Home

Employees & Employed Job Applicants Associates & Subcontractors

Home Links Physiotherapy South East London & Kent
Privacy Notice — Employees and Employed Job Applicants

Document type	Privacy Notice
Audience	Employees, employed job applicants and workers
Version	V1
Review date	March 2026

1. Who We Are

Home Links Physiotherapy South East London & Kent (a trading name of JLinks Physiotherapy Limited, company number 11843830) is the Data Controller for the personal data we hold about you as an employee, worker or job applicant. This notice explains what data we collect, why we hold it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

This notice applies from the point of your first application or contact with us and continues through employment and after it ends.

Our Data Protection Officer is the Company Director. Contact: [email protected]

2. What Data We Collect About You

2.1 Recruitment and Pre-Employment

CV, cover letter, application form
References from previous employers
Right to work documentation (passport, visa, driving licence)
DBS application and certificate details
Professional registration details (HCPC, CSP and others as applicable)
Interview notes and assessment records

2.2 Identity and Contact Information

Full name, home address, email address, telephone number(s)
Date of birth, national insurance number
Emergency contact name and telephone number
Photograph and biography (for website and marketing use, subject to your consent)

2.3 Employment Information

Job title, job description and pay grade
Contract of employment terms
Working hours, leave records (annual leave, sickness absence, exceptional leave)
Performance records, appraisal notes and objectives
Disciplinary and grievance records (if applicable)
Probationary period records
Training and development records, mandatory training certificates
Study leave and study budget records

2.4 Payroll and Financial Information

Bank account details (account holder name, bank name, sort code, account number)
Tax code and national insurance number
Salary, pay rates and pay changes
Expense claims and mileage records
Pension enrolment details (if applicable)

2.5 Health and Medical Information (Special Category Data)

Sickness absence records and Fit Notes (Statements of Fitness for Work)
Self-certification forms
Return-to-work risk assessments
Occupational health reports (if sought)
Any health information you voluntarily disclose that is relevant to your role, health and safety obligations, or reasonable adjustments (e.g. pregnancy, disability, chronic condition)

2.6 Operational and IT Information

Home Links email account details and usage records
Cliniko system access and activity (clinical staff only)
GoHighLevel platform access and records
Breathe HR system records
Microsoft Office 365 / OneDrive / SharePoint usage and records
RehabMyPatient access and usage (clinical staff only)
BYOD compliance confirmation and device security records
LP Networks IT registration and device records

3. Why We Hold Your Data and Our Legal Basis

Purpose	Data Used	Legal Basis
Recruitment and selection	CV, references, right to work, DBS, interview notes	Legitimate interests (recruitment); legal obligation (right to work checks)
Performing your contract of employment	Identity, contact, employment information, payroll	Contract — necessary for the performance of your employment contract
Paying your salary and managing expenses	Payroll and financial information	Contract and legal obligation (HMRC, tax, NI)
Managing sickness absence and return to work	Sickness records, Fit Notes, return-to-work assessments	Contract; legal obligation (SSP); legitimate interests
Managing your performance, development and training	Employment information, training records	Contract and legitimate interests
Managing disciplinary or grievance matters	Identity, employment and disciplinary records	Contract and legal obligation
Ensuring health and safety compliance	Health information, DBS, training records	Legal obligation (Health and Safety at Work Act 1974)
Managing access to our systems	IT and operational information	Contract and legitimate interests — secure business operations
Publishing your biography and photograph for marketing	Name, photo, biography	Consent — via the media consent form signed during onboarding
Statutory reporting and compliance (HMRC, pension auto-enrolment)	Payroll and financial information, NI number	Legal obligation
Running equal opportunities monitoring	Diversity data (if collected)	Legal obligation and legitimate interests
Managing the end of employment (references, final pay, data removal)	Identity, employment and financial records	Contract, legal obligation and legitimate interests

4. Special Category Data — Health Information

Health information is classified as special category data under UK GDPR and is subject to additional protections. We process your health data on the following bases:

Where necessary to carry out our obligations in employment law (e.g. managing sickness absence, making reasonable adjustments, complying with health and safety law).
Where you have given explicit consent (e.g. where you voluntarily share health information to support a reasonable adjustment request).
Where processing is necessary for the purposes of preventive or occupational medicine.

Health information is only shared with those who need to know it to carry out their role (e.g. your line manager or the Company Director) and is not disclosed more widely without your consent.

