About your privacy
Heaton Moor Physiotherapy is obligated and committed to protecting your privacy and upholding your legal rights when dealing with your personal information.
Heaton Moor Physiotherapy is registered with the Information Commissioner's Office, registration number ZA465263.
Our data controller is Mark McGillian, who can be contacted using the following details:
Data Protection Officer: Mark McGillian
Full name of legal entity: Heaton Moor Physiotherapy
Email address: email@example.com
Postal address: 50a Shaw Road, Heaton Moor, SK4 4AL
Telephone number: 0161 9759299
How we protect your personal data
We’re committed to keeping any data you provide to us safe and secure. All of our staff therefore undergo comprehensive data protection training.
The following list shows some of the measures we put in place to ensure your personal data is protected:
- Our clinical and administrative staff are trained in the appropriate handling of personal information and in how to respond to a data breach
- We practise common-sense cybersecurity measures, such as locking screens when away from them and ensuring all security updates are applied
- Where possible, we use two-factor authentication for key systems
- We ensure passwords are changed regularly
- We use email encryption technology when we are required to email personal data
- Our third-party providers of systems used to process your personal data are compliant with data protection laws and requirements, and also have effective data restore capabilities to ensure your data can be recovered
How we collect personal information from you
We collect personal information from you or any third parties that are acting on your behalf.
We will collect Standard and Special Category personal information from you or from other third parties. We will collect the information from the following sources:
- Your parent or guardian, if you are under 18 years of age
- A family member, or someone else acting on your behalf
- Your interpreter, acting on your behalf
- From yourself, either in face-to-face consultations, or via electronic communications such as email, via the telephone, or via postal communications
- When you have given explicit consent to subscribe to educational or marketing email correspondence
- Manually, when you fill in referral, assessment, registration and other forms
- Via electronic or postal communications, or from records completed by clinicians involved in your care and their administrators
- When given directly by social services, carers, relatives and friends, over the phone or in person
- From providers of medical imaging and diagnostic testing involved in your care
- From your private medical insurance provider or referring Embassy
- In emergency situations by the social services, police or ambulance service staff
Categories of personal information that we process
Standard personal information, which can include (but is not limited to):
- Email address
- Telephone number
- Date of birth
- Next of kin or similar contact details
- Details of any complaints or grievances raised that relate to the provision of our services
- Financial details that relate to payments for our services (note we do not store card details)
- Account details relating to your private medical insurance provider
Special Category personal information
This is personal information specifically relating to your:
- Health, both physical and mental
- Race or ethnicity
- Religious or philosophical beliefs
- Sex life
- Sexual orientation
- Political opinions
- Genetic and biometric data
Special Category personal information relating to health can include clinical notes, examination findings, medical imaging data related to your care, diagnostic test results, and correspondence and communications from other clinical professionals relating to your current or past clinical care.
What we use your personal information for
For ‘Standard’ personal information
We process Standard personal information about you if it is determined that:
- It is in our Legitimate Interests. Details of what constitutes Legitimate Interests are set out below.
- It is our Legal Obligation – this means we are required to process your Standard personal information in order to comply with the law. Details of the Legal Obligation are set out below.
- We have your Explicit Consent – this only applies when you have subscribed and opted in to receive our email newsletters, blogs and marketing offers, or you have provided consent to receive them via the opt-in checkbox on our marketing consent form.
Standard personal information – Legitimate Interests
The law requires us to balance the processing of your Standard personal information against your interests, rights and freedoms. We conduct a legitimate interests assessment to ensure that our processing of Standard personal information does not override your interests, rights or freedoms in relation to your information.
The Legitimate Interests we have identified that allow us to process your Standard personal information are:
- To enable us to take sufficient information in order to record who you are when booking appointments
- To ensure we can email you with basic information about your appointments
- To manage our personal relationship with you, such as discussing invoices and requesting insurer authorisation codes
- To communicate with you if we need to cancel or rearrange appointments
Standard personal information – Legal Obligation
We process Standard personal information to fulfil our Legal Obligation, which requires us to maintain complete records relating to the health care services we supply to you. Maintaining these records requires us to process a subset of your Standard personal information, with the lawful basis being a Legal Obligation. The Standard personal information we process under a Legal Obligation is your:
- Full name;
- Date of birth;
- Contact details (such as an email address or telephone number);
- Parent(s)' or legal guardian's details, if you are a minor.
For ‘Special Category’ personal information
We process this information in line with data protection laws, and we process Special Category personal information about you when it is our Legal Obligation. We are not able to provide Healthcare Services without processing Special Category information.
The conditions under which we need to process your Special Category personal information are:
- Processing is necessary for the purposes of preventive or occupational medicine, for medical diagnosis or the provision of health care or treatment, on the basis of Union or Member State law or pursuant to a contract with a health professional
- Processing is necessary for the establishment, exercise or defence of legal claims (for example, to process a legal claim against us, including your personal information provided to our regulatory body if lawfully requested)
People directly involved in your healthcare who are regulated by the regulatory bodies listed in the Medical Act 1983 or the Health Professionals Order 2001 are legally required to record information about you that relates to preventive or occupational medicine, medical diagnosis or the provision of health care or treatment.
