top of page



Nordic Rehab Ltd General Data Protection Regulations Policy


Nordic Rehab Ltd’s Data Protection Policy complies with the General Data Protection Regulations (2018). Confidentiality and data protection are maintained in line with the professional standards of the Chartered Society of Physiotherapy and the Health & Care Professions Council.


The data controller for Nordic Rehab Ltd is 'Nordic Rehab Ltd',  ICO No. Z3038991


The nominated data Processor is Lasse Flosand, on behalf of Nordic Rehab Ltd.




Nordic Rehab Ltd holds only essential data by which to identify its patients, clients, and suppliers.

Nordic Rehab Ltd holds the following personal data – name, address, date of birth, telephone numbers, Email address, GP, medical insurance details (if appropriate) Invoicing details.

Nordic Rehab Ltd also holds relevant medical details & clinical information pertinent to the patient’s condition.

This data enables Nordic Rehab Ltd to contact you regarding appointments, exercise plans or updates on progress or return to work and to assist in planning and carrying out treatment plans.


This data is legitimate, accurate, specific, and explicit and limited only to that which is necessary.

Nordic Rehab Ltd does not send out marketing material via post or email.



Nordic Rehab Ltd utilises a GDPR compliant practice management software to store personal data.

Electronic patient clinical records are stored securely using GDPR compliant software.

Nordic Rehab Ltd utilises a GDPR compliant invoicing software system to invoice our clients electronically.

Data written at time of assessment is transferred to electronic format using GDPR compliant software, within 24 hrs.


Any clinical records in paper format are stored securely in a locked filing cabinet in a lockable room at the business address.


Nordic Rehab Ltd is bound by its legal and professional responsibilities to retain all adult patient records for a minimum of 8 years following the patients last consultation.


In the case of children under the age of 16, records will be kept until the child reaches the age of 25.



Patients data can only be accessed by those who work for Nordic Rehab Ltd.


All employees understand their legal responsibility to maintain confidentiality and follow practice procedures to ensure confidentiality and data protection. All employees have undertaken GDPR compliant training.

On occasions, Nordic Rehab Ltd may be duty bound to share Clinical information with the patient’s GP, medical consultant or other health professional. On these occasions the patient or next of kin, will be informed.


Data will only be shared with any other third parties eg medical insurance companies, solicitors upon written request and signed consent.


In certain circumstances or if required by law, we may need to disclose your information to a third party not connected with your health care, including HMRC or other law enforcement or government agencies.


When data is shared with third parties, this is carried out through a 2-way encrypted email using GDPR compliant software.


Data received from a third party via Email will be uploaded to, and stored on the patient management system.



The patient has the right to access the personal data held by Nordic Rehab Ltd.


This request MUST be made in writing to the data controller at Nordic Rehab Ltd.


All requests should be made by email, sent with proof of identity, to our office:


The subject may request that the data controller rectify any inaccuracies of the personal data held about them.


The patient may request erasure or restriction of their personal data, excepting that Nordic Rehab Ltd has a legal requirement to maintain clinical records for 8 years following completion of their last episode of care.


In the case of children all clinical data must be kept until the child reaches the age of 25.


If you do not wish us to use your personal information as described, you should discuss the matter with your physiotherapist. If you object to the way that we collect and use your information, we may not be able to continue to provide your physiotherapy treatment.



Nordic Rehab Ltd will implement appropriate technical and organisational measures in an effort to prevent a data breach.


In the event of a data breach Nordic Rehab Ltd will inform the Information Commissioner's Office, where possible within 72 hours or as soon after as Nordic Rehab Ltd becomes aware of such a breach.


If appropriate, where a risk to the individual is likely, inform those individuals affected.



Clinical notes and personal data will be destroyed and / or deleted after 8 years.


Personal data will be deleted from the patient's system after 8 years.


If you have any unresolved concerns, you have the right to contact the Information Commissioner's Office.

(Updated February 2021)

bottom of page