
Privacy Policy
This website is operated by the Lady Basset Physiotherapy Centre. We take your privacy very seriously; therefore, we urge you to read this policy carefully because it contains important information regarding:
- Who we are,
- How and why we collect, store, use and share personal information,
- Your rights in relation to your personal information, and
- How to contact us/supervisory authorities in the event that you have a complaint.
In this policy, “we”, “our”, “us”, or “The LBPC” refer to The Lady Basset Physiotherapy Centre.
Our registered office is at:
The Lady Basset Physiotherapy Centre, Church Road, Pool, Cornwall, TR15 3PT.
Introduction
This privacy notice aims to inform you about how we collect and process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal data”) and information that could not identify you. In the context of the law and this notice, “process” means to collect, store, transfer, use, or otherwise act on personal data. It tells you about your privacy rights and how the law protects you.
We are committed to protecting your privacy and the confidentiality of your personal data. Our policy is not just an exercise in complying with the law; it is a continuation of our respect for you and your personal data.
We undertake to preserve the confidentiality of all information you provide to us and hope that you reciprocate.
Our policy complies with the Data Protection Act 2018 (the Act), incorporating the UK General Data Protection Regulation (GDPR).
The law requires us to tell you about your rights and our obligations to you in regard to the processing and control of your personal data. We do this now by requesting that you read the information provided at http://www.knowyourprivacyrights.org.
Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website.
2 Information We Collect
We collect and process various types of data about you, depending on how you interact with The Lady Basset Physiotherapy Centre (The LBPC). The types of data we collect include:
Identity and Contact Data: This includes your first name, last name, date of birth, gender, billing address, email address, and telephone numbers. This information is essential for identifying you and managing your care effectively.
Health and Medical Data: We collect detailed health information, including your medical history, current health status, symptoms, injuries, treatment records, diagnostic reports, and other clinical information gathered through forms or consultations. This data helps us tailor our services to meet your specific needs.
Appointment and Attendance Data: We maintain records of your appointments, cancellations, and attendance history. This is crucial for scheduling future appointments and ensuring continuity of care.
Payment and Transaction Data: We collect details about payments, billing records, and insurance information (where applicable). This information is necessary for processing payments, handling insurance claims, and managing other purchase-related details.
Communication Data: This includes records of emails, phone calls, and other communications related to your care or queries. Keeping these records helps us provide responsive and personalised service.
Technical and Website Data: When you use our website, we may collect technical data such as your IP address, browser type and version, browser plug-ins, operating system, platform, time zone setting, location, and other technology details. We also collect information about how you use our website through cookies and online booking forms. For more details, please refer to our Cookies Statement which is available on our website at www.ladybasset.co.uk/cookies.
Usage Data: Information on how you interact with our website and services, helping us improve user experience and optimise our services.
Consent for Data Processing: By providing your information, you consent to the collection and processing of your personal data in accordance with this statement and our Privacy Policy.
3 How We Collect Your Data
Personal data is collected in various ways to ensure we have the necessary information to provide effective physiotherapy and sports therapy services. The methods of data collection include:
In-Person Consultations and Assessments: During your visits for physiotherapy and sports therapy, we collect personal data and health information directly through discussions and assessments. This may include details about your current condition, medical history, and any relevant treatments you have undergone.
Completed Medical History Forms: You may provide information by filling out medical history forms, which can be completed on paper or electronically before your appointment. These forms help us understand your health background, including previous injuries and conditions, allowing us to tailor your treatment accordingly.
Communication Channels: We may collect personal data when you contact us via telephone, email, or other communication methods. This could include inquiries about our services, appointment scheduling, or follow-up questions regarding your treatment. We also collect data through forms on our website, including the contact form(s), the "Is Physiotherapy Right for Me?" questionnaire, and the "Speak to a Physiotherapist" form.
Appointment Bookings: When you book appointments through our website or in person, we collect personal information such as your name, contact details, and any relevant health information necessary for your appointment. This ensures we have accurate information to facilitate your care.
By providing your information through these methods, you consent to the collection and processing of your personal data as outlined in this statement.
4 What Happens If You Don’t Give Us Your Personal Data?
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform that contract or provide the service you have requested. This includes, but is not limited to:
Appointment Booking: If you do not provide necessary information for booking or attending an appointment, we may not be able to complete your booking or provide the requested physiotherapy services.
