 years. Data will be securely destroyed once the retention period has expired.

    Information sharing

    We will not share your personal information with anyone without your consent. If you are making a claim to pay for your treatment through a health insurer they will require us to share information. It will not be possible to process your claim without this but if you wish you can ask to see any information or reports before they are shared.

    Is your information transferred outside the UK or EEA?

    Your written consent will be required to transfer data outside of the UK or EEA.


    We will not use your data for marketing ourselves unless we obtain your specific consent first. We will not pass any of your information on to anyone for external marketing purposes.

    Any questions regarding the GDPR policies of therapy professionals working at BG PHYSIO should be directed to the individual practitioner concerned.


    May 2018