Custodia-Admin

GDPR for Physiotherapists: How to Handle Patient Data in Private Practice

If you run a private physiotherapy, osteopathy, chiropractic, or sports therapy practice, you handle some of the most sensitive personal data that exists under GDPR: detailed health information about real people's bodies, pain, and medical histories. Getting data protection wrong in healthcare isn't just a regulatory risk — it's a breach of professional trust.

This guide covers everything you need to know about GDPR compliance in private musculoskeletal practice, from consent forms to clinical record retention, practice management software, and medico-legal reporting.


Why Physiotherapy Records Are Special Category Data

Under Article 9 of the UK GDPR (and EU GDPR), health data is classified as special category data — a higher tier of protection that requires stricter handling, stronger legal bases, and more careful documentation.

Physiotherapy records are unambiguously health data. Your patient files routinely contain:

  • Injury history and past medical conditions — previous surgeries, chronic conditions, musculoskeletal history
  • Current symptoms and pain scores — Visual Analogue Scale (VAS) readings, pain diagrams, functional assessments
  • Clinical examination findings — range of movement, neurological testing results, orthopaedic test outcomes
  • Treatment notes and session records — what you did in each session, how the patient responded
  • Medication history — especially relevant for pain management, anticoagulants, and corticosteroid use
  • GP referral letters — which also contain diagnoses and other clinical information
  • Subjective history — including information about mental health, lifestyle, work, and social circumstances that bear on treatment

All of this is special category health data. The ordinary lawful bases for data processing (consent, legitimate interest, contract) are not sufficient on their own. You need to satisfy both a standard lawful basis and a specific condition under Article 9(2).


Lawful Basis: What Actually Applies to You

For most private physiotherapy practices, the two relevant Article 9(2) conditions are:

Article 9(2)(a) — Explicit Consent

You can process special category health data with the explicit consent of the patient. This is different from ordinary consent — it must be:

  • Freely given (not bundled with treatment as a condition)
  • Specific (explaining exactly what data is collected and why)
  • Informed (the patient understands what they're consenting to)
  • Unambiguous (an active affirmative act — a signature or tick box, not silence)
  • Capable of being withdrawn

Many private practitioners rely on explicit consent gathered via their initial assessment forms. This is valid, but your consent mechanism must meet all the above criteria.

Article 9(2)(h) — Healthcare Provision

If you are providing healthcare as a regulated professional, you can rely on Article 9(2)(h), which permits processing "for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment." In the UK, this is supported by Schedule 1, Part 1 of the Data Protection Act 2018.

HCPC-registered physiotherapists providing clinical care will typically qualify here. This basis does not require consent for each clinical record but does require you to have a privacy notice in place and to process data only for the clinical purpose.

Practical recommendation: Use both. Obtain explicit consent for marketing communications and any non-clinical processing, and rely on Article 9(2)(h) for the clinical treatment record itself.


Your Privacy Notice: What It Must Cover

Your privacy notice (sometimes called a fair processing notice) must be given to patients at the point of data collection — before or at first appointment, not buried on your website in a place patients never see.

A compliant privacy notice for a physiotherapy practice must cover:

  • Who you are — your name, trading name, business address, and contact details
  • What data you collect — be specific: clinical notes, assessment findings, contact details, insurance information
  • Why you collect it — treatment, appointment management, insurance billing, legal and regulatory obligations
  • Your lawful basis — Article 9(2)(h) for clinical data, explicit consent for anything beyond
  • Who you share it with — other treating practitioners, insurance companies, solicitors (for PI claims), your HCPC registration body if required, your practice management software provider
  • How long you keep it — 8 years minimum from last treatment for adults; until age 25 (or 8 years from last treatment if longer) for patients treated as children
  • Their rights — access, rectification, erasure (subject to clinical record-keeping obligations), restriction, portability, objection
  • How to complain — including the right to complain to the ICO (UK) or relevant supervisory authority

Patient Consent Forms: Getting It Right

Your initial assessment paperwork is a critical compliance document. Beyond collecting clinical information, it is the primary mechanism for obtaining both clinical consent and GDPR consent.

Your consent form should:

  1. Reference your privacy notice — patients should confirm they've received and read it
  2. Distinguish clinical consent from GDPR consent — consent to treatment is separate from consent to process personal data for marketing
  3. Use clear plain English — avoid legal jargon; patients must genuinely understand what they're agreeing to
  4. Be explicitly signed and dated — a checkbox or signature with the date
  5. Be stored securely — treat the signed consent form as a clinical record

Do not use a single tick box that conflates treatment consent, data processing consent, and marketing consent. These are legally distinct and must be presented separately.


Practice Management Software as a Data Processor

If you use software like Cliniko, Jane App, Power Diary, or WriteUP to manage appointments, store clinical notes, and process payments, that software provider is acting as your data processor under Article 28 GDPR.

This matters because:

  • You remain the data controller — responsible for how patient data is used
  • Your software provider must have a Data Processing Agreement (DPA) in place with you
  • The DPA should specify what data they hold, how it's protected, and what happens if there's a breach
  • You must ensure their security standards meet GDPR requirements — check their ISO 27001 certification or SOC 2 reports

All four of the major physiotherapy practice management platforms offer DPAs — but you need to actually sign them. Check your account settings or contact your provider if you haven't formalised this.

Also consider: where is your data hosted? If your practice management software stores data on US servers (common with US-headquartered platforms), you need to understand the international data transfer mechanism in use — typically Standard Contractual Clauses (SCCs).


HCPC Registration Data

As an HCPC-registered physiotherapist, the Health and Care Professions Council holds your personal data for regulatory purposes. They have their own legal obligations under GDPR, including maintaining a public register. This data is processed under their regulatory mandate — you have no control over it, but you do have the right to access and request correction of your HCPC record if it contains errors.

If you employ other registered practitioners in your practice, you will collect their professional registration data. This is processed under your legitimate interest as an employer to verify professional credentials, which must be documented in your Records of Processing Activities (ROPA).


Insurance Company Data Sharing

One of the more complex areas for private physiotherapists is third-party insurance data sharing.

PMI (Private Medical Insurance)

If you treat patients funded by PMI insurers (Bupa, AXA Health, Vitality, etc.), you will share clinical information with them to support billing and pre-authorisation. This typically includes:

  • Diagnosis and condition codes
  • Treatment plans and session records
  • Outcome measures

Patients must be aware of this sharing via your privacy notice. The insurance company is an independent data controller — they have their own GDPR obligations. Your DPA with the insurer should clarify each party's responsibilities.

Personal Injury Claims

If you provide medical reports for personal injury (PI) litigation — for example, whiplash or accident injury claims — you will share your clinical records and expert opinion with:

  • The instructing solicitor
  • Potentially the court
  • Potentially the opposing party's legal representatives

This processing requires the explicit consent of the patient, obtained specifically for the purpose of the PI report. A general treatment consent does not cover litigation disclosure. Use a specific written authority signed by the patient before preparing or disclosing any medico-legal report.


Medico-Legal Reporting and Data Handling

Medico-legal reporting raises specific GDPR considerations:

  • Lawful basis: Article 9(2)(f) — necessary for the establishment, exercise, or defence of legal claims — in addition to the patient's explicit authority
  • Data minimisation: Share only what is relevant to the legal question; do not disclose your entire clinical record when a targeted summary suffices
  • Third-party data: If your treatment notes include information about third parties (e.g., a partner mentioned by the patient), you must take care not to disclose this unnecessarily
  • Retention: Medico-legal reports and correspondence are clinical records and subject to the same minimum 8-year retention

If you use a medico-legal agency to source expert reporting work, that agency may be a data processor or joint controller depending on the arrangement — get this clarified in writing.


GP Referral Letters and Third-Party Data

When a GP refers a patient to you, their referral letter contains personal and clinical data. It may also contain incidental references to:

  • Family members or carers
  • Mental health history
  • Medications and conditions unrelated to the presenting complaint

You are responsible for that data from the moment it enters your practice. This means:

  • Store the referral letter securely (electronically in your clinical system, or in a locked physical file)
  • Do not share the referral letter more widely than clinical need requires
  • Be mindful of the third-party information it contains — the referred patient's consent does not extend to that third-party data
  • Include referral letters in your retention schedule (8 years minimum)

If you send referral letters to other practitioners, apply the same principles: include only clinically relevant information, send via secure means (encrypted email or NHS-accredited secure messaging where available), and keep a record of what you disclosed and to whom.


Clinical Record Retention

The ICO and the Chartered Society of Physiotherapy both provide retention guidance. For private practice, the minimum retention periods are:

| Record Type | Minimum Retention Period |
|---|---|
| Adult clinical records | 8 years from last treatment |
| Children's records | Until age 25, or 8 years from last treatment — whichever is longer |
| GP referral letters | As part of the clinical record |
| Consent forms | As part of the clinical record |
| Medico-legal reports | 8 years minimum |
| Financial/billing records | 6 years (HMRC requirement) |

After the retention period expires, records must be securely destroyed — shredded if paper, permanently deleted from all systems if electronic. Do not simply delete a file and empty the Recycle Bin; use secure deletion software or confirm your practice management system's data deletion policy.

Document your retention schedule in your ROPA. If you are ever subject to a DSAR or ICO investigation, being able to demonstrate you have a policy and follow it is significant.
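The "whichever is longer" rule for children's records is the one most easily got wrong in a periodic destruction review, so here is the retention table above expressed as a small calculator. This is an added example, not code from the original post or from any practice management product; it assumes that a patient counts as "treated as a child" when under 18 at the last treatment (the guide does not define the threshold), and the sample records at the bottom are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class RecordType(Enum):
    CLINICAL = "clinical record"          # notes, GP referral letters, consent forms
    MEDICO_LEGAL = "medico-legal report"  # reports and correspondence, 8 years minimum
    FINANCIAL = "financial/billing"       # invoices and payments, 6 years (HMRC)


# Minimum periods from the retention table in this guide.
CLINICAL_YEARS = 8
MEDICO_LEGAL_YEARS = 8
FINANCIAL_YEARS = 6
CHILD_RETAIN_UNTIL_AGE = 25
# Assumption (not stated in the guide): "treated as a child" means under 18 at last treatment.
ADULT_AGE = 18


@dataclass(frozen=True)
class PatientRecord:
    record_type: RecordType
    last_activity: date                   # last treatment, report date, or transaction date
    date_of_birth: Optional[date] = None  # needed only to apply the children's rule


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_at(dob: date, on: date) -> int:
    """Completed years of age on the given date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def treated_as_child(rec: PatientRecord) -> bool:
    return (rec.date_of_birth is not None
            and age_at(rec.date_of_birth, rec.last_activity) < ADULT_AGE)


def retention_end(rec: PatientRecord) -> date:
    """Earliest date on which the record may be securely destroyed."""
    if rec.record_type is RecordType.FINANCIAL:
        return add_years(rec.last_activity, FINANCIAL_YEARS)
    if rec.record_type is RecordType.MEDICO_LEGAL:
        return add_years(rec.last_activity, MEDICO_LEGAL_YEARS)
    standard = add_years(rec.last_activity, CLINICAL_YEARS)
    if treated_as_child(rec):
        # Children: until age 25 or 8 years from last treatment, whichever is longer.
        return max(standard, add_years(rec.date_of_birth, CHILD_RETAIN_UNTIL_AGE))
    return standard


def retention_end_iso(kind: str, last_activity: str, date_of_birth: Optional[str] = None) -> str:
    """Convenience wrapper taking ISO 8601 dates, e.g. retention_end_iso("CLINICAL", "2020-03-15")."""
    rec = PatientRecord(RecordType[kind], date.fromisoformat(last_activity),
                        date.fromisoformat(date_of_birth) if date_of_birth else None)
    return retention_end(rec).isoformat()


def due_for_destruction(rec: PatientRecord, today: date) -> bool:
    return today >= retention_end(rec)


# Constructed sample records for a destruction review (not real patients).
SAMPLE_RECORDS = {
    "adult-2020":   PatientRecord(RecordType.CLINICAL, date(2020, 3, 15)),
    "child-2015":   PatientRecord(RecordType.CLINICAL, date(2015, 9, 10), date(2010, 6, 1)),
    "teen-2023":    PatientRecord(RecordType.CLINICAL, date(2023, 11, 5), date(2006, 1, 20)),
    "invoice-2019": PatientRecord(RecordType.FINANCIAL, date(2019, 4, 5)),
}


def review(today_iso: str) -> dict:
    """Label each sample record 'keep' or 'destroy' as of the review date."""
    today = date.fromisoformat(today_iso)
    return {label: ("destroy" if due_for_destruction(rec, today) else "keep")
            for label, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        flag = " (child: extended retention)" if treated_as_child(rec) else ""
        print(f"{label}: retain until {retention_end(rec)}{flag}")
    print(review(date.today().isoformat()))
```

Note how the two children's records resolve differently: a child last seen at age five is held until their 25th birthday, while a 17-year-old's record is held for the full 8 years because that runs past age 25. Flagging `treated_as_child` in your clinical system is what the "children's records flagged for extended retention" checklist item is about.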


Remote Physiotherapy: Video Sessions and Data Handling

Remote physiotherapy via video consultation has become standard practice. It raises specific GDPR considerations:

Platform Selection

If you use Zoom, Microsoft Teams, Google Meet, or a specialist telehealth platform, that provider is a data processor. You need:

  • A DPA signed with the platform provider
  • Confirmation of where data is stored and processed
  • Clarity on whether sessions are recorded and who can access recordings

Some platforms auto-record — check your settings. If you record sessions, you must inform the patient before the session begins, obtain their explicit consent to recording, and store and delete recordings in accordance with your retention policy.

Transmission Security

Clinical video consultations must use end-to-end encryption or equivalent secure transmission. Consumer-grade platforms may not meet this standard for healthcare use. Consider purpose-built telehealth platforms that are GDPR and Data Security and Protection Toolkit (DSPT) compliant.

No Recording Without Consent

You cannot record a clinical video session without the patient's explicit prior consent. If the patient does not consent to recording, do not record. Document what was discussed in your usual clinical notes instead.


GDPR Compliance Checklist for Physiotherapists

Use this checklist to assess your current position:

Legal Foundation

  • [ ] Identified lawful basis for processing clinical data (Article 9(2)(h) or explicit consent)
  • [ ] Documented basis in your Records of Processing Activities (ROPA)
  • [ ] Privacy notice in place, provided to all patients at first contact

Patient-Facing Documents

  • [ ] Consent form separates clinical consent from GDPR consent
  • [ ] Consent form explicitly references your privacy notice
  • [ ] Specific written authority obtained before preparing any medico-legal report
  • [ ] Privacy notice covers all third-party sharing (insurers, solicitors, other practitioners)

Practice Management Software

  • [ ] DPA signed with your practice management software provider
  • [ ] Understood where patient data is hosted (UK, EU, or US)
  • [ ] Confirmed international transfer mechanism if data is hosted outside UK/EU

Record Keeping

  • [ ] Retention schedule documented and followed
  • [ ] Secure destruction process in place for expired records
  • [ ] GP referral letters and consent forms included in retention schedule
  • [ ] Children's records flagged for extended retention

Medico-Legal and Insurance

  • [ ] Written patient authority obtained for every PI report
  • [ ] Understood data sharing arrangement with each PMI insurer

Remote Consultations

  • [ ] DPA in place with video platform provider
  • [ ] Recording consent obtained before recording any session
  • [ ] Telehealth platform meets encryption requirements

Security

  • [ ] Electronic records password-protected and access-controlled
  • [ ] Paper records in locked storage
  • [ ] Staff (if any) trained on data protection
  • [ ] Incident response process documented for data breaches
  • [ ] ICO registration maintained (required if you process personal data professionally)

Get a Free Privacy Scan

Your practice management system and website may be processing more data than you realise — cookies, third-party trackers, analytics platforms. Run a free scan at https://app.custodia-privacy.com/scan to see exactly what your website is collecting, and identify any compliance gaps in 60 seconds.


This guide provides general information about GDPR compliance for physiotherapists and allied health professionals in private practice in the UK. It does not constitute legal or regulatory advice. Requirements vary based on the nature and volume of data you process and your specific practice model. Consult a qualified data protection professional or your professional body for advice specific to your circumstances.
