The Cozier Audit: Corporate Governance & Safeguarding Case Study

This case study documents a formal safeguarding complaint raised by a long-standing member at a Nuffield Health fitness facility in early January 2026. The complaint involved two distinct categories of reported behaviour: a direct verbal threat made toward the complainant, and a remark made publicly within the gym environment about a female member which the complainant characterised in their formal written complaint as explicitly sexual and violent in its phrasing. Both incidents were attributed to the same individual, also a member of the facility.

The purpose of this case study is twofold. First, it examines the systems and processes applied by Nuffield Health — at local management level, at national safeguarding level, and at executive level — in responding to a formal complaint of this nature. Second, it contributes to a broader, ongoing public conversation around safeguarding standards and duty of care obligations in commercial gym environments across the United Kingdom. This case study is published in the public interest, on the grounds of consumer safety, the safety of women in commercial fitness environments, and the adequacy of formal complaint-handling processes operated by large national fitness operators.

Safeguarding in gym and leisure settings has received increasing scrutiny in recent years. Commercial fitness facilities present a specific set of challenges: they are high-footfall, semi-public environments with limited supervision, often with no comprehensive CCTV coverage of exercise areas, and they typically rely on a membership model that creates a recurring relationship between operator and user. These characteristics create both a duty and a practical obligation to manage member conduct and safety robustly.

This case study does not seek to assign blame to any individual. It examines the processes deployed, the timelines observed, and the outcomes communicated, against the backdrop of the complainant's formally stated position and the operator's documented responses.

The complainant had been a continuous member of the Nuffield Health facility in question for approximately seven years at the time the complaint was raised. In their initial correspondence, the complainant noted that in that period they had not previously raised any complaint or dispute involving staff or fellow members, characterising their prior experience at the facility as consistently positive.

The complaint was formally submitted via Nuffield Health's web complaint portal on 2nd January 2026, and assigned the case reference #0167****. It was logged as a non-clinical complaint and directed to local facility management. The complaint described two distinct incidents involving another member of the facility.

3.1 Direct Verbal Threat — 2nd January 2026

At approximately 7:30 AM on 2nd January 2026, the complainant was using the stretching area of the facility when approached by the member in question. The complainant documented that the following remarks were directed at them: a statement that "we're going to have problems" if the complainant shared information about the individual, a demand that the complainant "keep my name out of your mouth," and a closing statement of: "You don't bother me, I don't bother you."

The complainant described this as a direct verbal confrontation perceived as an intimidatory threat, and noted that they responded calmly throughout in an attempt to de-escalate. They subsequently proceeded to the front desk to report the incident, but were unable to speak with available management at that time, and submitted the formal written complaint later that morning.

3.2 Remark Characterised in Formal Complaint as Sexually Violent — About a Female Member

The complainant also documented a separate, earlier incident involving the same individual. While the complainant was training in the free weights area alongside a group of fellow members, the individual in question approached the group and made a remark about a female member who was training nearby. In their formal written complaint, submitted on 2nd January 2026, the complainant characterised this remark as explicitly sexual and violent in its phrasing. The precise wording is on record in that formal complaint submission.

The complainant stated that those present at the time were deeply disturbed by the comment. The complainant noted that, while this remark was not directed at them personally, it formed part of the documented pattern of behaviour being brought to management's attention and indicated a risk to other members, in particular female members of the facility. The substance of the complainant's account was subsequently corroborated by witnesses when questioned by management.

"The suggestion that I alter my attendance times or attend alternative clubs does not address the underlying issue — the continued presence of an individual whose behaviour may place members and staff at risk."

Complainant — written correspondence, 23rd January 2026

3.3 Subsequent Conduct

Following submission of the formal complaint, the complainant documented additional conduct by the same individual during the period in which the complaint was being processed. This included sustained staring and standing in close proximity to the complainant on the gym floor on multiple occasions, and a further incident in which the individual approached very closely while the complainant was mid-exercise in a physically vulnerable position. The complainant formally documented each of these occurrences in written correspondence to management.

The following timeline is drawn directly from the documented email correspondence. It records the sequence of actions, responses, and communications across the complaint period, including the right of reply process and the subsequent escalation.

• Fri 2 Jan 2026 09:43

  Complainant → Local Management

  Formal web complaint submitted via Nuffield Health portal. Complaint documents the direct verbal threat and the remark which the complainant characterised as sexually violent in nature. Case reference #0167**** generated and distributed to local management team.

