Tags: GDPR, UK, Data Protection, Compliance

GDPR for Physiotherapists: A Plain-English Guide to Patient Data in 2026

What GDPR actually requires from a UK physiotherapist in 2026 — data controllers vs processors, patient rights, retention, AI tools, and the questions to ask any software vendor.

20 April 2026 · 5 min read · By The Oris Team

If you work as a physiotherapist in the UK or EU, GDPR applies to you. That's true whether you run a single-room private clinic, a five-physio practice, or you're an NHS Band 6 seeing patients in a community clinic on a Tuesday. This is the plain-English version — no legal jargon, no scare tactics.

The short version

You collect patient data. That data is legally considered sensitive personal data (sometimes called "special category data"). GDPR says:

  1. You must have a lawful reason to collect it.
  2. You must tell patients what you're doing with it.
  3. You must keep it safe.
  4. You must give it back (or delete it) if they ask.
  5. If you use third-party software to store or process it, you stay responsible for it.

That last point is where most clinics accidentally get into trouble.

Controller vs processor — the 30-second version

  • You (the clinic) are the data controller. You decide what data is collected, why, and for how long.
  • Your software vendors (your notes software, your booking system, your AI tool) are data processors. They handle the data on your instructions.

If a patient complains to the ICO, the ICO knocks on your door, not your vendor's. That's why a clear Data Processing Agreement (DPA) with every vendor matters — it defines what they can and can't do with the data, and who's accountable for what.

If a vendor won't give you a DPA, that's a red flag. Walk away.

Patients' rights you need to know

Your patients have seven rights under GDPR. In practice, the four you'll actually see come up in a physio setting are:

  1. Right of access — "Can I have a copy of everything you have on me?" You have 30 days to respond. It must be free.
  2. Right to rectification — "My date of birth is wrong on your records." You fix it.
  3. Right to erasure — "Please delete everything." You assess whether any legal retention obligation applies (insurance, clinical record minimums), then delete what you can.
  4. Right to data portability — "Please send my full record to my new physio." You package their data in a readable format (PDF or similar) and send.

You don't need a fancy system to handle these. You need a written process for each — so when it happens, you aren't figuring it out on the spot.

Retention periods — the actual numbers

UK guidance suggests physiotherapy records should be kept for:

  • Adults: at least 8 years after the last contact.
  • Children: until the child's 25th birthday (26th if they were 17 at last contact).
  • Deceased patients: 8 years after death.

These are minimums. Some professional indemnity insurers want longer. Check yours.

After the retention period, you don't just leave records sitting around — you delete or anonymise them. "Just in case we might need it one day" is not a GDPR-compatible reason.

If you use AI tools — what to specifically check

This is the part that changed a lot in 2024–2026. AI tools process patient data to generate notes, differentials, or treatment plans. That's fine under GDPR if a few conditions are met. Ask every AI vendor these eight questions:

  1. Where is my patient data processed geographically? The UK and the EU are straightforward. The US or any other country without an adequacy decision means you need Standard Contractual Clauses and extra safeguards.
  2. Is patient data used to train your AI models? The only acceptable answer is "no, never, under any circumstances." Get that in writing in the DPA.
  3. Is the data encrypted in transit? (Expected answer: TLS 1.2 or 1.3.)
  4. Is the data encrypted at rest? (Expected answer: yes, AES-256 or equivalent.)
  5. How is access controlled? Look for "least privilege" access and audit logging.
  6. Is data isolated per clinic (multi-tenant isolation)? This matters if the tool is multi-clinic.
  7. How do you handle data breach notification? (GDPR requires notification within 72 hours.)
  8. How do I delete my data if I leave? Clear self-service deletion beats "email us and we'll get to it."

If a vendor fudges any of these answers, that's a red flag.

The simplest GDPR paperwork you can get away with

You don't need a 40-page GDPR manual. For a small physio practice, the realistic minimum is:

  • Privacy notice — a short plain-English document you give (or link to) every new patient explaining what data you collect and why.
  • DPA with each vendor — already-written template DPAs exist; each vendor usually provides one.
  • Written retention policy — one paragraph stating how long you keep records and what happens after.
  • Breach response plan — one page saying: if we discover a breach, within 24 hours we notify the clinic owner; within 72 hours we notify the ICO if required.

That's it. Most of this is boring. Good.

What GDPR does NOT require

A lot of myths floated around in the early GDPR years. For the record:

  • You do not need a Data Protection Officer unless you're a large-scale operation.
  • You do not need to encrypt every email to patients.
  • You do not need to get written consent for routine clinical documentation — you already have a "legitimate interest" and "provision of healthcare" basis.
  • You do not need to re-do consent every year.

One final thing

GDPR is designed to be proportionate. A five-room private clinic is not held to the same operational standard as a hospital trust. You are expected to make reasonable efforts to protect data, be transparent with patients, and respond to rights requests. That's the essence.

If a vendor's GDPR documentation is clearer than their sales page, that's a good sign. If it's the other way round, be suspicious.

How Oris handles this

For transparency: Oris stores clinic data in per-clinic isolated databases, encrypts in transit and at rest, doesn't use patient data to train AI models, and offers self-service data export and deletion. Our full privacy policy and DPA are on the site. If you want to see what a GDPR-aware clinical AI tool looks like in practice, the Starter plan is free — no credit card.
