MacFarlane Physiotherapy Ltd is committed to protecting the personal data of our patients, staff, and stakeholders in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
We recognise the importance of data privacy and confidentiality and will ensure that personal data is handled lawfully, fairly, and transparently at all times.
Scope
This policy applies to:
- All employees, associates, and contractors of MacFarlane Physiotherapy
- All patient, client, and staff data collected, stored, processed, or shared
- All formats of data – digital, paper, audio, or verbal
Our Data Protection Principles
We adhere to the following UK GDPR principles. Personal data must be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Kept only as long as necessary
- Processed securely using appropriate technical and organisational measures
What Personal Data We Collect
We may collect and process the following types of personal data:
- Patient contact details (name, address, phone, email)
- Medical and treatment history
- Appointment records and clinician notes
- Payment and billing details
- Staff employment and training records
How We Use Your Data
- To provide safe, effective physiotherapy care
- To maintain accurate clinical records
- To contact you about appointments, services, or follow-up care
- To comply with legal or regulatory obligations (e.g. insurance, HCPC)
- To manage clinic operations and staff administration
Sharing Your Information
We only share personal data:
- With your explicit consent (e.g. referral to GP or consultant)
- Where required by law or professional regulation
- With trusted service providers who comply with UK data protection law (e.g. secure booking platforms)
Data Security
We keep data secure by:
- Using encrypted systems for digital records
- Storing paper records in locked cabinets
- Restricting access to authorised personnel only
- Regularly reviewing and updating our security protocols
Your Rights Under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Request corrections to inaccurate data
- Request data erasure (where legally permitted)
- Object to or restrict certain types of processing
- Withdraw consent for non-essential data uses
To exercise any of these rights, please contact us in writing.
Data Breaches
If a data breach occurs, we will:
- Contain and assess the risk immediately
- Notify affected individuals and the Information Commissioner’s Office (ICO) if legally required
- Take steps to prevent future breaches
Policy Review
This policy is reviewed annually or sooner if there are significant changes in legislation, operations, or security measures.