Banbury Private Physiotherapy Practice Ltd


Health Align

GDPR and Privacy Policy – Client Information

  1. Introduction:

As you may already know a new data protection legislation is due to become effective on 25th May 2018, called GDPR (General Data Protection Regulations). This aims to give you greater control over your personal information and to better protect your data in the modern world.

One thing that has not changed is our commitment to keeping your personal information safe. We protect all data we hold about you and keep it confidential. If you are happy with the ways we communicate with you, there is no need to do anything. If however, you wish to update us with your preferences please email us at:

Our data protection and privacy policy are written out below and are written in some detail due to the huge diversity of clients that we serve. Please read through it and bear with us if some of the document may not apply to you.

The purpose of this policy is to give guidelines on how we maintain confidentiality and privacy, the circumstances where disclosures may be necessary, and the procedure for doing so. To this end we fully comply with the UK Data Protection Act 1998 and GDPR.  The personal data that you provide us is also be protected in accordance with the clinical confidentiality guidelines, including those published from time to time by the General Medical Council (GMC) and the Health and Care Professions Council (HCPC), and your rights in relation to that data (ref. Article 5 GDPR).

  1. Processing personal data 

Please read the following carefully to understand how we process your personal data. By providing your personal data to us, or by using our services, you are accepting or consenting to the practices described or referred to in this Privacy Policy.

For the purpose of Data Protection Laws, the data protection officer (DPO) for Banbury Private Physiotherapy Practice LTD/Health Align LTD is:

Sarah Baimbridge


Banbury Private Physiotherapy Practice LTD

49 North Bar Street


Oxon OX16 0TH

We are also registered with the Information Commissioners Office (

  1. What personal data may we collect from you?

When we refer to personal data in this policy, we mean information that can, or has the potential to identify you as an individual.

We may hold and use personal data about you as a customer, a patient, a service user, or in any other capacity. To avoid confusion and for the purposes of this document everyone who chooses to use the services of the Banbury Private Physiotherapy Practice LTD will be referred to as a “client”.

Data collection can occur for example, when you visit our website, complete a form, access our services, or speak to us.  Depending on what services you receive from us this may include sensitive personal data such as information relating to your health and wellbeing.

  1. Data collection


Personal data we collect from you may include the following:

  • information that you give us when you first enquire, information to become a client, or apply for a job or training course with us, including name, address, and contact details (including email address and phone number)
  • the name and contact details (including phone number) of your next of kin, or carer, or power of attorney / executive
  • details of referrals, quotes and other contact and correspondence that we may have had with you
  • details of services and / or treatment that you have received from us or which has been received from a third party and referred on to us
  • information obtained from customer surveys
  • notes and reports about your physical and mental health and any treatment and care you have received and / or need, including about clinic and hospital visits, test results and medicines administered
  • patient feedback and the treatment outcome information that you provide
  • information about complaints and incidents
  • information you give us when you make a payment to us, such as financial or credit card information

Note: Where you have named someone as your next of kin, or as your main carer, or as your power of attorney, and provided us with personal data about that individual, it is your responsibility to ensure that that individual is aware of and accepts the terms of this Privacy Policy.

Note: The data that we request from you may include sensitive personal data. By providing us with sensitive personal data, you give us your explicit consent to process this confidential personal data for the purposes set out in this Privacy Policy.

  1. Personal data we may receive from third parties and other sources

We may receive and collect personal data about you from third parties such as:

  • The NHS – for the continuity of your care we may be passed medical information usually in the form of a referral letter for the purposes of your treatment with the Banbury Private Physiotherapy Practice LTD or from a third-party consultant.
  • Independent consultants – these Consultants, including solicitors, may need to share your personal data and medical records with the Banbury Private Physiotherapy Practice LTD. Insurance providers may also pass personal data of clients to The Banbury Private Physiotherapy Practice LTD who have commenced a claim and require treatment with the Banbury Private Physiotherapy Practice LTD
  1. The use of personal data

Further details on how we use health related personal data are given below. We may use your personal data to:

  • enable us to carry out our obligations to you arising from any contract entered between you and us, including providing services or treatments to you and related matters such as, billing, accounting and audit, credit or other payment card verification and anti-fraud screening
  • provide you with information, products or services that you request from us
  • notify you about changes to our products or services
  • respond to requests where we have a legal or regulatory obligation to do so
  • check the accuracy of information about you and the quality of your treatment or care, including auditing, medical and billing information for insurance claims as well as part of any claims or litigation process
  • supporting your doctor, nurse or allied healthcare professional
  • assess the quality and / or type of care you have received (including giving you the opportunity to complete customer satisfaction surveys) and any concerns or complaints you may raise, so that these can be properly investigated
  • to conduct and analyse market research
  • to ensure that the content from any of our websites is presented in the most effective manner for you and for your computer.
  1. Security of your personal data

We will protect all personal data we hold about you by ensuring that we have appropriate organisational and technical security measures in place to prevent unauthorised access or unlawful processing of personal data, and to prevent personal data being lost, destroyed or damaged. We conduct assessments to ensure the ongoing security of our information systems.

Any personal data you provide will be held for as long as is necessary having regard to the purpose for which it was collected and in accordance with all applicable UK laws.

  1. How long your information is kept for and how it is stored?

Your information is retained in secure electronic and paper records and access is restricted to only those who need to know. Information will be retained in line with the Records Management Code of Practice for Health and Social Care 2016 retention schedules as follows:

Adult records – Basic health and social care retention period is 7 years after the last appointment.

