Privacy Policy

Information about Physio@Home

Company Name: Physio@Home
Address: 4 Berkeley Hill, Falmouth. TR11 2BL
Place of registration: England and Wales
Registered Office: N/A – a mobile service
Email Address: Physio-at-home@outlook.com

Principal activities: Healthcare services as defined below.

About our Privacy Notice

Physio@Home is dedicated to safeguarding your privacy and legal rights concerning your personal information. This Privacy Notice aims to offer transparent and comprehensible information about the data we gather regarding you (or individuals for whom you've provided information, such as your child), how we utilize and safeguard it, and details your rights related to the processing of this data.

Should you have any questions regarding this Privacy Notice, require clarification on any points, or wish to reach out regarding the personal information we maintain, please email us at Physio-at-home@outlook.com.

Physio@Home is registered with the Information Commissioner's Office under registration number ZB685638.

Right to Object
You retain the right to object to the processing of your data in cases where such processing is based on legitimate interests or if it is used for direct marketing purposes. The concept of 'legitimate interests' is elaborated upon in this Privacy Notice. Please reach out to us initially if you wish to exercise this right to object.

Definitions of terms within this Privacy Notice
When we refer to ‘we’, ‘our’, ‘us’, or ‘Company’, we are directly addressing Physio@Home.

‘Services’ refers to healthcare-related services provided by us, as defined in the ‘Scope of healthcare services’.

GDPR refers to the EU General Data Protection Regulation that came into force on May 25th, 2018.

ICO refers to the Information Commissioner’s Office and may also refer to any successor as the UK data protection authority.

‘Data Protection Laws’ encompass the Act, GDPR, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003), and all applicable laws and regulations concerning the processing of personal data and privacy. This includes any guidance and codes of practice issued by the ICO or any other supervisory authority, and equivalents in relevant jurisdictions.

‘Data Controller’, ‘Data Processor’, ‘Data Subject’, and ‘Personal Data’ have the meanings provided in the Act and GDPR.

‘Website’ or ‘site’ refers to the Company’s website at https://www.physioathome.uk/.

‘Patient’ or ‘patients’ refers to individuals who use or intend to use our services.

‘Patient or patient’s data’ includes Personal Data or Special Category data, as defined by the GDPR.

‘Personal information’ encompasses Personal Data or Special Category data, as defined by the GDPR.

Privacy Notice scope
This Privacy Notice extends to any individual (referred to as a 'data subject') who inquires about, utilizes, or procures our services. Please refer to the section titled 'Scope of Health Care Services' for further details.

It also applies if you engage with us in any form, whether discussing current or previous usage of our services.

If you are reading a printed version of our Privacy Notice, note that it may not be the most recent edition. Please access the current Privacy Notice on our website, or reach out to us using the contact details provided at the beginning of this Privacy Notice to request a copy via email in Adobe PDF format.

Scope of Health Care Services
Physio@Home provides the following health care services:
- Physiotherapy

Securing your personal information
Data protection regulations mandate that we must implement suitable technical and organizational measures to prevent unauthorized access or processing of personal information. As the Data Controller for Physio@Home, we bear the responsibility for implementing these measures.
The level of technical safeguards applied to data should be proportionate to the type of information involved and the potential harm that could arise from its misuse, accidental deletion, or destruction.

Outlined below are some of the technical and organizational measures we have established to uphold the security and integrity of your data:
- Our clinicians and administrative staff receive training on handling personal information appropriately and responding to data breaches.
- We adhere to basic cybersecurity practices, such as locking screens when unattended and promptly installing Windows/Mac OS updates.
- Whenever feasible, we employ two-factor authentication for critical systems.
- We enforce regular password changes across our systems.
- All our note storage is managed through Write Upp, a platform compliant with ISO27001, a globally recognized standard for information governance and security. For more insights into their security protocols, please refer to https://www.writeupp.com/security.

How we collect personal information from you
We gather personal information directly from you or from third parties acting on your behalf.
If you provide us with personal information about others, please ensure they have reviewed and understood this Privacy Notice before sharing such information with us.
We collect both Standard and Special Category personal data from various sources, including:
- Your parent or guardian, if you are under 18 years old
- Family members or authorized representatives
- Interpreters representing you
- Your direct input during consultations, via email, telephone, or postal communications
- Explicit consent given for educational or marketing email subscriptions
- Manual completion of referral, assessment, registration, and other forms
- Information shared by clinicians and their administrators involved in your care, through electronic or postal means
- Direct communications from social services, caregivers, relatives, or friends, via phone or in person
- Data from medical imaging and diagnostic testing providers involved in your treatment
- Information from your private medical insurance provider or referring Embassy
- Data obtained in emergencies by social services, police, or ambulance services staff

Categories of personal information that we process
Standard personal information, which can include (but is not limited to):
- name
- address(es)
- email address(es)
- telephone number(s)
- occupation
- date of birth
- next of kin or similar contact details
- details of any complaints or grievances raised that relate to the provision of our services
- financial details that relate to payments for our services (note we do not store card details)
- account details relating to your private medical insurance provider

Special Category personal information
This is personal information specifically relating to your:
- health, both physical and mental

Special Category personal information relating to health can include (but is not limited to) clinical notes, examination findings, medical imaging data related to your care, diagnostic test results, and correspondence and communications from other clinical professionals which relate to your current or past clinical care.

