Data Protection Policy


Vita Health Group (RehabWorks Ltd, Right CoreCare Ltd, Crystal Palace Physio Group Ltd, including any other subsidiary companies or trading names) provides healthcare and wellbeing services to employers, insurance companies and Occupational Health providers across the UK. The confidential patient data we collect and access must be used legally and in good faith, following the principles and guidance published in relevant legislation and industry standards. To ensure this, this policy documents the principles and guidance we expect to be applied at all times.


This policy applies to the treatment of personal data for which Vita Health Group is the data processor or data controller and applies to all staff members, temporary staff members, associates, and sub-processors.


This document states, and explains how we aim to comply with, the principles of data protection, and acts as a statement of intent to which the company, employees or third parties must abide. This policy may be published and distributed to customers and patients as required for informative purposes. This policy cannot, and does not aim to cover every possible use of data, but should be used for guidance where required.


Vita Health Group will:

  1. Ensure that we comply with the principles of data protection and the Caldicott Principles.
  2. Meet our legal obligations as laid down by the General Data Protection Regulation, Human Rights Act 1998, Health and Social Care Act 2015, Access to Health Records Act 1990, and any other relevant legislation.
  3. Ensure that processes and procedures are in place to allow data subjects to exercise their rights.


The data protection principles shall be used to guide all use of personal data:

  1. Accountability – This means that we acknowledge and understand our role and responsibilities as a data controller or data processor. We ensure this by having appropriate governance of how data is used, at the appropriate level of management.
  2. Lawfulness, Fairness, and Transparency
    1. Lawfulness means having a legitimate legal basis for processing personal data. In our case this is the service contract or agreement we have in place with each Customer: a referral from a Customer, or a self-referral by a patient, gives us the legal basis to process that patient's personal data.
    2. Fairness means only using data in the manner which is expected. We ensure this by making sure patients are aware of, and understand how, we process their personal data, ensuring that this is clear and accurate, and ensuring that we do not use data in any other way.
    3. Transparency means that patients must be aware of how we use their data. We ensure this by informing patients how we use their personal data on first contact, and by publishing documents such as this one in easily accessible locations and formats.
  3. Purpose Limitation – This means that data may only be collected for specific, explicit and legitimate purposes. We ensure this by having clear agreements with our customers and suppliers which limit the use of personal data.
  4. Data Minimisation – This means that only the minimum relevant personal data should be collected for the agreed purposes. We ensure this by only collecting the data we require to provide our services, and by ensuring that staff are adequately trained.
  5. Accuracy – This means ensuring that data is accurate and up-to-date. We ensure this by adequately training our staff, and by having a process in place to allow patients to access and request corrections to their personal data.
  6. Storage Limitation – This means that personal data should only be kept for the minimum time necessary. We ensure this by regularly reviewing patient data, and destroying it in line with the Information Governance Alliance Records Management Code of Practice. In practice this means that we store personal data for eight years from the patient's last contact with us.
  7. Integrity and Confidentiality – This means that personal data should be kept safe, and only be accessed securely, and by those with a legitimate need to do so. We ensure this by restricting access to personal data on a 'need to know' basis, and by protecting processes and systems with appropriate technical or policy controls.


The Caldicott Principles are specifically focussed on the use of confidential healthcare data. These principles shall be considered in addition to the data protection principles stated above:

  1. Justify the purpose(s) for using confidential information – Every use of personal confidential data should be clearly defined, scrutinised, documented, and reviewed by an appropriate guardian.
  2. Don't use personal confidential data unless it is absolutely necessary - Personal confidential data items should not be included unless it is essential. The need for patients to be identified should be considered at each stage.
  3. Use the minimum necessary personal confidential data - Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is used as is necessary for a given function to be carried out.
  4. Access to personal confidential data should be on a strict need-to-know basis - Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see.
  5. Everyone with access to personal confidential data should be aware of their responsibilities – Clinical and non-clinical staff handling personal confidential data should be fully aware of their responsibilities and obligations to respect patient confidentiality.
  6. Comply with the law - Every use of personal confidential data must be lawful. Each organisation handling personal confidential data should have a person responsible for ensuring that the organisation complies with legal requirements.
  7. The duty to share information can be as important as the duty to protect patient confidentiality - Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.


