This privacy notice sets out how Claire Hughes of Corvedale Physiotherapy uses and protects any information that you provide in relation to your treatment with the clinic.
Corvedale Physiotherapy is committed to protecting your privacy and your rights under the General Data Protection Regulations (GDPR) 2018. This policy explains the information held about you, and who else may have access to it. The only personal information we will have is that which is voluntarily supplied by you.
Please take a few minutes to read this document; if you find anything unclear please contact us.
The data we handle and the legalities of holding data
As a Chartered Physiotherapist, Claire Hughes of Corvedale Physiotherapy has a legal obligation to collect and process information for the purposes of medical records and also has to process any information received from website enquiries. Claire Hughes of Corvedale Physiotherapy (The Clinic) is the data controller. The Clinic is currently based within the Spiro Clinic and Wellness Centre at Lower Galdeford, Ludlow, SY8 1RT.
The new GDPR regulations cover all types of hard and electronic data. Your personal information relating to address and date of birth is essential so that we can accurately identify a patient. We may have 2 or 3 patients on our system with the same name. We may only be able to tell them apart by date of birth or address. These details are essential and must be included with your consent, so we can securely identify our patients.
If you wish to book an appointment online then we will require an email address. Emails are used to provide details about your appointment booking. These are sent at the time of booking. We may send you an email about your treatment and for communication relating to billing, invoices and receipts. Any sensitive information will only be passed to you via email if you approve. We do not send out marketing material via email and will only send emails if they are relevant to your time at the clinic. Your email address will not be shared with anyone else.
Your health records may also include photographs, video analysis and health questionnaires. We will only collect and process information about you that is relevant to our purpose and is adequate to fulfil this purpose. Information that we hold will be kept up-to-date and every effort will be made to rectify information as soon as possible when we become aware of inaccuracies. Although you have the right to information held about you being deleted, our legal obligation may supersede this right with regards to your healthcare information. Please contact The Clinic directly if you have questions about this.
We are part of the medical profession and are therefore governed by the same rules that would apply to your GP or Hospital Consultant. Physiotherapists are governed by the Data Protection Act and competencies set out by the Health and Care Professions Council (HCPC) and The Chartered Society of Physiotherapy (CSP), to collect and store information about you, your medical condition, work and lifestyle information plus possibly information about other aspects of your physical and mental health, family history, employment status and disability, provided this information is relevant and required to perform our purpose.
How long we store your data
Under CSP and HCPC regulations, relating to the maintenance of health records, we are required to keep your records for a minimum of 8 years. After 8 years following completion of treatment, your records will be destroyed securely in accordance with best practice at that time.
How we store your data
The Clinic takes your data security seriously. We use a cloud-based diary management system called Acuity Scheduling to collect and store personal and demographic information about you. The system is password protected and only staff working within The Clinic have access to this system. The data itself is securely stored with multi-layer security features; the operators of the data centres do not have access to your data and simply hold this data on our behalf.
A software package called Wave is used for creating invoices and receipts. Wave is a secure database that is accessed via an encrypted server over the internet. Claire Hughes has a unique username and password for accessing the database. Invoices are printed for face-to-face clients and email receipts are sent on request.
We take electronic payments through Square. This is chip and pin and is one of the safest methods to take a card payment. We are compliant with the PCI DSS (Payment Card Industry Data Security Standard). This is something that is checked annually with Square.
Online payments can be made using PayPal, which is also a safe and secure method.
Your physiotherapy records are held in secure filing cabinets, in a secure office within a secure building. We may send/receive letters or emails about your care to/from other healthcare professionals. Letters are sent by Royal Mail, or delivered by hand, and received letters are kept securely with your Physiotherapy notes. Emails are printed and stored securely with your physiotherapy notes before being deleted from computer storage. No information of this kind will be held for any longer than required to perform our purpose but does form part of your medical record.
Who else might see my personal information?
The Clinic will not share your personal information without your consent. When relevant and with your consent we may communicate regarding your treatment, with other medical and healthcare professionals, consultants, coaches, fitness instructors, family or other individuals involved in your wider care. We will ask your permission before doing this and you have the absolute right to deny this permission except in the circumstance of vital interest such as communicating with next of kin or medical professionals in the event of an incident, accident or emergency. We will share your information where required to do so by relevant legislation or court orders. We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. Should The Clinic be acquired by another company, customer information may be deemed a transferable business asset and as such will transfer to the new owners.
Your rights regarding the data we hold
- Right of Access – Following a written request, with your consent we will provide all information held about you. We have one month from the date of the written request to provide you with this data. This information will be provided free of charge to the patient unless it is considered an unreasonably excessive request. Written reports are not covered by this and do incur an administrative fee equivalent to one 30-minute treatment charge at the current rate of The Clinic at the time of the request. We may still charge insurance companies and solicitors or other third parties acting on your behalf if requesting copies of your records.
- Right of Rectification – You have the right for information stored by us to be accurate. We will make every effort to ensure that personal information stored about you is accurate and up-to-date. Health records cannot be rectified if the information is true at the time the record was made in accordance with maintenance of medical records regulations.
- Right to be Forgotten (Erasure) – You have the right to ask to have your records deleted. As we are a medical healthcare company we are legally obliged to keep your records for a minimum of 8 years or until your 25th birthday if your treatment was as a child. If this timescale has lapsed and you wish to check that your records have been deleted, please contact the clinic in writing and this will be arranged providing there is no legal obligation to refuse in accordance with the regulations in place at the time of the request.
- Right to Restriction of Processing – You have the right to restrict the purpose for which we process your information. We will always seek to gain your consent for processing your data in any other way than our legal requirement to maintain accurate, up-to-date and specific medical records.
- Right of Data Portability – You have the right to have your records transferred to another location if you or your treatment is transferred to another practitioner. In this circumstance you will need to apply in writing as per the Right to Access section above.
- Right to Object – You have the right to object to your data being stored/processed. As we are a medical healthcare practice this will result in us not being able to treat you as a patient. However, you have the absolute right to object to receiving news and updates about the clinic. Therefore you may consent to The Clinic holding information about your treatment but object to receiving information and updates about The Clinic; we will always seek your permission to do this.
- Right not to be Automatically Processed – The Clinic does not currently operate any automatic processing or profiling based on your personal or health data.
What happens if we lose or share your data without consent – Data Breaches
We take security of your data seriously but unfortunately from time to time things may happen that are beyond our control. In the event of a data breach we will inform you as soon as is practically possible about the nature, extent and possible impact of any data breach. This involves not only inadvertent sharing but also destruction of information through fire, flood, theft, loss etc. If the data breach is deemed serious enough, we will also inform the Information Commissioner's Office (ICO) within 3 days of the breach and set up an internal investigation as to the cause of any such breach. If required, we will communicate the results of such an investigation to you and also our intended plan to rectify and stop such breaches in the future. We only need to do this if there has been a definite or high-risk breach as defined by the ICO.
What if this Privacy Policy changes?
Claire Hughes of Corvedale Physiotherapy reserves the right to change this privacy policy from time to time. We will notify you of any important changes to this policy. An up-to-date copy is kept behind the main reception of The Clinic and on our website.
To ensure we are maintaining security we perform an audit once a year to ensure all our processes are in keeping with GDPR.
Date of last review of this policy: February 2024
Contact Us
If you have any queries or concerns about this policy please write to:
Claire Hughes
Corvedale Physiotherapy
Spiro Clinic and Wellness Centre
Lower Galdeford
Ludlow
SY8 1RT