Feedback Forms and Requests: If you do not provide accurate and complete information through feedback forms, we may not be able to address your concerns or improve our services effectively.
Contact Forms: If you do not provide the required information in contact forms (such as the Request a Callback form), we may not be able to respond to your request or provide the necessary support.
In such cases, we may need to stop providing the relevant service to you. If this situation arises, we will notify you at the time to explain the impact and discuss any potential next steps.
5 The Bases on Which We Process Information About You
The law requires us to determine under which of six defined bases we process different categories of your personal information and to notify you of the basis for each category.
If a basis on which we process your personal information is no longer relevant, we shall immediately cease processing your data. If the basis changes, we shall notify you of the change and any new basis under which we have determined that we can continue to process your information, if required by law.
5.1 Information We Process Because We Have a Contractual Obligation with You
According to Article 6(1)(b) of the General Data Protection Regulation (GDPR), processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
Service Provision: When you book a service from us or agree to our terms and conditions, a contract is formed between you and us. To fulfil our obligations under that contract, we must process the information you provide, including personal and medical information.
Medical Records: As part of fulfilling our contract and professional obligations, we maintain accurate records of interactions with patients, including health-related data. This record includes all the information relating to the health status and management of the individual patient (Data Subject).
Retention Period: We are required to retain this data for 8 years after your last treatment. For records concerning individuals under 18, data is retained until they reach the age of 25, in line with professional guidelines.
Relevant Guidelines:
Chartered Society of Physiotherapy (CSP) Quality Assurance Standards
HCPC Standards of Conduct, Performance, and Ethics
5.2 Information We Process with Your Consent
According to Article 6(1)(a) of the General Data Protection Regulation (GDPR), the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Consent Through Actions: When you engage with our website or request additional information about our services or content, you consent to our processing of any personal data you provide. This includes situations where there is no formal contractual relationship between us, such as browsing our website, submitting a contact form, or requesting information.
Explicit Consent: We aim to obtain your explicit consent where possible. For example, you may be asked to agree to our use of cookies or accept our terms and conditions before submitting information through our contact page or feedback forms.
Implicit Consent: In some cases, consent may be implicit. For example, when you send us an email, make a phone call, or fill out a contact form, we assume you consent to us processing your personal data to respond to your request and provide the necessary information or services.
Data Handling and Retention: We may keep records of your requests and our responses to improve our service efficiency and ensure high-quality communication. This includes maintaining personally identifiable information, such as your name and email address, to track and manage our interactions with you.
Withdrawal of Consent: You have the right to withdraw your consent at any time by contacting us at info@ladybasset.co.uk. Please be aware that withdrawing your consent may affect your ability to use certain features of our website or access our services.
Data Retention: We will continue to process your information based on your consent until you withdraw it or until it can be reasonably assumed that your consent no longer exists.
5.3 Information We Process for the Purposes of Legitimate Interests
According to Article 6(1)(f) of the General Data Protection Regulation (GDPR), processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, particularly when the data subject is a child.
Operational Efficiency: We may process your data for operational purposes, such as improving our services, managing website functionality, and responding to unsolicited communications from you.
Legal Obligations: We process data to protect and assert legal rights, fulfil professional obligations, and comply with legal and regulatory requirements.
Service Improvement: Your data may also be used to enhance our services and ensure the proper administration of The Lady Basset Physiotherapy Centre.
5.4 Special Personal Information
Special category data, also known as sensitive personal data, requires elevated protection due to its sensitive nature. This includes information concerning your:
Race or ethnicity
Religious or philosophical beliefs
Sex life or sexual orientation
Political opinions
Trade union membership
Health and genetic or biometric data
The GDPR imposes strict requirements for processing this type of data. To process special category data legally, we must identify both a lawful basis under Article 6 and a separate condition under Article 9.
Lawful Basis Under Article 6
For processing special category data, we rely on the following lawful basis under Article 6 of the GDPR:
6(1)(b): Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
This means that when you engage with us to provide health-related services, we process your data as part of fulfilling our contractual obligations.
