GDPR for physiotherapists in the UK: CSP & HCPC

Steven | TrustYourWebsite · 17 May 2026

Physiotherapy practices sit at the intersection of three rule sets: the UK GDPR and the Data Protection Act 2018, the Health and Care Professions Council (HCPC) Standards of conduct, performance and ethics, and — for the roughly 65,000 UK physios who are members of it — the Chartered Society of Physiotherapy (CSP) information-governance toolkit. NHS-contracted practices add a fourth layer: the NHS Data Security and Protection Toolkit (DSPT) and the NHS Records Management Code of Practice 2021.

This guide covers what UK physiotherapy practices — clinic chains, sole practitioners, sports-injury specialists, women's-health physios and NHS first-contact practitioners alike — need to do to keep that stack compliant.


Why physiotherapy data is "special category"

Physiotherapy clinical records are health data, and health data is a special category of personal data under UK GDPR Article 9(1). That covers far more than just the clinical note:

  • Subjective and objective examination findings, treatment plans and progress notes
  • Photographs and video used for technique analysis, posture or gait assessment
  • Range-of-motion measurements, force-plate data, electromyography traces
  • Medication and allergy information collected at triage
  • GP and consultant referral letters
  • Imaging (ultrasound, MRI summaries you receive from secondary care)
  • Insurance authorisation forms when they contain diagnostic detail

To process special-category data lawfully you need three things stacked together:

  1. An Article 6 lawful basis. For NHS-contracted work that is usually Article 6(1)(e) (public task). For private practice it is usually Article 6(1)(b) (contract with the patient).
  2. An Article 9 condition. The standard condition is Article 9(2)(h) — provision of healthcare or treatment by, or under the responsibility of, a health professional bound by an obligation of professional secrecy. HCPC-registered physiotherapists meet that "health professional" test.
  3. A DPA 2018 Schedule 1 condition. Article 9(2)(h) is only available where the further condition in section 11(1) of the DPA is met — namely that the processing is carried out by, or under the responsibility of, a health professional or someone who owes an equivalent duty of confidentiality. The corresponding Schedule 1 condition is Part 1 paragraph 2 (health or social care purposes). It does not require a separate appropriate policy document.

For Schedule 1 conditions that do require an appropriate policy document (for example paragraph 6 — statutory and government purposes — if you ever rely on it), you must have a written document in place when the processing begins, retain it until 6 months after the processing ends, and produce it to the ICO on request.


CSP and HCPC: how they overlay UK GDPR

The HCPC is the statutory regulator of physiotherapists; the CSP is the professional body and trade union. Both layer obligations on top of UK GDPR.

HCPC Standards of conduct, performance and ethics (current edition):

  • Standard 5 (confidentiality) — keep information about service users confidential and use it only for the purpose for which it was provided
  • Standard 10 (record keeping) — keep full, clear and accurate records throughout, and in line with applicable laws
  • HCPC fitness-to-practise concerns can be raised against an individual registrant where a personal failing (lost laptop, gossip about a celebrity patient, sharing notes with a partner) caused a breach. The HCPC and ICO can act in parallel — an ICO monetary penalty against the practice does not preclude an HCPC sanction against the individual

CSP information governance toolkit:

  • The CSP's information-governance pages (linked below) summarise UK GDPR for members and signpost the iCSP members-only practical templates (privacy notice, data-protection impact assessment, processor due-diligence checklist). The public toolkit lists the eight UK GDPR principles, the lawful bases, and the steps to take after a breach
  • CSP guidance treats the common-law duty of confidentiality as continuing alongside UK GDPR — patient consent in the common-law sense is still needed for many disclosures even when a UK GDPR lawful basis exists

In short: HCPC standards and the common-law duty of confidentiality sit alongside UK GDPR, and a defence under one does not automatically satisfy the others.


NHS DSPT for NHS-contracted physios

Any practice that holds an NHS contract, receives NHS-funded referrals (including first-contact practitioner posts and AQP/Any Qualified Provider contracts), or connects to NHSmail / NHS Spine / the e-Referral Service must complete an annual Data Security and Protection Toolkit submission. The DSPT is the NHS information-assurance framework operated by NHS Digital.

Practical points:

  • The submission window is set each year by NHS Digital; missed submissions appear publicly on the DSPT portal and can be a contractual breach with the commissioning ICB
  • The DSPT requires an information asset register, a record of data flows, a documented retention schedule, evidence of staff training, and confirmation that all processors hold UK-appropriate transfer mechanisms
  • DSPT-published incident notifications feed both NHS England and (where the GDPR threshold is met) the ICO; you cannot use one to avoid the other

Wholly private practices that never touch NHS systems do not need to submit a DSPT — but several private medical insurers (BUPA, AXA Health) increasingly ask for a DSPT or an equivalent attestation in their provider agreements, and corporate occupational-health contracts often require one. Treat the DSPT as a useful self-assessment even where it is not strictly mandatory.


Clinical record retention

The NHS Records Management Code of Practice 2021 (last amended August 2023) sets the standard retention periods. Physiotherapy is treated as general health record-keeping — not the longer dental retention period.

Record type | Retention period
Adult clinical records (NHS or private) | 8 years from the date of last contact
Children's clinical records | Until 25th birthday (or 26th if patient was 17 at last entry)
Mental health records | 20 years from last contact, or 8 years after death
Maternity records (pelvic-floor / women's health) | 25 years after the birth of the last child
Adult social-care records | 8 years from last contact
Imaging (ultrasound, etc.) | Same as the parent clinical record
Consent forms | Retain for the duration of the clinical record
Financial / billing records | 6 years (HMRC)

After the retention period, records must be securely destroyed — shredded for paper, properly wiped or cryptographically erased for digital records. Document each destruction event so you can demonstrate compliance with UK GDPR Article 5(1)(e) (storage limitation).

Private practitioners are not strictly bound to the NHS Code — but holding paying patients to a lower standard than NHS patients on the same caseload is hard to justify, and CSP guidance recommends mirroring NHS retention. A single retention schedule keeps you defensible regardless of who paid.
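A single retention schedule is easiest to defend when it is computed rather than remembered. The following is an added example, not code from the article: it works out the earliest permitted destruction date for each record type in the table above, including the children's-record edge case (26th birthday when the patient was 17 at the last entry) and records that follow their parent clinical record. Record type names and field names are this example's own assumptions.

```javascript
// Added example (not from the original article): earliest destruction date per
// record, following the retention periods listed above from the NHS Records
// Management Code of Practice 2021. Dates are ISO "YYYY-MM-DD" strings handled
// in UTC so a local time zone cannot shift a deadline by a day.

function parseISO(s) {
  const [y, m, d] = s.split('-').map(Number);
  return new Date(Date.UTC(y, m - 1, d));
}

const toISO = (date) => date.toISOString().slice(0, 10);

// Same calendar day N years on. A 29 February rolls forward to 1 March in a
// non-leap year, which errs towards keeping the record slightly longer.
function addYears(date, years) {
  return new Date(Date.UTC(date.getUTCFullYear() + years, date.getUTCMonth(), date.getUTCDate()));
}

// Age in completed years on the date `on`.
function ageAt(dob, on) {
  const years = on.getUTCFullYear() - dob.getUTCFullYear();
  const birthdayPassed = on.getUTCMonth() > dob.getUTCMonth() ||
    (on.getUTCMonth() === dob.getUTCMonth() && on.getUTCDate() >= dob.getUTCDate());
  return birthdayPassed ? years : years - 1;
}

// Returns the ISO date from which secure destruction of the record is permitted.
function retentionEnd(record) {
  switch (record.type) {
    case 'clinical': {
      const dob = parseISO(record.dateOfBirth);
      const last = parseISO(record.lastContact);
      const age = ageAt(dob, last);
      // Children's records run to the 25th birthday, or the 26th if the patient
      // was 17 at the last entry; adults are 8 years from last contact.
      if (age < 18) return toISO(addYears(dob, age === 17 ? 26 : 25));
      return toISO(addYears(last, 8));
    }
    case 'mental-health':
      // 20 years from last contact, or 8 years after death.
      if (record.dateOfDeath) return toISO(addYears(parseISO(record.dateOfDeath), 8));
      return toISO(addYears(parseISO(record.lastContact), 20));
    case 'maternity':
      return toISO(addYears(parseISO(record.lastChildBirth), 25));
    case 'social-care':
      return toISO(addYears(parseISO(record.lastContact), 8));
    case 'imaging':
    case 'consent-form':
      // Retained for the life of the parent clinical record, whatever its rule.
      return retentionEnd(record.parent);
    case 'financial':
      return toISO(addYears(parseISO(record.lastContact), 6));
    default:
      throw new Error(`unknown record type: ${record.type}`);
  }
}
```

Each computed date belongs in the destruction log alongside the actual destruction event, which is the evidence Article 5(1)(e) asks for.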


Practice-management software

Most UK physios run on one of a handful of practice-management platforms. Each is a processor under Article 28 UK GDPR, and each needs a written data-processing agreement.

Platform | Hosting | Notes for UK practice
TM3 / PPS (Civica) | UK | UK data centres; UK contract, no transfer issue
Cliniko | Australia (AWS Sydney) | UK personal data flows to Australia — needs the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, plus a transfer risk assessment (Article 46(2)(d) + DPA 2018)
Pabau | EU + US multi-region | Confirm the UK tenant's hosting region; transfer mechanism needed for the US replica
Nookal | Australia | Same IDTA / Addendum requirement as Cliniko
ClinicPro / WriteUpp | UK | UK hosting; standard Article 28 DPA still required
Jane App | Canada | Canada has a UK adequacy decision via retained-EU equivalents — confirm in the agreement

What to ask your processor for, in writing:

  • An Article 28 data-processing agreement covering the eight mandatory points (instructions, confidentiality, security, sub-processors, data-subject rights assistance, breach notification timing, return/deletion at end of contract, audit rights)
  • A list of sub-processors and the right to object to changes
  • The hosting country and the transfer mechanism (IDTA, UK Addendum, adequacy regulations) for any data leaving the UK
  • Security certifications — Cyber Essentials Plus and ISO 27001 are normal in this market; some buyers expect HSCN-accredited or DSPT-aligned
  • The breach-notification SLA — UK GDPR Article 33 gives you 72 hours from awareness to notify the ICO; your processor must give you "without undue delay" notice. In practice 24-48 hours is the standard contractual ask

If the processor will not commit in writing, that is itself a red flag.


Online booking and patient portals

Online booking platforms (Healthcode, Semble, Patient Access listings, plus the bookings module built into TM3 / Cliniko / Pabau) are also Article 28 processors. The data they touch is identifying personal data (name, date of birth, contact details) and often special-category data (the symptom you typed into the appointment-reason field). The same DPA, transfer and breach-notification requirements apply as for the parent practice-management system.

Two physiotherapy-specific points:

  • Pre-screen forms. If your booking flow asks the patient to declare conditions, medication or pregnancy status before the first appointment, you are processing special-category data the moment they submit. State the lawful basis (9(2)(h)) and Schedule 1 condition in your privacy notice for the booking page, not just on the practice's main privacy notice
  • Marketing opt-in. A booking confirmation tick-box that quietly adds the patient to your newsletter list is a UK GDPR Article 7 problem (bundled consent is not freely given) and a PECR Regulation 22 problem (direct marketing without specific consent). Keep the marketing opt-in physically separate from the booking submit button

Insurance claims and direct billing

Working with BUPA, AXA Health, AVIVA, Vitality, WPA, Cigna or a corporate occupational-health insurer is a controller-to-controller disclosure, not a processor relationship. The insurer is processing the patient's claim under its own lawful basis (its contract with the policyholder and its regulatory obligations under the Financial Services and Markets Act 2000 / FCA rules). Practical implications:

  • Each insurer's privacy notice covers their own processing; your privacy notice has to tell the patient which insurers you share data with and why
  • Direct billing typically requires sending the clinical justification along with the invoice — diagnosis codes, treatment date, body region, sometimes range-of-motion deltas. That is special-category data. Obtain the patient's specific consent (Article 9(2)(a)) to share clinical detail with the insurer for billing, alongside the standard treatment consent
  • Subject access requests (SARs) from a patient give them access to your records. They do not give them access to the insurer's records; signpost them to the insurer for a parallel request
  • A breach by the insurer is the insurer's UK GDPR Article 33 obligation, not yours — but if the leak was data you shared, document the share so you can demonstrate you released only what was necessary

Sports-and-exercise photography and video

Posture analysis, slow-motion gait video, before-and-after marketing photographs and webinar case studies all involve images of identifiable people, often performing exercises in clinical attire. These are personal data, and when they show a clinical context they are also special-category data.

  • Obtain explicit, written, separately-recorded consent for each purpose — clinical use (kept in the patient record) is different from marketing use (published on your website or Instagram) is different from training use (shown in CPD sessions). One blanket form is not enough
  • Tell the patient where the images will appear (your website, the practice's Instagram, conference talks), how long they will be retained, and how to withdraw consent. Withdrawal must be as easy as giving consent (Article 7(3))
  • Anonymisation by face-blurring is rarely enough — tattoos, unique injuries, sports kit and surrounding context can still identify
  • For under-18s, consent must come from a person with parental responsibility, and Scotland's separate capacity rules in the Age of Legal Capacity (Scotland) Act 1991 apply for children aged 12-15 if you practise in Scotland

Your practice website

Required on a UK physiotherapy practice site:

  • Companies House disclosures if the practice trades through a limited company — registered name, company number, registered office, country of registration. See the company website trading disclosures guide
  • HCPC registrant number for the lead physio (and ideally each treating clinician). The HCPC Standards expect registrants to be identifiable; this also helps patients verify registration through the HCPC online register
  • CSP membership statement where applicable — "Member of the Chartered Society of Physiotherapy" with the member number is conventional, though not legally required
  • Professional indemnity insurer — required disclosure under the Provision of Services Regulations 2009 for services regulated as part of a profession
  • Privacy notice covering booking-form data flows, marketing data flows, the lawful basis stack, the DSPT crossover (if NHS-contracted), retention periods, and ICO complaint route
  • Cookie banner compliant with PECR and the ICO's 2025 enforcement standard — see cookie banner rules under the ICO. Reject must be as prominent as accept on the first layer; analytics cookies (GA4, Plausible non-anonymous mode, Microsoft Clarity) require consent before the script fires

Common gaps on physio sites: Calendly/Acuity booking widgets that drop tracking cookies before consent; embedded Instagram or YouTube technique videos that load before the cookie banner is answered; Facebook Pixel and Google Ads remarketing tags wired into the conversion event of a booking — all special-category-adjacent because the conversion itself implies a health enquiry. A free website compliance check will surface this.

For the wider UK GDPR baseline see GDPR compliance for UK businesses.


The ICO data protection fee

Under the Data Protection (Charges and Information) Regulations 2018 every controller that is not exempt must pay an annual ICO fee. The small-business exemption does not apply where you process health data, which means every physiotherapy practice is in scope.

Tier | Annual turnover | Staff | Fee (DD) | Fee (other)
Tier 1 — micro | ≤ £632,000 | ≤ 10 | £35 | £40
Tier 2 — small/medium | ≤ £36m | ≤ 250 | £55 | £60
Tier 3 — large | > £36m | or > 250 staff | £2,895 | £2,900

Most sole-practitioner and small-clinic physios are Tier 1. Failure to register can result in a monetary penalty of up to £4,350 (10× the Tier 3 fee + a 50% uplift), and the ICO routinely sends discovery letters to unregistered organisations in regulated sectors.


Breach procedure

If clinical records, contact lists or financial information are accessed without authorisation — a cyberattack, a lost laptop, a misdirected email to another patient, a printout left in a treatment room — you must:

  1. Contain. Revoke access, change passwords, recover or remotely wipe the device, isolate the affected systems
  2. Assess. What data was involved, how many subjects, what is the likely impact on rights and freedoms. Health data almost always meets the "likely to result in a risk" threshold for ICO notification
  3. Notify the ICO within 72 hours of becoming aware, via ico.org.uk/for-organisations/report-a-breach. If you cannot complete the assessment within 72 hours, file a preliminary notification and follow up
  4. Notify the patients directly where the breach is likely to result in a high risk — for example clinical detail leaked to a named third party, or a ransomware exfiltration of identifiable records
  5. Document everything — the timeline, the decision rationale, the people informed, the remedial steps. UK GDPR Article 33(5) requires you to maintain a record of every breach regardless of whether it was notified
  6. NHS-contracted practices additionally use the DSPT incident-reporting tool, which auto-routes to NHS England's incident management framework alongside (not instead of) the ICO notification
  7. Consider HCPC reporting. If an individual registrant's conduct caused the breach (deliberate disclosure, gross carelessness with records), the HCPC's fitness-to-practise process may engage. The practice and the registrant can both face action — the ICO targeting the controller, the HCPC targeting the individual

Health-data breaches at small practices have led to several ICO reprimands in recent years; the regulator generally favours reprimands and improvement notices over fines for first-time small-business breaches, but repeat or wilful failures are fined.

For wider context on health-data record-keeping under UK GDPR, see the GDPR for dental practices guide — the special-category framing carries across the wider primary-care sector.


Practical checklist for UK physiotherapy practices

Item | Required?
ICO data protection fee paid (Tier 1 or 2) | Yes
Lawful basis stack documented (Art. 6 + Art. 9(2)(h) + DPA Sch 1 Part 1 ¶2) | Yes
HCPC registration number visible on website | Yes (HCPC Standard 9, public identification)
Article 28 DPA signed with practice-management software | Yes
Transfer mechanism (IDTA / UK Addendum) for non-UK processors | Yes, if any data leaves the UK
Companies House details in footer | Yes, if incorporated
Privacy notice covering booking, marketing, insurer disclosures, retention | Yes
Separate explicit consent for marketing/training/clinical photo use | Yes
Cookie banner with equally prominent accept/reject | Yes, if using non-essential cookies
Adult clinical records retained 8 years from last contact | Yes (NHS RM Code)
Children's records retained until 25th birthday | Yes
NHS DSPT submission | Yes, if NHS-contracted
Breach notification procedure (ICO 72h + DSPT) | Yes
Staff trained on UK GDPR + confidentiality + common-law duty | Yes



This is technical analysis, not legal advice. Consult the CSP, the HCPC, and a data protection specialist for advice specific to your practice.