Privacy Policy

JT Physiotherapy

Effective Date: December 2025

 

1. Data Controller

JT Physiotherapy (“the Practice”) is the Data Controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

 

Practice address: 5 Bunting Place, Kilmarnock, KA1 3LE
Email: jtfootballphysiotherapy@gmail.com

The Practice complies with the Health and Care Professions Council (HCPC) Standards of Conduct, Performance and Ethics and the Chartered Society of Physiotherapy (CSP) Code of Members’ Professional Values and Behaviour, including duties relating to confidentiality, record keeping, and data protection.

 

2. Purpose of This Policy

This Privacy Policy explains how the Practice collects, processes, stores, and protects personal and special category data in the course of providing physiotherapy services, and outlines the rights of patients in relation to their personal information.

 

3. Personal Data We Process

The Practice may process the following categories of data:

 

3.1 Personal Data

  • Full name

  • Date of birth

  • Address

  • Email address

  • Telephone number

  • Emergency contact details

3.2 Special Category Data (Health Data)

  • Medical history and relevant health information

  • Clinical assessment findings

  • Diagnosis, treatment plans, and progress notes

  • Correspondence with other healthcare professionals

  • Reports, referrals, and test results (where applicable)

3.3 Administrative and Financial Data

  • Appointment records

  • Invoices and payment records

  • Insurance details (where applicable)

4. How Data Is Collected

Data is collected directly from patients via:

  • Registration, consent, and medical history forms

  • Verbal information provided during consultations

  • Written or electronic correspondence

  • Online booking or practice management systems (if applicable)

5. Lawful Basis for Processing

The Practice processes personal data under the following lawful bases:

  • Article 6(1)(b) – performance of a contract (provision of physiotherapy services)

  • Article 6(1)(c) – compliance with a legal obligation

  • Article 6(1)(f) – legitimate interests (practice administration and service delivery)

Special category health data is processed under:

  • Article 9(2)(h) – provision of health care, diagnosis, and treatment

Where consent is relied upon, it will be obtained explicitly and may be withdrawn at any time.

6. Use of Personal Data

Personal data is used to:

  • Provide safe, effective, and appropriate physiotherapy care

  • Maintain accurate, contemporaneous clinical records in line with HCPC and CSP standards

  • Communicate with patients regarding appointments and treatment

  • Liaise with other healthcare professionals involved in a patient’s care

  • Manage billing, payments, and insurance claims

  • Comply with legal, regulatory, and professional obligations

7. Confidentiality and Information Sharing

The Practice adheres to strict confidentiality principles in accordance with HCPC and CSP requirements.

Personal data will not be disclosed to third parties without the patient’s consent unless:

  • It is necessary for the patient’s direct care

  • There is a legal or regulatory obligation

  • There is a safeguarding concern or risk of serious harm

Where information is shared, only the minimum necessary data will be disclosed.

8. Data Storage and Security

The Practice implements appropriate technical and organisational measures to ensure data security, including:

  • Secure, password-protected electronic record systems

  • Encrypted devices where appropriate

  • Secure storage of paper records

  • Restricted access to confidential information

All records are maintained in accordance with HCPC standards for record keeping.

9. Data Retention

Clinical records are retained in line with CSP guidance, HCPC standards, and UK legal requirements:

  • Adult records: minimum of 8 years after last treatment

  • Children’s records: until the patient reaches 25 years of age (or 26 if treated at age 17)

Records are securely destroyed once retention periods expire.

10. Data Subject Rights

Under UK GDPR, patients have the right to:

  • Access their personal data

  • Request rectification of inaccurate or incomplete data

  • Request erasure of data where legally permissible

  • Restrict or object to processing

  • Withdraw consent at any time

  • Lodge a complaint with the Information Commissioner’s Office (ICO)

Requests should be submitted in writing to the Practice.

11. Website and Cookies (if applicable)

The Practice website may use cookies for functionality and analytics purposes. Cookies do not collect health data. Users may manage cookie preferences via their browser settings.

12. Policy Review

This Privacy Policy is reviewed regularly to ensure ongoing compliance with legislation and professional standards. The most current version is available upon request or on the Practice website.

13. Contact Details

For questions regarding this Privacy Policy or the handling of personal data, please contact:

JT Physiotherapy
Email: jtfootballphysiotherapy@gmail.com