Condition for Processing Under Article 9
In addition to the lawful basis under Article 6, we must satisfy one of the conditions for processing special category data outlined in Article 9 of the GDPR. The relevant condition for our processing is:
Article 9(2)(h): Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, the provision of health or social care, or treatment, and management of health or social care systems and services. This must be carried out by or under the supervision of a health professional or social work professional or another person who owes a duty of confidentiality under an enactment or rule of law.
In the UK, this is further supported by the Data Protection Act 2018, specifically Schedule 1, Condition 2, which covers:
Preventive or occupational medicine
The provision of health care or treatment
The management of health care or social care systems or services
Data Retention and Management
We may request details related to your health and medical conditions to provide appropriate and safe treatment and to fulfil our contractual obligations. We are committed to discussing with you what information is essential for your care and to ensure it is handled with the highest level of confidentiality.
We will retain your special personal data for 8 years after your last treatment. For records concerning individuals under 18, data will be retained until they reach the age of 25, in accordance with the Chartered Society of Physiotherapy (CSP) guidelines.
CSP Record Keeping Guidance: CSP Record Keeping Guidance (PD061 v4, January 2021)
6 Data Sharing
At The Lady Basset Physiotherapy Centre, we take your privacy seriously and only share your personal data when necessary, in accordance with the UK GDPR. We share data with third parties only to facilitate your care or to meet legal obligations.
We may share your personal data in the following ways:
6.1 Healthcare Providers
With your consent, we may share your health data with other healthcare professionals or providers involved in your treatment to ensure continuity of care.
6.2 Third-Party Service Providers
We use trusted third-party providers to securely manage and store your personal data. The key providers we use include:
Cliniko: Our practice management software, Cliniko, is fully compliant with GDPR. Cliniko stores your personal and health data securely and only processes it on our behalf for managing appointments, records, and billing. Cliniko ensures data security through encryption in transit (HTTPS) and encryption at rest (AES-256), and provides regular backups. Cliniko acts solely as a data processor and does not access or use your data for any purposes beyond providing their service to us. For more information, you can visit their website at www.cliniko.com.
Stripe: We accept online payments via Stripe, a secure payment processing service. When you make a payment, your payment details are processed by Stripe and are subject to their privacy policies and terms of service. We do not store your credit or debit card information. Stripe uses strong security measures, including encryption, to protect your payment information. For more information, you can visit their website at www.stripe.com.
Wix: Our website is hosted on Wix, a web hosting platform that collects and processes data from users who interact with our site (e.g., through appointment bookings or contact forms). Wix is committed to maintaining a secure environment and complies with GDPR requirements. Any data collected through our website is subject to Wix’s privacy policies and terms of service. For more information, you can visit their website at www.wix.com.
Best Reception: We use Best Reception, a virtual receptionist service, to handle calls and appointment bookings. Best Reception may collect and process your personal data, including your name, contact details, and appointment information, to facilitate your communication with us. Best Reception is committed to maintaining the confidentiality and security of your information and complies with GDPR. For more information, you can visit their website at www.bestreception.co.uk.
6.3 Payment Processors and Insurance Companies
When applicable, we share necessary billing and treatment information with insurance companies or payment processors to handle claims or transactions.
6.4 Regulatory Authorities and Legal Obligations
In the event of legal obligations or regulatory compliance (e.g., with HMRC or the Care Quality Commission), we may share required information in accordance with data protection laws.
We do not share your data with third parties for marketing purposes without your explicit consent.
7 Data Processing And Transfers Outside The United Kingdom And The European Union
7.1 Website Hosting and Data Storage
Our website is hosted by Wix.com. Wix operates globally and may store your data in various locations, including:
Data Storage Locations: Wix can store your personal information in data centres located in the United States of America, Ireland, South Korea, Taiwan, Israel, and potentially other jurisdictions as necessary for service delivery.
Data Protection and Compliance: Wix respects the laws of the jurisdictions in which it operates. The processing of your personal data may occur within the UK, the EU, or other countries. For transfers to countries outside the UK or the EU that are not recognised as providing adequate protection by the European Commission, Wix uses Standard Contractual Clauses (SCCs) as set out in Appendix 1 of their Data Processing Agreement (DPA) to ensure compliance with data protection regulations.
7.2 Practice Management Software
We use Cliniko for practice management, which may involve processing data outside the UK.
