Privacy Policy
Introduction
This privacy policy explains how we collect, use, store, and protect your personal data in accordance with the Data Protection Act 2018 and the UK GDPR (General Data Protection Regulation), which came into effect on 25 May 2018. By using our website or engaging with our services, you consent to this policy.
We are registered with the Information Commissioner’s Office (ICO) under registration number ZA055210.
Summary
A summary of this Privacy Policy can be found here.
1. Who we are
W6 Physiotherapy is a trading name of W6 Physiotherapy Limited, registered in England under company number 08656000.
Our registered office is located at: Nazareth House, 169-175 Hammersmith Road, London, W6 8DB.
You can contact us via:
- Email: info@w6physiotherapy.co.uk or jbienczak@w6physiotherapy.co.uk
- Phone: 020 8748 9006
We take your privacy seriously. We are the data controller for your personal data. If you have any questions about how we collect, process, or protect your personal data, please contact Jakub Bienczak, our Data Protection Officer, via the contact details above.
2. What information we collect and why
2.1. Information collected via online platforms, email and telephone
When you contact us via our website, online booking forms, by phone, or email, we collect personal information, such as:
- Name and title
- Contact details (email, phone/mobile number)
- Date of birth
- Address
- Health insurance details (if applicable)
- Brief outline of your problem/medical history, imaging/investigations relevant to the problem.
- Source of referral
Use of cookies
A cookie is a small file stored on your browser or the hard drive of your computer. We use website cookies to collect information about your computer for our services. This is statistical data about our visitors and your use of our website.
The booking form is provided by Rushcliff LTD (Private Practice Software – Private Practice Management Software).
2.2. Information collected at the clinic prior to treatment
Privacy for healthcare treatment is assured under the common law Duty of Confidence (for further details, please visit Ethical and legal duties of confidentiality).
- We collect your personal and health data. Processing of this personal data is necessary for the purposes of medical diagnosis and healthcare. We do not gather other sensitive data (e.g. genetic or biometric data, information about race or ethnic origin, political opinions, philosophical beliefs, sexual orientation or criminal convictions).
- We collect your name, surname, occupation, sex, your age (date of birth), your address, your preferred contact details, information relating to your past medical history including any letters you may have from specialists, your GP’s details, details about your general health, what medication you may use and your activity level. We will also create a physical record of details from your physical examination. These details are used to:
- Identify you
- Understand the nature of your disorder, formulate a diagnosis and establish a goal and plan of treatment.
The lawful basis for processing this data is for the provision of healthcare under Article 9(2)(h) of the UK GDPR, which allows us to process health data where it is necessary for healthcare purposes.
- We collect alternative contact details for you, and, if applicable, your health insurance policy number, authorisation code, how many sessions you are authorised for and if you have an excess, the amount you need to pay.
- In some cases, upon your consent, we may store your card payment details on file using a secure payment method called Square UP. Please view Square UP Privacy Policy. These details are used for:
- communication purposes relating to appointments,
- processing payments,
- notifications relating to invoices settled by health insurers,
- sending you your exercise programmes.
The lawful basis for processing your personal data is your consent.
As stated in Article 9 of the GDPR, processing is necessary to protect the vital interests of the data subject or of another natural person, where one is physically or legally incapable of giving consent.
We therefore collect either:
- Vulnerable adult’s information – details of the Power of Attorney (POA) and the official documents, if the service user is not able to give consent themselves.
- Children’s information – details of the parent or legal guardian, if the service user is under 16 years of age.
3. Use of your information
We keep your information secure in accordance with the Data Protection Act 2018 (GDPR compliance) and use it to respond to your enquiry. When attending your appointment, you will have the option to give consent and once given we only provide treatment within the scope of that consent. As the treatment changes, we would again ask you for your informed consent.
We use your personal data to:
- Book appointments, manage your treatment and develop a treatment plan,
- Process payments and insurance claims,
- Communicate with you regarding your treatment, treatment progress, payments, and health updates.
We ensure that any data shared with third parties is in line with our privacy policy and only for legitimate purposes.
4. How We Store and Access Your Information
4.1. Storage of Paper Records
Records for patients registered before 31 December 2017 are stored securely in a locked filing cabinet, accessible only to authorized staff.
4.2. Storage of Digital Records
Patient records for those registered after 1 January 2018 are stored securely on Private Practice Software (PPS) by Rushcliff Ltd. Their privacy policy can be found here.
Rushcliff LTD Data Centres are covered by ISO 27001, 27017, 27018, and 27701. They are GDPR compliant, ensuring the highest level of data security for complete peace of mind. All data is kept virtually secure through a network that offers built-in protection against increasingly sophisticated global cyber threats, including advanced firewalls and the most powerful anti-DDoS solution in the industry. The Data Centre is also kept physically secure with industry-leading fire protection, 24/7 physical site security and surveillance, an uninterrupted power supply (UPS) System and N+1 cooling redundancy. *
Source: Private Practice Software – Security. Accessed: 5 May 2025
We have a Data Processing Agreement with PPS to ensure compliance with the Data Protection Act 2018 and UK GDPR.
