Your Guide To How We Look After Your Data

What information will you be asked to provide through your journey with Shepherds’ Health?

Booking your appointment: The data taken will vary depending on the method of being booked for your physiotherapy assessment. However usually we will take the following information at first contact: name, email address and phone number. Bookings can be via:

  • the Shepherds’ Health website enquiry form
  • the Shepherds’ Health reception agents over the phone
  • direct bookings at Shepherds’ Health locations
  • your insurer
  • your employer

Standard information taken regardless of method of booking may include:

  • Name; Postal Address; Telephone Number; Email (assistance for confirmation of bookings); Date of Birth.

Some methods of booking may also include the following data being taken:

  • Body site of injury or pain; employer or insurer and policy details or referral /authorisation code (if relevant); maximum session or maximum value allowed under insurer policy (if relevant)

Initial Assessment

  • Face to face assessment – you may be asked to review a Patient Registration Form and complete details such as your GP details and if relevant, your insurer. In addition. In addition, you will be asked if you consent to us contacting you regarding your treatment.
  • Clinical assessment – this will include the history of your present condition; past medical history; social history including your occupation; previous treatment you’ve received and by whom and other questions which will allow the physiotherapist to understand the best course of treatment for your condition.

Where we may collect your information from.

As discussed above there are a number of avenues that you may come via to have your physiotherapy through Shepherds Health. Depending on which method this is and how your appointment is being booked will vary with how we initially receive information about you. Information could be coming from:

–      Yourself directly, either through the website or a direct booking.
–      Another health professional working for or outside of Shepherds’ Health.
–      You have previously had physiotherapy through Shepherds’ Health and therefore the physiotherapist may be able to see notes stored on our secure system with regards to your previous treatment.
–      Your insurer or employer.

Why we need this information and how we might use it.

We are required to collect the information that we have outlined above for a number of different purposes which are listed below and will vary depending on who is paying for your treatment.

–      Data protection – personal data is required so that we can complete appropriate checks, such as call verification, to ensure we are speaking to the right person.
–      To provide a smooth patient journey – email addresses and telephone numbers allow us to provide booking confirmation and contact you to book and confirm future appointments.
–      Clinical treatment – to construct the most effective treatment plan for your condition or symptoms.
–      Billing – depending on who is paying for your treatment, where relevant, so invoices can be sent to you.

When things go wrong.

–      Shepherds’ Health pride ourselves with the quality of our services and consistent positive customer satisfaction, however, we understand that in a small number of cases you may have cause to raise a concern regarding an element of your patient journey. It is important that Shepherds’ Health learn from these episodes to continually enhance services and as such we carry out thorough investigations. In order to fully investigate your concern we may need to share information with our team, senior leaders or other parties not directly involved with your care. For example, if you were referred to Physiotherapy via your insurer we might need to discuss your concern with your insurer in order to fully investigate it. In any case, we will only share a limited amount of information, as little as is necessary to investigate the concern. We may also need to share details of your concern with your treating physiotherapist or other professionals involved in your care for the purposes of the investigation.
–      If the concern has come via a third party e.g. a regulator, body or solicitor, we may need to disclose your data with them in order to resolve, defend or investigate a concern.

Who your Personal Data may be shared with.

There are variations on who your data may be shared with depending on who is your bill payer. These differences are outlined below.

–      Handovers to other health professionals – during your treatment journey it may be necessary to share information, with regards to you, with other health professionals who are involved in your care, e.g. your GP or a consultant. This could be with regards to referrals to the health professional or reporting back the results of their referral to the physiotherapist. Your consent will be sought before any information is shared, except in rare emergency scenarios.
–      Billing – if your insurer or your employer are covering the cost of your treatment we will need to share enough information with the bill payer to ensure they are able to pay for the treatment.
–      Authorisation of treatment (where relevant) – depending on your bill payer we may have been asked to send reports to authorise treatment or with regards to your treatment outcomes. In order to proceed we may need authorisation from the bill payer (ie – your employer or your insurer) to continue or commence treatment. We will only send the most limited amount of data as is necessary to allow the bill payer to make this assessment.
–      Research – to continue to improve clinical treatment Shepherds Health may use non- identifiable data as part of a research project or an assessment of our services.
–      Occupational Health Reports – if your referral has been from your employer as part of an occupational health assessment then a report will be produced and sent to your employer, however, not before you have had the option to see the report and have provided your consent.

Fair and Lawful Processing

Each organisation is required to demonstrate that they are processing personal data fairly and lawfully, to do this we must have a ‘lawful basis for processing’ personal data. Consent is probably the condition that has gained the most attention but we only rely on consent in limited circumstances e.g. to share information with a third party or your GP.