What we use your personal information for
Under the law, we must establish lawful bases for processing both your Standard personal information and your Special Category personal information. Moreover, for Special Category personal data, we must specify a condition or conditions for processing, in addition to the lawful basis or bases.

These two types of personal information are detailed in the section titled "Categories of personal information that we process."

For 'Standard' personal information:

We process your Standard personal information under the following circumstances:
- It is within our Legitimate Interests. Further details on what constitutes Legitimate Interests are provided below.
- It is our Legal Obligation – meaning we are obligated by law to process your Standard personal information to comply with legal requirements. Further details on Legal Obligation are provided below.
- We have obtained your Explicit Consent – this applies when you have opted in to receive our email newsletters, blogs, and marketing offers, or when you have consented to receive such communications via our marketing consent form through an opt-in checkbox.

Standard personal information – Legitimate Interests
The law mandates that we carefully balance the processing of your Standard personal information with your interests, rights, and freedoms. We conduct a legitimate interests assessment to ensure that the processing of your Standard personal information does not override your related interests, rights, or freedoms.

The Legitimate Interests identified that allow us to process your Standard personal information include:
- Gathering sufficient information to identify you when scheduling appointments
- Sending basic appointment-related information via email
- Managing our relationship with you concerning invoicing and insurer authorization codes
- Contacting you to reschedule or cancel appointments

If you schedule an appointment as a potential patient and we have no prior clinical records directly related to your care, cancelling the appointment means we no longer have a legitimate interest in processing your data. In most cases, we would delete any personal information used for booking.

Please be aware that if you are a current patient or have scheduled appointments, we will use your email address to notify you of clinic-related changes, such as fee adjustments or address updates. Even if you opt out of receiving marketing or educational emails, we will still use your email address for clinic-related communications.

Standard personal information – Legal Obligation
We process Standard personal information to meet our Legal Obligation, which entails maintaining comprehensive records of the healthcare services provided to you. This involves processing a subset of your Standard personal information, with the lawful basis being a Legal Obligation.
The Standard personal information processed under Legal Obligation includes:
- Full name
- Address
- Date of birth
- Gender
- Contact details (email address, telephone number)
- Parent(s) or legal guardian details if you are a minor

Please note that while we initially use Legitimate Interests as the lawful basis for processing your data, once you receive our services and we document clinical notes related to your care, we will then process your Standard personal information based on our Legal Obligation.

For ‘Special Category’ personal information
Since we provide healthcare services to you, we have compelling reasons to process your Special Category personal information. It is essential for us to process this information in compliance with Data Protection Laws, as explained in the section "Definitions of terms within this Privacy Notice" within this document.

We process Special Category personal information about you under the following circumstances:
- It is our Legal Obligation – meaning we are required by law to process your Special Category personal information. Further details on the Legal Obligation and additional conditions for processing are provided below.

The conditions under which we process your Special Category personal information include:
- Processing is necessary for preventive or occupational medicine, medical diagnosis, or the provision of healthcare or treatment, based on Union or Member State law or pursuant to contract with a healthcare professional.
- Processing is necessary for establishing, exercising, or defending legal claims (e.g., processing personal information for a legal claim against us, including sharing information with our regulatory body if lawfully requested).

Special Category information – provision of healthcare or treatment based on UK law (lawful basis is Legal Obligation)
Healthcare professionals directly involved in your care, regulated by bodies listed in the Medical Act 1983 or the Health Professionals Order 2001, are legally obligated to record information related to preventive or occupational medicine, medical diagnosis, or healthcare provision.
We are obligated to demonstrate compliance with legal requirements outlined in The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. This includes:
- PART 3, Section 2, Regulation 17 (c), which mandates maintaining accurate, complete, and contemporaneous records for each service user, including care and treatment details and related decisions.

Note that you, as the patient, are considered the "service user."
Our Regulatory body, the Health & Care Professions Council (HCPC), also mandates the collection and processing of medical records to support safe and effective care. Given that our regulatory body operates under UK law, this underscores the legal requirement to maintain clinical records related to your care.

