View navigation



Musculoskeletal Health Privacy Notice

Why are we collecting your information?

This Privacy Notice has been written to inform you that York Teaching Hospital NHS Foundation Trust (the Trust) processes information about you in order to provide musculoskeletal (MSK) services after a referral.

Who do we collect your information from?

Your information comes to us via the Your Physio website. Your Physio is hosted by See Green Systems Ltd. who works with the Trust to provide a self-referral pathway to access the MSK service. The Trust only access and record details that you provide through the Your Physio Self Referral electronic form. To view the See Green Systems Ltd privacy information please go to:

Who are we?

The Trust is a ‘Data Controller’, this means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation.

The Trust has appointed Rebecca Bradley (Head of Information Governance) to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the Trust is compliant with Data Protection legislation and to oversee data protection procedures. The DPO contact details are:

York and Scarborough Teaching Hospital NHS Foundation Trust
York Hospital
Wigginton Road
North Yorkshire
YO31 8HE

When you share your self-referral information on the Your Physio website, See Green Systems Ltd. act as a Processor. The Trust and See Green have a Contract which documents the relationship and See Green will only act upon instructions from the Trust.

What Information are we collecting when you self-refer?

We may also process special categories of information that may include:

What is our lawful basis for processing your information?

Any personal data we process is done so in accordance with the data protection legislation. Our lawful basis for processing are:

Where we process your special category information our lawful basis are:

We do not need your consent to use your personal information for the delivery of direct care because we have a public task to do this. We use personal information because it is necessary for us to use this to carry out our activities as an NHS organisation.

How long do we keep your information for?

The Trust follows NHS Digitals recommended retention schedule which can be found in the Records Management Code of Practice for Health and Social Care 2016.

Who do we share your information with?

We may share your information with:

Do we transfer your information outside the UK?

We do not transfer this information outside the UK.

What rights do you have over your data?

Under GDPR data subjects have the following rights in relation to the processing of their personal data:

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO on the address provided above. To put in a Subject Access Request please contact:

01904 725680

If we cannot resolve your concerns you may also complain to the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the Trust has handled your personal data. You can do so by contacting:

First Contact Team
Information Commissioner’s Office
Wycliffe House Water
Lane Wilmslow
SK9 5AF // 0303 123 1113

Download the PDF