PRIVACY POLICY

Tadcaster Physiotherapy is committed to protecting the privacy of all our patients and website users. This policy explains how we collect, use, store, and protect your Personal Data and, crucially, your Special Category Data (Health Data), in compliance with the UK General Data Protection Regulation (UK GDPR).

​

Effective Date: November 2025

​

1. The Data We Collect

We collect and process data required to provide safe, effective, and legally compliant physiotherapy services.

1.1. Personal Data (Standard)

This data is collected for administrative and communication purposes:

• Contact Information: Name, address, telephone numbers (mobile/landline), email address.

• Administrative Data: Appointment dates, times, payment records, and communications (emails, letters, phone notes).

• Technical Data: Information about how you use our website (IP address, browser type, pages viewed).

1.2. Special Category Data (Health Data)

This data is highly sensitive and requires explicit handling under UK GDPR.

• Clinical Records: Detailed notes on your medical history (past and present), current symptoms, diagnosis, treatment plans, progress updates, test results, and discharge summaries.

• Lifestyle Data: Information on occupation, hobbies, exercise habits, and social history, where relevant to your treatment.

• Referral Data: Details provided by referring GPs, consultants, or specialists.

​

2. Legal Basis for Processing

We use your data based on the following legal grounds required by UK GDPR:

​

Personal Data

Contractual Necessity: To provide the service you have booked (physiotherapy appointment).

​

Personal Data

Legitimate Interests: For running our business (e.g., billing, service improvement, internal audits).

Special Category Data (Health Data) 

Contractual Necessity (for appointment management) & Legal Obligation (for retaining records).

Provision of Health or Social Care: Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, the provision of health or social care, or treatment.

​

Marketing Data 

Consent: For sending you marketing emails (e.g., newsletters), which you must opt-in to receive.

​

3. How We Use Your Information

We use your data for these essential purposes:

• Clinical Care: To assess, diagnose, treat, and manage your condition, ensuring continuity and effectiveness of care.

• Communication: To send appointment confirmations, reminders (as noted in the Terms of Service), and follow-up advice.

• Record Keeping: To maintain accurate medical records as required by our professional bodies (e.g., Chartered Society of Physiotherapy) and insurance providers.

• Billing and Administration: To process payments and maintain accurate accounting records.

​

4. Data Security and Storage

4.1. Confidentiality: All clinical records are treated with the utmost confidentiality. Only your treating physiotherapist and essential administrative staff involved in your care will have access to your clinical records.

4.2. Security Measures: We have implemented appropriate physical, electronic, and managerial procedures to safeguard your data, including secure, password-protected electronic health record systems and secure filing for any paper records.

4.3. Retention: We are legally and professionally required to retain adult patient records for a minimum of 8 years after the last date of treatment, or for children/young people, until they reach age 25 (or 8 years after their last treatment, if later). After this period, records will be securely destroyed.

​

5. Disclosure and Sharing of Your Information

We do not sell your Personal Data or Health Data. We only share information when necessary, strictly on a 'need-to-know' basis, and usually with your consent:

• With Your Consent: We will share necessary clinical information with your GP, consultant, or other healthcare professionals (e.g., Pilates instructor, Occupational Therapist) only after obtaining your explicit consent.

• Third-Party Processors: We use secure external services for booking and payment processing (e.g., booking software, card payment provider). These providers act as data processors and are bound by strict contractual obligations to protect your data.

• Legal/Regulatory Bodies: We may disclose data when legally required by law (e.g., regulatory audits, court orders, or where required by our governing bodies, such as the Health and Care Professions Council (HCPC)).

​

6. Your Rights (UK GDPR)

You have the following rights regarding the personal data we hold about you:

• Right of Access: Request a copy of the data we hold about you (Subject Access Request).

• Right to Rectification: Ask us to correct inaccurate or incomplete data.

• Right to Erasure (Be Forgotten): Request the deletion of your data. (Note: This right is subject to our legal and professional duty to retain clinical records for the retention periods outlined in Section 4.3).

• Right to Restrict Processing: Limit how we use your data.

• Right to Object: Object to us processing your data, particularly for direct marketing.

• Right to Data Portability: Receive your electronic data in a structured, commonly used format.

​

7. Contact Information and Complaints

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a complaint, please contact us:

Tadcaster Physiotherapy

Address: 27e Westgate, Tadcaster LS24 9JB

Email: dave@tadcasterphysio.co.uk

Telephone: 01937 833976

​

If you are unsatisfied with our response, you have the right to complain to the UK’s supervisory authority, the Information Commissioner’s Office (ICO).