Data Storage Locations: Cliniko’s servers are primarily located in Australia. Data may also be processed and stored in other locations as required for the operation of their services.
Compliance with Data Protection Laws: Cliniko complies with Australian data protection laws. For data transfers from the UK, Cliniko ensures compliance with the UK GDPR and the GDPR by using appropriate safeguards, including Standard Contractual Clauses (SCCs) as outlined in their Data Processing Agreement (DPA).
Adequate Level of Protection: As Australia is not recognised by the UK or EU as providing an adequate level of protection under data protection regulations, Cliniko employs Standard Contractual Clauses to ensure your data is protected in accordance with the UK GDPR and GDPR requirements.
7.3 Payment Processing With Stripe
We use Stripe for processing payments, which may involve processing your personal data outside the UK and the European Union.
Data Storage Locations: Stripe’s servers are primarily located in the United States. Your personal information may be processed in various locations to facilitate payment transactions.
Compliance with Data Protection Laws: Stripe complies with applicable data protection laws, including GDPR. For transfers of personal data from the UK and EU, Stripe ensures compliance by utilising Standard Contractual Clauses (SCCs) as set out in their Data Processing Agreement (DPA).
Adequate Level of Protection: As the United States is not recognised by the UK or EU as providing an adequate level of protection under data protection regulations, Stripe employs Standard Contractual Clauses to ensure that your data is safeguarded in accordance with UK GDPR and GDPR requirements.
Safeguards for Data Transfers: Each of Wix, Cliniko, and Stripe uses Standard Contractual Clauses (SCCs) to provide adequate protection for your personal data when it is transferred outside the UK or the EU. These clauses ensure that your data is handled in compliance with applicable data protection laws and regulations.
7.4 Use of Heidi AI
We use Heidi AI to assist with specific purposes, such as generating reports, improving administrative efficiency, or enhancing customer service.
Data Handling: Any data processed through Heidi AI is securely handled in compliance with our confidentiality policies and applicable data protection laws, including the UK GDPR and GDPR.
Data Protection Measures: Heidi AI implements robust security measures to ensure your personal data is protected. When data transfers outside the UK or the EU are required, Heidi AI uses Standard Contractual Clauses (SCCs) to maintain compliance with data protection regulations.
Further Information: For more details on Heidi AI’s safety and data protection practices, please visit their website at https://www.heidihealth.com/uk/safety.
For more information on how Wix, Cliniko, Stripe, and Heidi AI handle your data and the safeguards in place, please refer to their respective Data Processing Agreements (DPAs) or contact us at info@ladybasset.co.uk.
8 Data Storage and Security
At The Lady Basset Physiotherapy Centre, we prioritise the security of your personal and health data by utilising robust security measures, both for electronic and physical records. The software we use to manage patient data, Cliniko, provides state-of-the-art security features to ensure that all personal data is protected.
8.1 Electronic Data Security
8.1.1 Cliniko Software: We use Cliniko, a secure practice management system, to store and manage patient records. Cliniko employs:
Encryption in Transit: All data sent between you and Cliniko is encrypted using HTTPS with a 2048-bit SSL certificate, ensuring end-to-end encryption.
Encryption at Rest: All stored data is encrypted using the AES-256 encryption algorithm, an industry-standard method for securing data.
Daily Backups: Data is backed up daily and stored redundantly across multiple physical locations, ensuring up-to-date, secure backups.
Monitoring: Cliniko’s system is monitored 24/7/365, ensuring that any potential issues are detected and resolved immediately.
Accreditations: Cliniko’s hosting partner, Amazon Web Services (AWS), is certified to several security standards, including:
PCI DSS Level 1 (Payment Card Industry Data Security Standard).
ISO 27001 (Information Security Management System).
FIPS 140-2 (United States Federal Information Processing Standard).
8.1.2 Wix Hosting: Our website is hosted on Wix, which employs various security measures to protect data hosted on its platform, including:
SSL Encryption: All data transmitted between your browser and our website is protected by SSL encryption, ensuring secure communication.
Regular Security Updates: Wix regularly updates its security protocols to address vulnerabilities and protect user data.
Data Backup: Wix provides automated backups to help ensure data integrity and availability.
