Privacy & Data Protection and Security Policy 

General Data Protection Regulation (GDPR)

This policy sets out how The Twyford Clinic uses and protects any information that you give us when you seek treatment or use our website.

The Twyford Clinic is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy statement.

The Twyford Clinic may change this policy from time to time by updating this page. Please check this page when required to ensure that you are happy with any changes. This policy is effective from 14th September 2018.

Lawful Basis for Holding and Using Client Information

We need to retain some information in order to provide you with the best possible treatments, support and advice. The lawful basis under which we do so is known as legitimate interest. As we hold special-category data – specifically health-related information – the additional condition under which we keep and use this is to fulfil our role as healthcare practitioners.

What Information Do We Hold and What We Do With It?

In order to give treatments, we naturally ask for and keep information about your health. We only use this to inform decisions in relation to treatments, though, and to give advice as a result of treatments. The information we hold is:

  • Your contact details
  • Medical history and other health-related information
  • Treatment details and related notes

We keep your information for seven years from the date your last treatment has been received. Other than in the unlikely event of being required to do so by law, there are no circumstances under which we transfer information outside the EU or share your data without your explicit consent. We hold your data on secure reliable practise management software provived by Cliniko. Cliniko’s privacy policy can be reviewed in full at .

Email Communication Services

We may use your information to contact you via email with any service updates, special offers or informative newsletters. You can choose whether to opt in to these emails when completing your registration form at your initial assessment with The Twyford Clinic. Will not disclose any of your details to any third party marketing entities. 

We may use “MailChimp” to send emails, so they will indirectly have access to a portion of your activity and some of your personal details. MailChimp is a dedicated email automation platform. MailChimp’s privacy policy can be reviewed in full at .

Protecting Your Personal Data

The Twyford Clinic is committed to ensuring that your personal data remains secure. To prevent unauthorised access or disclosure of information, we use appropriate technical, physical and managerial procedures to safeguard it.

You have the absolute right to have your data removed from The Twyford Clinic’s systems at any time. Please contact our data protection officer via email: if you would like to request deletion. You will be contacted with 48 hours of any such request being made to confirm that your request has been actioned.

Please Note
If you do not agree to The Twyford Clinic keeping data about you/your treatments, or if you don’t allow us to use the information in the way we need, we may not be able to treat you. Also we have a legal requirement to keep your records of treatment for eight years from the date of your last treatment or until the age of 25 if you attend as a minor, which may mean that even if you ask us to erase your details, we might have to keep them securely until after that time.


Our website uses cookies. By using our website and agreeing to this policy, you consent to our use of cookies in accordance with the terms of this policy.

What Are Cookies?

A cookie consists of information sent by a web server to a web browser, and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.

Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. For example, in Internet Explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector. Blocking all cookies will, however, have a negative impact upon the usability of many websites.

Links to other websites

The Twyford Clinic website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Your Rights

GDPR gives you the right…

  • To be informed: to know how your data will be held and used – this notice.
  • Of access: to see our records of your personal information, so you can verify it.
  • To rectification: to make changes to your data if it’s incorrect or incomplete.
  • To erasure/the right to be forgotten: to request we erase your information
  • To restrict processing of personal data: to request limits on how we use your data
  • To data portability: under certain circumstances, you may request a copy of electronically -held personal information so that you can reuse it in other systems.
  • To object: to say you don’t want us using parts of your data, or only using it for certain purposes.

You also have rights in relation to automated decision-making and profiling, and the right to lodge a complaint with the Information Commissioner’s Office if you feel your data is incorrect, being stored unnecessarily, or used in a way for which you’ve not given permission.

Full details of your rights can be found at ICO GDPR Guide. If you wish to exercise any of these rights, please let us know via email at

If you’re dissatisfied with our response, you may complain to the Information Commissioner’s Office.

Date: May 2020

Version Created By: Phillip Wilson

Initial Policy     


1. Policy Statement

2. Scope

3. Principles

4. Information Security

5. Information Quality Assurance

6. Legal and Trusted Related Policies 7. Improvement Plan and Assessment 8. DSPT Management

9. Training


Appendix 1 The Twyford Clinic Policies and Legal Acts

1. Policy Statement

The Twyford Clinic recognises the importance of reliable information, both in terms of the clinical management of individual patients and the efficient management of services and resources. Information governance plays a key part in supporting clinical governance, service planning and performance management.

It also gives assurance to The Twyford Clinic and to individuals that personal information is dealt with legally, securely, efficiently and effectively, in order to deliver the best possible care.

