Privacy Policy & General Data Protection Regulation (GDPR)

The Data Controller

The Data Controller is Dr Massimo Barcellona (Practice Owner: Email: [email protected])

Privacy policy

GDPR is bringing in new legal protection for personal information from the 25th May 2018. This Privacy Policy sets out how SHP Health uses and protects the information that you give to us when you register as a patient. SHP Health is committed to protecting and respecting your privacy and complying with the principles of the GDPR. We fully respect the confidentiality of the information that you may share with us.

The purpose of processing your information

We aim to process information about you in a secure and transparent way that enables us to carry out our job of assessing and managing you, whilst holding your data in a way that you can understand and that complies with current legislation.
When you register as a patient at SHP Health we will ask you for some basic personal data including name, address, date of birth, contact details and medical information both relevant to the condition you have been referred for/have referred yourself for and any other medical information about your general health. This will help us to assess your condition and manage you in the most appropriate way that suits your individual needs. We may also use your information to promote our services and to support and manage our staff.

The lawful basis for processing your information

At SHP Health and as members of the Chartered Society of Physiotherapy (CSP) we abide by the CSP code of practice and ethics. The lawful basis under which we hold and use your information is our legitimate interests; our requirement to retain the information to provide you with the best possible assessment and management of your condition.
As we hold special category data known as “health related information”, the Additional Condition under which we hold and use this information is: for us to fulfil our role as physiotherapists/health care practitioners in line with the CSP Code of Members’ Professional Values and Behaviour and the CSP Quality Assurance Standards for physiotherapy service delivery.

What information we hold and what we do with it

The information we hold includes your:
• Personal and contact details.
• Medical history and other health-related information; including physical and mental health, family, lifestyle, social, employment and education details.
• Treatment details and related notes.
We might use your information in the following ways:
• For our own record keeping.
• To provide you with the highest levels of care, treatment and customer service.
• As a patient, we may need to contact you by email, phone or through the post. Our primary means of contact is email. We may forward appointment reminders to you and may need to liaise about payment matters.
• From time to time we may send you an email with news about our clinics: the range of services we offer, clinic promotions and news and articles of interest to you.
• To improve our services offered to you.
The information you provide us with is held in strict confidence. We will NOT sell, distribute or disclose your information to third parties unless we have your permission or are required to do so by law or by following best medical practice.

How we store your information

Your information is stored securely on password-protected, encrypted computers and as internal paper records/patient file. This information allows us to provide you with health services, to manage your records and appointments and to correspond (if applicable and consent given) with your referring consultant, insurer or case management company to process your claim (as appropriate).

Retention period for your information

Your patient file information is held for a minimum of 8 years (as required by The Data Protection Act). All financial records are retained for a minimum of 7 years.


The protection of your personal information is extremely important to us. We are committed to ensuring that your information is secure, and we strive to protect your personal information using means reasonably required by us to do so. We have physical, electronic and managerial procedures to secure the information that you supply us with. As no form of data storage and transmission is 100% reliable, we cannot guarantee its absolute security. Therefore, we make no warranties as to the level of security afforded to your data. We will, however, always aim to act in accordance with the relevant legislation. We will not share your information with anyone other than the professionals (NHS/private referrers) and intermediaries (insurer, solicitor, employer or other party) that you have given us permission to share your information with. Your data will not be transferred outside the EU without your consent.

Under 16s

All our physiotherapists are DBS checked, fully qualified and insured to treat children under the age of 16. Children under the age of 16 must be accompanied by a parent or guardian over the age of 18 when visiting our service. We also require the child’s parent or guardian to provide their consent for assessment and treatment and acceptance of our terms on behalf of the child.

Your Rights

GDPR gives you the following rights:
• The right to be informed: To know how your information will be held and used (this notice).
• The right of access: To see your therapist’s records of your personal information, so you know what is held about you and can verify it.
• The right to rectification: To tell your therapist to make changes to your personal information if it is incorrect or incomplete.
• The right to erasure (also called “the right to be forgotten”): For you to request your therapist to erase any information they hold about you.
• The right to restrict processing of personal data: You have the right to request limits on how your therapist uses your personal information.
• The right to data portability: Under certain circumstances you can request a copy of personal information held electronically so you can reuse it in other systems.
• The right to object: To be able to tell your therapist you don’t want them to use certain parts of your information, or only to use it for certain purposes.
• The right to lodge a complaint with the Information Commissioner’s Office: To be able to complain to the ICO if you feel your details are not correct, if they are not being used in a way that you have given permission for, or if they are being stored when they don’t have to be.
Full details of your rights can be found at
If you wish to exercise any of these rights or you would like to find out more about your rights, please use the contact details given above.
If you are dissatisfied with the response you can complain to the Information Commissioner’s Office; their contact details are at:

Therapist’s rights

Please note:
• If you do not agree to us keeping records of information about you and your treatments, or if you do not allow us to use the information in the way we need to for treatments, we may not be able to treat you.
• We must keep your records of treatment for a certain period as described above, which may mean that even if you ask us to erase any details about you, we might have to keep these details until after that period has passed.
• We can move your records between our computers and IT systems, as long as your details are protected from being seen by others without your permission.

Changes to Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

Further information

For further information regarding our personal data processing please see our data protection register entry details on the Information Commissioner’s Office website at