Secure Data Centres: Wix’s servers are housed in secure data centres with restricted access, physical security measures, and environmental controls to protect stored data.
Compliance: Wix is committed to data protection and complies with GDPR and other relevant data privacy regulations.
8.1.3 Access Control: Only authorised members of our clinical and administrative staff can access patient records. Access is managed through role-based permissions, ensuring that only personnel who require data for clinical or operational purposes have the necessary access rights.
8.1.4 Two-Factor Authentication (2FA): Cliniko supports two-factor authentication for added security, requiring users to provide a secondary form of identification when accessing the system.
8.1.5 Data Transfer Security: When personal data is transmitted electronically (e.g., in communications with patients or other healthcare providers), we use secure, encrypted channels to prevent unauthorised access.
Secure Emailing: For the secure transmission of sensitive personal and medical data via email, we use Egress Protect. Egress utilises identity-based AES 256-bit encryption, employing FIPS 140-2 approved cryptographic libraries, ensuring end-to-end security for data exchange. This allows us to safely encrypt emails and files when transferring them from our internal network to external recipients, safeguarding your data during communication.
8.2 Physical Data Security
Secure Premises: Access to our clinic and physical records is controlled to prevent unauthorised access. All paper records are kept in locked, fireproof cabinets, and access is restricted to authorised personnel only.
Document Disposal: When personal or medical records are no longer required, they are securely destroyed. Physical records are shredded, while electronic records are permanently deleted in accordance with legal and best practice guidelines.
8.3 Organisational Measures
Staff Training: All staff members receive regular training on GDPR and data protection, including the proper handling of sensitive health data and how to identify and report potential data breaches.
Internal Policies: We follow strict internal policies regarding the collection, processing, and storage of data, ensuring that we only collect the data necessary for providing physiotherapy and sports therapy services.
Data Minimisation: We adhere to the principle of data minimisation, collecting only the personal and medical information that is necessary for the purpose of delivering effective healthcare services.
8.4 Data Backups and Contingencies
Cliniko ensures that data is continuously backed up, with redundancy in place across multiple physical locations. In the event of a system failure or interruption, data can be restored swiftly.
As a part of best practice, we also encourage patients to request exports of their data if needed, providing an additional backup option.
8.5 Ongoing Protection
We continuously review and update our security practices to respond to new threats and ensure the ongoing protection of your data.
We do not sell, rent, or share your personal data with third parties for marketing purposes. Additionally, we do not accept advertising from third parties on our website.
8.6 Data Breach Notification
In the unlikely event of a data breach that compromises your personal information, we will notify you promptly and take appropriate steps to mitigate any potential impact.
By leveraging the comprehensive security features of Cliniko and following strict internal data protection protocols, Lady Basset Physiotherapy ensures that your personal data is always secure, confidential, and protected from unauthorised access.
9 How We Protect Your Information
Confidentiality and Consent: We are committed to maintaining the confidentiality of your personal and health information. We will not disclose any patient or personal information to third parties, such as private organisations, solicitors, employers, or police officers, without your explicit consent, unless required by law.
Third-Party Requests: If a third party, such as a solicitor, is acting on your behalf, we will not release any information about you without your explicit consent. In cases where we receive requests related to your care from a police officer or an employer, we will only disclose information with your explicit consent or as permitted by data protection laws.
Minimum Necessary Information: We adhere to the principle of data minimisation, meaning we only collect and process the minimum amount of information necessary to provide and support your care. This ensures that your data is handled responsibly and only used for the purposes for which it was collected.
Data Protection Principles: We follow data protection laws and principles to ensure that the information we collect is relevant, adequate, and not excessive. Our practices are designed to comply with the principle of data minimisation, which requires us to only collect information that is necessary for the specified purposes.
Data Security Measures: We have implemented appropriate security measures to protect your information from unauthorised access, disclosure, alteration, or destruction.
10 Communicating With Us
When you contact us, whether by telephone, through our website, or by e-mail, we collect the data you provide to respond to your inquiries and deliver the information or services you request.
Data Collection and Use: We collect personally identifiable information, such as your name, email address, and any other details you provide. This information is used to track and manage our communications with you, ensuring we provide a high-quality service and address your needs effectively.
