What information you may be asked to provide


The data taken will vary depending on the method of being booked for your physiotherapy assessment. This can be via:

  • the Nuffield Health website
  • the Nuffield Health booking agents over the phone
  • direct bookings at Nuffield Health locations
  • your insurer
  • your employer (click here for more information)
  • the NHS

Standard information taken regardless of method of booking will include:

  • Name
  • Postal Address
  • Telephone Number
  • Email (assistance for confirmation of bookings)
  • Date of Birth

Some methods of booking may also include the following data being taken:

  • Card details for payment (even if you are an insured patient)
  • body site of injury or pain
  • employer or insurer and policy details or referral /authorisation code (if relevant)
  • maximum session or maximum value allowed under insurer policy (if relevant)


Depending on your customer/patient journey it may be that your initial assessment is via telephone or face to face; depending on which will provide some variation in data requested.

Phone based assessment – when the call begins you will be asked a set of questions to protect your data to ensure we are talking to the right person.
This may include information such as: address; date of birth; insurer; body site treated.
Face to face assessment – you will be asked to review a Patient Registration Form and complete details such as your GP details and if relevant, your insurer. In addition, if your card payment details are not already on the system then you will be asked for these.

Clinical assessment – this will include the history of your present condition; past medical history; social history including your occupation; previous treatment you’ve received and by whom and other questions which will allow the physiotherapist to understand the best course of treatment for your condition.

Where we may collect your information from

As discussed above there are a number of avenues that you may come via to have your physiotherapy through Nuffield Health. Depending on which method this is and how your appointment is being booked will vary with how we initially receive information about you. So information could be coming from:

  • Yourself directly, either through the website or a direct booking.
  • Through another health professional working for or outside of Nuffield Health.
  • You have previously had physiotherapy through Nuffield Health and therefore the physiotherapist may be able to see notes with regards to your previous treatment (this will vary depending on when you had treatment and in which location).
  • Through your insurer or employer.

Why we need this information and how we might use it

We are required to collect the information that we have outlined above for a number of different purposes which are listed below and may vary depending on who is paying for your treatment.

Data protection – personal data is required so that we can complete appropriate checks, such as call verification, to ensure we are speaking to the right person. 

To provide a smooth patient journey – email addresses and telephone numbers allow us to provide booking confirmation and contact you to book and confirm future appointments.

Clinical treatment – to construct the most effective treatment plan for your condition or symptoms. 

Billing – a certain amount of information will be shared with the bill payer. If you are using your insurance to cover treatment, the bill payer will be your insurer, but it could also be your employer or you may be self-funding your treatment (please see ‘payment’ below for more information about card details that will be collected as part of your patient journey).

Payment – in accordance with our standard processes all physiotherapy patients are required to provide a credit or debit card when commencing their treatment. Nuffield Health will not store your card details but instead will use them to obtain an algorithmically generated token. Tokenisation is a method used to safeguard the security of your data by substituting your card details with non-sensitive information, and we use the services of Barclaycard’s secure payment gateway for this. Only the token will be stored by us and will be used to acquire payment if required. This will be in the case of you self-funding your treatment or if an invoice for your policy excess, cancellation or ‘did not attend’ charge is not paid.

When things go wrong

Nuffield Health pride ourselves with the quality of our services and consistent positive customer satisfaction, however, we understand that in a small number of cases you may have cause to raise a concern regarding an element of your patient journey.

It is important that Nuffield Health learn from these episodes to continually enhance services and as such we carry out thorough investigations. In order to fully investigate your concern we may need to share information with our compliance team, senior leaders or other parties not directly involved with your care. For example, if you were referred to Physiotherapy via your insurer we might need to discuss your concern with your insurer in order to fully investigate it.

In any case, we will only share a limited amount of information, as little as is necessary to investigate the concern. We may also need to share details of your concern with your treating physiotherapist or other professionals involved in your care for the purposes of the investigation. 

If the concern has come via a third party e.g. a regulator, body or solicitor, we may need to disclose your data with them in order to resolve, defend or investigate a concern. 

Who your personal data may be shared with

There are variations on who your data may be shared with depending on who is your bill payer. These differences are outlined below.  