5. The Systems We Use to Store Your Data

System	Purpose	Data Held
Breathe HR	Core HR system — employment records, absence, documents	Identity, contact, employment details, sickness records, training records, policies acknowledged, payroll data (if integrated)
Microsoft Office 365 / OneDrive / SharePoint	Email, document storage, team communication	Email correspondence, shared documents, policy records, absence correspondence
Cliniko	Client management system (clinical staff only)	Diary, session notes, client records associated with your caseload
GoHighLevel	Onboarding course delivery, CRM and workflow	Onboarding completion records, communications, task records
RehabMyPatient	Exercise prescription (clinical staff only)	Login credentials and usage records
LP Networks	IT support and system security management	IT registration, device compliance, helpdesk records

6. Who We Share Your Data With

We will only share your personal data where necessary and with appropriate safeguards in place. Recipients may include:

LP Networks (IT support provider) — for system access, device security and technical support
HMRC — for PAYE, NI and statutory reporting obligations
The Disclosure and Barring Service (DBS) — for criminal record checks
HCPC and CSP — for verification of professional registration (clinical staff)
Pension provider — for auto-enrolment and contributions
Our HR advisors — where required for employment matters or policy review
Our legal advisors — where required for legal compliance or proceedings
Occupational health providers — where we seek medical advice to support your employment
Former employers — where we seek references during recruitment

7. How Long We Keep Your Data

Personnel records (general): minimum 7 years after employment ends
Payroll records: minimum 7 years (HMRC requirement)
Sickness absence records: 7 years after employment ends
Disciplinary and grievance records: 7 years after employment ends (or longer if legal proceedings are ongoing)
Training and mandatory training records: 7 years after employment ends
DBS records: retained for the duration of employment — certificate details held no longer than 6 months after checking unless a specific business reason exists
Accident records for reportable incidents: at least 4 years from the report date, or until any younger person involved reaches 21
Recruitment records (unsuccessful applicants): 1 year from the end of the recruitment process
Media consent and marketing materials: for the duration of use, subject to any withdrawal of consent

8. International Transfers

Some of the systems we use may store or process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place. Details of how individual systems handle international transfers can be found in their respective privacy policies.

9. Automated Decision-Making

We do not currently use automated decision-making or profiling in a way that produces legal or similarly significant effects on employees.

10. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

The right to access — you can request a copy of the data we hold about you (Subject Access Request).
The right to rectification — you can ask us to correct any inaccurate or incomplete data.
The right to erasure — in certain circumstances, you can ask us to delete your data.
The right to restrict processing — you can ask us to limit how we use your data.
The right to data portability — you can ask for your data in a structured, machine-readable format.
The right to object — you can object to processing based on legitimate interests.
The right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at: [email protected]

We will respond within one month. If your request is complex, we may extend this by a further two months and will notify you accordingly.

Exercising your rights will not result in any detriment to your employment.

11. Complaints

If you are unhappy with how we have handled your personal data, please contact us in the first instance at [email protected]. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: https://ico.org.uk/
Telephone: 0303 123 1113

12. Changes to This Notice

We may update this notice from time to time to reflect changes in our practices or legal requirements. Where changes are significant, we will notify you directly. The most current version will always be available via your line manager or from [email protected].

Home Links Physiotherapy South East London & Kent
Privacy Notice — Associates and Subcontractors

Document type	Privacy Notice
Audience	Self-employed Associates and Subcontractors
Version	V1
Review date	March 2026

1. Who We Are

Home Links Physiotherapy South East London & Kent (a trading name of JLinks Physiotherapy Limited, company number 11843830) is the Data Controller for the personal data we hold about you as a self-employed Associate or subcontractor. This notice explains what data we collect, why we collect it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

Our Data Protection Officer is the Company Director. Contact: [email protected]

2. What Data We Collect About You

As part of our engagement with you as a subcontractor, we collect and hold the following categories of personal data:

2.1 Identity and Contact Information

Full name, home address, email address, telephone number(s)
Emergency contact name and telephone number
Date of birth
Photograph and biography (for marketing and website use, subject to your consent)

2.2 Professional and Compliance Information

HCPC registration number and status
CSP membership details
DBS certificate number, issue date and Update Service status
Professional indemnity and public liability insurance certificate(s)
Mandatory training certificates (Basic Life Support, Moving and Handling, Infection Control, Information Governance, Safeguarding, and others as required)
Right to work documentation (passport or driving licence)
Professional biography submitted for website and marketing use

2.3 Financial Information

Bank account details (account holder name, bank name, sort code, account number) for processing invoice payments
Invoice records and payment history
VAT registration number if applicable