11 Credit Reference
To assist in combating fraud and protecting our business interests, we may share information with credit reference agencies in specific circumstances. This includes:
Credit Reference Agency Involvement: If a client or customer instructs their credit card issuer to cancel a payment to us without first providing an acceptable reason or giving us the opportunity to refund their money, we may share relevant information with credit reference agencies. This helps us address and prevent fraudulent activities and manage financial risks.
Purpose of Sharing Information: The information shared with credit reference agencies is used to verify the legitimacy of the payment dispute and to protect against potential financial losses.
Data Handling: We ensure that any information shared with credit reference agencies is handled in accordance with data protection laws and regulations, maintaining confidentiality and security.
For any questions or concerns regarding how we handle information in relation to credit references, please contact us at info@ladybasset.co.uk.
12 Information Relating To Your Method Of Payment
We use Cliniko as our booking system, and payments are processed through Stripe. When you make a payment or provide payment details through our website, the following practices apply:
Secure Payment Processing: All payment transactions are processed securely through Stripe, which employs industry-standard encryption and security measures to protect your payment information.
Payment Data Handling: Stripe collects and processes your payment information on our behalf. We do not store or handle your payment details directly. Stripe's privacy policy outlines how your payment data is managed and protected.
Privacy and Security: Stripe is committed to maintaining the security and confidentiality of your payment information. For details on how Stripe handles your data, please review their privacy policy available here.
Transaction Records: Payment records are retained in accordance with our data retention policies and applicable regulations. This includes retaining transaction details for a period of 8 years after your last treatment, in line with our data retention practices.
Privacy Policy Updates: Our privacy policy may be updated to reflect changes in how payment information is processed. We encourage you to review our privacy policy periodically for the latest information on how we protect your data.
If you have any questions or concerns about payment processing or data security, please contact us at info@ladybasset.co.uk.
13 Cookies And Information We Collect Through Automated Systems When You Visit Our Website
Cookies Policy: By continuing to use our website, you agree to our use of cookies. For more details on how we use cookies and how you can manage them, please refer to our Cookies Policy.
Personal Identifiers from Your Browsing Activity: When you visit our website, we automatically collect information from your web browser or mobile device. This includes:
Geographical Location: We record data on your approximate location based on your IP address.
Internet Service Provider (ISP): Information about your ISP is logged.
IP Address: Your IP address is collected to help manage and secure our website.
Device and Software Details: We gather information about the type of device and software you are using, such as the type of computer or mobile device, operating system, and screen resolution.
We use this information in aggregate to evaluate the popularity of different webpages and assess how effectively we provide content. This helps us improve your user experience and enhance our services.
Potential for Personal Identification: While this data is primarily used in aggregate form, if combined with other information we have about you from previous visits, it could potentially be used to identify you personally. We take appropriate measures to safeguard your information and ensure it is handled securely.
14 Links
The Lady Basset Physiotherapy Centre website may contain links to other websites that are not owned or managed by us. These links are provided for your convenience and interest.
External Websites: Once you use these links to navigate away from our site, we no longer have control over the content or privacy practices of the external website. We cannot be held responsible for the privacy of information collected by these third-party sites.
User Responsibility: We encourage you to exercise caution when visiting other websites and to review their privacy policies. Each website will have its own privacy statement, and it is important to understand how your data is managed by those sites.
15 Your Rights
Right to be Informed: You have the right to be informed about the collection and use of your personal data. We aim to be transparent about how and why we process your information.
Right of Access: You have the right to request confirmation of whether we are processing information about you and to obtain a copy of that information. To make a request, please contact Sonia Jeffreys at info@ladybasset.co.uk.
Right to Rectification: You have the right to correct any inaccurate or incomplete data we hold about you. You can also request that we complete any information that is incomplete. To update your details, please contact us at info@ladybasset.co.uk or call us at 01209 698353. We will update your information as soon as possible and within 30 days.
Right to be Forgotten: You have the right to request the erasure of your data, for instance, if it is no longer necessary for us to process it, or if you withdraw your consent. Please note, this right is not absolute; we may need to retain certain data to comply with legal obligations or to fulfill other legitimate purposes. We will respond to a request for erasure within 30 days.
