The Chartered Society of Physiotherapy The Chartered Society of Physiotherapy


View your shopping cart.

Control of records

File 139761Control of records can vary according to employer and employment type.

Physiotherapists in employment

When a physiotherapist is employed, the records he or she creates or contributes to belong to the employer.

Requests for access to see records will be made to the employer, who will follow the local policy, and process the request in accordance with the Data Protection Act or the Access to Health Records Act for deceased patients.

As the record is owned by the organisation, it controls access and release, not the individual who created the record, so it does not matter if the individual has moved on or not.


In the NHS, records are owned by the Secretary of State, and are managed locally by the associated health organisation or GP practice.

In cases in the NHS where there has been a decision to allow a patient to hold their own health record, the record is still owned by the NHS body providing care to the patient.

The record is stored with the patient until such time as that care has ended, at which point the record is returned to the NHS body.

Sole practitioners

Where a person is self-employed and a ‘sole practitioner’ i.e. not contracted to provide services on behalf of another (for example a private practice, a private hospital or even a NHS hospital), it is the self-employed physiotherapist who owns the notes.

In this case, the self-employed physiotherapist also has legal responsibility to register with the Information Commissioner and take on the burden of all Data Protection issues including  storage, retention, security, processing and destruction of records.  Failure to comply with such requirements can result in legal penalty.

Self employed physios contracted to provide services for/on behalf of a third party

Where a person is self-employed but is contracted to provide services for/on behalf of a third party, for example to a private practice or clinic, private hospital or NHS establishment, private company or industry, the self-employed physiotherapist is in effect working on a consultancy basis.

In this situation the Practice contracting with the self-employed physiotherapist is normally considered to 'own' the records, for the following practical reasons:

  • In most circumstances the records are generated as a by-product of the 'contract' and in the first instance it would be the company that would be sued if something untoward happened, therefore it should be the company that retains the records. In these circumstances, the self-employed physiotherapist is also exposed to liability, so he/she must be able  to access the records to defend him or herself. Having access to the records does not mean that they have to own the records.
  • If the self-employed physiotherapist is absent from the Practice for some time, the patient is likely to wish to be treated by someone else within the Practice, and in these cases the other physiotherapist must have access to the notes, again making it essential that the Practice own the notes.

The Practice has the legal responsibility for  correct registration for all data protection issues.

Transferring records

The means of transferring patient information securely between departments, practices or different health care providers must ensure that confidentiality is maintained throughout the process.

Guidance on the use of fax machines to transfer personal health information which is directly applicable in all contexts/settings has been issued by NHS Scotland.

In the case of emailing personal health information, there is much guidance available about using secure email systems.

The use of NHS Mail was mandated by NHS Scotland from October 2006 to ensure that all email communications concerning patient and sensitive data are made using NHS Mail (the only secure email system offering a high level of encryption available in NHS England and NHS Scotland).

The use of NHS Mail in both NHS England and NHS Scotland is endorsed by the CSP for the secure transfer of clinical information between NHS Mail users.

The NHS Chief Executive made a statement in 2009 that all person identifiable data must only be transmitted via email that has built-in encryption, or, if stored on a removable or mobile device (memory stick, laptop, PDA, CD-ROM, DVD, mobile phone etc), encryption software must be used to safeguard the information.

Indeed, the Information Commissioner has commented that, if mobile devices containing personal data are lost and have not been encrypted, his office will launch an investigation (Lowth M. Confidentiality in the modern NHS: Part 1. Practice Nurse. 2013; 43 (10): 48-51)

Encryption and personal data: Useful documents and websites


Back to top