2.4 Operational and IT Information

Home Links email account details and usage records
Cliniko system access and activity logs
GoHighLevel platform access records
RehabMyPatient access and usage (clinical staff only)
BYOD compliance confirmation and device security records
LP Networks IT registration details

2.5 Health Information (Special Category Data)

Any health or medical information you voluntarily share with us that is relevant to your ability to carry out your role safely (e.g. pregnancy, injury, condition affecting lone working)

3. Why We Hold Your Data and Our Legal Basis

Purpose	Data Used	Legal Basis
Entering into and managing your subcontracting agreement	Identity, contact, professional, financial	Contract — processing is necessary for the performance of our contract with you
Verifying your eligibility to work with us safely (DBS, HCPC, insurance)	Professional and compliance information	Legal obligation and legitimate interests — ensuring safe, compliant service delivery
Processing your invoices and making payments	Bank account details, invoice records	Contract — necessary to fulfil our payment obligations to you
Managing access to our systems (Cliniko, email, GoHighLevel, RehabMyPatient, BYOD)	IT and operational information	Contract and legitimate interests — secure operation of our business systems
Maintaining mandatory training records	Training certificates	Legal obligation and legitimate interests — demonstrating regulatory compliance
Publishing your biography and photograph on our website and marketing materials	Name, photo, biography	Consent — you are asked to provide explicit consent via the media consent form
Managing clinical governance, incident reporting, and complaints	Identity, operational information	Legitimate interests and legal obligation — maintaining safe, accountable service delivery
Complying with tax, HMRC and other legal obligations	Financial and identity information	Legal obligation
Ensuring the safety of lone workers and clients	Emergency contact, vehicle, location information	Legitimate interests — staff and client safety

4. Special Category Data

Where you share health or medical information with us, we process this on the basis of your explicit consent and/or where processing is necessary for the purposes of carrying out obligations in the field of health and safety law. We will only use this data for the purpose for which it was shared and will not share it further without your agreement.

5. The Systems We Use to Store Your Data

Your personal data may be stored in or processed through the following systems:

System	Purpose	Data Held
Breathe HR	HR records management	Identity, contact, compliance documents, training records, engagement records
Cliniko	Client management system (clinical staff only)	Clinical diary, session notes, client records you are associated with
GoHighLevel	Onboarding course delivery, CRM and workflow management	Onboarding progress, communications, engagement data
Microsoft Office 365 / OneDrive / SharePoint	Email, document storage, team communication	Email correspondence, shared documents, policy records
RehabMyPatient	Exercise prescription tool (clinical staff only)	Login credentials, usage records
LP Networks	IT support and system security	IT registration and device compliance records

6. Who We Share Your Data With

We will only share your personal data where necessary and with appropriate safeguards. Recipients may include:

LP Networks (our IT support provider) — for system access, device compliance and technical support
HCPC and CSP — where we need to verify your registration status
The Disclosure and Barring Service (DBS) — for criminal record checks and Update Service verifications
Our HR advisors and legal advisors — where required for contractual or compliance purposes
HMRC — where required by tax law

7. How Long We Keep Your Data

Subcontractor records: minimum 7 years after the end of your engagement with us
DBS and professional registration records: retained for the duration of engagement plus 7 years
Invoice and financial records: minimum 7 years (HMRC requirement)
Training records: 7 years after the end of your engagement
Media consent and marketing materials: for the duration of use, subject to any withdrawal of consent
Unsuccessful pre-contract checks (where engagement did not proceed): 1 year

Where you withdraw consent for use of your photograph or biography, we will remove these as soon as reasonably practicable from live materials, though we cannot guarantee immediate removal from already-printed publications.

8. International Transfers

Some of the systems we use may store or process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place (such as the UK International Data Transfer Agreement or adequacy decisions). Details of how individual systems handle international transfers can be found in their respective privacy policies.

9. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

The right to access — you can request a copy of the data we hold about you (Subject Access Request).
The right to rectification — you can ask us to correct any inaccurate or incomplete data.
The right to erasure — in certain circumstances, you can ask us to delete your data.
The right to restrict processing — you can ask us to limit how we use your data in certain circumstances.
The right to data portability — you can ask for your data in a structured, machine-readable format.
The right to object — you can object to processing based on legitimate interests.
The right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at: [email protected]

We will respond within one month. If your request is complex, we may extend this by a further two months and will let you know.

10. Complaints

Website: https://ico.org.uk/
Telephone: 0303 123 1113

11. Changes to This Notice

We may update this notice from time to time. Where changes are significant, we will notify you directly. The current version is always available on request from [email protected].