Vita Health Group collects and stores patient personal data on behalf of employers, Occupational Health providers, or insurance companies, who pay for our services. Generally, the data we collect may consist of (where required for treatment):

  1. name;
  2. address and post code;
  3. telephone number;
  4. employee number;
  5. email address;
  6. IP Address (if using web services);
  7. website usage statistics and data;
  8. medical history;
  9. medical conditions;
  10. age or date of birth;
  11. gender;
  12. ethnic group or race;
  13. sexual orientation;
  14. criminal offences;
  15. political, religious or philosophical beliefs;
  16. other details about a patient as required for legitimate treatment purposes.


The data we collect is for the provision of Physiotherapy, Psychological Therapy, Counselling, and Employee Assistance Services, and is used to provide reports to customers in line with their agreements with us. This data is also used to positively identify individuals, and for clinical audit purposes. This data may also be used to provide analysis and intelligence reports to customers, and for billing and accounting purposes – in most cases, personal data is anonymised for these processes where allowed by the customer. Personal data required for treatment, including clinical reports, is stored securely on local and cloud-based systems in the UK.


Personal data may be accessed by clinical or administrative members of staff as required for the provision of services, or by clinical auditors who ensure the quality of service. This data may also be shared with other clinical professionals outside of Vita Health Group, where this is required for the provision of services, is required by law, or when required to safeguard the wellbeing of a patient or other person. Data may occasionally be accessed by selected service suppliers who provide technical support.


Personal data collected by a healthcare professional forms part of a medical record and Vita Health Group is legally required to maintain this data in line with the guidance of relevant healthcare governing bodies. In general terms, this means that data is stored for 8 years after a patient's last contact with Vita Health Group; however, there are exceptions for minors, or following the death of a patient. For more detail, see the Information Governance Alliance Records Management Code of Practice.


Any data breach which may result in harm to an individual will be reported to the individual, to the relevant customer organisation, and to the Information Commissioner's Office within 72 hours of discovery.


  1. Vita Health Group systems and processes are protected by Cyber Essentials certified technical controls which are verified on an annual basis, and managed using an ISO 27001:2013 certified Information Security Management System, which is subject to bi-annual external audits, regular internal audits, and full re-certification every three years.
  2. We use enterprise-grade firewalls on network boundaries which include intrusion detection and intrusion prevention systems. Remote centres are connected to our network using a secure private network, and remote or mobile workers connect via an encrypted virtual private network.
  3. Data is stored on locally hosted and remote UK based platform-as-a-service hosted servers, which are managed and maintained by an ISO 27001:2013 certified IT Service provider. Customer Data is also stored on a remote UK based software-as-a-service Case Management System. These services are securely connected to our local network or accessed by encrypted connections.
  4. All servers and user endpoints are protected with enterprise grade Anti-Virus/Anti-Malware software which is monitored and updated on a continuous basis. High risk endpoints are monitored with device monitoring software which allows remote secure deletion of files, or disablement.
  5. All users have unique login credentials with passwords which meet common complexity guidance, and monthly password changes are enforced by network policy. Users with regular access to sensitive data are subject to background checks, criminal records checks, previous employment checks, and governing body certification checks.
  6. Where data is transmitted outside of the network, it is protected by pseudonymisation, anonymisation, or encryption.
  7. Data is backed up locally, and remote copies are stored encrypted for one month. Key systems are also replicated, or have redundant failover to ensure continuity of services in the event of a disaster or technical incident.
  8. Network security is tested by external penetration and vulnerability testing annually, and backups and business continuity measures are fully tested at least annually.
  9. When Patient Data reaches end of life, it is securely destroyed, deleted, or otherwise made inaccessible by secure physical shredding, digital shredding, or database anonymisation.


Whilst data is collected on behalf of our business customers, patients have the following inalienable data rights when it comes to their data:

