General Data Protection Regulation May 2018


Physiotherapy @ Castle Clinic


Physiotherapy @ Castle Clinic follows all legal obligations in protecting private client data as stipulated by GDPR and CSP/HCPC guidelines. By using our services, you hereby consent to the collection and use of your data as detailed within the policy below. Should this policy change in the future then you will be contacted prior to inform on and explain any changes.

1.Data Controller

Physiotherapy @ Castle Clinic is the data controller and based at Castle Clinic in Knaresborough, HG5 8AS 01423 797800 

Contact email address is For the purposes of this privacy policy these will hereafter be referred to as the Physiotherapist.

2.Purpose of Data Collection

In order to assess and treat any medical condition with physiotherapy techniques it is statutory to collect personal data including, name, date of birth, Address, telephone and email contact details, GP details, insurance details (if applicable), medication details and current and past medical history. All this information will be recorded in paper format and stored within a locked filing cabinet accessible only by the Physiotherapist. Any information stored on the physiotherapists laptop computer is accessible only to the physiotherapist and is password protected.


3.Use & Organisation of Data

Data is organised and used by the Physiotherapist, as data controller, for therapy and administration purposes only. This may include contact between physiotherapist and client for organisation of future appointments or communication with other medical professionals if required. Should this communication be required then the patient consent with be acquired before any such communication.  All data use and organisation is compliant with GDPR guidelines. No information will be shared with any other 3rdparty.


4.Legal Use of Data

To meet contractual obligations obtained from explicit patient consent and legitimate interest to respond to enquiries concerning the services provided. The physiotherapist is governed by Health and Care Professions Council and by law is required to obtain and retain your information. Your information will be disclosed where required to do so by law or in accordance with an order of court or jurisdiction. 


5.Data Retention

The physiotherapist will retain all personal data and information, processed throughout the treatment time period, for up to 8 years after completion of treatment or until client is aged 25 in the case of people aged 16-18. This time period of retention is due to legal obligations. After this time period all personal data will be deleted. 


6.Data Security/Storage

Personal data and information security is of the highest importance to the physiotherapist who ensures all data is protected in accordance with UK and EU legislation. 


7.Individual GDPR Rights

All clients have the following rights in regards to personal data:

  • Right of access – you have the right to request a copy of the information that we hold about you.

  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.

  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.

  • Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.

  • Right of portability – you have the right to have the data we hold about you transferred to another organisation. 

  • Right to object – you have the right to object to certain types of processing such as direct marketing.

  • Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.


8.Social Media

Physiotherapy @ Castle Clinic & NIdderdale Medical Practice does not use any social media on any format in any professional or socially related manner.



Any professional marketing by the physiotherapist will contain no personal or private client information or data at any time. Patients will not be contacted at any time for marketing or promotional purposes.


10.Lodging a Complaint

Should you wish to lodge a complaint, you can contact the physiotherapist at the above details. Alternatively you can contact the Information Commissioner’s Office (ICO) at

Wycliffe House, Water Lane, Wilmslow, SK9 5AF