• Fri 2 Jan 2026 10:25

  Duty Manager → Complainant

  Acknowledgement issued by a Duty Manager. The response apologises for the complainant's experience and proposes a formal meeting with either the General Manager or Customer Experience Manager, describing the matter as one to be handled "in line with our Health and Safety guidelines."

• Fri 2 Jan 2026 12:59

  Customer Experience Manager → Complainant

  The Customer Experience Manager responds, requesting that a meeting be deferred to the following week citing scheduling commitments. No interim safeguarding measures are communicated.

• Sat 3 Jan 2026 09:38

  Complainant → Local Management

  Complainant submits additional written context relevant to the credibility of the reported threat and confirms willingness to meet the following week.

• Mon 5 Jan 2026 16:38

  Complainant → Management

  Formal follow-up submitted. Complainant documents that no meeting time has been confirmed, that they have been forced to train at an alternative facility and rely on the presence of other members for personal security, and formally invokes the Occupiers' Liability Act 1957 in relation to the club's duty of care. Requests written confirmation of interim safeguarding measures and confirmation that the matter has been logged on the club's risk register.

• Wed 7 Jan 2026 10:38

  Complainant → Management (incl. General Manager)

  Complainant formally requests that all CCTV footage from 2nd January 2026 at 7:30 AM in the stretching area be preserved for potential use in any subsequent police or corporate escalation. A meeting is requested for the following morning as a matter of urgency.

• Wed 7 Jan 2026 10:58

  General Manager → Complainant

  General Manager responds, confirming that the Duty Manager had spoken with the individual concerned on the day of the incident and instructed him not to interact with the complainant. The General Manager discloses that CCTV does not cover any area of the gym floor, meaning no visual record of the incident exists. A meeting is confirmed for the following morning.

• Thu 8 Jan 2026

  Complainant & General Manager

  In-person meeting takes place at the facility between the complainant and the General Manager, as scheduled. No written record of the meeting's content or outcomes has been provided in the correspondence chain. During the meeting, the complaint disclosed additional incidents of racial harassment experienced at the facility. These incidents are not detailed in the complainant's SAR data.

• Mon 12 Jan 2026 16:52

  Complainant → General Manager

  Follow-up submitted requesting an update. Complainant notes that the individual has maintained some physical distance but that they continue to feel unsafe when using the facility without fellow members present.

• Tue 13 Jan 2026 14:52

  General Manager → Complainant

  Brief response confirming that the General Manager has spoken directly with the individual in question. A telephone call is agreed for the following afternoon at 2:00 PM.

• Wed 14 Jan 2026 06:11

  Complainant → General Manager

  Prior to the scheduled call, the complainant submits a written statement of their position, expressing concern that the approach to date has relied on verbal assurance from the individual rather than objective safeguarding controls. The scheduled telephone call between the complainant and General Manager subsequently takes place at 2:00 PM.

• Wed 14 Jan 2026 14:00

  General Manager → Complainant (telephone)

  A telephone call takes place between the complainant and the General Manager at 2:00 PM as previously agreed. The call lasts approximately 21 minutes. The following was documented by the complainant following the call.

  First, the General Manager confirmed that the individual whose conduct was the subject of the formal complaint had denied making the direct verbal threat documented in the complaint of 2nd January 2026.

  Second, the General Manager stated that he did not feel he was in a position to ban the individual concerned following that denial, and raised the possibility of banning both parties — the complainant and the individual concerned — as an alternative course of action. The complainant formally disputes the appropriateness of this framing, which equated the position of a member who raised a formal safeguarding complaint with the position of the member whose conduct was the subject of that complaint.

  Third, the General Manager confirmed that the remark formally characterised by the complainant as sexually violent in nature — the second and most serious incident documented in the formal complaint of 2nd January 2026 — had not been raised with the individual concerned during the investigation. The reason given was time constraints. This omission meant that the most serious element of the reported conduct was not addressed with the individual at any point during the initial investigation period.

  Fourth, the General Manager confirmed that concerns about racial harassment raised by the complainant at the in-person meeting of 8th January 2026 had not been formally recorded and had not been raised with the individual concerned. No written record of the racial harassment concern exists in any internal system, as subsequently confirmed by the Subject Access Request disclosure of 11th March 2026.

  The complainant notes that the four matters confirmed during this call — the denial accepted without further investigation, the suggestion of banning both parties, the omission of the most serious complaint element, and the absence of any formal recording of racial harassment concerns — collectively indicate that by 14th January 2026 the investigation had not addressed the substance of the formal complaint and that concerns of a racial nature raised at the facility had been handled verbally without documentation.

