Promni Health (“Promni Health”, “we”, “us”, or “our”) is committed to protecting personal information and maintaining the confidentiality, integrity and security of the data we process.

This Privacy Notice explains how we collect, use and protect personal information in relation to:

  • Patients receiving clinical services
  • Employees and contractors
  • Business partners, customers and suppliers
  • Website users

Promni Health Limited is registered in England and Wales.

Registered office:

Promni Health
Commerce House
Carlton Boulevard
Lincoln
LN2 4WJ

Data Protection Officer (DPO):

David Hopkins
Email: primarycarefcp.dataprotection@nhs.net
Telephone: 0113 831 2014

How We Handle Clinical Records

Most clinical records relating to your care are held within NHS GP clinical systems controlled by your GP practice.

Primary Care Physio clinicians access and document information within these systems as authorised healthcare professionals in order to deliver care.

We do not routinely maintain a separate central database of full patient clinical records. The GP practice remains the primary custodian of the patient record.

In some circumstances, referral or appointment information may be received via secure NHS systems (such as NHSmail) to manage access to services.

What Information We Process

We process information necessary to deliver safe and effective care and to meet professional, contractual and regulatory obligations.

Personal Information

Name
Date of birth
NHS number
Contact details
GP and referral information
Appointment records

Health Information

Clinical assessments
Treatment plans
Progress notes
Outcome measures
Relevant medical history

How We Receive Your Information

Information may be received from:

Your GP practice
NHS referral or navigation services
First Contact Practitioner clinics
NHS commissioning or partner organisations
You directly during assessment and treatment

Why We Process Your Information (Direct Care)

We use your information to:

Provide assessment and treatment
Coordinate care with healthcare professionals
Maintain accurate clinical records
Support rehabilitation and recovery
Ensure safety and quality of care
Meet NHS contractual requirements

Lawful Basis

Article 6(1)(e) UK GDPR – processing necessary for the performance of a task carried out in the public interest

Article 9(2)(h) UK GDPR – processing necessary for the provision of health or social care

Processing for direct care is undertaken in accordance with the Common Law Duty of Confidentiality (implied consent).

Digital Clinical Tools

Exercise Prescription Platforms (Physitrack)

Where exercises are prescribed, limited personal information (such as name and email address) may be shared with an approved digital exercise platform to enable secure account creation and delivery of rehabilitation programmes.

These suppliers act as data processors under strict contractual safeguards and NHS information governance standards.

Physitrack privacy information:
https://www.physitrack.com/legal/privacy

Clinical Documentation Tools

Where secure transcription or documentation support tools are used, they operate under contractual data protection safeguards and are subject to appropriate security controls.

Audit, Evaluation and Service Improvement

As an NHS provider we support monitoring, evaluation and service improvement.

As part of commissioned NHS services, including programmes such as the Health and Growth Accelerator (HGA), limited information may be shared with NHS commissioning bodies and NHS England for service monitoring and improvement.

Where required, structured Minimum Data Set (MDS) information may be submitted via NHS-approved processing routes for commissioning and evaluation purposes.

Where possible, anonymised or pseudonymised data is used.

Lawful Basis

Article 6(1)(e) – Public task

Article 9(2)(i) – Public interest in public health

Article 9(2)(j) – Statistical and research purposes

National Data Opt-Out

The National Data Opt-Out applies to uses of confidential patient information beyond direct care.

Opt-outs are applied in accordance with NHS policy via NHS-approved processing routes.

Further information:
https://www.nhs.uk/your-nhs-data-matters/

Information Sharing

We may share relevant information with:

GP practices and NHS providers involved in care
NHS commissioning bodies and NHS England
Referral or navigation services
Regulatory, legal or safeguarding authorities
Approved digital processors

We never sell personal information.

Retention

Records are retained in accordance with the NHS Records Management Code of Practice (2021).

Clinical records are primarily retained within GP clinical systems.

Security

We use:

NHS secure systems
Role-based access controls
Encrypted devices
Audit monitoring
Data Security and Protection Toolkit (DSPT) safeguards

All staff receive mandatory information governance training.

Automated Decision-Making

We do not use automated decision-making in clinical care.

Patient Rights

You have the right to:

Access your information
Request correction
Restrict processing
Object to certain uses
Lodge a complaint with the ICO

ICO: https://ico.org.uk
Telephone: 0303 123 1113

Employees and Contractors

We process personal information about employees and contractors to:

Manage recruitment and onboarding
Verify identity, references and DBS checks
Administer payroll and benefits
Manage performance and professional development
Meet legal and regulatory obligations

Business Contacts and Suppliers

We process limited personal information about business contacts and suppliers to:

Manage contracts and service delivery
Maintain professional communications
Meet financial and legal obligations

Website Users

Our website sets cookies to track and respect your choices. We use the cookie_notice_accepted cookie, which is set by the cookie acceptance plugin we use, to store your cookie consent preferences. It expires after 1 month. When you use our website we may collect limited technical information such as browser data and usage analytics.

International Transfers

Personal data is not routinely transferred outside the United Kingdom.

Where cloud-based service providers operate internationally, appropriate safeguards are in place in accordance with UK data protection law.

Retention of Information

Information is retained only as long as necessary in accordance with legal, contractual and NHS retention requirements.

Complaints and Contact

For privacy concerns contact our Data Protection Officer.

You may complain to the Information Commissioner’s Office if you are not satisfied with our response.

Updates

We may update this notice periodically.

The latest version will always be available on our website.

Last updated: 07/04/2026