• Safe & Effective
  • Kind & Caring
  • Exceeding Expectation
Physiotherapy and Occupational Therapy Department Privacy Notice

Data Controller: Physiotherapy and Occupational Therapy Department Privacy Notice

The Physiotherapy & Occupational Therapy Department of The Royal Wolverhampton NHS Trust provides physiotherapy & occupational therapy services to inpatients and outpatients, both adults and children. Services are provided at:

  • New Cross Hospital
  • West Park Hospital
  • Cannock Chase Hospital
  • The Gem Centre (Children’s Therapies)
  • Many GP surgeries, community venues, special schools and patients’ own homes


In the Physiotherapy & Occupational Therapy Department we aim to provide you with safe and effective care to the highest standards. To do this the team of health professionals caring for you will keep records about your health and any care you receive from the trust. This is called your Health Record and may be stored in a paper form or on computer systems. This may include:

  • Basic details such as your name, address, date of birth, NHS number, gender, next of kin, and ethnicity
  • Details of your hospital appointments/visits
  • Notes and reports about your health, treatment and care 
  • Results of x-rays, scans and laboratory tests. This may sometimes include clinical photographs but these will only be taken with your written consent.
  • Relevant information from people who care for you and know you well, such as health professionals and relatives    

It is very important that your personal details are accurate and up to date. We will often check with you at appointments or visits that these details are correct.

Records are created in both paper and electronic forms.  Local databases may also be kept – for example, using a ‘spreadsheet’ type of document – to help us manage workloads and work flows across our various teams. These are kept securely on the Trust’s computer systems, and access is controlled and limited to only those staff that have a justifiable need to gain access. Such records may contain your hospital number but all other identifiers (such as date of birth, address, NHS number) are removed. If you are at all concerned about storage of your information in this way, please speak to the health professional in charge of your care.

Return to top

As a data controller the Trust must establish and publish the lawful basis that is relied on for processing personal data and data that is special categories (sensitive data). Generally most of the processing we carry out is to deliver your care and  treatment, and is covered by the following legal provisions:

  • For the performance of a task carried out in the public interest or in the exercise of official authority, to delivery you a heath care service  
  • For medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

The Physiotherapy & Occupational Therapy Department uses the above data in the following ways. For each purpose we process your personal data, the legal bases allowing us to do so are listed within the table below.

Purpose of using personal data in GP Practices Legal basis of processing personal data

For commissioning and healthcare planning purposes

For example:
  • Assessing and treating the health problem for which you have been referred to us
  • reporting to Commissioners on the number of patients being referred for a particular health problem.

GDPR Article 6(1)(c) – compliance with a legal obligation

GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Special category 9(2)(i) – public interest in the area of public health

For planning, general running purposes and system improvements

For example:
  • Care Quality Commission powers to require information and records
  • Creating a spreadsheet to help organise workload management.

GDPR Article 6(1)(c) – compliance with a legal obligation (the GP practice) 

Regulation 6(1)(e) – the performance of a task carried out in the public interest (CQC)

GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Special category 9(2)(i) – public interest in the area of public health

For planning and running of the NHS nationally, for example: National clinical audits

GDPR Article 6(1)(e) – the performance of a task carried out in the public interest

GDPR Article 9(2)(h) – medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Special category 9(2)(i) – public interest in the area of public health

For research purposes

For example: Investigating the effectiveness of health campaigns such as stop-smoking

GDPR Article 6(1)(f) – legitimate interests…except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject

GDPR Article 6(1)(e) – the performance of a task carried out in the public interest

GDPR Article 6(1)(a) – explicit consent

GDPR Article 9(2)(j) – scientific or historical research purposes or statistical purposes

Return to top

We may share information about you with other agencies in order to support the delivery of your care. This might be, for example, making referrals for additional care after a hospital stay or if an illness has left you unable to look after yourself without assistance. The health professionals looking after you will tell you about these before sharing your information. These are some of the other agencies we might contact:

  • Department of Health and other NHS bodies 
  • Clinical Commissioning Groups (CCG’s) 
  • Other providers involved in your care- such as other hospitals, residential or care homes, care agencies
  • General Practitioners (GP’s) in Wolverhampton and out of area if you are not from Wolverhampton.
  • Ambulance Services
  • Mental health services 
  • Social services

To ensure continuity of care and appropriate care planning between the various professionals who might be involved in your care, we may also share your information with the agencies listed below. This will always be discussed with you beforehand and you do have the right to object in certain circumstances (for example, if you do not wish your information to be shared with voluntary sector providers):

  • Education services (usually for children)
  • Local authorities 
  • Voluntary sector providers (for example, charities who support rehabilitation or provide assistance with daily activities)
  • Private sector companies (for example, specialist equipment companies who may need to supply you with specific items of equipment)

We may also share your information with others that need to use records about you to carry out the following:

  • Check the quality of treatment or advice we have given you 
  • Protect the health and/or safety of the general public 
  • Manage the health service 
  • Help investigate any concerns or complaints you or your family have about your healthcare

This will be done with protocols or agreements in place to govern the sharing of data to ensure it is adequate and relevant to the purposes listed above.

Some information we have to share is used for statistical, research or audit purposes. In these instances we take strict measures to ensure that individual patients cannot be identified and where appropriate, anonymisation and pseudonymisation techniques will be used to protect your identity. An example of this is:

  • National clinical audits (for example, for collecting data about pulmonary rehabilitation, stroke services, falls prevention services or cardiac rehabiliation)

Please ask a member of staff if you require further details about who your information may be shared with. We will always seek your consent for any identifiable information to be shared for audit or research purposes.