• Mon 19 Jan 2026 08:29

  Complainant → Head Office (Safeguarding & Customer Relations)

  Formal escalation submitted to Nuffield Health's national safeguarding email address and customer relations team. The escalation sets out the full pattern of behaviour, references applicable legislation, documents the absence of interim measures, and discloses that the matter has been formally recorded by the police as an intelligence report.

• Wed 21 Jan 2026 06:02

  Complainant → General Manager

  Complainant formally notifies the General Manager that the complaint has been escalated to Nuffield Health Head Office for independent review, citing the absence of interim safeguarding measures and the continued absence of a concrete written outcome from the local process.

• Fri 23 Jan 2026 09:59

  National Safeguarding Lead → Complainant

  National Safeguarding Lead responds. The response acknowledges the concern, states that "appropriate steps" will be taken, and suggests the complainant may wish to use the gym at alternative quieter times or visit an alternative club. It also states that in relation to the remark characterised by the complainant as sexually violent in nature, a formal complaint from the individual directly targeted would be required before the organisation could "address this with the member." The response advises that Stage 1 complaints are responded to within 20 working days.

• Fri 23 Jan 2026 10:14

  Complainant → National Safeguarding Lead

  Complainant responds, formally challenging the framing of the Head Office response. Complainant states that: the matter is a safeguarding concern, not a personal discomfort issue; that the remark characterised as sexually violent in nature had already been corroborated by witnesses; that Nuffield Health's membership terms do not require a criminal charge or a sole complainant to justify action; and that applying a 20-working-day standard complaint response window to a safeguarding matter is inappropriate. Requests written confirmation of any immediate protective measures in place.

• Mon 26 Jan 2026 11:37

  National Safeguarding Lead → Complainant

  Second response from National Safeguarding Lead. Confirms that the matter has been reviewed jointly with the General Manager as a safeguarding matter rather than a standard complaint. States that the member in question was spoken to, that "there is no risk" to the complainant's safety, that additional gym floor monitoring has been implemented, and that further interaction is not anticipated. Confirms that the General Manager will respond directly. No specific measures communicated in writing.

• Mon 26 Jan 2026 11:55

  Complainant → National Safeguarding Lead

  Complainant formally challenges the National Safeguarding Lead's response. Notes that: verbal assurances do not constitute enforceable safeguards; the General Manager had confirmed to the complainant that the remark characterised as sexually violent in nature was not raised with the individual during the initial intervention; the absence of CCTV undermines any assurance of monitoring; and the burden of adjustment has been placed on the complainant rather than the source of risk. Complainant states an intention to escalate to the CEO. A Subject Access Request (SAR) is also referenced as having been submitted.

• Mon 26 Jan 2026 16:41

  Complainant → General Manager

  Complainant documents a further incident in which the individual in question approached very closely while the complainant was mid-exercise in a physically vulnerable position. Complainant formally requests, in writing, a clear timeline for resolution, written confirmation of safeguarding measures, and an explanation of how duty of care is being met in the absence of CCTV.

• Thu 29 Jan 2026 17:12

  General Manager → Complainant

  General Manager issues a formal written response stating that the investigation has been completed and the matter "addressed in full." The response confirms that: staff have been made aware and will maintain a visible presence; the complainant may use their multisite membership to attend alternative clubs; and no further correspondence regarding the complaint will be entered into, with future emails to be placed on file without reply. No specific or enforceable safeguarding measures are set out in writing.

• Thu 29 Jan 2026 17:25

  Complainant → General Manager

  Complainant formally records their position that the matter is not resolved, challenges the adequacy of the investigation given the omission of the remark characterised as sexually violent in nature in the initial intervention, and states that the response to close further correspondence is not appropriate where a safeguarding concern remains active. Formally notifies the General Manager of imminent escalation to the CEO.

• Thu 29 Jan 2026 17:44

  Complainant → CEO

  Complainant writes directly to the CEO of Nuffield Health, formally escalating the complaint following four weeks of unresolved correspondence. The email sets out the full pattern of conduct, documents the absence of written safeguarding measures, raises the inconsistency between the verbal and written accounts provided by management, and requests a governance-level response. No acknowledgement or reply is received.

• Fri 30 Jan 2026

  Complainant → Nuffield Health Data Team

  Subject Access Request submitted under Article 15 UK GDPR, requesting all personal data held by Nuffield Health including emails, internal correspondence, complaint logs, safeguarding records, and any data associated with the complainant's membership or interactions with staff at both local club and head office level. Request acknowledged the same day.

