Privacy notice

Privacy notice for Oxford Brookes University Physiotherapy Clinic

This Privacy Notice is for patients (and parents and carers of patients aged 16-17), and tells you what Oxford Brookes University (OBU) does with information or data you provide to us in order to be provided with physiotherapy services (Physio Services) at the OBU Physiotherapy Clinic (the Clinic).

OBU is committed to protecting the privacy and security of personal data in accordance with our obligations under the UK GDPR and Data Protection Act 2018 (as may be amended).

OBU is registered with the Information Commissioner's Office as a Data Controller – Registration Number Z656932.

The purpose of this privacy notice is to:

  • be clear about the information the University collects and stores about you and how that information is used;
  • let you know what your rights are and whom you can contact about data use;
  • comply with obligations under UK data protection and privacy law.

OBU is the controller responsible for your personal data. Personal data is information that could identify you. We collect and process your personal data when you visit our website and provide information direct to us or via our third-party providers for the purpose of being provided with Physio Services at the Clinic. OBU will make the decisions on how your data is used and for what reasons, as well as for how long it is kept.

Other notices may also apply to you so please read this privacy notice in conjunction with other applicable privacy notices found on the OBU website, including our website privacy policy.

What information do we collect about you?

We collect information about you at various stages of the provision of Physio Services to you, including when you visit the Clinic’s website, make a booking or make payment for that booking (through Nookal and Stripe), and attend the appointment. You may choose to provide this information by completing an online booking, making a payment online, or in person at the Clinic (including via Nookal and Stripe).

We may collect, use, store and transfer different kinds of personal data about you as follows:

  • Basic personal data that identifies you, such as your name and date of birth;
  • Contact details, such as email address;
  • Financial details when you make payment via Stripe;
  • Transaction details such as the date of your appointment;
  • Technical data as required to run the Clinic’s website, the Nookal software or payments via Stripe;
  • Profile details such as information you provide to us and which are recorded in your clinical notes;
  • Usage data such as frequency of appointments.

We may collect, use, store and transfer different kinds of special category data that you provide to us about you where that information is relevant to the Physio Services you are receiving, as follows:

  • data concerning your physical or mental health;
  • data concerning your sex life (if relevant to presenting condition).

Why do we need your information?

We need to collect information in order to provide you with Physio Services, and to meet contractual and legal obligations.

For example:

  • we need your contact details to provide you with booking services through our clinic software which is provided by Nookal (see the Clinic’s T&Cs);
  • in order to treat musculoskeletal conditions, we need to collect information from you about your injuries and the effect of those injuries on your daily life, together with any treatment you have received or been recommended;
  • it is a requirement of registration with the Health and Care Professions Council and the Chartered Society of Physiotherapy, that the Clinic’s supervising physiotherapists and student physiotherapists record clinical notes.

How we use your personal data

We will only use your personal data in accordance with UK data protection laws and only for the purpose for which we collected it which includes the following:

  • To provide you with Physio Services;
  • To register you as a new customer;
  • To provide you and the Clinic with booking, payment and clinical notes services via software provided by Nookal and Stripe;
  • To manage your relationship with us;
  • Only to the extent necessary to provide placements to student physiotherapists.

Lawful processing

UK data protection law requires us to determine a relevant legal basis for each data processing activity we undertake with your personal data.

The lawful grounds that apply to the processing of data undertaken by OBU and related to the provision of Physio Services at the Clinic include:

  1. Consent – you choose to provide us and Nookal and Stripe with your information in order that we and they can provide you with Physio Services and connected administration and payment services.
  2. Necessary for the provision of a contract - much of the personal information OBU processes is necessary in order to provide Physio Services to you, for example creating and confirming a booking for an appointment.
  3. Necessary to fulfil a legal obligation - we must process your personal data when required to do so under UK law or as required by regulatory bodies, for instance recording clinical notes of treatment received during an appointment.
  4. Necessary to protect the vital interest of you or another person - under extreme circumstances we may share your personal data with third parties to protect your interests or those of another person, for example providing medical or emergency contact information to emergency services personnel.
  5. Processing is necessary for the performance of a public task - OBU is a higher education institute that will sometimes process your personal data in the public interest.
  6. Processing is necessary for fulfilling the legitimate interests of you or of OBU – we may process your data in relation to matters arising from or connected to the provision of Physio Services to you, where it is in your or OBU’s legitimate interests to do so.

We will ask for your consent to process personal data where there is no other available lawful basis for processing, or where we deem it appropriate to seek consent regardless of any other lawful basis. You may withdraw your consent at any time, but if you do so, we may not be able to continue to provide Physio Services to you.

In situations where the personal data is defined as sensitive or special category data (for example health or medical data) processing must be with your explicit consent.

How do we share your personal data?

Clinic bookings are made through a third-party provider of booking and clinical note handling services: Nookal Practice Management software, provided by Nookal Pty Ltd (Nookal), and for secure payments, Stripe Payments Europe, Limited (Stripe) via Nookal.