Right to Restrict Processing: Under certain conditions, you have the right to restrict the processing of your data. This is an alternative to the right to be forgotten and may not be applicable in all cases. If we refuse your request for restriction, we will provide a clear explanation. We will respond to requests for restriction within 30 days.
Right to Data Portability: You have the right to obtain your personal data from us and reuse it for your own purposes. This includes the right to transfer information to another organisation, such as a different physiotherapist.
Right to Object: You have the right to object to certain types of processing, such as direct marketing. If you exercise this right, we will stop processing your data for those purposes.
Identification Requirements: To process your data access requests, we require identification to ensure the security of your information. We will accept the following forms of ID: a copy of your driving licence, passport, birth certificate, or a utility bill not older than three months. A minimum of one piece of photographic ID and one supporting document is required. If the quality of the identification is insufficient, we may request additional information before releasing your data.
Legal Challenge: If we refuse a request under your rights, we will provide a reason for the refusal. You have the right to challenge our decision through legal channels if you believe your rights have not been upheld.
To exercise any of these rights or if you have questions about your personal data, please contact us at info@ladybasset.co.uk or by calling 01209 698353.
16 Data Retention
At The Lady Basset Physiotherapy Centre, we retain personal and health data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal, regulatory, and professional obligations, and to ensure continuity of care. Our data retention practices are aligned with the Data Protection Act 2018, the UK GDPR, and the Chartered Society of Physiotherapy (CSP) Record Keeping Guidance (PD061 v4, January 2021).
16.1 Retention Periods
Contact Details: We will retain your contact details for up to 12 months after our last interaction. This includes individuals who have contacted LBPC but did not proceed to receive treatment. We may retain your information for this period to allow for follow-up communication regarding our services. If you wish to have your contact details deleted sooner, please contact us at info@ladybasset.co.uk.
Patient Records:
Adults: We retain patient records for a minimum of 8 years from the date of the last treatment, in accordance with professional and legal guidelines.
Children’s Records: For patients under 18 years of age, records are retained until the patient’s 25th birthday (or 26th birthday if the patient was 17 at the time of their last treatment), in line with professional guidelines.
Inactive Patients: Even if a patient has not attended a consultation for several years, their data will be kept for the full retention period, as outlined above, to ensure legal compliance.
Financial Records: In accordance with financial regulations, billing and payment information is retained for 6 years, in line with tax and accounting obligations.
Communication Records: Emails, appointment history, and other communications related to your care will be retained for the duration of the patient record retention period.
16.2 Secure Disposal of Data
At the end of the retention period, we ensure that all personal data is securely destroyed:
Physical Records: Paper-based records are shredded and disposed of securely.
Electronic Records: Electronic records are permanently deleted from all systems and backups, ensuring that data cannot be reconstructed or recovered.
16.3 Data Retention for Legal or Clinical Purposes
In some cases, we may be required to retain certain data for longer periods if:
Ongoing Clinical Care: Your records are needed to ensure continuity of care.
Legal Obligations: We are required by law or regulation to retain data for longer than the standard retention period (e.g., in the case of ongoing litigation or regulatory investigations).
After these periods, data will be securely erased in compliance with the CSP Record Keeping Guidance and legal requirements.
16.4 Patient Rights and Retention
You have the right to request access to your data or request that it be deleted at any time. However, please note that we may be required to retain certain data for legal or clinical purposes, even if you request erasure.
If you wish to exercise your right to erasure, or if you have any questions regarding the retention of your personal data, please contact us using the details provided in this statement.
17 Encryption Of Data Sent Between Us
To protect your personal data during transmission, we use Secure Sockets Layer (SSL) certificates. SSL technology ensures that any data exchanged between your browser and our servers is encrypted and secure.
How to Verify SSL Encryption: When information is transferred between you and us, you can verify that it is encrypted using SSL by checking for the following indicators in your browser:
A closed padlock symbol in the URL bar or toolbar.
"https://" at the beginning of the URL.
These indicators show that SSL is active and your data is being transmitted securely.
18 Compliance with the law
Our privacy policy is designed to comply with applicable data protection laws and regulations in every country or legal jurisdiction where we operate.
Jurisdictional Compliance:
We strive to ensure that our privacy practices meet the legal requirements of the jurisdictions in which we conduct business. If you believe that our privacy policy does not comply with the laws of your jurisdiction, we welcome your feedback and encourage you to contact us.
