Clinical Exercise Physiology Clinic privacy notice

Information you need to know

The Clinical Exercise Physiology Clinic is part of Liverpool John Moores University (LJMU). See further information on the institution.

Liverpool John Moores University is the Data Controller.

Our Data Protection Officer can be contacted at DPO@ljmu.ac.uk.

This privacy notice explains how we use your personal information and your rights regarding that information.

For information about how the wider university uses personal data, please see the Privacy notice section of our website.

Information we are collecting

We may collect and process a range of personal data, where it is relevant to your engagement with the Clinic.

This includes personal identifiers such as:

  • your name
  • date of birth
  • contact details

We also collect health and medical information where this is necessary to support:

  • exercise assessment
  • risk stratification
  • exercise prescription

In addition, we may collect information about your lifestyle and physical activity, for example:

  • your daily step count
  • activity patterns
  • exercise history

We may also process clinical and fitness assessment data, including:

  • physiological measurements
  • functional capacity assessments
  • test results

Source of the personal data

Most of the personal data processed by the Clinic is collected directly from you. This includes information you provide during consultations, through completed questionnaires, and during in person clinical and fitness assessments.

We also use a third party scheduling platform, Calendly, to arrange appointments. When you book an appointment, Calendly processes your name and email address for the sole purpose of scheduling. Calendly does not have access to your clinical, health, or assessment data.

Calendly is used only for appointment coordination and does not process special category health data on behalf of the Clinic. Further information about how Calendly processes personal data is available in Calendly’s own privacy notice.

Why we are collecting your data and the legal basis for this

We process personal data in accordance with the principles of the GDPR and only where there is a valid lawful basis to do so.

When you complete an Expression of Interest form to access the clinic’s services, we process your personal data with your consent in order to manage your engagement with the clinic and provide appropriate clinical exercise support.

We also process personal data where it is necessary to carry out tasks in the public interest. This includes the delivery of supervised clinical services, the education and training of students, and related academic and research activities within a higher education institution.

Where we process health and other special category data, this is done with your explicit consent and, where appropriate, for scientific research purposes, subject to suitable safeguards.

Your data is used to:

  • deliver safe and effective clinical exercise assessment and intervention
  • support the supervision, assessment, and education of students on placement
  • meet our professional, ethical, and safeguarding obligations

Student practitioners only access the information they need for their learning and are supervised by a registered Clinical Exercise Physiologist and academic staff. All student practitioners are bound by Fitness to Practise requirements and confidentiality agreements, and any breaches are dealt with in line with university disciplinary procedures.

Data will also be collected from patients for research and service evaluation purposes. This supports improvements in clinical practice, teaching, and academic research. Where data is used for research, it is anonymised, identifiable information is not included in publications or presentations, and all research activity follows university ethical approval procedures.

Your decision to engage with research will not affect your access to clinical care.

Who has access to this data

Access to your personal data is limited to authorised LJMU staff and students where this is necessary for them to carry out their role in relation to the Clinic.

This includes:

  • registered Clinical Exercise Physiologists delivering clinical services
  • academic staff responsible for the oversight, governance and supervision of the Clinic
  • LJMU students undertaking approved placements within the Clinic under appropriate supervision

All staff and students are subject to confidentiality obligations and, where applicable, professional or Fitness to Practise requirements. Access to personal data is role-based and restricted to what is necessary.

Your personal data will not be shared outside the Clinic unless you have provided explicit consent, there is a legal or safeguarding requirement to do so, or sharing is necessary to protect your vital interests or the safety of others.

Your data is not shared for commercial or marketing purposes.

How the university protects your data

We are committed to keeping your personal data secure in accordance with data protection legislation and the university’s information security and data protection policies.

Appropriate technical and organisational measures are in place to protect your data from unauthorised access, loss, misuse or disclosure. Your personal data is held within secure, university-approved electronic systems and, where applicable, encrypted storage environments. Access to these systems is controlled through role-based permissions, ensuring that only authorised staff and supervised students can access personal data where this is necessary for their role.

All staff and students are subject to confidentiality obligations and are required to complete relevant data protection training. The university also maintains secure procedures for the retention and disposal of personal data in line with its policies.

Access to your personal data is restricted to those involved in clinical delivery, teaching oversight or approved research activities, and only where this is necessary for them to carry out their responsibilities.

How long the university keeps your data

In most cases, this means your records are retained for six years from the end of your relationship with the Clinic. After this period, records are securely and permanently disposed of in accordance with university policy.

Where personal data has been fully anonymised for research purposes and can no longer be used to identify you, it may be retained for longer periods, including indefinitely, to support ongoing academic research and improvements to teaching and clinical practice.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request - this could be in a portable electronic format
  • request that the university changes incorrect or incomplete data if you think that it is inaccurate or out of date
  • request that the university delete or stop processing your data, for example where the data is no longer necessary or legally required for the purposes of processing

If your personal data has been provided by consent, you have a right to withdraw that consent at any time.

If you would like to exercise any of these rights, please contact the Data Protection Officer at DPO@ljmu.ac.uk.

If you do not provide data

Providing relevant personal and health information is necessary for the university to deliver safe and appropriate clinical exercise assessment and intervention. If you choose not to provide the information requested, we may be unable to offer you access to the Clinic or to design and deliver an exercise programme safely and effectively.

Providing this information is not a statutory requirement. However, without sufficient data, the university cannot meet its clinical, educational, and governance responsibilities.

Transfers of data outside the UK

We normally keep your personal data within the UK. In some cases, however, we may need to transfer it to another country - for example, to deliver a contract with you or to work with a partner organisation such as a university based overseas.

Whenever this happens, we make sure your information stays protected. This could be through a UK “adequacy regulation” (which confirms that the other country’s data protection laws are up to UK standards) or by putting strong safeguards in place.

These safeguards might include:

  • model contractual clauses
  • formal data sharing or processing agreements
  • binding corporate rules

In short, even if your data travels abroad, it will continue to be treated with the same care and respect as it would under UK law.

Automated decision-making

We do not use computers to make decisions about you based solely on your personal data. Any decisions that affect you will always be made by a human, ensuring that you are treated fairly.

How to complain to the university

You have a right to complain to the university if you think it has not properly responded to your request for personal information or feel it has not handled your personal data responsibly.

If you are not satisfied with how your request for information or how your personal data has been handled, you should set out your complaint in writing to:

Maria Burquest
University Secretary and General Counsel
Legal and Governance Services
2nd Floor Exchange Station
Tithebarn Street
Liverpool
L2 2QP

or by email via DPO@ljmu.ac.uk.

How to complain to the Information Commissioner’s Office

You have the right to complain to The Information Commissioner if you believe that our processing of your personal data does not meet our data protection obligations. The Information Commissioner can be contacted using the following details:

  • Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF.
  • Telephone: 0303 123 1113.
  • Email: contact can be made by accessing the ICO website.