Handovers to other health professionals – during your treatment journey it may be necessary to share information, with regards to you, with other health professionals who are involved in your care, e.g. your GP or a consultant. This could be with regards to referrals to the health professional or reporting back the results of their referral to the physiotherapist. Your consent will be sought before any information is shared, except in rare emergency scenarios.

Billing – if your insurer or your employer are covering the cost of your treatment we will need to share enough information with the bill payer to ensure they are able to pay for the treatment. 

Payment - all patients will have card details collected to take payment up front or to cover any shortfall (for insured patients). Card details are not stored by Nuffield Health. They are stored by Barclaycard, who provide Nuffield Health with a non-sensitive payment token to allow us to take payments from that card if necessary to cover shortfall.

Authorisation of treatment (where relevant) – depending on your bill payer we may have been asked to send reports to authorise treatment or with regards to your treatment outcomes. In order to proceed we may need authorisation from the bill payer (ie – your employer or your insurer) to continue or commence treatment. We will only send the most limited amount of data as is necessary to allow the bill payer to make this assessment. 

Research – to continue to improve clinical treatment Nuffield Health may use non- identifiable data as part of a research project or an assessment of our services.

Occupational Health Reports – if your referral has been from your employer as part of an occupational health assessment then a report will be produced and sent to your employer, however, not before you have had the option to see the report and have provided your consent. 

Fair and Lawful Processing

Each organisation is required to demonstrate that they are processing personal data fairly and lawfully, to do this we must have a ‘lawful basis for processing’ personal data. Consent is probably the condition that has gained the most attention but we only rely on consent in limited circumstances e.g. to share information with a third party or your GP.

Physiotherapy will mainly be processing data based on the following lawful basis for processing:
Article 6 (1)(b) Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract.

Article 6 (1)(f) Legitimate interests: the processing is necessary because of a legitimate interest or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Article 9 (2)(h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of English Law or pursuant to contract with a health professional.

What does this actually mean?

In order to provide you with the level of support agreed to in our contracts in a safe and effective way we need to process the data discussed, and as such, we are doing so lawfully. This means we may not always ask your consent each time we use your data if what we are doing is linked to your treatment or doing something we must do by law.

Your rights in respect of your Personal Data

The law gives you certain rights in respect of the information that we hold about you. Below is a short overview of the key rights available to you.

Data Subject Access Request - with some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you. Where the data is data that you have given to us, you have the right to receive your copy of it in a common electronic format, and to provide copies of it to other people if you wish (Right to Data Portability).

Right to Rectification - you have the right to have the personal data we hold about you corrected if it is factually inaccurate. This right does not extend to matters of opinion, such as assessments of performance or fitness to work.

Right to Erasure - in some limited circumstances, you have the right to have personal data that we hold about you erased (the “right to be forgotten”). This right is not generally available where we still have a valid legal reason to keep the data (for example, because we are obliged to do so by law).

Right to Restrict Processing - you also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data, for example if you contest its accuracy or where we are processing it on the basis of our legitimate interest and you contest our assessment that our interest overrides your rights.

The above is not a complete and exhaustive statement of the law

How long we will keep your Personal Data for?

The length of time that Personal Data is stored is set by national legislation and is outlined in Nuffield Health Policy.

Physiotherapy adult health records are generally kept for 8 years. For individuals who are aged under 18, records will need to be kept until their 25th birthday or those who were aged 17 at the start of treatment until their 26th birthday.

Automated Decisions

Each Physiotherapy Journey is different and our highly skilled physiotherapists and our administration team will ensure that you receive a bespoke patient journey that is right for you. As such, all of our decision making is based on the expert opinion of our team and no part of your journey will be based on wholly automated decisions.

Further Information

For further information about how your data may be processed or to ask any questions please raise this with your physiotherapist.

If you are not satisfied with how we handle your personal data or a request to exercise one of your rights in relation to your data, you can contact the Data Protection Officer on dataprotectionofficer@nuffieldhealth.com

Should you remain dissatisfied you have a right to complain to the Information Commissioner’s Office on 0303 123 1113 or through their website https://ico.org.uk/