Privacy Notice for Patients Attending Treatment

The Oxford Clinic is committed to protecting your privacy when you use our services. This Privacy Policy explains how we use information about you and how we protect your privacy under the the EU General Data Protection Regulation 2016 (GDPR) and  UK Data Protection laws.

If you want to see how we protect your privacy when using our web-site please see our Cookie Policy.

Why do we need your personal information?

We need to keep comprehensive and accurate personal data about patients to provide you with high standard, safe and appropriate physiotherapy treatment, and to meet legal and regulatory requirements. This personal data can include:

  • personal details such as age, address, telephone number and GP;
  • records of consent to treatment;
  • past and current medical history;
  • treatment notes and reports;
  • correspondence with other health care professionals, insurance companies, solicitors and employers;
  • attendance and financial records.
  • The information that we hold about your health is categorised as ‘special’ information under the GDPR and needs more protection due to its sensitivity.

The lawful basis for keeping and using your personal information

Under the General Data Protection Regulation the lawful basis for keeping and using your personal information is that:

  • you have entered into a contract with us for treatment
  • it is necessary to deliver health treatment
  • it is required by law and regulation

How long do we keep your personal information?

We are required to keep adult health records for 8 years after the date of the last treatment session. For children the retention period ends on either their 25th or 26th birthday depending on their age at the date of last treatment. In some circumstances, for example if legal proceedings are still in progress, records may be kept longer. At the end of the retention period paper records are shredded and electronic records permanently deleted.

How do we protect your information?

Personal data about you is held in the practice’s computer system and in a locked manual filing system. The information is only accessible to authorized team members. Our computer system is encrypted and we back up the system each day on the cloud in Canada using an encrypted system fully compliant with UK and EU law and regulations.

Who do we share your information with?

We may need to share information with other health professionals, for example your GP or consultant for further investigation. If your treatment is paid for by a third party such as an insurance company or your employer they will normally expect to receive reports about your treatment and attendance.  We will only share information about you if you agree and sign a form giving your consent.

In very limited circumstances or when required by law or a court order we may share your information. This may happen:

  • if there is a serious risk to the public, our staff or to other professionals;
  • to protect a child; or
  • to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.

The risk must be serious before we can override your right to privacy.  If this is the case, we’ll make sure that we record what information we share and our reasons for doing so. We’ll let you know what we’ve done and why if we think it is right to do so.

You can ask for access to the information we hold on you

You have the right to access all the information we have about you and to receive a copy. Parents may access their child’s records if this is in the child’s best interests and not contrary to a competent child’s wishes. Formal applications for access must be in writing to the Clinic’s Data Protection Officer.

You can ask us to change information you think is inaccurate

You should let us know if you disagree with something written on your file.  We may not always be able to change or remove that information but we’ll correct factual inaccuracies.

You can ask us to limit how we use your personal data

If you do not wish personal data that we hold about you to be disclosed or used in the way that is described here, please discuss the matter with your physiotherapist or ask to see the Data Protection Officer. You have the right to object; however, this may affect our ability to provide you with treatment.

Can I ask for my information to be deleted? (the right to be forgotten)

No. We are required by law and regulation to keep records of health treatment for the periods stated.

Where can I get advice?

If you have any worries or questions about how your personal information is handled please contact David Perry, the Clinic Data Protection Officer, at or by telephone on 01229 827717.

For other advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel: 0303 123 1113 (local rate).  Alternatively, visit or email