Privacy Policy

Data Protection Policy for Sussex Physio

Updated 14/06/2020 – to comply with May 2018 GDPR

Statement of awareness:

This document records that we are aware of our data protection obligations under the GDPR. It lists where we keep patient data and what data we hold. We have a consent form which every patient, or their power of attorney, signs before assessment is started.

Patient data we keep:

  • Name
  • Date of birth
  • Address
  • Next of kin contact details
  • Care home name and number
  • GP name and address
  • Consultant name and hospital
  • Social worker name and number
  • Any other relevant health / social care professional name and number involved
  • Medical notes that we make throughout assessment and treatment sessions including phone calls

How we keep patient data:

This is all kept on a secure password protected computer in our house. The hard drive is encrypted. Any paper notes will be locked in a secure cabinet in our home.

Transporting data:

We make written paper notes to record assessments and progress notes whilst with patients and transcribe these into Word documents which are securely kept on our computer at home. All paper notes are then shredded and disposed of safely.

How to make data electronic:

Any photos of patient information such as GP summaries, medical reports, prescriptions etc. must be taken with the Physiotherapist’s phone and saved to the electronic clinical notes, then deleted from the phone immediately. If this information has been emailed, it can be saved directly to the electronic notes and then deleted from the inbox and the trash.

Sharing patient data

We have a duty of care to share relevant information with involved health and social care practitioners in the case of safeguarding concerns. This is at our discretion, and we will normally inform you first.

We are also sometimes required to share your information to make onward referrals, with your consent, or to liaise with other medical or social care staff for your benefit; you will be informed before these discussions occur. This is only done when necessary, with the minimum of information conveyed.

Information will only be shared for the purposes agreed at the original time of disclosure. If it is later required for another purpose, this must be agreed in person with the patient whose data it is.

We will willingly provide patients with their own data at their request, in electronic or paper format, within 28 days. We will need to verify that the person requesting the data is the correct patient by asking for their full name, date of birth and address.

Deleting patient data

After 10 years we delete all electronic patient data and keep no traceable copy. Paper notes are shredded so that they are untraceable.

Processing patient data

We will not process any data for any profiling or marketing purposes currently (to be reviewed in 2021).

Data breach

We will notify any clients involved within 72 hours of becoming aware of the breach. In the case of a significant breach we will inform the Information Commissioner’s Office (ICO).

Auditing:

Emily Foster will audit this data protection process every 6 months to ensure that passwords are being used on digital documents, that information shared by email has been anonymised as described in the Information Security Policy section, and that paper documentation is locked and secured.

Right to be forgotten:

We have a legal duty to keep your notes for 10 years and no shorter time than this. This means that the law does not allow you to ask us to erase your notes within that period. If a court of law requires your notes within 10 years of our contact with you, we are obliged to provide them.

Information Security Policy:

Sussex Physio does not resell your data. Emails containing patient information will be anonymised as far as possible. If this has not happened, the information will be copied and pasted into the patient notes and the email will then be erased and ‘removed from trash’.

Relevant legislation and guidance:

  • Records Management: Code of Practice for Health & Social Care 2016
  • NHS Information Governance: Guidance on Legal and Professional Obligations September 2007
  • The Health and Social Care Acts 2008 and 2012, the Health & Social Care (Safety and Quality) Act 2015, and their regulations
  • Data Protection Act 1998 – and updated 2018 GDPR

If you wish to discuss our privacy policy, please contact us via email at