General Data Protection Regulation Statement

The new General Data Protection Regulation (GDPR) came into place on the 25th May 2018. This legislation replaces the previous data protection law, giving more rights to you as an individual and more obligations to organisations holding your personal data. GDPR applies to the following:

Personal Data
The ‘GDPR’ applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. In this case, this is relevant to you as the patient.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.

GDPR applies to both automated personal data and to manual filling systems where personal data are accessible according to specific criteria. For example – medical records containing personal data.

Sensitive Personal Data.
GDPR also refers to sensitive personal data including genetic data, and biometric data where processed to uniquely identify an individual.
Who we are
The Physio Joint Ltd is a private physiotherapy clinic specialising in both the private sector with self-paying patients and the occupational health sector with musculoskeletal injuries.
The Physio Joint Ltd has appointed Mr. Craig Percival as it’s Data Controller and is registered with the Information Commissioner’s Office (the regulator for data protection)
The Physio Joint Ltd
115A Lapwing lane, Didsbury M20 6UR
Contact us at email:
IPO reference number: – ZA427583

A lawful basis for processing personal data
The Physio Joint Ltd is compliant under Article’s 6 & 9 of the GDRP and uses patient ‘consent’ (article 6) and explicit consent (article9) as a lawful basis for processing data.
The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and therefore it is not a precondition of signing up for a service.
The Physio Joint Ltd will keep clear records to demonstrate consent.

The GDPR gives a specific right to withdraw consent. Therefore we tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.

Public authorities, employers and other organisations in a position of power may find it more difficult to show valid freely given consent.

We are continually reviewing existing consents and consent mechanisms to check that they meet the GDPR standard.

Why is consent important?

Consent is one lawful basis for processing, and explicit consent can also legitimise use of special category data. Consent may also be relevant where the individual has exercised their right to restriction, and explicit consent can legitimise automated decision-making and overseas transfers of data.
Genuine consent should put the individual in control, build trust and foster engagement.

When is consent appropriate?

Consent is one lawful basis for processing, but there are alternatives. Consent is not inherently better or more important than these alternatives.

The Physio Joint Ltd uses consent as a lawful basis to offer patients real choice and control over how we use their data, and in order to build their trust and engagement. Your consent to our services should be given freely with an ongoing choice.

What is valid consent?

Consent must be freely given; this means giving patients genuine ongoing choice and control over how we use your data.
Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly. Furthermore, consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
Explicit consent must be expressly confirmed in words, rather than by any other positive action.
There is no set time limit for consent. How long it lasts will depend on the context, therefore we will review this throughout a course of treatment or service.

How should we obtain, record and manage consent?

The Physio Joint Ltd has a prominent & concise request that is separate from other terms and conditions, and easy to understand. The following information is stated and as to what we need to collect:-

– the name of our organisation;
– the name of any third party controllers who will rely on the consent;
– why we need the data;
– what we will do with it; and
– that individuals can withdraw consent at any time.

We will also ask patients/ people to actively opt-in using non-ticked boxes, opt-out boxes or other default settings. Wherever possible we will give separate (‘granular’) options to consent to different purposes and different types of processing.

The Physio Joint Ltd will keep records to evidence consent – who consented, when, how, and what they were told.

We will also make clear that it is your right to withdraw consent at any time and continue to keep consents under review and refresh them if anything changes.

Personal Data Collected
The Physio Joint Ltd will collect data from you that is deemed to be standard personal data and also special category data. In terms of special category data (Article 9 {2} of the GDPR), this is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee (patient), the provision of health or social care care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards set out in the Data Protection Act 2018.
Standard category data includes name, address and contact details, date of birth, next of kin, occupation, GP and medical contacts & employment details.

Special category data includes health, sex, medical history including diagnostic information (i.e. x rays, Ultrasound scans, blood tests, MRI scans) race & genetic history.

How do we collect data?
Via secure video E-conference or emails.
Face to face
Medical reporting via mail
For example, if you get in touch with us via telephone to make an appointment, we will collect your personal data, such as your name, email address, date of birth etc and we will collect special category data face to face during consultations. Your data may also be collected from any diagnostic tests you supply to us such as medical reports from other health care professionals, MRI scans, x rays or blood tests.

How long do we keep data?
The Physio Joint Ltd retains medical- health data in accordance with the NHS Records Management Code for Retention. As stated in Appendix 3 of the code for retention all standard adult data, records will be retained for 8 years. Certain patient records may be kept for a longer duration. For further information please access the link below: –

Your rights as a patient

  1. The right to be informed. We will inform you on the consent sheet of how The Physio Joint Ltd will use and collect your data.
  2. The right of access to your data. You have the right to ask us for the data that we keep on you. This is also known as a Subject Access Request.
  3. The right to rectification. This is where the patient may ask to have their data altered.
  4. This right is not absolute, for example, we are unable to change the diagnosis data for instance. However, we are able to correct data if there is an inaccuracy, for instance, if we have written the wrong address or stated Mr when we should have stated Mrs.
  5. The right to erasure. Patients have the absolute right to be erased from any sort of marketing system however they do not have the absolute right to have their patient records disposed of. As stated previously The Physio Joint is bound by legal obligation to keep medical data for 8 years and in certain cases longer. It is however to raise the matter and object should you have any concerns.
  6. The right to restrict data processing. It is your right to restrict/stop data processing, however, if we are instructed to do this we can not add to your records and we would be no longer able to treat you. As stated in point 4 The Physio Joint Ltd has a legal obligation to record and keep medical data.
  7. The right to data portability. The right to data portability gives individuals (the patient) the right to receive personal data they have provided to a controller (the designated controller at The Physio Joint Ltd) in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data to another controller (for instance transferring medical information to another controller). This right applies when the lawful basis for processing is consent or for the performance of a contract, and when carrying out the processing by automated means (i.e. excluding paper files).
  8. The right to object. You have the right to object to data being used for any illegitimate interest or marketing including in an automated decision -making and profiling way.
    The right to lodge a complaint. You have the right to lodge a complaint with a supervisory authority. In this case, The Physio Joint Ltd is registered with the Information Commissioners Office. Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.


Who do we share your data with?
Your personal/special data is only shared with other clinicians involved in your care subject to your consent. This may include Surgeons, GP’s, Physiotherapists & Physicians. We also share your personal and special data should we be advised by law as in the case of a public health issue such as smallpox.

How is your data stored?
Your data is stored in paper form, at present in a locked cabinet and room. Any personal data that is transmitted by email is encrypted. We will advise further should our storage policy change to online storage or management software data storage.

Technology & Organisational Security
Personal & Special category personal data is encrypted. The Physio Joint Ltd uses a Google mail account with GDPR compliant encryption software. – Virtru.
Any data sent via Google mail is transported out of the country by Google who is fully compliant with GDPR data protocols. Please see the following links for more information and clarification.

Display screens are locked when away from the desk for any length of time.

Please contact us with any queries at:-
FAO Mr Craig Percival
The Physio Joint Ltd
115A Lapwing lane, Didsbury M20 6UR
Email :-