If you do not wish personal data that we hold about you to be used in the way that is described in this notice, please discuss the matter with us. You have the right to object in certain circumstances, such as where you have given consent to the processing or have entered into a contract you have given consent, but this may affect our ability to provide you with care or advice.

Return to top

The Physiotherapy & Occupational Therapy Department will collect data about you in a number of ways. The main method of collection is from you directly.

Face to face: 
Most of the information we hold about you will be collected from you at the time you engage with the service. Any data provided will be used for the reasons listed in this notice and only relevant data will be requested and recorded.

Video calls:
As services develop it is increasingly likely that some consultations will be conducted remotely rather than face to face. This usually involves the use of a smart device and enables the physiotherapist/occupational therapist to see a live video stream of you as the patient. The therapist will be in a secure and private location, and the software used for this purpose has been approved as secure by the NHS.

These sessions are not recorded by the trust and are therefore not available to view once the consultation has ended.

Telephone calls: 
Information you disclose over a telephone call may be noted down within your written records if it is relevant to your care. This may for example include requests to change appointments, or any new or updated information you share with us about your health.

Remote consultations also take place by telephone. The information discussed during the call and the outcome of the consultation will be recorded in your written hospital notes by the therapist who makes the call.

If you email us we may keep a record of your contact and your email address for our record keeping. It is possible that in the future the trust may use your email address to contact you but you have the right to decline if you prefer not to be contacted using email.

Other organisations: 
We may receive information from other organisations that are also required by law to share information with us about you, to help us have a full picture of your needs and provide you with care.

Referrals – We may receive referrals or a transfer of your notes from specific specialties as a result of your care being transferred to our services. This can be from another Trust, your GP or any health or social care provider initiating a referral.  Additionally, voluntary sector agencies, charities and public services (such as the Fire Service) may refer you to Physiotherapy & Occupational Therapy after their contact with you – this should only be with your explicit consent. If you feel that you have been referred to our services without your knowledge or consent you should contact the Data Protection officer (DPO) of the referring organisation.

Direct access – The Trust and its staff may, on a need to know basis have access to specific clinical systems from other organisations such as the summary care record or other Trust clinical systems in order to access information about you that is relevant to your care delivery. All systems are auditable and access is on a need to know basis.

Return to top

Below is a list of the rights you have in relation to your data and when they apply. To make an application for any of the below rights please contact the Health Records Access Team Team, who will coordinate your request (see How do I request my information? section below). All rights requests must be completed within 30 calendar days from the date received, but may be extended if complex.


The Right of Access
You have the right to request a copy of any information held by the Trust as well as any supplementary information. See How do I request my information? for details on how to request your information.


The Right to Rectification
If you believe your information may be inaccurate or incomplete you can make a request to have your information reviewed.

restrict processing

The Right to Restrict Processing
The right to restriction allows you to request the restriction or suppression your personal data. This right is closely linked with the right to rectify and the right to object and will only apply if:

  • you contest the accuracy of your personal data and the accuracy is being verified by the trust
  • the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and requests restriction instead
  • the personal data is no longer needed but we need to keep it in order to establish, exercise or defend a legal claim

You have a right to see or have copies of any information held by the Trust that relates to you free of charge. We have the right to charge an administration fee in situations where repeated requests are received for the same information or the request is excessive. You will be required to prove your identity when making requests.

Subject Access Requests under GDPR rules (post 25 May 2018) will be processed within 30 days. However, once our teams have established the volume of records requested there may be a requirement to extend this up to a further 2 months. We will contact you within 30 days should this be the case.

To request access to health records please complete a Subject Access Request form and forward on to:

Health Records Access Team 
Health Records Library
Location B19
New Cross Hospital
Wednesfield Road
WV10 0QP

Email: rwh-tr.healthrecordsaccess@nhs.net
Telephone: 01902 307999 Extension 5544

Return to top

All our records are destroyed in accordance with the NHS Retention Schedule, which sets out the appropriate length of time each type of NHS records is retained. We do not keep your records for longer than necessary. All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required. For more information please see the Record Management Code for Practice for Health and Social Care 2016, retention schedules.

There are longer retention periods for children’s records – please speak to your child’s therapist if you wish to know more. 

If paper records are created they are scanned and uploaded to the Trust’s Clinical Web Portal once an episode of care is concluded. This is a web-based repository for all of your clinical records which can be accessed by staff who have a legitimate need to do so. Once the paper copies have been uploaded they are destroyed confidentially.

Return to top

If you have any concerns or wish to make a complaint about your care, please speak to a health professional involved in your care in the in the first instance. If your concern is not resolved to your satisfaction please contact the Patient Advice and Liaison Service (PALS).

Data Protection Officer (DPO): Raz Edwards 
New Cross Hospital
Wolverhampton Road
Heath Town
WV10 0QP

Email: rwh-tr.IG-Enquiries@nhs.net
Telephone: 01902 307999 ext. 88124

The Data Protection Officer is a point of contact for advice and guidance in relation to your rights.  The DPO is responsible for monitoring the Trusts compliance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) 2016 as any policies the Trust has in relation to the protection of personal data.   The DPO shall perform their duties in an independent manner with due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. 

If you have any concerns about how your information is being processed or any of the rights as detailed above, please contact the Trust in the first instance through:

Health Records Access Team 
Health Records Library (Location B19)  
New Cross Hospital
Wednesfield Road
WV10 0QP

Email: rwh-tr.healthrecordsaccess@nhs.net
Telephone: 01902 695544, 01902 695545 or 01902 307999 Ext. 88093

You also have a right to complain directly to the Information Commissioner’s Office if you feel the Trust has not responded effectively to any of the above.

Information Commissioners Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113
Website:  https://ico.org.uk/

Return to top

A Teaching Trust of the University of Birmingham