At Devonshire Square Physiotherapy we are committed to protecting and respecting your privacy.

This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and what choices you have. It relates to all our business activities, not just this website.

We may change this Policy from time to time so please check this page occasionally to ensure that you're happy with any changes. By using our services, you're agreeing to be bound by this Policy.

Date: 25/5/2018

Review Date 25/4/2018

Who Are We?

We are Devonshire Square Physiotherapy, a private physiotherapy practice, treating patients' musculoskeletal problems such as sports injuries, postural problems, neck and back complaints and post-operative rehabilitation. The clinic has been running since 2011 and the ownership was taken over by its lead physiotherapist, Amir Pojhan, on 1st May 2018.

Clinic Owner and Senior Physiotherapist: Amir Pojhan

Clinic Manager: Anahita Ghaffarpasand

General Statement of our Practice's Duties and Scope

As a physiotherapy clinic, we collect and process patients' personal data as part of our operation and shall take all reasonable steps to do so in accordance with our policies. This policy has been written to ensure that we comply with the relevant provisions of the Data Protection Act 1998, the Freedom of Information Act 2000 and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679). It has been written with reference to the information provided by the Information Commissioner’s Office (ICO). 


Data Protection

Devonshire Square Physiotherapy will be registered with the Information Commissioner’s Office (ICO) and will act as the Data Controller determining the purposes and means of handling personal data for physiotherapy patients at our practice.


The Principles of GDPR


We shall ensure that your information will be:

• Fairly and lawfully processed

• Processed for a lawful purpose

• Adequate, relevant and not excessive

• Accurate and up to date

• Kept no longer than necessary

• Processed in accordance with your rights

• Secure 

• Not transferred to other countries without adequate protection 


Data Controller

Devonshire Square Physiotherapy will be the Data Controller responsible for information in respect of its physiotherapy patients, and personnel at the practice will process data in association with their role. Clinical staff are responsible for following their relevant professional and legal obligations. Whilst processors have legal responsibility for their actions, the Controller has an obligation to ensure that they comply with GDPR. All processors are bound by their contractual obligations about client and patient confidentiality.


External Processors

We will ensure that, where data are processed externally, for example by service providers, Cloud services or storage facilities, all external processors are compliant with this policy and relevant legislation. 


What kinds of personal information do we process?


Reception staff are required to collect personal data (e.g. contact details) for making appointments and day to day administration. These will be recorded on the clinical notes and diary system. It is a legal requirement for us to record attendance. Reception staff are required to handle sensitive personal data but will never share this. 



Sensitive Personal Data

Clinical records contain sensitive personal information and will be recorded by clinicians in accordance with the relevant professional standards and legal obligations. Consent is to be obtained before sensitive personal data are shared with, for example, General Practitioners, other health professionals or insurers. Sharing information with other parties will not be done without your written consent specifying what details you wish to share and who you would like to share it with. You can ask to see a copy of any correspondence before it is sent. 


How will we collect your information?

• We will ask you to give your title, full name and date of birth, telephone number, email and payment basis when you book your initial appointment by phone or in person.

• We will ask you whether you wish to receive a text reminder.

• When you come to your initial appointment you will be asked to complete our full patient registration form and sign our privacy notice to confirm your consent allowing us to process your information.

• Your physiotherapist will collect all the medical information that they need to treat you during your assessment. The assessment will be recorded on the clinical record and will not be shared without consent. 


Privacy Notice and Consent

Every physiotherapy patient (or their guardian) will be asked to read a Privacy Notice at the start of each new session of care and be required to complete the data consent section at the bottom of the form. Their consent will be recorded on their clinical record. All associates from other disciplines are responsible for obtaining their own relevant consent and documentation. 


Right of Access to Information

You have the right of access to information held by Devonshire Square Physiotherapy. We will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 30 days for access to records and 21 days to provide a reply to an access to information request (known as a subject access request, or SAR). An initial copy of your information will be provided at no charge.



Devonshire Square Physiotherapy will endeavour to ensure that all data held are accurate. We ask you to notify us of any changes to information held about you, and it is your right to have inaccurate data corrected or erased. This does not apply where there is a legal requirement to retain records of corrections or mistakes in the interest of all parties to which they apply, and where no alterations can be made to the clinical record. 


Monitoring Data Protection

We will conduct a GDPR Risk Assessment annually and a report will be included in our Practice Manual.

An annual data processing and information audit will be conducted to document the following:

• The type of information the Clinic holds

• Where the data are being stored

• How data are being processed

• Whether the data are being collected and stored in accordance with our policies

• Records of Consent

• Records of data breaches


Data Retention and Destruction

• Your information will be retained in accordance with legal and operational requirements. Your clinical notes are kept for 8 years and anything financial is retained for 7 years.

• Data will be securely destroyed once the retention period has expired. 


Information sharing

• We will not share your personal information with anyone without your consent.

• If you are making a claim to pay for your treatment through a health insurer they will require us to share information. It will not be possible to process your claim without this but if you wish you can ask to see any information or reports before they are shared. 


Is your information transferred outside the UK or EEA?

The information you have provided (either directly or via a referral from your health insurer) will be stored in our practice management program, Cliniko, an Australian company. Although Cliniko and its subprocessors aren't physically in the EU/EEA, by agreeing to Cliniko’s policies and terms, we are abiding by GDPR's requirements around data that's processed outside of the EEA. This means that despite our patient data being physically stored outside of the EEA zone, we are still allowed to use Cliniko. We have signed Cliniko’s Data Protection Addendum (DPA), an additional agreement (separate from Cliniko’s regular Privacy Policy). The DPA includes Standard Contractual Clauses (also known as "Model Clauses"). These are an approved set of provisions which offer sufficient safeguards and protection for data that's processed outside of the EU/EEA.

Use of Cookies and Analytics

We are using services from Wix and Google to host this website and provide analytics on usage of this website. This involves the use of cookies, which are small pieces of information that are stored on your computer or mobile device when you visit a website. You will be asked to consent to our use of cookies on your first visit.

Wix (, Ltd.)

Wix is a platform provided by, Ltd. that allows the Owner to build, run and host Website. Wix is highly customizable and can host websites from simple blogs to complex e-commerce platforms.

Data collected: various types of Data as specified in the privacy policy of the service.

For more details check Wix Privacy Policy and Cookies Used links.

Google Analytics (Google Inc.)

Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilizes the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services.

Data collected: Cookies and Usage Data.

For more details check Google Analytics Privacy Policy and Opt Out links.

Contact Form

By voluntarily filling in the Contact Form with your data you are authorising this website to use these details to reply to requests for information, quotes or any other kind of request as indicated by the form’s header. Data collected: email address, name, country, date of last activity.



• We will not use your data for marketing ourselves unless we obtain specific consent from you first. 

• We will not pass any of your information on to anyone for external marketing purposes.

Changes to this policy


We may update these policies to reflect changes to the website and customer feedback. Please regularly review these policies to be informed of how we are protecting your personal data.


We welcome any queries, comments or requests you may have regarding this Privacy Policy. Please do not hesitate to contact us at Devonshire Square Physiotherapy, Fitness First, 9 Devonshire Square, London, EC2M 4WY or


Version: May 2018