Data Protection & Privacy Policy

Inclusive of UK GDPR regulations. Audited annually.

Last reviewed: 19/06/2026 — KS. ICO registration: ZB344746.

Statement of awareness

  1. This document shows that we are aware of our requirement to have a privacy policy to protect patient and contractor information.
  2. It lists where patient and contractor data is kept and what data is held.
  3. Severn Physiotherapy holds a consent form which every patient (or power of attorney) signs before assessment begins, detailing how their data is used.

Who we are

Severn Physiotherapy LLP ("we", "us", "our"), based in Portishead, North Somerset, is the data controller for the personal information described below. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and maintain the common law duty of confidentiality owed to our patients. Contact: hello@severnphysiotherapy.co.uk or 01275 400466.

Patient data we keep

  • Name
  • Date of birth
  • Address
  • Care home name and number
  • Pertinent health and social care information
  • GP name and address
  • Consultant name and hospital
  • Social worker name and number
  • Any other relevant health / social care professional name and number involved
  • Medical notes made throughout assessment and treatment sessions
  • Contacts with, or concerning, clients between sessions

How we keep patient data

Most data is stored on our clinical notes package, WriteUpp. WriteUpp acts as our Data Processor: they have appropriate measures and protections in place to comply with their responsibilities in this role and provide a suite of tools to enable Severn Physiotherapy to comply with its responsibilities as a Data Controller. Members of the team have access to all clients' data but, in line with HCPC registration requirements, accessing data is only on a need-to-know basis.

Our Lovable website hosts a contact form and a client intake form, both of which submit sensitive medical and personal data. This information is available only to administrators of Severn Physiotherapy using 2FA, and is deleted after being uploaded to WriteUpp. Form data is automatically deleted from the system after 10 years, in line with current UK law, and an admin log records all deletions of form data. Lovable / Supabase, as a data processor, itself complies with UK regulations for sensitive healthcare and personal data and uses only EU servers.

Other digital data may be processed by an API or other software we purchase for use with our Lovable website. Severn Physiotherapy carefully chooses software based on data protection regulations and with the ethos of safely managing the data we collect.

Severn Physiotherapy makes every effort not to store any paper-based data; for any that is, it will be stored in a locked cabinet. Any paper records containing patient information that need to be destroyed will be shredded.

Team members are expected to act in accordance with professional body guidelines and HCPC standards with regard to data protection, processing and controlling. This includes accurate record keeping and only accessing clinically relevant information.

Transporting data

It is recommended that all physiotherapists working for Severn Physiotherapy use their own electronic device, with the clinical software app installed, to record patient data and progress notes. They should not remain logged in to the app when it is not in use.

How to make data electronic

Any photos of patient information such as GP summaries, medical reports or prescriptions must be taken with the physiotherapist's phone and saved to the clinical note-writing software, then deleted off the phone immediately. If this information has been emailed, it can be saved directly to the software.

Sharing patient data

Severn Physiotherapy has a duty of care to share relevant information with involved health and social care practitioners in the case of safeguarding concerns; this is at the clinician's discretion, and the client will usually be informed first.

Therapists may need to share information to make onward referrals, with client consent, or to liaise with other medical or social care staff for their benefit. The client will also be informed before these discussions occur. This is only done when necessary, with minimal information conveyed.

Information will only be shared for the purposes agreed at the original time of disclosure. If later required for another purpose, this must be agreed with the owner in person.

Severn Physiotherapy will willingly provide patients their own data at their request, in electronic or paper format, within 28 days. We will need to verify the patient requesting the data is the correct person by asking for full name, date of birth and address; additional identification may also be required.

Deleting patient data

After 10 years Severn Physiotherapy and our data processors delete all patient data electronically and do not keep any traceable form. In the case of paper notes, these are shredded and untraceable.

Processing patient data

Severn Physiotherapy will not process any data for any profiling or marketing purposes, unless a patient has specifically consented to this.

Data breach

Severn Physiotherapy will notify any clients involved within 72 hours of becoming aware of the breach. In the case of a significant breach we will inform the Information Commissioner's Office.

Audit

Skye Ramell and Kelly Steed will audit this data protection process every six months to ensure our clinical notes system is being used appropriately, that information shared by email has been anonymised as described in the information security policy below, and that paper documentation is locked and secured.

Right to be forgotten

Severn Physiotherapy has a legal duty to keep your notes for 10 years and for no shorter period. This law does not allow a patient to ask to be forgotten. In a court of law, patient notes may be required within 10 years of contact with a client.

Information security policy

  • WriteUpp, Lovable, and any API we purchase for use with our website do not sell your data.
  • Communications containing patient information will be anonymised as far as possible.
  • Email access is provided through Tuta and, when necessary, is protected with end-to-end encryption software.
  • WhatsApp messages are protected with end-to-end encryption.
  • We do not have conversations in public using any patient-identifiable information.
  • We are ICO registered: ZB344746.

Contractor data

Data we keep about contractors / associates:

  • Name
  • Address
  • References
  • DBS check
  • Relevant employment history
  • Any data required for diversity and inclusion (e.g. relevant disabilities)

Data pertaining to freelancers is kept in secure folders on Asana (access by partners only). Data is collected initially via our Lovable Cloud / Supabase website, which is GDPR compliant.

With permission from the individual, they will be added to the Severn Physiotherapy WhatsApp group, enabling others to access their mobile number, to be used for professional purposes only.

Their Severn Physiotherapy email address will be shared with other members of the Severn Physiotherapy team. A contractor's Severn Physiotherapy email address may be shared with patients, their families or other health professionals as deemed appropriate. Contractors may choose to share their mobile number if they wish. Alternatively our landline 01275 400466 can be used for patients and their families.

Your rights

You have the right to: access the data we hold about you, request corrections, request deletion where appropriate (subject to the 10-year clinical retention requirement above), object to or restrict certain processing, and withdraw consent at any time where processing is based on consent. To exercise any of these rights, contact us at hello@severnphysiotherapy.co.uk. We will respond within one calendar month.

If you are unhappy with how we have handled your data, you can complain to the ICO at ico.org.uk or 0303 123 1113.

