RISE Privacy Notice

Rise Physiotherapy Bristol Ltd respects your privacy and is committed to protecting your personal data. This privacy notice will inform you of how we look after your personal data and tell you about your privacy rights and how the law protects you. It aims to give you information on how Rise Physiotherapy Bristol Ltd collects and processes your personal data, including any data you may provide through this website.
Controller
Rise Physiotherapy Bristol Ltd (Companies House number 15927206) is the controller and responsible for your personal data. We have appointed a data protection officer (DPO), Simon Carely-Smith (company director), who is responsible for questions in relation to this privacy notice. If at any point you believe the information we process on you is incorrect, you can request to see this information and have it corrected or deleted. If you have any questions or concerns regarding this privacy notice and how your data is used, please contact the DPO via hello@risephysiotherapy.com.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office https://ico.org.uk.
What data do we hold, where is it stored and how is it secured?
We legally have to collect and hold certain Personal Data and Special Category Data for the purposes of Physiotherapy and sports massage, keeping a record of the therapy that has taken place at each appointment to fulfil legal and professional obligations imposed by the Health Care Professions Council and Chartered Society of Physiotherapy.
For all our Physiotherapy and Sports Massage services we collect the following data:
  • Names
  • Dates of birth
  • Current address
  • Telephone Number and Email Addresses
  • Registered GP Surgery
  • Previous medical history
  • Drug history
  • Social history
This is all part of a comprehensive subjective history taking, which is seen as an industry standard amount of information required to have a full picture of a person’s health in order to clinically reason and professionally administer safe and effective therapeutic interventions. If you fail to provide this information we may not be able to perform the contract we have or are hoping to enter into (i.e. provide you with our services). This may result in cancellation of our services; you will be notified of this at the time.
Our clinicians use electronic notes on password-protected platforms. We use RehabGuru and Heidi Ai, both meeting the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018. Where patients have called or texted us or we have called or texted them, our smartphone is used. This automatically stores telephone numbers and, where manually entered, their names, as well as text content. Specific medical information is not discussed in texts. The telephone is locked by a 6-digit PIN code, making the records on it inaccessible in the event of loss or theft.
Follow-up emails are routinely sent to patients asking them to keep us updated on their progress. If a specific summary of findings and rehabilitation advice is offered, it is attached in an encrypted document; the client will be sent a password via a separate channel to unlock this (e.g. text).
How do we get this data?
During the online booking process for Physiotherapy and Sports massage, clients are asked to enter their name, address, date of birth and some details of their present condition and history of any problems, which can contain medical information classed as special category data. This is entered by clients into an online pre-assessment sheet which is held within the password-secured online booking system run by www.acuityscheduling.com. Because this system operates outside the EU we have signed an international data transfer agreement. By booking through this system clients are accepting that their data will be transferred and held by this secure system, which meets international and European data protection standards. Further details on this can be found at https://www.squarespace.com/dpa
At first assessments for physiotherapy and sports massage, clinicians will confirm this data and input it to RehabGuru. Previous medical history, social history and drug history are taken and recorded by the treating therapist in RehabGuru as part of your clinical notes. This information is re-confirmed/checked at subsequent appointments to ensure it is up to date.
Why do we have this information and Special Category Data?
Special Category Data refers to highly sensitive personal information including, but not limited to, race, gender, religious views and health data. Additional protections are afforded to this data and we are required to have a lawful basis to process such data. To comply with standards set by the HCPC and CSP we need to collect the above special category data regarding health for all Physiotherapy services. To do the same for sports massage is thorough and best practice in order to keep fully comprehensive records of patient health and therapeutic care administered.
Email addresses are requested and kept as a convenient point of contact for patients. They are not a required category. A checked box is offered to opt in to future marketing contact from Rise Physiotherapy and Pilates, with the purpose of keeping clients in touch with the activities and products of our company.
How long do we keep information?
We keep all records for 8 years from the date of the last appointment or their 18th birthday (whichever date is the later) in line with the DPA. If clients have opted in to emails for marketing they will continue to stay on the list, with the option of unsubscribing at any time.
Our policy is to shred all paper records once they pass the 8-year threshold, and to pay an external, officially accredited company to correctly erase electronic records and data when required.
How do we use your personal Data?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
  • Where we need to perform the contract we are about to enter into or have entered into with you to provide medical treatment
  • Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests
  • Where we need to comply with a legal or regulatory requirement
  • We will occasionally use data to send marketing information, such as special offers, discount codes, referral schemes, clinic updates including opening times, new locations, logistical information
When do we share this information?
We never share this information with third parties for any commercial reasons. We may communicate specific and limited information to your GP, third party professionals providing diagnostic screening or medical consultants in writing, only when specifically agreed with the client in question and required for further investigations or medical input.
Healthcare professionals are legally bound to share limited and specific information on the extremely rare occasion that it relates to the safeguarding of a vulnerable child or adult, and this would only be to relevant authorities in line with safeguarding legislation.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third parties to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Your Legal Rights
You have the right to:
  • Request access to your personal data. This enables you to receive a copy of the personal data that we hold and check it is being lawfully processed.
  • Request a correction of the personal data we hold about you.
  • Request deletion of your personal data. This allows you to remove your personal information where there is no good reason for us to continue to use it. You also have the right to ask us to remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your personal data unlawfully or where required to remove personal data in compliance with local law. We may not always be able to comply with your request for specific legal reasons, which we will inform you of.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.