• Wed 4 Feb 2026 10:19

  Complainant → MP (Constituency)

  Complainant writes to their local Member of Parliament and, for visibility, a second MP representing the constituency in which the facility is located. The correspondence raises the safeguarding concerns, documents the absence of written concrete safeguards, and requests independent oversight of whether Nuffield Health's safeguarding processes are being applied appropriately. A broader concern regarding women's safety in commercial gym environments is also raised.

• Fri 6 Feb 2026

  MP → Complainant

  The MP responds, acknowledging the concern and noting that primary jurisdiction rests with the police and Nuffield Health's senior leadership. The MP offers to chase a response from the CEO if one is not received within a reasonable timeframe.

• Sun 2 Mar 2026 09:07

  Complainant → Nuffield Health Data Team

  Complainant formally notes that the statutory one-month SAR deadline under Article 12 UK GDPR expired on 28 February 2026 without a response being received, and without notification of any lawful extension. A response is requested within 48 hours, with an ICO complaint flagged as the next step.

• Sun 2 Mar 2026 18:05

  Nuffield Health Data Team → Complainant

  SAR response issued — one month and one day after submission, with no prior notification of an extension. The disclosure is provided in a password-protected document. The response states that emails in which the complainant was a participant have not been included on the basis that the complainant would already hold copies. No statutory exemption is cited for this exclusion.

• Tue 3 Mar 2026 08:52

  Complainant → CEO (follow-up)

  Having received no acknowledgement of the January CEO escalation, and having now reviewed the SAR disclosure, the complainant sends a detailed follow-up to the CEO raising five distinct governance concerns: the apparent incompleteness of the SAR; the characterisation of the incidents in the adverse event record; the safeguarding threshold determination; the absence of written records of verbal discussions; and the inconsistent application of data protection principles. A governance-level review is formally requested.

• Mon 10 Mar 2026 18:49

  Complainant → Nuffield Health Data Team & MP

  Having received no response to the questions raised about the scope of the SAR search, the complainant formally notifies the data team that the matter has been escalated to the Information Commissioner's Office. In parallel, the complainant updates the MP, noting the incomplete SAR, the absence of the police reference number from the disclosed records, and the continued silence from the CEO.

• Wed 11 Mar 2026

  Nuffield Health Data Team → Complainant

  A supplementary SAR disclosure is issued following the ICO escalation, this time including email correspondence. The data team confirms that no written or recorded notes of any verbal conversations exist — all such discussions were conducted verbally without documentation. It is also confirmed that the police reference number provided by the complainant was not recorded in any internal system, with the only record being within email correspondence.

• Wed 11 Mar 2026

  MP → Complainant

  The MP responds to the complainant's update, noting that the ICO is now the appropriate body to assess SAR compliance. The MP offers to contact the CEO directly on the complainant's behalf once the complainant is ready to pursue that route.

• Mon 17 Mar 2026

  Complainant → MP

  Complainant formally requests that the MP contact the CEO on their behalf, given that the CEO escalation of 29th January remains unacknowledged after over six weeks. A copy of the CEO correspondence is provided to the MP for context.

• Wed 19 Mar 2026

  MP → Complainant / MP → CEO

  The MP confirms that contact has been made with the CEO on the complainant's behalf and that a response will be forwarded upon receipt.

• Wed 16 Apr 2026

  Complainant → MP (follow-up)

  Approximately one month after the MP's contact with the CEO, the complainant follows up to enquire whether a response has been received. No direct communication from Nuffield Health has been received by the complainant.

• Thu 17 Apr 2026

  MP's Office → Complainant

  The MP's office confirms that no reply has been received from Nuffield Health and that a further chase has been sent. The office notes that it cannot compel a private organisation to respond.

• Sun 20 Apr 2026

  Nuffield Health → MP

  A response is issued to the MP by a Senior Customer Relations Coordinator — not the CEO. The response states that the matter has been reviewed by the safeguarding team, that no safeguarding concerns have been identified (a conclusion contested by the complainant on the grounds set out in Sections 03–07 of this case study), that this outcome has been communicated to the member, and that Nuffield Health will not be engaging in any further discussion on the matter. No further substantive detail is provided.

• Tue 21 Apr 2026

  Complainant → Nuffield Health CEO

  A draft case study documenting the full complaint history is formally provided to Nuffield Health's Chief Executive Officer in advance of publication, with a genuine and formal invitation to submit a response, correction, or contextual statement for inclusion. A 14-day right of reply window is extended. The document is provided for the purpose of responsible pre-publication review and not shared with any third party during this period.

