1. Introduction

Alfa Physio Clinic is committed to ensuring that all personal data is collected, processed, stored, and protected in compliance with the General Data Protection Regulation (GDPR), Data Protection Act 2018, and MedCo requirements.

This policy outlines our responsibilities as a Data Controller and Data Processor and applies to all employees, associates, and any third parties involved in handling personal data. It sets out how we process personal data lawfully, fairly, and transparently, ensuring data subjects' rights are protected at all times.

2. Scope

This policy applies to all personal data processed by Alfa Physio Clinic, including data collected from:

  • Patients and claimants
  • Instructing parties (solicitors, insurers, MedCo-registered MROs)
  • Employees, contractors, and associates
  • Website users and online inquiries

This policy applies to all forms of personal data, whether held electronically, on paper, or in any other format.

3. Data Protection Principles

Alfa Physio Clinic ensures compliance with the seven core principles of GDPR:

  • Lawfulness, Fairness, and Transparency – Personal data is processed lawfully, fairly, and transparently.
  • Purpose Limitation – Data is collected for specified, explicit, and legitimate purposes only.
  • Data Minimisation – We collect only the minimum data necessary for the intended purpose.
  • Accuracy – Data is kept accurate and up-to-date, with correction mechanisms in place.
  • Storage Limitation – Data is retained only as long as necessary, in line with legal and regulatory requirements.
  • Integrity and Confidentiality – Data is securely stored and protected against unauthorised access or breaches.
  • Accountability – We take full responsibility for ensuring GDPR compliance.

4. Lawful Basis for Processing Personal Data

Alfa Physio Clinic processes personal data on the following lawful grounds:

  • Contractual Obligation – Processing is necessary for providing physiotherapy and medico-legal services under contractual agreements.
  • Legal Obligation – Compliance with UK laws, including MedCo Rules, GDPR, and the Health and Social Care Act 2015.
  • Legitimate Interests – Ensuring operational efficiency, managing patient cases, and improving services.
  • Consent – In cases where explicit consent is required, patients and claimants will be informed and given the right to withdraw consent.

5. Categories of Personal Data Processed

The following categories of personal data may be collected and processed:

  • General Identifiable Data: Name, address, contact details, date of birth, occupation
  • Medical Information: Health history, medical reports, clinical records, diagnostic results
  • Case and Claim Information: Accident details, referral sources, solicitors’ instructions
  • Financial Information: Payment details, invoicing records, insurance claim data

Sensitive (Special Category) data such as health records is processed under strict confidentiality and only when necessary for medico-legal reporting.

6. How Personal Data is Collected

Alfa Physio Clinic collects data through:

  • Direct Patient Contact: Initial consultations, assessments, and medical examinations
  • Referrals from Solicitors & MROs: MedCo-registered MROs and instructing parties submit case details
  • Electronic & Paper Forms: Online forms, consent forms, and signed agreements
  • Automated Systems: Case management and clinical record software

7. Data Retention Policy

Medical Records & Case Files: Retained for 8 years from the last patient interaction (or until the patient turns 25 if under 18).

Financial & Billing Records: Retained for 6 years, in line with HMRC guidelines.

Employee Records: Retained for 7 years after employment ends.

Marketing & Enquiry Data: Retained for 1 year, unless consent is withdrawn earlier.

After the retention period, data is securely deleted, anonymised, or destroyed.

8. Data Sharing & Third-Party Processors

Alfa Physio Clinic does not sell or share personal data with third parties for marketing purposes. However, we use Medqon Limited as a third-party software provider for case management and medico-legal report writing.

  • Medqon Limited is a Data Processor, not a Data Controller. Alfa Physio Clinic remains the sole Data Controller, and Medqon Limited only processes data on our behalf under a strict Data Processing Agreement (DPA) in compliance with GDPR and MedCo requirements.
  • Medqon’s Responsibilities Include:
    • Securely storing, managing, and processing case-related data within its software system.
    • Ensuring data encryption, restricted access, and compliance with GDPR.
    • Not sharing or accessing data beyond its intended purpose.
  • Data Security Compliance:
    • Medqon Limited follows ISO 27001 security standards for data protection.
    • All data remains within secure servers, and no data is stored outside the UK or EU unless required and explicitly agreed upon.
    • Access to personal data within Medqon’s system is strictly controlled, and only authorised personnel at Alfa Physio Clinic have access to sensitive case information.

9. Security & Data Protection Measures

Alfa Physio Clinic takes data security seriously and implements the following safeguards:

  • Encryption: All stored and transmitted data is encrypted.
  • Access Control: Personal data is restricted to authorised personnel only.
  • Secure IT Infrastructure: Firewalls, intrusion detection, and secure cloud storage.
  • Regular Security Audits: Routine vulnerability testing and risk assessments.
  • Staff Training: All staff receive annual GDPR and information security training.

If a data breach occurs, affected individuals and the ICO (Information Commissioner's Office) will be notified within 72 hours, in line with GDPR regulations.

10. Data Subject Rights

Under GDPR, individuals have the following rights regarding their personal data:

  • Right to Access: Request a copy of personal data held. If a data subject requests access to their records stored within Medqon’s case management system, Alfa Physio Clinic will provide access within the legally required timeframe, in accordance with GDPR. Medqon Limited does not independently process subject access requests and directs all such requests back to Alfa Physio Clinic as the Data Controller.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure (Right to be Forgotten): Request deletion of personal data when no longer needed.
  • Right to Restrict Processing: Request limited use of personal data under specific circumstances.
  • Right to Data Portability: Request transfer of personal data to another provider.
  • Right to Object: Object to processing based on legitimate interests.
  • Rights Related to Automated Decision-Making: Challenge automated profiling decisions.

To exercise these rights, individuals can contact Alfa Physio Clinic at:

11. Data Protection Officer & Complaints

Data Protection Officer (DPO): For concerns or questions regarding data protection, please contact our DPO at:

Filing a Complaint:

If you believe your data protection rights have been violated, you can file a complaint with:

  • The Information Commissioner’s Office (ICO)
    • Website: www.ico.org.uk
    • Phone: 0303 123 1113
    • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

12. Policy Review & Updates

This policy will be reviewed annually and updated as necessary to reflect changes in legislation, technology, or operational processes. The latest version will always be available on our website.