The Twyford Clinic will establish and maintain policies and procedures to ensure compliance with requirements contained within the Data Security and Protection Toolkit (DSPT)

2. Scope

This policy covers all aspects of information within the organisation, including (but not limited to):

• Patient/Client/Service User information

• Personnel information

• Organisational information

This policy covers all aspects of handling information, including (but not limited to):

• Structured record systems – paper and electronic

• Transmission of information – fax, e-mail, post and telephone

This policy covers all information systems purchased, developed and managed by/or on behalf

of, the organisation and any individual directly employed or otherwise by the organisation.

3. Principles

The Twyford Clinic recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.

Information will be defined and where appropriate kept confidential, underpinning the principles of Caldicott and the regulations outlined in the Data Protection Act. Non-confidential information on The Twyford Clinic and its services will be available to the public through a variety of means, in line with The Twyford Clinic’s code of openness. Work will be undertaken to ensure compliance with the Freedom of Information Act.

Patients will have access to information relating to their own health care, options for treatment and their rights as patients. There will be clear procedures and arrangements for handling queries from patients and the public.

Integrity of information will be developed, monitored and maintained to ensure that it is appropriate for the purposes intended.

Availability of information for operational purposes will be maintained within set parameters relating to its importance via appropriate procedures and computer system resilience.

The Twyford Clinic regards all identifiable personal information relating to patients as confidential, compliance with legal and regulatory framework will be achieved, monitored and maintained.

The Twyford Clinic regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.

The Twyford Clinic will establish and maintain policies and procedures to ensure compliance with the Data Protection Act, Human Rights Act, the common law duty of confidentiality and the Freedom of Information Act.

Awareness and understanding of all staff, with regard to responsibilities, will be routinely assessed and appropriate training and awareness provided.

Risk assessment, in conjunction with overall priority planning of organisational activity will be undertaken to determine appropriate, effective and affordable data security and protection controls are in place.

4. Information Security

The Twyford Clinic will establish and maintain policies for the effective and secure management of its information assets and resources.

Audits will be undertaken or commissioned to assess information and IT security arrangements.

The Twyford Clinic’s Incident Reporting system will be used to report, monitor and investigate all breaches of confidentiality and security.

5. Information Quality Assurance

The Twyford Clinic will establish and maintain policies for information quality assurance and the effective management of records.

Audits will be undertaken or commissioned of Surrey Physio’s quality of data and records management arrangements.

The Practice Manager will be expected to take ownership of, and seek to improve, the quality of data within their services.

Wherever possible, information quality will be assured at the point of collection.

The Twyford Clinic will promote data quality through policies, procedures/user manual and training.

6. Legal and Trusted Related Policies

The Twyford Clinic has a comprehensive range of policies supporting the Data Security and Protection agenda; reference must be made to these alongside this policy. Legal and professional guidance should also be considered where appropriate. (Ref. Appendix 1)

7. Improvement Plan and Assessment

An assessment of compliance with requirements, within the Data Security and Protection (DSPT) will be undertaken each year. Annual reports and proposed action/development plans will be developed by the Director of The Twyford Clinic for to submission to the DSPT if required. The requirements are grouped into the following initiatives:

• Code of Confidentiality

• Data Protection

• Freedom of Information

• Health Records

• Information Governance Management

• Information Quality Assurance

• Information Security

8. DSPT Management

Data Security and Protection management across the organisation will be co-ordinated by the Data Security and Management. • The Directors of The Twyford Clinic,

The responsibilities of the Data Security and Management will include (but not be limited to):

  • Implementing the updated policies and procedures.

• Implementing the annual submission of compliance with requirements in the Data Security and Protection Toolkit and related action plan.

Data Security and Protection leads throughout at The Twyford Clinic will be central to the delivery of the data security and protection strategy.

9. Training

All appropriate training will be conducted each year.

Appendix 1

The Twyford Clinic Related Policies

• Data Protection Policy

• Access to Personal Health Records Policy

• Information Security Policy

• Data Sharing and Guidance Policy

• Lifecycle Policy

• Professional codes of conduct from the HSPC, CSP and AACP

• Quality Policy

• Training Policy

• GDPR Privacy Notice Policy

Legal Acts

• Data Protection Act 2018

• Human Rights Act 2000

• Freedom of Information 2000

• Access to Health Records Act 1990 (where not superseded by the Data Protection Act)

• Computer Misuse Act 1990

• Copyright, designs and patents Act 1988 (as amended by the Copyright Computer programs regulations 1992

• Crime and Disorder Act 1998

• Electronic Communications Act 2000

• Regulation of Investigatory Powers Act 2000