• Thu 24 Apr 2026

  Nuffield Health Customer Relations → Complainant

  Nuffield Health issues its written response to the right of reply document. Rather than engaging with or contesting any specific factual assertion in the case study, the response invokes the organisation's Persistent Complainants Policy and explicitly indicates the possibility of membership termination. The response does not address the outstanding Article 16 UK GDPR rectification request, does not provide a copy of the Persistent Complainants Policy despite invoking it, and does not contest the characterisation of the complaint in adverse event record ADV-89039. The full text of this response is reproduced at Section 09 of this case study.

• Sat 25 Apr 2026

  Complainant → Nuffield Health / ICO / Charity Commission / MPs

  Final notice issued to Nuffield Health Customer Relations, copied to the Data Protection Team and the Office of the Chief Executive. The notice formally places on record the inconsistencies in Nuffield Health's response, reiterates the outstanding Article 16 rectification request, and advises that the following external steps have been taken: the ICO complaint has been updated; a formal report has been submitted to the Charity Commission; and the published case study — including Nuffield Health's response of 24th April 2026 reproduced in full — has been provided to three Members of Parliament for their awareness.

• Sat 25 Apr 2026

  Publication

  This case study is published at thecozieraudit.co.uk in the public interest, based solely on documented written correspondence and statutory disclosures. Nuffield Health's written response of 24th April 2026 is reproduced in full. All individual names and the specific facility location remain anonymised. The ICO referral and Charity Commission report remain active. The Article 16 rectification request remains outstanding. Status: Unresolved.

Following the General Manager's formal closure of the complaint on 29th January 2026, and having received no satisfactory written safeguarding outcome from either local management or the national safeguarding team, the complainant wrote directly to the CEO of Nuffield Health the same evening.

The initial CEO escalation, submitted on 29th January 2026, set out the full history of the complaint and identified five specific concerns: the absence of any written, enforceable safeguarding measures; the continued unrestricted access of the individual involved; the inconsistency between what had been discussed verbally and what had been documented formally; the incompatibility between the outcome reached and Nuffield Health's own membership terms; and the attempt by local management to close down further correspondence while the safeguarding concern remained, in the complainant's view, unresolved.

No acknowledgement or reply was received from the CEO following the January escalation.

On 3rd March 2026, having received and reviewed the Subject Access Request disclosure, the complainant sent a second and more detailed email to the CEO. This correspondence raised five further governance-level concerns arising directly from the disclosed documentation, which are addressed in Section 06 of this case study. A governance-level review was formally requested, independent of the local branch management team. This correspondence also remained unanswered.

The CEO did not respond directly to either piece of correspondence, nor to the subsequent contact made on the complainant's behalf by the MP. When a response was eventually provided to the MP on 20th April 2026 — some 81 days after the initial CEO escalation — it was issued by a Senior Customer Relations Coordinator rather than by the CEO or a member of the executive team. That response stated that the matter had been reviewed by the safeguarding team, that no safeguarding concerns had been identified, and that no further discussion would be entered into.

On 30th January 2026, the complainant submitted a formal Subject Access Request (SAR) to Nuffield Health under Article 15 of the UK GDPR. The request sought all personal data held by the organisation relating to the complainant, including emails, internal correspondence, complaint logs, safeguarding records, and any data associated with the complainant's membership or interactions with staff at both local club and head office level.

Timeliness of the SAR Response

The statutory deadline for a SAR response under Article 12 UK GDPR is one calendar month from the date of receipt. The complainant's request was acknowledged on 30th January 2026; the statutory deadline therefore fell on 28th February 2026. No response was received by that date, and no notification of a lawful extension — as required under Article 12(3) — was issued. The complainant formally raised this lapse on 2nd March 2026. A disclosure was provided later that day, one day beyond the statutory deadline, without any explanation for the delay or reference to an extension having been applied.

Completeness of the Initial Disclosure

The initial SAR response explicitly excluded all emails in which the complainant was a participant, on the stated basis that the complainant would already hold copies of those communications. No statutory exemption was cited for this exclusion. The complainant formally challenged this position, noting that their request encompassed all personal data processed by the organisation — including internal correspondence referencing them — regardless of whether they had been copied into those communications at the time.

