Physiotherapy Terms and Conditions
Privacy Notice (GDPR)
This privacy policy outlines how Em Thomson Physiotherapy collects, uses, and protects personal data in compliance with the Health and Care Professions Council (HCPC) Standards of Conduct, Performance and Ethics, Chartered Society of Physiotherapy (CSP) guidance, and UK GDPR. This policy applies to all patients, staff, and business partners of the practice.
Compliance with HCPC and CSP Standards
Em Thomson Physiotherapy is committed to maintaining confidentiality and handling personal data in line with the HCPC’s and CSP’s professional and ethical guidelines, particularly:
HCPC Standard 10: Duty to protect patient information and maintain accurate records.
HCPC Standard 2: Responsible and clear communication regarding data use.
CSP Data Protection Guidance: Ensuring best practice in the collection, storage, and sharing of patient information.
What Personal Data Em Thomson Physiotherapy Collects
Em Thomson Physiotherapy collects and stores the following personal information:
Patient details (name, date of birth, addresses, contact details, GP details, next of kin)
Medical history, treatment notes, and referrals
Payment details (for processing fees)
Communications with patients (emails, letters, and forms)
Marketing preferences (where applicable and with consent)
Chaperone details (name)
Purpose of Data Collection
Patient data is collected and processed for the following purposes:
Providing physiotherapy assessment and treatment
Maintaining accurate health records in compliance with HCPC and CSP guidelines
Processing payments and managing billing records
Sending appointment reminders and relevant health information
Conducting anonymous audits for quality assurance and clinical improvement
Data Storage and Security Measures
Em Thomson Physiotherapy uses secure systems to store and manage patient data:
Patient records are stored digitally using Microsoft Business cloud-based software, compliant with UK GDPR.
Physical records (if applicable) are stored securely with restricted access.
Access to data is limited to Em Thomson as the treating clinician.
Em Thomson undergoes data protection training to ensure compliance.
Data Retention Period
Patient records are kept in line with HCPC guidelines:
Adult patient records: Retained for 8 years after the last appointment.
Children’s records: Retained until the patient turns 25 years old.
After the retention period, data is securely destroyed in compliance with ICO regulations.
Data Sharing and Third Party Processors
Em Thomson Physiotherapy does not share personal data with third parties without explicit patient consent, except where required by law or professional obligations.
Where cloud-based record systems are used, patient data remains confidential and is only accessed by authorised personnel.
Where referral letters are required (e.g., to GPs or consultants), patient consent is obtained beforehand.
Any sharing for clinical audits or training purposes will always be fully anonymised.
Marketing and Communications
Patients will only receive marketing communications if they have opted in.
Every patient has the right to withdraw consent for marketing at any time.
ICO Registration and Compliance
As a data controller, Em Thomson Physiotherapy is registered with the Information Commissioner's Office (ICO). Patients can contact the ICO if they have concerns about how their data is handled.
Data Breaches and Reporting
In the event of a data breach:
Em Thomson Physiotherapy will notify the ICO within 72 hours as required under UK GDPR.
Affected individuals will be informed where there is a risk to their rights or privacy.
Patient Rights and How to Contact
Patients have the right to:
Request access to their data
Ask for corrections to inaccurate information
Withdraw consent for marketing or data processing
Request deletion of personal data where legally permitted
For any queries, data access requests, or concerns, please contact physio@emthomsonyoga.com
Last Updated: 22nd May 2026