Children’s records – Basic health and social care retention requirement is to retain until 25th birthday or if the patient was 17 at the conclusion of the treatment, until their 26th birthday.

  1. Data storage

As part of the services offered to you, for example through our Website, the information you provide to us may be transferred to and stored in countries outside of the European Economic Area (EEA) as we use remote website server hosts to provide the website and some aspects of our service, which may be based outside of the EEA, or use servers based outside of the EEA – this is generally the nature of data stored in “the Cloud”.  It may also be processed by staff operating outside the EEA who work for one of our suppliers, e.g. our website server host, or work for us when temporarily outside of the EEA.

We will only use credible IT and information storage hosts with the highest level of security

  1. Internet Security

The transmission of information via the Internet or email is not completely secure.  Although we will do our best to protect your personal data, we cannot guarantee the security of data during the transmission of it to our site, and any such transmission is at your own risk.  Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.

At your request, we may occasionally transfer personal information to you via email, or you may choose to transfer information to us via email.  Email is not a secure method of information transmission; if you choose to send or receive such information via email, you do so at your own risk. Where we have gained your permission to email relevant reports, for example to your GP or consultant, we will use a password protected portal in order to send this information.

  1. Payment data

All information that you provide to us is stored securely. Any payment transactions will be processed securely by third party payment processors.

We may share your personal data with our payment processors, but only for the purpose of completing the relevant payment transaction. Such payment processors are banned from using your personal data, except to provide these necessary payment services to us, and they are required to maintain the confidentiality of your personal data and payment information.

  1. Disclosure to third parties

In the usual course of our business we may disclose your personal data (to the minimal extent necessary), with certain third-party organisations that we use to support the delivery of our services. This may include the following:

  • business partners, suppliers and sub-contractors for the performance of any contract we enter with you
  • organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored
  • third party debt collectors for the purposes of debt collection
  • delivery companies for the purposes of transportation of goods
  • we may also disclose your personal data to third parties if we sell or buy any business or assets or where we are required by law to do so
  • we may disclose your information to regulatory bodies to enable us to comply with the law and to assist fraud protection and minimise credit risk.
  • where you have consented for us to do so, we may provide your data to selected third parties who may contact you about their goods or services that you may be interested in, such as equipment that you wish to try or buy

If you do not want us to use your data for those activities listed above, please do let us know by writing to us or sending us an email to: at any time

  1. Disclosure to external practitioners

If we refer you externally for treatment, we will share with the person or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral.  It will always be clear when we do this, as your consent will be gained, and you will receive a copy of any and all correspondence.

13.1 Your GP:  If the practitioners treating you believe it to be clinically advisable, we may also share information about your treatment with your GP.  You can ask us not to do this, in which case we will respect that request if we are legally permitted to do so, but you should be aware that it can be potentially dangerous and / or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it.

13.2 Your insurer:  We share with your medical insurer information about your treatment, its clinical necessity and its cost, only if they are paying for all or part of your treatment with us.  We provide only the information to which they are entitled. If you raise a complaint or a claim, we may be required to share personal data with your medical insurer for the purposes of investigating any complaint/claim.

13.3 The NHS:  If you are referred to us for treatment by the NHS, we will share the details of your treatment with the part of the NHS that referred you to us, as necessary to perform, process and report back on that treatment.

13.4 Medical regulators:  We may be requested, and in some cases can be required to share certain information (including personal data and sensitive personal data) about you and your care with medical regulators such as the General Medical Council or the Health and Care Professions Council for example if you make a complaint, or the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards and the regulator wishes to investigate.  We will ensure that we do so within the framework of the law and with due respect for your privacy.

EXEMPTIONS – Please note: There are special considerations relating to the protection of children and vulnerable adults in relation to safeguarding these individuals, which may exempt us from first contacting a parent or carer / executive if their safety and well-being is considered at risk, or of concern.


The Education (Schools’ Records) Regulations 1989 exempt any information relating to actual, alleged or suspected child abuse from the requirements of disclosure to those with ‘Parental Responsibility’ (Children Act 1989).


In an emergency and if you are incapacitated, we may also process your personal data (including sensitive personal data) or make personal data available to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).

  1. Accessing and updating your information
  • The DPA and GDPR give you the right to access information held about you by us. Please write to us or contact us if you wish to request confirmation of what personal information, we hold relating to you. We will provide this information within one month of your requesting the data.

You have the right to have the personal data we hold about you corrected if it is factually inaccurate. It is important to understand that this right does not extend to matters of opinion, such as medical diagnoses. If any of your personal data has changed, especially contact information such as: email address, postal address and phone number please get in touch us at:

The Banbury Private Physiotherapy Practice LTD

49 North Bar Street



OX16 0TH.

01295 257584

In order to protect your privacy, we may ask you to prove your identity before we take any steps in response to such a request.

  1. Changes to our Privacy Policy

We keep our Privacy Policy under regular review and as a result it may be amended from time to time without notice. As a result, we encourage you to review this Privacy Policy regularly, where the latest update will be posted on our website under “Articles and Links”.



If you have any questions in relation to our privacy policy, please email us at or call 01295 257584.or write to the Data Protection Officer at:

The Banbury Private Physiotherapy Practice LTD/Health ALIGN.

49 North Bar Street



OX16 0TH.

This privacy policy also applies to the Banbury Private Physiotherapy Practice LTD website

This policy covers the collection, processing and other use of personal data under the Data Protection Act 1998 (“DPA”) and the General Data Protection Regulations (“GDPR”). For further information please use the links on page 1 of this policy.