Sharing your personal information
At times, we need to share your information with other individuals or organizations for the purposes outlined in this Privacy Notice. We will share the minimal amount of your personal data necessary with these parties:
- Doctors, surgeons, clinicians, and other healthcare professionals, as well as hospitals, clinics, and healthcare providers.
- Their administrative staff, such as secretaries.
- Individuals or organizations mandated by law or our regulatory body to receive your personal information.
- Law enforcement agencies, when required by law or court order.
- A parent or legal guardian, if you are a minor.
- Any individual authorized by you to receive information from us.

Transferring Information Outside the European Economic Area (EEA)
Typically, we store your personal information on secure systems located within the EEA. In instances where our systems are located outside the EEA, we ensure the presence of suitable contractual or other safeguards to protect your data.
These measures may involve agreements between the data controller (us) and data processors, ensuring their compliance with data protection laws. Alternatively, your data may be transmitted from the EEA to global locations in a highly encrypted format, stored on secure systems utilizing "zero knowledge" encryption, meaning it cannot be decrypted by data processors.

Retention Period for Your Personal Information
As we process your personal data for the provision of healthcare services based on the lawful basis of Legal Obligation, we are also legally obligated to retain this data.
Additionally, we adhere to industry-standard retention guidelines (established by the UK National Health Service) in line with regulatory body requirements.

Typically, we retain and process your personal information for eight (8) years for adults and until their 25th or 26th birthday if they are a child. However, this duration may extend under specific circumstances. Should you have inquiries about the duration of data processing, please reach out to us.

We also retain information to address any legal claims arising from your use of our services, storing the data as long as necessary and advised by our legal counsel.

Your Rights Regarding Processing and Storage of Personal Information
Your rights concerning our processing and storage of your personal information are detailed below:
The right to be informed:
- You have the right to be informed about the name and contact details of our organization, which are provided at the top of this document.
- You are entitled to clear and concise information about how we collect and use your personal data, which is outlined in this Privacy Notice.

Please note that while you have several rights, they are not absolute. The only absolute right you possess is to request that we do not use your personal information for direct marketing purposes.
Feel free to contact us if you have questions about your rights as described below. We are committed to explaining how your rights apply to the personal information we process for our specified lawful purposes.

The Right of Access
You have the right to confirm whether your data is being processed and to access this information. This process is known as a Subject Access Request (SAR), although you do not need to use this term when requesting your personal information from us. You also have the right to receive a copy of the personal data we process about you.

To initiate this process, we will need to verify your identity using reasonable methods.

Upon successful identification, we will respond to any requests for your personal information (SARs) within 30 days. However, if the request is deemed complex or repetitive, we may notify you of a potential extension of up to two months to provide the information.
There is no charge for requesting information from us. However, if the request is repetitive, we may charge a reasonable fee. If you wish to request information that we have previously provided, please contact us beforehand to discuss applicable fees.

In cases where the request is manifestly unfounded or excessive, especially if it becomes repetitive, we may:
- Charge a reasonable fee to cover administrative costs; or
- Refuse to respond to the request.

If we refuse a request, we will explain the reason for our decision and inform you of your right to lodge a complaint with the ICO (Information Commissioner's Office) promptly, and no later than one month after our refusal.

The Right to Rectification
You have the right to request correction of your personal information. However, we will only consider requests to rectify factual inaccuracies. Clinical opinions will remain valid as recorded at the time. If a clinical opinion or diagnosis has since changed, we will update your personal information accordingly, but the original opinion will not be altered or removed.

The Right to Erasure
You have the right to request erasure of your personal information.
If you have subscribed to our educational or marketing emails, you can request removal from our email list by clicking the 'unsubscribe' link provided in all our emails. We will only use your personal information for marketing or educational purposes if you have explicitly consented.
We will evaluate all erasure requests in alignment with our legal obligation to retain healthcare-related information and data protection laws, which specify exceptions to the right to erasure. Generally, we will not erase information required for legal reasons. If deletion is not feasible, you still have the right to request restriction of processing of your personal data.

The Right to Restrict Processing
You can request to restrict the processing of your personal information. This means we will cease active processing and only store the data. Ceasing processing will prevent additional information from being added to your existing records.

The Right to Data Portability
Since we do not process personal information based on either consent or for the performance of a contract, the right to data portability does not apply. However, you still have the right to request this.

The Right to Object
You have the right to object to processing based on legitimate interests or if processing is used for direct marketing purposes.

Rights Concerning Automated Decision-Making and Profiling
We do not engage in automated decision-making or profiling with your personal information.

The Right to Complain to a Supervisory Authority
If you wish to make a complaint, we encourage you to first contact us. You can find a template letter and guidelines on the ICO website:
https://ico.org.uk/for-the-public/raising-concerns/

You can also directly contact the ICO. Their contact information is as follows:

Wycliffe House, Water Lane, Wilmslow, SK9 5AF