Please read the Privacy Notices for Nookal and Stripe.

How do we keep your personal data secure?

At Oxford Brookes University, we are committed to protecting the personal information of our students, staff, and visitors. We adhere to the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 to ensure the highest standards of data privacy and security.

Our key measures include:

  1. Established information security management principles adopted and certified to the international ISO/IEC standard 27001:2022.
  2. GDPR compliant and a registered Data Controller with the Information Commissioner's Office (ICO) - Reg. Z6569324.
  3. Appropriate technical and organisational measures in place as per UK-GDPR (2018), Article 32, (1-4):
    1. Data secured at rest and in transmission by appropriate methods of encryption or other known methods.
    2. Backup and recovery systems and a suitable vulnerability management programme are in place.
    3. Data retention policy and secure methods of disposal of materials and assets according to their information classification.
    4. Security awareness training and a process for the management of incidents in place.
    5. Secure payment card transactions, as Brookes is PCI-DSS compliant.

Nookal states that it takes privacy and data security very seriously. Here are some key points about how they handle data security and your privacy [Nookal_Sec-Priv]:

  1. Data Encryption: All data, including patient records and communications, is encrypted both in transit and at rest to ensure security.
  2. Compliance with Privacy Laws: Nookal complies with various international privacy laws, including GDPR, HIPAA, and the Australian Privacy Principles.
  3. Access Controls: The platform allows clinics to set different access levels for staff, ensuring that only authorized personnel can access sensitive information.
  4. Regular Security Audits: Nookal conducts regular security audits to identify and address potential vulnerabilities.
  5. Virus Scanning: Files and documents uploaded to Nookal are scanned for viruses to prevent any security breaches.
  6. Payment Card Management: Nookal's payment card management is PCI-DSS compliant.

Stripe states in its Privacy Policy that it keeps your personal data secure by employing several robust security measures:

  1. PCI Service Provider Level 1 Certification: Stripe is certified to the highest level of security standards in the payments industry, ensuring that card data is handled securely.
  2. Encrypted Data and Communication: Stripe uses PGP keys for secure communication and encryption to protect data both in transit and at rest.
  3. Regular Audits and Compliance: Stripe undergoes regular audits and complies with standards such as SOC 1, SOC 2, and PCI DSS.
  4. Data Protection: Stripe's systems and processes are designed to protect the confidentiality, integrity, and availability of your data.
  5. Multi-Factor Authentication: Stripe supports multi-factor authentication to add an extra layer of security to your account.

Are there any consequences if you do not want us to use your information in this way?

We do need this information from you if you wish to be provided with Physio Services.

International transfers

OBU has selected Nookal and Stripe to provide administration and payment services to the Clinic.

As set out in the Clinic’s T&Cs, Nookal may transfer, store and process your personal data outside the UK by transfer to Ireland – all such processing will be in accordance with data protection legislation.

As an international company, Stripe may also transfer your data outside of the UK. Please see the Stripe privacy policy for further details. Any such transfers are in accordance with data protection legislation, including, as applicable, by reliance on ICO adequacy decisions, use of a UK International Data Transfer Agreement and Addendum, EU-US Data Privacy Framework.

Use of the Clinic’s website

We also collect information about how you use our website and the services you access.

Cookies

Information about your usage of our website is collected using cookies. See our cookie policy for further details of what we are collecting and why.

Your legal rights

Your rights under data protection laws include the right to receive a copy of the personal data we hold about you and the right to make a complaint at any time to the Information Commissioner's Office, the UK regulator for data protection issues (www.ico.org.uk).

You have the following rights under UK data protection law:

  • the right to be informed;
  • the right of access to your data;
  • the right to withdraw your consent where that is the legal basis of our processing;
  • the right to correct data;
  • the right to ask for your data to be deleted;
  • the right to restrict use of the data we hold;
  • the right to data portability;
  • the right to object to Oxford Brookes using your data.

Your rights will depend on the legal ground used to process your data.

Please see the ICO website for further information on the above rights.

Will there be any automated decision making using my data?

No

How long will Oxford Brookes keep your personal information for?

The University keeps information only for as long as is necessary and we follow our policy which can be found in the University retention schedule. It is likely that the University will keep that information for 6 years after you have stopped attending the Clinic.

Whom can you contact if you have concerns about how this information is used?

If you have a concern about Data Protection matters, or if you want to exercise your rights under Data Protection or Freedom of Information law, you can contact the Information Security Management Team via info.sec@brookes.ac.uk or Oxford Brookes' Data Protection Officer via BrookesDPO@brookes.ac.uk, who ensures that Data Protection provisions are applied lawfully in Oxford Brookes.

If you are concerned about the use of your data, you can also contact the Information Commissioner (Regulator), the national regulator for Data Protection and Freedom of Information matters, via the website ICO.org.uk.

Changes to this Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated on 21 February 2025.