We are required to demonstrate that we follow the legal requirements listed in The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014.
We are also required by our regulatory body, the Health & Care Professions Council (the HCPC), to take and process medical records, which are required to support safe and effective care. As our regulatory body is established under UK law, this also constitutes a legal requirement to record and maintain clinical records relating to your clinical care.
Sharing your personal information
We sometimes need to share your information with other people or organisations for the purposes set out in this Privacy Notice. We will share only the minimum amount of your personal data appropriate to the other people or organisations we are communicating with:
- Doctors, surgeons, clinicians and other health-care professionals, hospitals, clinics and other health-care providers;
- Their administrative staff such as secretaries;
- People or organisations that we are required by law or our regulatory body to share your personal information with;
- The police or other law enforcement agencies, where we are required to do so by law or by a court order;
- A parent or legal guardian if you are a minor;
- Any person that you have authorised us to share information with.
Moving data outside the EEA
Countries outside the European Economic Area (EEA) do not always offer the same level of protection for your personal data, so European law prohibits transfers of personal data outside the EEA unless the transfer meets certain criteria.
Some of our third-party service providers are based outside the EEA, so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever we transfer your personal data out of the EEA, we do our best to ensure a similar degree of security of data by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or
- Where we use certain service providers, we may use specific contracts or codes of conduct or certification mechanisms approved by the European Commission which give personal data the same protection it has in Europe; or
- Where we use providers based in the United States, we may transfer data to them if they are part of the EU-US Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.
If none of the above safeguards is available, we may request your explicit consent to the specific transfer. You will have the right to withdraw this consent at any time.
How long we will keep your data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Treatment notes, External medical notes, Financial and Transaction Data) for seven years after they cease being customers, for tax purposes. For children, we keep data for seven years after their 18th birthday or until they are 25 years old.
In some circumstances you can ask us to delete your data: see below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
You have the following rights; however, please note that these rights are not absolute. The only absolute right you have is to request that we do not use your personal information for direct marketing.
The right to be informed
We must inform you of the name and contact details of our organisation; these are at the top of this document.
You have the right to be informed about how we collect and use your personal data. We are obliged to provide this right to be informed in a clear and concise manner.
This Privacy Notice you are reading is designed to inform you how we collect and use your personal data.
The right of access
You have the right to confirmation that your data is being processed and to view this information. This is known as a Subject Access Request or ‘SAR’, but you do not have to use this term when requesting your personal information from us. You also have the right to request a copy of the personal data that we process about you.
We will need to identify you using reasonable means before we will start the process of collating your personal information.
Once we have identified you, we will reply to any request for your personal information (SAR) within 30 days, unless we deem the request to be complex or repetitive, in which case we will notify you that we may take an additional two months to provide your personal information.
We will not charge you to request information from us. However, we will charge a reasonable fee if the request for information is repetitive. If we’ve provided information to you and you wish to request it again, we ask that you contact us beforehand to discuss what our reasonable fee is.
If the request is manifestly unfounded or excessive, in particular because it is repetitive, we might decide to:
- charge a reasonable fee taking into account the administrative costs of providing the information; or
- refuse to respond.
Where we refuse to respond to a request, we will explain why and inform you of your right to complain to the ICO, without undue delay and at the latest within one month of our refusal.
The right to rectification
You have the right to request rectification of your personal information. However, we only consider requests to correct factual information. Any clinical opinions will remain valid as they were the opinion at the time they were recorded. If a clinical opinion or diagnosis later changes, we will update your personal information to reflect this, but we will not change or remove the original clinical opinion.
The right to erasure
You have the right to request erasure of personal information.
If you have subscribed to any of our email educational or marketing correspondence, you have the right to request erasure from our email list, or you can click on the ‘unsubscribe’ link that appears in all emails we send. We will only use your personal information to send you marketing or educational material if you have given us your explicit permission.
We will consider all requests in conjunction with our legal obligation to retain information relating to the health care we have provided to you, as well as data protection law, which clearly states when the right to erasure does not apply. Normally, this means we will not erase any information unless we were not required to retain it for legal reasons.
If we determine we cannot delete data, you still have the right to ask us to restrict processing of your personal data.
The right to restrict processing
You can request that we restrict processing of personal information. This means that we will stop actively processing it, and it will just be stored. Stopping processing will mean that we will not add any additional information to your existing information.
The right to data portability
You have the right to obtain and reuse your personal data for your own purposes across different services. This affords you the right to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right to object
You have the right to object if processing is based on legitimate interests, or if processing is being used for direct marketing.
Rights in relation to automated decision making and profiling
We do not make any kinds of automated decisions or perform any profiling with your personal information.
The right to lodge a complaint with a supervisory authority
We ask that you first contact us if you wish to make a complaint. Please see the template letter and guidelines listed on the ICO website.
You can also contact the ICO directly at the following address: