Clinical Exercise Physiology Clinic privacy notice

Information you need to know

The Clinical Exercise Physiology Clinic is part of Liverpool John Moores University (LJMU). See further information on the institution.

LJMU is the Data Controller. We are committed to handling your personal data in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018.

Our Data Protection Officer can be contacted at DPO@ljmu.ac.uk.

This privacy notice explains how we use your personal information and your rights regarding that information.

For information about how the wider university uses personal data please see the Privacy Notice section of our website.

Information we are collecting

We may collect and process the following categories of personal data, where relevant to your engagement with the Clinic:

  • Personal identifiers, such as your name, date of birth and contact details.
  • Health and medical information relevant to exercise assessment, risk stratification, and prescription.
  • Lifestyle and physical activity information, for example daily step count, activity patterns, and exercise history.
  • Clinical and fitness assessment data, such as physiological measurements, functional capacity assessments, and test results.

Health and medical information is classified as special category data under UK GDPR and is subject to enhanced protection and additional safeguards.

We only collect data that are necessary and proportionate for the purposes described in this Privacy Notice.

Source of the personal data

Most personal data processed by the Clinic are collected directly from you. This includes information you provide during consultations, through completed questionnaires and during in-person clinical and fitness assessments.

We also use a third-party scheduling platform, Calendly, to arrange appointments. When you book an appointment, Calendly processes your name and email address for the purpose of scheduling only. Calendly does not have access to your clinical, health or assessment data.

Calendly acts only in relation to appointment coordination and does not process special category health data on behalf of the Clinic. For more information on how Calendly processes your data, please see their privacy notice.

Why we are collecting your data and the legal basis for this

We collect personal data only when we have a valid reason to do so, and always in line with the principles of the GDPR.

We process your personal data under the following lawful bases set out in Article 6 of UK GDPR.

Article 6(1)(a) Consent

When you complete the Expression of Interest Form to use the clinic services, we ask you for your consent to process your personal data for this purpose.

Article 6(1)(e) Public task

Processing is necessary for the performance of tasks conducted in the public interest, including education, training, research, and the provision of supervised clinical services within a higher education institution.

For special category health data, processing is conducted under Article 9(2)(a) Explicit Consent and Article 9(2)(j) for scientific research purposes.

Your data is used to:

  • deliver safe and effective clinical exercise assessment and intervention
  • support supervision, assessment, and education of students on placement
  • meet professional, ethical, and safeguarding obligations

Student practitioners only access data required for their learning and are supervised by a registered Clinical Exercise Physiologist and Academic Staff. All student practitioners are bound by Fitness to Practise regulations and confidentiality agreements, with breaches managed in line with university disciplinary procedures.

Data will be collected from all patients for research and service evaluation purposes. This supports improvement of clinical practice, teaching, and academic research.

For research use:

  • data is fully anonymised
  • identifiable data are not included in publications or presentations
  • all research activity follows university ethical approval procedures

Your decision to engage with research does not affect your access to clinical care.

Who has access to this data

Access to your personal data is limited to authorised LJMU staff and students where it is necessary for them to conduct their role in relation to the Clinic. This may include:

  • registered Clinical Exercise Physiologists delivering clinical services
  • academic staff responsible for oversight, governance, and supervision of the Clinic
  • LJMU students undertaking approved placements within the Clinic, under supervision

All staff and students are subject to confidentiality obligations and professional or Fitness to Practise requirements. Access to data is role-based and limited to what is necessary.

Your personal data will not be shared outside the Clinic unless:

  • you have provided explicit consent
  • there is a legal obligation or safeguarding requirement
  • sharing is necessary to protect your vital interests or the safety of others

Your data is not shared for commercial or marketing purposes.

How the University protects your data

The University is committed to keeping your personal data secure in accordance with UK data protection legislation and the University’s Information Security and Data Protection Policies.

Appropriate technical and organisational measures are in place to protect your data against unauthorised access, loss, misuse, or disclosure. These include:

  • secure, University-approved electronic systems and encrypted storage
  • role-based access controls, limiting access to authorised staff and supervised students
  • confidentiality obligations and mandatory data protection training for staff and students
  • secure retention and disposal procedures in line with university policy

Access to your data is restricted to those involved in clinical delivery, teaching oversight or approved research, and only where necessary for their role.

How long the University keeps your data

Clinical records are retained in accordance with university retention schedules and legal, professional and insurance requirements. This is typically six years from the end of your relationship with the Clinic. After this period, records are securely and permanently disposed of in line with university policy.

Where data have been fully anonymised for research purposes and can no longer identify you, they may be retained indefinitely to support ongoing academic research and service evaluation.

Your rights

Under UK data protection legislation, you have the following rights in relation to your personal data:

  • The right to be informed about how your data are collected and used.
  • The right of access to request a copy of the personal data held about you.
  • The right to rectification to request correction of inaccurate or incomplete data.
  • The right to erasure, in certain circumstances.
  • The right to restrict processing, in certain circumstances.
  • The right to data portability, where processing is based on consent or contract and conducted by automated means.
  • The right to object to processing conducted under public task or legitimate interests.
  • Rights in relation to automated decision-making and profiling, although the Clinic does not undertake solely automated decision-making that produces legal or similarly significant effects.

To exercise any of your rights, please contact the University Data Protection Officer at DPO@ljmu.ac.uk.

If you do not provide data

Provision of relevant personal and health information is necessary for us to deliver safe and appropriate clinical exercise assessment and intervention. If you choose not to provide the information requested, we may be unable to offer you access to the Clinic or deliver an exercise programme safely and effectively.

The provision of data is not a statutory requirement. However, without sufficient information, we cannot fulfil our clinical, educational and governance responsibilities.

Transfers of data outside the UK

We normally keep your personal data within the UK. In some cases, however, we may need to transfer it to another country - for example, to deliver a contract with you or to work with a partner organisation such as a university based overseas.

Whenever this happens, we make sure your information stays protected. This could be through a UK “adequacy regulation” (which confirms that the other country’s data protection laws are up to UK standards) or by putting strong safeguards in place. These safeguards might include model contractual clauses, formal data sharing or processing agreements, or binding corporate rules. In short, even if your data travels abroad, it will continue to be treated with the same care and respect as it would under UK law.

Automated decision-making

We do not use computers to make decisions about you based solely on your personal data. Any decisions that affect you will always be made by a human, ensuring that you are treated fairly.

How to complain to the University

You have a right to complain to the University if you think it has not properly responded to your request for personal information or feel it has not handled your personal data responsibly.

If you are not satisfied with how your request for information or your personal data has been handled, you should set out your complaint in writing to:

Maria Burquest
University Secretary and General Counsel
Legal and Governance Services
2nd Floor Exchange Station
Tithebarn Street
Liverpool
L2 2QP

or by email via DPO@ljmu.ac.uk.

How to complain to the Information Commissioner’s Office

You have the right to complain to the Information Commissioner if you believe that our processing of your personal data does not meet our data protection obligations. The Information Commissioner can be contacted using the following details:

  • By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
  • By phone: 0303 123 1113.
  • By email: contact can be made by accessing the ICO website.