Following the complainant's escalation to the Information Commissioner's Office on 10th March 2026, a supplementary disclosure was issued on 11th March 2026 which included email correspondence. This supplementary disclosure confirmed that no written or recorded notes of any verbal conversations during the investigation process exist — all such discussions had been conducted verbally without documentation. It was further confirmed that the police reference number provided by the complainant to management had not been recorded in any internal system, including the incident log, safeguarding records, or the gym membership management system. The only record of this information was within email correspondence.

The Adverse Event Record: ADV-89039

The SAR disclosure included the internal adverse event record created in relation to this complaint, designated ADV-89039 and dated 9th January 2026 with an event date of 5th January 2026. Several aspects of this document are of note.

The brief summary of the event records that "members spoke unpleasantly about each other" — a phrase quoted verbatim from internal adverse event record ADV-89039, as disclosed pursuant to the Subject Access Request of 30th January 2026. On the face of the two documents, and in the complainant's submission, this characterisation appears materially inconsistent with the substance of the complaint as formally submitted, which documented a direct verbal threat and a remark characterised by the complainant as explicitly sexual and violent in its phrasing — two distinct incidents of differing character and severity. The complainant formally challenged this characterisation as inconsistent with the requirements of Article 5(1)(d) UK GDPR, which requires that personal data be accurate.

The adverse event form records the presence of witnesses as "NO." This is consistent with the facts in relation to the direct verbal threat on 2nd January 2026, which occurred without witnesses present. However, the investigation summary contained within the same document references the General Manager having spoken to two members identified by the complainant as witnesses to the remark characterised as sexually violent in nature. The form therefore appears to record witness status for the complaint as a whole rather than distinguishing between the two separate incidents. The complainant had formally notified management that the two incidents involved different evidence bases.

The adverse event form records the safeguarding field as "NO" — meaning the matter was assessed as not constituting a potential safeguarding concern. It records the degree of harm as "0 — No harm — prevented (near miss)." The investigation conclusion records "No Further Action Required." The complainant formally requested clarification of the safeguarding criteria applied, whether a formal risk assessment was conducted, and what monitoring or preventative measures, if any, were put in place. No substantive response to these questions was received.

The investigation summary within the adverse event record also confirms that the General Manager spoke to one of the witnesses identified by the complainant regarding the remark characterised as sexually violent in nature, and that this individual indicated the comment was said by the reported member. This detail had not been disclosed to the complainant during the investigation period and was only made known through the SAR disclosure.

Absence of Written Investigation Records

The supplementary SAR disclosure confirmed that there are no written or recorded notes of any verbal conversations relating to the complaint or the investigation. All substantive discussions — including conversations between management and the individual at the centre of the complaint, and conversations with witnesses — were conducted verbally and not documented. This is consistent with the complainant's repeated written requests, throughout the complaint period, for all communications to be conducted in writing, which were not consistently observed.

ICO Referral

On 10th March 2026, having received no response to the questions raised about the scope and completeness of the SAR, the complainant formally referred the matter to the Information Commissioner's Office. As at the date of publication, that referral remains under investigation by the ICO.

The document below is the original formal complaint submitted by the complainant via Nuffield Health's own web complaint portal on 2nd January 2026. It is reproduced here as a primary source document to allow readers to assess, on the face of the two documents, how the formal complaint as submitted is characterised in internal adverse event record ADV-89039 — disclosed via the Subject Access Request — as "members spoke unpleasantly about each other."

This document is held on Nuffield Health's own systems, has been provided in full to Nuffield Health's Data Protection Officer and Chief Executive Officer as an attachment to the correspondence of 27th May 2026, and has been provided to all active regulatory bodies. It is published here in the public interest. One targeted redaction has been applied as described in the editorial notice below.

The following observations are drawn directly from the documented correspondence. They relate to systems, processes, and procedural decisions rather than to the conduct of any individual member of staff.

• Absence of Interim Safeguarding Measures

  At no point in the documented correspondence was the complainant informed of any concrete, enforceable interim safeguarding measures put in place while the complaint was under investigation. Verbal assurances and staff awareness were referenced, but no written controls — such as a formal instruction for physical separation, adjusted access, or temporary suspension pending investigation — were communicated.

• No CCTV Coverage of the Gym Floor

  The General Manager confirmed in writing that CCTV does not cover any area of the gym floor at the facility in question. This means there is no independent visual record of the incidents reported. This is a significant limitation in any operator's ability to investigate, verify, or deter misconduct in the main exercise environment, and has implications for how assurances of safety can be substantiated.

