New legislation has been introduced that changes how we hold and process your personal data. This legislation is called the General Data Protection Regulation (GDPR). In summary, GDPR gives you greater control over the personal data that we hold about you. It also requires us to inform you of the data that we hold for you, what we do with your data and also when we remove it from our records. The Privacy Information Notice describes how The Exercise Clinic Ltd will collect, use and protect your personal information.
Privacy Information Notice
1. Who we are
CP+R, 8 UPPER WIMPOLE STREET, LONDON, W1G 6LH, is the Data Controller.
2. Why we need to collect, use and process personal information
We collect, use and process personal information including sensitive personal information in order to supply our services and perform our contractual obligations. When you are referred to us by your medical practitioner or you approach us, you understand that we will be processing your personal data for the purpose set out above.
3. The information that we collect, hold and process about you
This information will include:
• Title
• Full name
• Residential address
• Telephone contact numbers
• Email addresses
• Date of birth
• Next of kin details including their telephone contact numbers and email addresses
• Details of your medical practitioner(s) including their contact telephone numbers and email addresses
• Medical condition(s)
• Diagnostic information
• Details of your treatment
• Your exercise training records
• Lifestyle details.
We need to collect, process and hold sensitive personal information including details regarding any physical or mental health condition as well as other information which could be relevant to the provision of our service.
4. How we use your personal information
We use your personal information:
• To enable you to receive information about our services.
• To process your request for our services.
• To enable us to assess your suitability for our services.
• To ensure that we plan an exercise programme for you taking into account your physical or mental health or condition.
• To administer the services provided including the receipt of monies due to us.
• To comply with legal or regulatory requirements.
• In the protection of our legal rights.
• To provide you with access to applications in relation to the services that you have requested.
• To notify you of changes to our services.
• For research, statistical analysis, patient profiling and in the development of our services.
• To send you details by post, email, telephone or any other electronic means of applications and services we supply which we believe might be of interest to you, but only if you have given us prior consent.
5. How we collect information
You may give us information by filling in forms or by corresponding with us by phone, email, post or any other electronic means. This includes information when you apply for our services.
We may also receive personal information from third parties who we work closely with and who are entitled to share that information (such as medical practitioners), public sources or any other service providers, but in each case as permitted by applicable law.
6. Disclosure of your information
We may share your personal data (including storage and transfer of data) with:
• your medical practitioners, where you have given prior consent for us to share personal information;
• any third party in order to meet our legal and regulatory obligations, including statutory and regulatory bodies, law enforcement agencies and our advisers;
• our service providers or third parties who process information on our behalf;
• any third party in the context of actual or threatened legal proceedings, provided we can do so legally;
• third parties to whom we sell or negotiate to sell our business or assets.
7. Data retention
We may retain information about you at the end of your contract, where your request for services is declined or where you decide not to proceed. This information will be held for as long as is necessary to meet any legal or regulatory requirements and for our lawful business processing. We regularly review our records to ensure that we only retain your personal information for as long as is necessary for the purposes set out in this Privacy Information Notice. Where we no longer need your personal information, we will dispose of it in a secure manner without further notice to you.
8. Automated decisions
We may use your personal data for automated decision making, including profiling.
9. Mobile and website data
We may obtain information through mobile applications or websites. Mobile applications and websites may be provided by us or third parties. Where mobile applications or websites are provided by a third party, you must read that third party’s own privacy information notice in relation to that application or website. We are not responsible for third party mobile applications or websites and their use of your personal information.
10. Marketing and Support
From time to time where you have provided consent, we may use your personal information to contact you by telephone, post, email or by any other electronic means with details about our services or to provide you with information and support services.
11. Transfers outside the European Economic Area (EEA)
The data that we collect from you may be transferred to and stored at a destination outside of the EEA. It may also be processed by our service providers (and their employees) operating outside of the EEA.
We take steps to ensure that in the event that your information is transferred outside of the EEA by our service providers, appropriate measures and controls are in place to protect the information in accordance with applicable data protection laws and regulations in the UK.
12. Security and storage of information
The security and storage of your personal information and sensitive personal information is very important to us. The personal information we collect from you and your medical practitioners is stored in various ways: some personal information, including sensitive personal information, is stored physically under lock and key; where information is stored electronically by our service provider in the cloud, it is stored using end-to-end encryption to protect personal data from exposure and unauthorised access (with end-to-end encryption, our cloud storage provider does not have access to our encryption keys or to the personal data in our files); where information is stored on personal computers and mobile devices, the data is automatically encrypted.
We use standard security software and processes to guard against unauthorised or unlawful processing and against accidental destruction or damage. Where possible your personal information and sensitive personal information is anonymised.
We use email encryption services to transfer sensitive personal information to medical practitioners where possible. Although we use market standard security software to protect your personal information, we cannot guarantee the security of your data transmitted by you or your medical practitioner – any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
If we have given you or you have a password to certain applications or services, we will not share this password with anyone.
13. Your information and rights
You have the following rights:
• To be informed about how we obtain and use your information.
• To ask for a copy of the information that we hold about you.
• To have your information rectified.
• To request us to restrict processing of your data.
• To request to have your information erased (Right to be forgotten).
• To object to the processing of your information (e.g. for direct marketing purposes).
• To have information you provided to us returned to you or sent directly to another company, in a structured, commonly used and machine-readable format where technically feasible (Data Portability).
• Where the processing of information is based on your consent, the right at any time to withdraw that consent.
• To object to any decisions based on the automated processing of your personal data, including profiling.
• To lodge a complaint with the Information Commissioner’s Office (ICO), the supervisory authority responsible for data protection matters.
You cannot opt out of receiving regulatory or legal information or updates (e.g. information about a change to our service terms and conditions).
If you withdraw your consent to the processing of your personal information or ask for your information to be erased, we may not be able to provide you with access to our services.
If you would like to use any of your rights please contact us at info@cpandr.co.uk.
14. Other sites and social media
If you follow a link from our website, applications or services to another site or service, this Privacy Information Notice will no longer apply. We are not responsible for the handling practices of third party sites or services and we encourage you to read the privacy information notices appearing on those sites or services.
15. Electronic mail containing personal information
You and your medical practitioners may, from time to time, send personal information to us electronically. We are not responsible for the way in which you or your medical practitioners handle personal information. Where possible, we insist that you or your medical practitioners communicate using secure/encrypted email, through a secure portal or using encrypted files. Please refer to clause 12 of this Privacy Information Notice regarding the security of information not sent via secure means. When we communicate personal information with you or your medical practitioners through electronic means, we will ensure that it is done securely using either encrypted files or secure messaging.
16. Changes to our Privacy Information Notice
We may change, modify or adjust this Privacy Information Notice from time to time. Any changes we make to our Privacy Information Notice in the future will be found on our website www.cpandr.co.uk. Copies are also available from us by post.
17. Contact us
We take your privacy and protection of your personal information very seriously. If you have any questions or comments or queries about the way we are collecting or using your personal information please contact us at CP+R, 8 UPPER WIMPOLE STREET, LONDON, W1G 6LH or email us at referrals@cpandr.co.uk.
If you have any concerns about the way in which we are collecting or using your personal information you may also contact the Information Commissioner’s Office directly at https://ico.org.uk/concerns/