• Privacy Notice

Privacy Notice

All personal information of staff/students and others using the services of the GCU Physiotherapy Clinic will be treated in accordance with the terms of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

This means that confidentiality will be respected and that appropriate security measures will be taken to prevent unauthorised disclosure. This notice is intended to meet the transparency requirement of the legislation and to ensure that all individuals in the categories above know how their data will be processed.

Using your personal information

Who will process my information?

Under Data Protection law the University is the “data controller”. This means that the University is responsible for how it uses and processes your information and is to comply with requests relating to your personal data.

Why do we collect and use your personal information?

The University collects, holds and uses information about you for a number of reasons including healthcare, service audit and research.

As a teach-and-treat clinic, we process our patients' personal data for service audit or research with their consent and where there is a legitimate interest to do so. This means we can use the data you provide to evaluate the service and make anonymous observations on the variety of musculoskeletal conditions that report to the Clinic.

If you do not want us to process your personal data for service audit and research then you may withdraw your consent at any time, without prejudice.

Keeping information updated

The University strives to ensure that all personal information is accurate and up to date. You should inform the Physiotherapy Clinic of any changes to your personal information.

You can do this by contacting the Clinic on 0141 331 8881 or by emailing gcuclinic@gcu.ac.uk.

How long is the information kept?

The University will retain your information only for as long as necessary for the purposes described. Further information is available in the University Records Retention Schedules.

Where do we obtain information from?

  • Your interactions using the service
  • Health records

What information is being collected and used?

Data will consist of the information provided by the “data subject” or a company acting on behalf of the University. Information may be in hard copy or electronic format. This includes:

  • Patients personal details and health records

The personal data of patients that we may collect and process includes:

  • Your name, contact details and personal identifiers (such as date of birth and NHS number)
  • Your general health history, your family medical history, your social/lifestyle history and any relevant signs or symptoms you tell us about, in relation to your musculoskeletal complaint
  • Details of any medicines you take or other treatments you are undergoing
  • Details of examinations and other healthcare checks and treatments we provide
  • Information relevant to your continued care from other people who care for you or know you well, such as other health professionals and relatives

Special category personal information is also processed where it is necessary and lawful for us to do so. In most cases, you have the option of whether to provide this information or not. This refers to data revealing:

  • Racial or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Trade Union membership
  • Physical or mental health
  • Sex life or sexual orientation

Data relating to criminal convictions and offences are also subject to additional protection.

Who is the information shared with?

Your information will be shared internally only with those individuals who require it in the course of their duties.

The University may be required to share your personal information with external organisations. This may happen due to a statutory or legal obligation.

In addition, we may also share your information with the following if requested or required to do so:

  • NHS Lanarkshire

We process your personal data in strict confidence. We keep your personal data securely in our filing and electronic systems. Patient records are only accessible to the healthcare professionals working at the practice and any students under their supervision.

We will usually keep any personal data we hold about you for eight years after our last contact with you before we delete it. If we collected the data when you were aged under 18 we will keep it for ten years, or until your 25th birthday if that is later, in line with NHS requirements and guidelines from the Chartered Society of Physiotherapy (CSP). In exceptional cases, we may need to retain personal data for a longer period and will explain our reasons for doing so on request.

In the course of processing your personal data we may share it with:

  • The healthcare professionals working at this practice and those under their supervision
  • Healthcare professionals at other practices, but only if you have specifically asked us to pass your personal data (such as your assessment/treatment notes) to them
  • Your GP, consultant and other healthcare providers in connection with your healthcare treatment


How is the information kept securely?

Information is kept securely on University equipment in line with University Information Security and Data Protection Policies. Access is restricted to only those staff or authorised agents who require it and on a “need to know” basis.

Will the information be used for automated decision-making?


Is the information transferred outside the European Union?


Your rights

You have the right to:

  • Find out what personal data we process about you and to request a copy of the data
  • Ask us to correct inaccurate or incomplete data
  • Withdraw consent to process your personal data, if you were asked for and provided consent

If you think we are acting unfairly or unlawfully you can:

  • Object to the way we are using your data
  • Complain to the UK Information Commissioner’s Office

Under certain conditions, you also have the right to ask us to:

  • Restrict the use of your data
  • Erase your information or tell us to stop using it to make decisions about you
  • Provide you with a portable electronic copy of data you’ve given us

Please contact us if you wish to exercise/enquire about any of these rights.

Contact Details
Data Protection Officer (DPO)
Department of Governance
Britannia Building
Glasgow Caledonian University
Cowcaddens Road
G4 0BA

Email: dataprotection@gcu.ac.uk

Legal basis for using your information

The legal condition which enables the University to process personal information is found in Article 6 of the General Data Protection Regulation (GDPR). In particular, we rely on:

  • Article 6(1)(e) performance of a task in the public interests/exercise of official authority
  • Article 6(1)(f) legitimate interests

When we provide services under the GCU/NHS Lanarkshire Agreement, our legal basis for processing personal data in respect of that service is a public task, in relation to healthcare provision.

Our condition for processing special category data is the provision of health or social care or treatment.

Where special categories of data are processed we will have your explicit consent or another legal reason within Article 9(2) of GDPR will apply.

Further information

You can visit these links for further information:

Call the team today

Physiotherapy@GCUClinic offers specialist services to help you get back on track, ready for life, work and leisure. Tel: +44 141 331 8881