Privacy Statement

Version: 2026
Last updated: January 2026
This Privacy Statement will be reviewed annually. You will be notified of significant updates by email, and the most recent version is always available on our website: www.pinewoodneurophysio.co.uk.


Introduction

Pinewood Neuro Physio (we/us/our) is committed to ensuring the safety and security of your personal information, which may be shared and used in the delivery of our physiotherapy services.

This Privacy Statement explains the types of information we collect, how and why we process it, and your rights under UK data protection law, including the UK GDPR and Data Protection Act 2018.

We process your personal data in accordance with UK data protection law.
Some processing is necessary to provide healthcare services or meet legal obligations, and some processing requires your explicit consent, which we will obtain where required.


Who we are

Name: Pinewood Neuro Physio
Main contact: Sarah Macdonald (Lead Physiotherapist)
Telephone: 07759 406 526
Email: info@pinewoodneurophysio.co.uk
ICO registration: ZB539554


What information we collect, use and why

We collect or use personal and special category data necessary to provide physiotherapy services, including but not limited to:

  • Name, address, contact details
  • Gender, pronoun preferences, date of birth, NHS number
  • Registered GP and contact details
  • Key safe details (with explicit consent)
  • Next of kin and emergency contacts
  • Names of other professionals involved in your care
  • Photographs and videos (with prior explicit consent)
  • Health information: medical conditions, allergies, physiotherapy assessment/treatment notes
  • Care needs: disabilities, home conditions, medications
  • Test results: scans, bloods, x-rays, other investigations
  • Records of meetings and communications (phone, email, text)

Special category data:

  • Racial or ethnic origin
  • Health information

Sources of information:

  • Directly from you
  • Family, carers (with legal authority, i.e. with consent from you, or LPoA for Health & Welfare or Court of Protection Deputy)
  • Other health & care providers (e.g. your GP, Consultant, etc.) and Social Services

Who we share information with

  • Data Processor: WriteUpp – secure, ISO27001-certified practice management software (data centres in Ireland, EU), with UK-approved safeguards in place.
  • Physiotherapy staff: The Lead Physiotherapist and, where applicable, Associate Physiotherapists working on behalf of Pinewood Neuro Physio. Associates act under contract and process personal data only in accordance with our instructions, professional obligations, and a Data Processing Agreement.
  • Parkinson’s exercise classes: Limited attendance information (name and attendance status of NLPD members only) is shared with Northern Lights PD Support Group for class administration and delivery. Both organisations act as independent data controllers. Sharing is limited to what is necessary and covered by a formal data sharing agreement.
  • Other health and care providers, and local authorities
  • Organisations where safeguarding obligations apply
  • Emergency services, legal authorities, and professional advisers
  • Only with your explicit consent: marketing purposes (e.g. website, social media, advertising)

We never share personal data without a legitimate and lawful reason.

When we may receive or share personal information

  • During an enquiry from you, or someone acting on your behalf (if legally entitled)
  • During the assessment and treatment process
  • At the end of our input, for example with a discharge letter

Secure communication: 

Email sharing is encrypted (e.g. via Egress or Proton Mail). Sensitive documents (such as physiotherapy summaries) are sent via WriteUpp with separate access codes.

Duty of confidentiality

We maintain a duty of confidentiality, except where:

  • You provide explicit or implied consent
  • We are legally obliged to share data
  • Public interest overrides confidentiality (e.g., serious crime detection)
  • Safeguarding is required
  • The Health Service (Control of Patient Information) Regulations 2002 apply

Lawful basis for processing

We rely on the following lawful bases under UK GDPR:

1. Consent (6(1)(a)) – explicit consent obtained for:

  • Handling enquiries, assessing suitability for services. Special Category Condition: 9(2)(h) – healthcare provision
  • Key safe details, emergency contacts. Special Category Condition: 9(2)(h) – healthcare provision
  • Photographs/videos for treatment monitoring. Special Category Condition: 9(2)(h) – healthcare provision
  • Photographs/videos for marketing purposes. Special Category Condition: 9(2)(a) – explicit consent

If a client lacks the capacity to consent, we may obtain consent from a legally authorized representative (such as a Lasting Power of Attorney for Health and Welfare, a court-appointed deputy, or a legal guardian). If no such representative exists, processing may proceed under a different lawful basis where necessary for healthcare provision.

2. Contract Performance (6(1)(b)) – necessary to provide services:

  • Physiotherapy assessment, treatment, appointment scheduling, email reminders, invoicing. Special Category Condition: 9(2)(h) – healthcare provision.  You can opt out of email appointment reminders by contacting us.

3. Legal Obligation (6(1)(c)) – to comply with law and professional regulations:

  • Maintaining clinical records, audits, regulatory compliance. Special Category Condition: 9(2)(h) – healthcare provision

4. Legitimate Interests (6(1)(f)) – service improvement:

  • Client feedback surveys, anonymised/pseudonymised audits. Special Category Condition: 9(2)(h) – healthcare provision.  You can opt out of receiving surveys at any time by contacting us.

Where legitimate interests are relied upon, we perform a balancing test to protect your rights. You may request details of this assessment.


Data subject rights

We do not use automated decision-making or profiling.

You have the following rights:

  • Access: Request copies of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Delete personal data, unless legally required to retain
  • Restriction of processing
  • Portability: Receive your data in a structured, commonly used format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: For consent-based processing, including photos/videos

Note: Responses to rights requests will be provided without undue delay, normally within one month, extendable by up to two months for complex or numerous requests.

Which lawful basis we rely on may affect your data protection rights, for example, the right to erasure may not apply when the data is necessary for legal obligations or medical records. You can find out more about lawful bases, your data protection rights and the exemptions which may apply on the Information Commissioner’s Office website www.ico.org.uk.


Storing your information

  • All records are stored securely in WriteUpp, ISO27001-certified and UK GDPR-compliant practice management software, with whom we have a Data Processing Agreement.
  • Data is encrypted in transit and at rest.
  • Access by Physiotherapy Associates of Pinewood Neuro Physio is compliant with a Data Processing Agreement.

How long we keep information

  • As a registered Health Care Professional, we are obliged to store your health care record for a minimum of 8 years from your last contact with our service (children: until 25th birthday).
  • Complaint/legal proceedings: retained until resolution or 8 years after last contact, whichever is longer.  This is in line with the Records Management Code of Practice 2021.
  • Following the retention period, your records will be securely destroyed.
  • Enquiry-only records: retained for 12 months, then securely destroyed.
  • Your contact details on mobile phones are deleted after your episode of care closes.
  • Key safe information is deleted at the end of the treatment episode.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: www.ico.org.uk/make-a-complaint

Changes to this statement

You will be notified of significant updates by email, and the most current version is on our website. An annual review ensures ongoing compliance with UK GDPR, the Data (Use and Access) Act 2025, and ICO guidance.