Shepherds’ Health will mainly be processing data based on the following lawful basis for processing, as set out by the General Data Protection Regulation:

–      Article 6 (1)(b) Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract.
–      Article  6  (1)(f)  Legitimate  interests:  the  processing  is  necessary  because  of  a legitimate interest or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
–      Article  9  (2)(h)  Processing  is  necessary  for  the  purposes  of  preventive  or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of English Law or pursuant to contract with a health professional.

What does this actually mean?

In order to provide you with the level of support agreed to in our contracts in a safe and effective way we need to process the data discussed, and as such, we are doing so lawfully. This means we may not always ask your consent each time we use your data if what we are doing is linked to your treatment or doing something we must do by law.

Your rights in respect of your Personal Data

The law gives you certain rights in respect of the information that we hold about you.  Below is a short overview of the key rights available to you.

  • Data Subject Access Request – with some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you.  Where the data is data that you have given to us, you have the right to receive your copy of it in a common electronic format, and to provide copies of it to other people if you wish (Right to Data Portability).
  • Right to Rectification – you have the right to have the personal data we hold about you corrected if it is factually inaccurate.  This right does not extend to matters of opinion, such as assessments of performance or fitness to work.
  • Right to Erasure – in some limited circumstances, you have the right to have personal data that we hold about you erased (the “right to be forgotten”).  This right is not generally available where we still have a valid legal reason to keep the data (for example, because we are obliged to do so by law).
  • Right to Restrict Processing – you also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data, for example if you contest its accuracy or where we are processing it on the basis of our legitimate interest and you contest our assessment that our interest overrides your rights.

The above is not a complete and exhaustive statement of the law.

How long we will keep your Personal Data for.

The length of time that Personal Data is stored is set by national legislation. Physiotherapy adult health records are generally kept for 8 years. For individuals who are aged under 18, records will need to be kept until their 25th birthday or those who were aged 17 at the start of treatment until their 26th birthday.

Automated Decisions

Each Physiotherapy Journey is different and our highly skilled physiotherapists and our administration team will ensure that you receive a bespoke patient journey that is right for you. As such, all of our decision making is based on the expert opinion of our team and no part of your journey will be based on wholly automated decisions.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We implement a variety of such security measures. Such parties are required to keep the information confidential. After a transaction, your personal information (credit card details, financial information etc.) will not be stored on our servers. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Further Information

For further information about how your data may be processed or to ask any questions please raise this with your physiotherapist. If you are not satisfied with how we handle your personal data or a request to exercise one of your rights in relation to your data, you can contact the Data Protection Officer on

Should you remain dissatisfied you have a right to complain to the Information Commissioner’s Office on 0303 123 1113.

Cookies In Use on This Site

Cookies and how they Benefit You

Our website uses cookies, as almost all websites do, to help provide you with the best experience we can. Cookies are small text files that are placed on your computer or mobile phone when you browse websites. You can learn more about cookies at

Our cookies help us:

  • Make our website work as you’d expect
  • Improve the speed/security of the site
  • Continuously improve our website for you
  • Make our marketing more efficient (ultimately helping us to offer the service we do at the price we do)

We do not use cookies to:

  • Collect any personally identifiable information (without your express permission)
  • Collect any sensitive information (without your express permission)
  • Pass data to advertising networks
  • Pass personally identifiable data to third parties
  • Pay sales commissions

You can learn more about all the cookies we use below

Granting us permission to use cookies

If the settings on your software that you are using to view this website (your browser) are adjusted to accept cookies we take this, and your continued use of our website, to mean that you are fine with this. Should you wish to remove or not use cookies from our site you can learn how to do this below, however doing so will likely mean that our site will not work as you would expect.

More about our Cookies

Our own cookies

We use cookies to make our website work including:

Third party functions

Our site, like most websites, includes functionality provided by third parties. A common example is an embedded YouTube video. Our site includes the following which use cookies:

Google Maps – we embed maps from Google which may place one or more cookies on your computer once you visit a page on our website with the embedded map. We have no control over those cookies, but you can find out about Google’s privacy policy and approach to cookies at

YouTube Videos – we embed videso from YouTube which may place one or more cookies on your computer once you visit a page on our website with the embedded video. We have no control over those cookies, but you can find out about YouTube’s privacy policy and approach to cookies at

Disabling these cookies will likely break the functions offered by these third parties

Turning Cookies Off

You can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies (Learn how here). Doing so however will likely limit the functionality of our’s and a large proportion of the world’s websites as cookies are a standard part of most modern websites

It may be that you concerns around cookies relate to so called “spyware”. Rather than switching off cookies in your browser you may find that anti-spyware software achieves the same objective by automatically deleting cookies considered to be invasive. Learn more about managing cookies with antispyware software.

The cookie information text on this site was derived from content provided by Attacat Internet Marketing, a marketing agency based in Edinburgh. If you need similar information for your own website you can use their free cookie audit tool.