  1. The right to be informed – Patients should be informed, at the earliest opportunity, what data is to be collected and what it will be used for. This must be provided in a clear, concise, and transparent format. They should also be informed of how they may exercise this, or any other data right.
  2. The right of access – Patients may request, in writing and free of charge, access to their own records. These should be provided in an accessible format once the patient's identity has been confirmed, and within 30 calendar days in most circumstances.
  3. The right to rectification – Patients may request that inaccurate or incomplete data is rectified, and where this data has been disclosed to another party, such as their insurance provider or employer, we have an obligation to inform them of corrections.
  4. The right to erasure – Bearing in mind the legal protection required for medical records, patients may request the deletion of data where it is no longer required for legitimate purposes, or where they withdraw their consent to processing.
    N.B. Under no circumstances may a medical record be altered or erased without seeking the proper authority and consulting with the Vita Health Group Data Protection Officer.
  5. The right to restrict processing – Processing of data may be suspended should a patient contest the accuracy of personal data, or where they object to processing, prior to any decision being made about rectifying or deleting data. Enough data may be retained in any case to ensure that any restrictions on processing are respected in the future.
  6. The right to data portability – Patients are allowed to obtain and reuse their personal data for their own purposes. We must be prepared to transfer personal data across organisations or IT systems without hindrance to usability.
  7. The right to object – Patients may object to their data being used on grounds relating to their particular situation, unless we can demonstrate compelling legitimate grounds to continue. This should be considered on a case-by-case basis.
  8. Rights in relation to automated decision making and profiling – If an automated decision is made about an individual, they may request that this decision is reviewed by a human being.


Every effort will be made to ensure that patients clearly understand how their data is used, and employees must seek advice if they are unsure - never guess or misrepresent facts to a patient. This policy answers most questions which a patient is likely to ask and patients may be referred back to this document, however staff should be aware of the following details:

  1. Identity and contact details of the controller and the data protection officer. This is generally the customer organisation, however this can vary between contracts and services. Always check with the Vita Health Group Data Protection Officer, or relevant Account Manager.
  2. Purpose of the processing and the lawful basis for the processing. See the sections above on the data we collect and how it is used.
  3. The legitimate interests of the controller or third party, where applicable. See the sections above on the data we collect and how it is used.
  4. Any recipient or categories of recipients of the personal data. See the section above on who may access personal data.
  5. Details of transfers to third countries and safeguards – See the section above on how data is used; personal data is stored on systems in the UK.
  6. Retention period or criteria used to determine the retention period. See the section above on retention of medical records.
  7. The existence of each of the data subject's rights. See the section above on patient data rights.
  8. The right to withdraw consent at any time, where relevant. See the section above on patient data rights.
  9. The right to lodge a complaint with a supervisory authority. See the section below on raising concerns.
  10. Where any data we already hold about the patient came from. Usually this is name only and comes from the referral source.
  11. Our contractual obligation to collect data, and possible consequences of failing to provide the personal data. This varies between contracts, and should be referred to the Data Protection Officer, or relevant Account Manager.
  12. The existence of automated decision making. Some digital triage may produce automated outcomes. These decisions are routinely reviewed by members of staff and this may form part of the treatment process, however patients may request a review of any automated decisions.


General queries may be answered verbally by any member of staff; however, the following apply:

  1. Requests to access a patient's personal data must be made in writing from the patient; this can be in any format, such as email, tweet, or text message; and we must positively verify the patient's identity prior to fulfilling any such request. On receiving an access request, we are usually bound to inform the relevant Customer organisation, and may need to refer the request back to them, dependent on our contractual agreements.
    NB. Where a request for a patient's personal data does not come from the patient, refer the matter to the Data Protection Officer immediately.
  2. Requests to transfer the data to another provider, or other health professional, or another professional (such as a solicitor) must follow the procedure outlined above for access requests.
  3. Requests to correct inaccurate data may be made verbally as long as the patient has passed the standard data protection checks. In general, treatment records may not be edited but a note may be added showing a correction. Where required, patients shall be requested to write a supplementary statement of the correction required to add to a case file.
  4. Requests to erase data, or suspend processing, or withdraw consent may be made verbally, however these should be referred to the Vita Health Group Data Protection Officer, and the consequences of this explained to the patient, which may vary between contracts. In general, we may not erase any part of a medical record, but may be able to offer alternative solutions on a case-by-case basis, and if consent is withdrawn, further treatment may be withdrawn.
  5. Requests from children, from an adult who provided data to us as a child, or from a parent regarding a child will be dealt with on a case-by-case basis by the Vita Health Group Data Protection Officer.


Whilst we make every effort to uphold the principles of data protection and the Caldicott Principles, occasionally we may make mistakes. Where a patient is unhappy about how their data is used they may report their concerns to:

  1. Vita Health Group Data Protection Officer:
    Data Protection Officer
    7 Angel Hill
    Bury St. Edmunds
    IP33 1UZ
    Phone: 0333 222 0272
  2. The Information Commissioner's Office:
    The Information Commissioner
    Wycliffe House
    Water Lane
    SK9 5AF
    Phone: 0303 123 1113
  3. The employer or service provider who referred the patient.