• Remark Characterised as Sexually Violent Not Raised in Initial Intervention

  It was confirmed to the complainant by the General Manager that the remark characterised by the complainant as sexually violent in nature — made about a female member — was not raised with the individual in question when he was initially spoken to by management. This omission meant that the most serious element of the reported conduct was not addressed in the first substantive intervention, a fact the complainant identified as materially undermining the adequacy of the investigation.

• Standard Complaint Process Applied to a Safeguarding Concern

  The National Safeguarding Lead's initial response advised that Stage 1 complaints are responded to within 20 working days. The complainant formally challenged the appropriateness of applying a standard service complaint timeline to a matter involving witness-corroborated accounts of language characterised as sexually violent in nature, and a credible physical threat, where the individual remained on the gym floor throughout.

• Mitigation Directed Solely at the Complainant

  The mitigations proposed by both local management and the National Safeguarding Lead consistently directed the complainant to modify their own behaviour: to attend at alternative times, to use alternative facilities, or to rely on the visible presence of staff or personal contacts. Neither the local nor national response documented any measure that addressed the source of the reported risk.

• Communication Conducted Primarily by Telephone

  A number of substantive discussions and interventions in this case took place by telephone or in person, without a corresponding written record being provided to the complainant. The complainant formally and repeatedly requested that all communications be conducted in writing to ensure an accurate audit trail. The documented correspondence confirms this request was not consistently observed.

• Complaint Formally Closed Without Written Safeguarding Outcome

  On 29th January 2026, the General Manager issued a written response declaring the matter "addressed in full" and stating that no further correspondence would be entered into. This closure took place without any specific, enforceable safeguarding measure having been set out in writing, and while the complainant had formally and repeatedly stated that they did not feel safe. The complainant did not accept this as a resolution.

• CEO Did Not Respond Directly

  The complainant wrote to the CEO on 29th January 2026 and again on 3rd March 2026. Neither received an acknowledgement. When a response was eventually provided to the MP's enquiry on 20th April 2026 — 81 days after the initial escalation — it was issued by a Senior Customer Relations Coordinator, not the CEO. The response stated that no further engagement would be entered into. Formal correspondence sent by Royal Mail Special Delivery to both the Chief Executive Officer and the Data Protection Officer by name on 27th May 2026 produced a response from the Data Protection Officer team on 1st June 2026. The Chief Executive Officer has not responded directly to any correspondence across the full period documented in this case study.

• Subject Access Request Returned Late and Initially Incomplete

  The SAR submitted on 30th January 2026 was not responded to within the statutory one-month deadline, and no notification of a lawful extension was issued. The initial disclosure excluded all emails in which the complainant was a participant without citing a statutory exemption. A supplementary disclosure was only provided after escalation to the ICO. As at the date of publication, that referral remained under investigation.

• Adverse Event Record Characterisation Formally Defended After Review of Original Complaint

  The internal adverse event record ADV-89039 characterises the complainant's formal safeguarding complaint of 2nd January 2026 as "members spoke unpleasantly about each other." The same record notes no witnesses and no safeguarding concern, while the investigation summary within it references the General Manager having spoken to witnesses who corroborated the remark characterised as sexually violent in nature. On 27th May 2026, the original complaint was provided in full to Nuffield Health's Data Protection Officer and Chief Executive Officer, and both were specifically invited to assess on the face of the two documents whether the characterisation accurately reflected its contents. In their written response of 1st June 2026, Nuffield Health's Data Protection Officer team formally defended the characterisation, stating that "the accuracy principle applies to personal data, not to internal narrative summaries of incidents" and that they were "satisfied the record is not inaccurate in this context." The characterisation has therefore been formally maintained in writing after the original complaint was reviewed in full. No rectification has been made and no written investigation records exist. The original complaint is reproduced in Section 6a of this case study.

• Article 16 Rectification Request Formally Refused on Disputed Legal Grounds

  On 1st June 2026, following the formal rectification request and seven-day deadline set out in the complainant's letter of 27th May 2026, Nuffield Health's Data Protection Officer team issued a written response formally refusing to rectify adverse event record ADV-89039. The refusal advanced the position that "the accuracy principle applies to personal data, not to internal narrative summaries of incidents" and that the record was not inaccurate "in this context." This position was stated after the original complaint of 2nd January 2026 had been reviewed in full by both the Data Protection Officer and the Chief Executive Officer. The response did not address the specific question posed — how the characterisation "members spoke unpleasantly about each other" accurately reflects a complaint that documented a direct verbal threat and a remark formally characterised as sexually violent in nature — but argued instead that the accuracy principle did not apply. The complainant has submitted this written response to the Information Commissioner's Office for independent assessment of the legal position advanced. A letter before action under section 167 of the Data Protection Act 2018 has been served.