Contact Us: Please inform us if you think our privacy policy does not meet the legal requirements of your jurisdiction. You can reach us at info@ladybasset.co.uk or by phone at 01209 698353.
User Choice:
Ultimately, the decision to use our website is yours. If you do not agree with our privacy practices or if our policy does not meet the legal standards in your jurisdiction, you may choose not to use our website.
19 Compliance with CSP Record Keeping Guidance
As a registered physiotherapy and sports therapy provider, Lady Basset Physiotherapy adheres to the Chartered Society of Physiotherapy (CSP) Record Keeping Guidance (PD061 v4, January 2021). This guidance sets out best practices for the recording, storage, and retention of patient information to ensure the highest standards of care, confidentiality, and accuracy in physiotherapy and sports therapy records.
We are committed to complying with all relevant data protection regulations, including the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Our practices are aligned with the guidelines provided by regulatory bodies, such as the Information Commissioner’s Office (ICO).
Self-Employed Associates – ICO Registration: All associates at Lady Basset Physiotherapy Centre (LBPC) are self-employed and, as per ICO guidelines, are required to register individually with the Information Commissioner's Office (ICO). This ensures that each associate is compliant with GDPR regulations when processing personal data.
20 Complaints
If you have concerns about how your personal data is being processed by The Lady Basset Physiotherapy Centre, you have the right to raise a complaint with us.
Contact Details for Complaints:
Postal Address:
Sonia Jeffreys
The Lady Basset Physiotherapy Centre
Church Road
Pool, Cornwall
TR15 3PT
Email Address:
We aim to address any concerns promptly and will respond to your complaint within 30 days. If we do not resolve your issue to your satisfaction, or if you do not receive a response within this timeframe, you have the right to escalate your complaint to the Information Commissioner’s Office (ICO).
Escalation to the ICO:
ICO Website: Make a Complaint
ICO Helpline: 0303 123 1113
ICO Address:
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
We encourage you to contact us first to discuss your concerns. We value the opportunity to address and resolve any issues before you take further steps.
21 References
General Data Protection Regulation (GDPR):
UK General Data Protection Regulation (UK GDPR) (2020)
Available at: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted.
Article 6(1)(b): Processing necessary for the performance of a contract.
Article 9(2)(h): Processing necessary for health or social care.
Data Protection Act 2018:
Data Protection Act 2018 (c. 12). Available at: Legislation.gov.uk.
Schedule 1, Condition 2: Conditions for processing special categories of personal data.
Chartered Society of Physiotherapy (CSP):
Chartered Society of Physiotherapy. (2021).
Record Keeping Guidance (PD061 v4, January 2021). Available at: CSP Record Keeping Guidance.
22 Review Of This Privacy Policy
To ensure ongoing compliance with relevant legislation and best practices, we may periodically update this Privacy Policy.
Policy Updates:
Effective Date: The terms of this Privacy Policy that apply to you are those in effect on the day you visit our website. We recommend that you print and keep a copy for your records.
Notification of Changes: Any updates or changes to this Privacy Policy will be posted on our website. For significant changes that impact how we process your data or your rights, we will provide a prominent notice on our website and, where appropriate, contact you directly via email or other means. We encourage you to review this policy regularly to stay informed about how we collect, use, and disclose your information.
Questions: If you have any questions or concerns regarding our Privacy Policy, please contact Sonia Jeffreys at info@ladybasset.co.uk.
23 Document Control Details
Version | Date | Created By | Approved By | Comments |
V1 | Aug 2017 | Sonia Jeffreys | n/a | Initial Policy |
V2 | Nov 2020 | Sonia Jeffreys | n/a | Update |
V3 | April 2021 | Sonia Jeffreys | n/a | Update |
V4 | Sept 2024 | Sonia Jeffreys | n/a | Update |
24 Contact Information
For any queries regarding this policy, therapists and contractors can contact:
The Lady Basset Physiotherapy Centre
Church Road, Pool, Cornwall,
TR15 3PT
Owner: Sonia Jeffreys
Email: info@ladybasset.co.uk
Phone: 01209 698353
Website: www.ladybasset.co.uk