Privacy Policy
Surrey Cardiac Rehab is committed to safeguarding the privacy and confidentiality of our clients and website users. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the professional standards set by the Chartered Society of Physiotherapy (CSP) and the Health and Care Professions Council (HCPC).
This Privacy Policy explains how we collect, use, store and protect your personal information.
1. Data Controller
Surrey Cardiac Rehab is the data controller responsible for your personal data.
If you have any questions about this Privacy Policy or how your data is handled, please contact us using the details provided on our website.
2. Personal Data We Collect
In order to provide safe, effective physiotherapy and cardiac rehabilitation services, we may collect and process the following information:
Personal details
- Name
- Address
- Email address
- Telephone number
- Date of birth
- Emergency contact details
Health and medical information (special category data)
- Medical and cardiac history relevant to your care
- Current symptoms, diagnoses and risk factors
- Assessment findings, treatment plans and progress notes
- Information shared by GPs, consultants or other healthcare professionals (with your consent)
Administrative and financial information
- Appointment records
- Correspondence
- Invoices and payment records
We only collect information that is necessary, relevant and proportionate to your care, in line with CSP and HCPC guidance.
3. How We Collect Your Information
We collect personal data:
- When you contact us via telephone, email, website or in person
- When you complete registration, consent or assessment forms
- During physiotherapy and rehabilitation sessions
- From other healthcare professionals involved in your care, with your consent
4. Lawful Basis for Processing
Under UK GDPR, we process your personal data lawfully under the following bases:
- Provision of health care and treatment
- Performance of a contract (providing agreed services)
- Your explicit consent, where required
- Compliance with legal and regulatory obligations
Special category health data is processed in accordance with UK GDPR Article 9 for the purpose of healthcare delivery by a regulated health professional.
5. How We Use Your Information
Your information is used to:
- Deliver safe, effective and personalised physiotherapy and cardiac rehabilitation
- Carry out assessments and develop treatment programmes
- Monitor progress and outcomes
- Communicate with you regarding appointments and care
- Maintain accurate clinical records in line with professional standards
- Meet legal, insurance and regulatory requirements
Your data will never be used for marketing purposes without your explicit consent.
6. Confidentiality and Information Sharing
We adhere to strict professional confidentiality standards.
Your information will only be shared:
- With your GP, consultant or other healthcare professionals involved in your care (with your consent)
- Where required by law (e.g. safeguarding concerns)
- With professional advisors or service providers who are subject to confidentiality obligations
We will never sell or share your data for commercial purposes.
7. Data Storage, Security and Retention
We take appropriate measures to ensure your data is stored securely, including:
- Secure electronic record systems
- Password-protected devices and access controls
- Secure storage of any paper records
Clinical records are retained in line with CSP, HCPC and legal record-keeping guidance, after which they are securely destroyed.
8. Your Rights
You have the right to:
- Access your personal data
- Request correction of inaccurate or incomplete information
- Request restriction of, or object to, processing (where applicable)
- Request erasure of data (subject to legal and professional record-keeping requirements)
- Withdraw consent at any time, where processing is based on consent
Requests can be made by contacting us directly.
9. Website and Cookies
Our website may use cookies to improve functionality and user experience. Cookies do not identify you personally. You can manage cookie settings through your browser.
10. Complaints
If you have concerns about how your data is handled, please contact us first so we can resolve the issue.
You also have the right to complain to the Information Commissioner’s Office (ICO):
www.ico.org.uk
11. Changes to This Policy
This Privacy Policy may be updated periodically to reflect changes in legal, regulatory or professional requirements. The most recent version will always be available on our website.
Last updated: Jan 16, 2026
