top of page





Dudley Physiotherapy Clinic wants you to be confident that the personal data we hold for you is safe and secure.

We collect your data in a number of ways, and it is always kept confidential.


What data will be collected and by whom?

As a clinic, the data will be collected initially by the reception staff and will be name, address, telephone number, email, date of birth and GP practice you are registered with.  (This is your basic data)

The physiotherapist will then collect your recent medical history and a description of your current symptoms and concerns. (This is your sensitive data)


Where is my data stored?

Your personal and medical data is stored on the Practice Management system – Cliniko. 

Cliniko is a secure encrypted electronic medical records database.

Our desktop computer which can only be accessed by staff using 2 different passwords. Data may be used for analysis.

Cloud storage is used for temporary storage/collection of patients notes which is only shared between clinician and CRM storage server. Storage is password protected and encrypted via 256-bit AES encryption.

Our computer is backed up physically on removable storage which is kept off site securely behind 2 lockable doors.

Our online client management system which stores digital copies of your notes, correspondence and other clinically relevant information is securely stored on UK based servers, to access all users require two factor authentication. 

Your sensitive data is also stored on our paper-based files which is kept in locked cabinets when the clinic is closed. Once discharged the data is kept locked away for 8 years until is it shredded.


Will my Data be Shared?

The data will only be shared with the following and for the reasons given: - 

GP – We may write to your GP if symptoms do not ease or get worse. This may be to ask for further investigations or to give them a report on your condition, your consent to do this will be obtained prior to sending. This is usually sent through secure NHS email Insurance company – If you have been referred to us by an insurance company, we may have to provide them with initial assessments and discharge reports. 

Staff – in the course of completing their jobs staff may see sensitive information on your treatment notes. All staff have signed a confidentiality clause as part of their job contract. 

Imaging Services – If we have to refer you on to an imaging service for MRI or ultrasound, we have to give them your basic data such as address, DOB etc and then a brief history of the issue and why we are asking for you to be scanned.


Who has access to your data?

Physiotherapists have access to both basic and sensitive data to enable them to treat you.

Receptionists have access to your basic data. In carrying out their job they may see sensitive data but have signed confidentiality agreements.

GP – we may need to contact your GP or send them a report of your treatment/symptoms. We may need to send an assessment and discharge report to them if you have been referred to us by them.


How your data will be used?

To enable the clinic to provide you with the best treatment possible. 

To provide you with an invoice by post for payments due or a receipt for payments made.

To send you a text/email message reminder of appointments.        



What legitimate interest does the clinic have for using your data?

As a healthcare provider Dudley Physiotherapy Clinic needs your data to complete your treatment and to allow us to comply with our legal requirements. Our lawful basis for processing your data is Consent and Legal Obligation.


What is considered as Special or sensitive data?

Health data (Including Genetic) is sensitive data. This is needed as a requirement to treat you. Other sensitive data E.g. racial, political, religious, biometric and sexual is not collected by us or recorded in any way unless you specifically ask for it to be recorded.


Right to be forgotten

You have the right under the law to ask companies to remove your data from their systems. We can do this but not until after 8 years have passed after you have been discharged. This is the legal minimum we must keep your notes by law and this law over rules GDPR.



By consenting to this privacy notice you are giving us permission to process your personal data for the purposes identified above.  


You may withdraw consent at any time either verbally or in writing to Stuart Elwell, Dudley Physiotherapy Clinic, 1a Parsons Street, Dudley, DY1 1JJ.  Telephone 01384 233306



Dudley Physiotherapy Clinic will not pass your data to third parties without first obtaining your specific consent. You will have to sign an agreement to this before any data is shared.

A copy of this privacy policy is available for you to take away.

bottom of page