This privacy policy outlines how Function First collects, uses, and protects personal data in accordance with the Health and Care Professions Council (HCPC) Standards of Conduct, Performance and Ethics, Chartered Society of Physiotherapy (CSP) guidance, and UK GDPR regulations. This policy applies to all patients, staff, and business partners of the clinic.

1) Compliance with HCPC and CSP Standards

1a – We are committed to maintaining confidentiality and handling personal data in line with the HCPC’s professional and ethical guidelines, particularly:

– HCPC Standard 10: Duty to protect patient information and maintain accurate records.
– HCPC Standard 2: Responsible and clear communication regarding data use.
– CSP Data Protection Guidance: Ensuring best practice in the collection, storage, and sharing of patient information.

2) What Personal Data We Collect

2a – We collect and store the following personal information:

– Patient details (name, date of birth, contact details, GP details, next of kin).
– Medical history, treatment notes, and referrals.
– Payment details (for processing fees).
– Communications with patients (emails, letters, and forms).
– Marketing preferences (where applicable and with consent).

3) Purpose of Data Collection

3a – Patient data is collected and processed for the following purposes:

– Providing physiotherapy assessment and treatment.
– Maintaining accurate health records in line with HCPC and CSP guidelines.
– Processing payments and managing billing records.
– Sending appointment reminders and relevant health information.
– Conducting anonymous audits for quality assurance and clinical improvement.

4) Data Storage and Security Measures

4a – We use secure systems to store and manage patient data:

– Patient records are stored digitally using cloud-based practice management software, compliant with UK GDPR.
– Physical records (if applicable) are stored securely with restricted access.
– Access to data is limited to treating clinicians and essential administration staff only.
– All staff handling patient data undergo data protection training to ensure compliance.

5) Data Retention Period

5a – Patient records are kept in line with HCPC guidelines:

– Adult patient records: Retained for 8 years after the last appointment.
– Children’s records: Retained until the patient turns 25 years old.
– After the retention period, data is securely destroyed in compliance with ICO regulations.

6) Data Sharing and Third-Party Processors

6a – We do not share personal data with third parties without explicit patient consent, except where required by law or professional obligations:

– If cloud-based record systems are used, patient data remains confidential and is only accessed by authorised personnel.
– Where referral letters are required (e.g. to GPs or consultants), patient consent is obtained beforehand.
– Any sharing for clinical audits or training purposes will always be fully anonymised.

7) Marketing and Communications

7a – Patients will only receive marketing communications if they have opted in.

7b – Every patient has the right to withdraw consent for marketing at any time.

8) ICO Registration and Compliance

8a – As a data controller, the clinic is registered with the Information Commissioner’s Office (ICO), registration number ZB617313.

8b – Patients can contact the ICO if they have concerns about how their data is handled.

9) Data Breaches and Reporting

9a – In the event of a data breach:

– We will notify the ICO within 72 hours, if required under UK GDPR.
– Affected individuals will be informed where there is a risk to their rights or privacy.