4.3. Access to Records
Paper records are accessible only to authorized office staff with the appropriate access codes and keys. Electronic records are only accessible by authorized healthcare professionals and clinic staff, protected by multi-factor authentication and encrypted systems.
5. Sharing Your Information
- External Healthcare Providers – We may share your data with other healthcare professionals involved in your treatment (e.g. GPs, consultants) for your ongoing care. This will be done securely via encrypted email or post.
- Solicitors – Your healthcare records will only be shared with solicitors upon your written request and signed consent for medico-legal purposes.
- Insurance Providers – We may share your data with health insurance providers to facilitate treatment authorization and claims processing.
If requested by Bupa, specific information that is obtained by processing existing service-user data may be shared with the Bupa insurance scheme (Key Performance Indicators – KPI). Information is shared to provide Bupa with statistical and performance data. Your information will only be shared with the insurance provider or case management company that has authorized your treatment and with whom you hold your membership.
- Third-Party Services – We use third-party services for billing, secure messaging, and other administrative purposes. These include:
- Healthcode (Privacy Notice: Healthcode Privacy Policy)
- Egress (Privacy Policy: Egress Privacy Policy)
- Bupa Providers Online (Privacy Policy: Bupa Privacy Policy)
These services allow us to securely process payments and communicate with your insurer.
- Statutory Disclosures – We may disclose your data to public authorities or in response to legal requirements under UK law, such as the Prevention of Terrorism Act, Public Health Act, or Police and Criminal Evidence Act 1984.
6. Security of Your Data
While we take reasonable steps to protect your personal data, we cannot guarantee 100% security, especially for data transmitted via the internet (e.g., email). Once we receive your data, we ensure it is protected with robust security measures.
We will notify the ICO within 72 hours of discovering a data breach.
7. Your Rights Under UK Data Protection Law
Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data:
- Access: You can request a copy of your personal data held by us (via Subject Access Form Request).
- Rectification: You can request corrections to any incorrect information.
- Erasure: You can request that we delete your data, although we may be unable to delete all records due to legal or medical reasons (via Data Erasure Form Request).
- Restriction: You can request that we restrict how your data is processed.
- Objection: You can object to the processing of your data for certain purposes.
- Portability: You can request a copy of your data in a structured, machine-readable format.
7.1. Proof of identity
To help us establish your identity, you must provide two pieces of identification: one that clearly shows your name and date of birth, and a second that shows your current address.
- We accept a photocopy or a scanned image of one of the following as proof of identity: passport or photo identification such as a driver’s licence, national identification number card, or birth or adoption certificate.
- We accept a photocopy or a scanned image of one of the following as proof of your address: a copy of a bank or credit card statement or utility bill showing your current address and dated within the last three months.
- If you have changed your name, please provide the relevant documents evidencing the change.
We may request additional information from you to help us confirm your identity and your right to access, and to provide you with the personal data we hold about you. We reserve the right to refuse to act on your request if we are unable to identify you.
Parental requests for information pertaining to their children
Parents will normally have responsibility for accessing the health records of their children. However, care must be taken to obtain the consent of the child where necessary (16- and 17-year-olds are seen as adults in relation to confidentiality, and their consent would be necessary). It is important to be aware that children under 16 years of age who have the capacity and understanding for decision making should also have their confidence respected. However, they should be encouraged to involve parents and guardians in their healthcare matters.
7.2. Denial or limitation of information
We may deny or limit the scope of information we provide to you if:
- The information released may cause serious harm to the physical or mental health or condition of the individual or any other person, or
- The disclosure would also reveal information relating to, or provided by, a third person who has not consented to that disclosure, unless:
- The third party is a clinician who has compiled or contributed to the health records, or who has been involved in the care of the individual.
- The third party, who is not a clinician, gives their consent to the disclosure of that information.
Although we are not obliged to inform you why we have denied you access to your personal information, we will document this for our records. We will respond within 30 days of your written request (unless there are exceptional circumstances, in which case we will inform you if a longer period is required).
For more details on how to exercise these rights, please contact us at info@w6physiotherapy.co.uk or jbienczak@w6physiotherapy.co.uk.
8. Complaints
If you are dissatisfied with how we have handled your data, please contact our Data Controller, Jakub Bienczak, at jbienczak@w6physiotherapy.co.uk or info@w6physiotherapy.co.uk.
We will respond to your concerns within 30 days.
If you are not satisfied with our response, you can contact the Information Commissioner’s Office (ICO) for further assistance.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, data practices, or UK legislation. You will be notified of any significant updates via email or through our website.
Last Updated: 6 May 2025
This policy aims to ensure that your personal data is handled with care and in compliance with the UK GDPR and the Data Protection Act 2018.