This case does not exist in isolation. Safeguarding in commercial leisure and fitness environments has become an area of increasing public concern in the United Kingdom. Unlike regulated settings such as schools, hospitals, or local authority leisure centres, private commercial gyms operate without a mandatory statutory safeguarding framework specifically tailored to their environment. Their obligations derive from a combination of common law duty of care, the Occupiers' Liability Act 1957, the Equality Act 2010, the Protection from Harassment Act 1997, and their own contractual membership terms.

A number of features specific to commercial gym environments create particular safeguarding challenges. These include the high volume and regular recurrence of members sharing the same space; the semi-public, unsupervised nature of the exercise floor; the limited or, as documented in this case, absent CCTV coverage of exercise areas; the reliance on verbal interaction to manage member conduct; and the fact that membership creates an ongoing relationship which makes exclusion decisions more complex than in one-off public settings.

The incidents described in this complaint — specifically the remark characterised by the complainant as sexually violent in nature, made about a female member in a shared exercise environment — raise questions about the effectiveness of the mechanisms available to operators for identifying, investigating, and responding to predatory or threatening conduct among their membership. Where CCTV is absent, where no written record of informal interventions is created, and where the investigative process relies substantially on conversations with the individual accused, the capacity for independent verification is significantly limited.

The complainant's experience also raises a question of consistency between published membership terms and their application in practice. Nuffield Health's membership terms include provisions permitting action — including termination of membership — where a member uses threatening, offensive, or sexually inappropriate language or conduct, or where their behaviour may place other members at risk. The complainant formally raised this inconsistency in correspondence, and it was not substantively addressed in any written response received.

The concerns documented in this case study relate primarily to the handling of a formal safeguarding complaint and associated data protection failures. However, the documented conduct and the institutional responses to it engage provisions of the Equality Act 2010 that cannot responsibly be excluded from the record. The following does not reframe the primary subject of this case study. It documents specific conduct and specific institutional omissions that have Equality Act implications the complainant considers relevant to the full picture. No assertion is made about the motivation of any individual. Motivation is a matter for the relevant regulatory authority to assess.

Background — Protected Characteristic

The complainant is of mixed race. The General Manager responsible for investigating the formal complaint of 2nd January 2026 and the individual whose conduct was the primary subject of that complaint are both white. These are documented facts of record rather than assertions about motivation or intent.

Pattern of Racially Harassing Conduct — June to December 2025

In the period between June 2025 and December 2025 — in the months preceding the formal safeguarding complaint of 2nd January 2026 — the complainant experienced and witnessed a pattern of conduct by a separate facility member, distinct from the individual whose conduct was the primary subject of the formal complaint. This pattern included racially dehumanising language directed at the complainant, racial slurs directed at other members of the facility, and conduct directed at the complainant on the basis of their race on multiple occasions across this period. Several of these incidents were witnessed by other members of the facility.

Institutional Failure to Record or Act — Section 26 Equality Act 2010

At the in-person meeting of 8th January 2026 — six days after the formal safeguarding complaint was submitted — the complainant raised with the General Manager the pattern of racially harassing conduct described above, including specific incidents involving racially dehumanising language and conduct directed at the complainant on the basis of their race. This notification was made in the context of the complainant's broader concern that a hostile environment had developed at the facility.

In the telephone call of approximately 21 minutes on 14th January 2026 the General Manager confirmed the following. The racial harassment concerns raised at the 8th January 2026 meeting had not been formally recorded. The concerns had not been raised with the individual concerned.

The Subject Access Request disclosure of 11th March 2026 subsequently confirmed that no written or recorded notes of any verbal conversations during the investigation period exist in any internal Nuffield Health system. The only record of the racial harassment notification exists within the complainant's own correspondence and in the documented confirmation of the General Manager's admission during the 14th January 2026 telephone call.

An organisation that receives a formal notification of a sustained pattern of racial harassment at its facility — including racially dehumanising language directed at a member on the basis of their race — and takes no documented action raises concerns under section 26 of the Equality Act 2010, which places an obligation on service providers to ensure that those using their services are not subjected to unwanted conduct related to a protected characteristic that has the purpose or effect of creating a hostile, degrading, humiliating, or offensive environment.

Race is a protected characteristic under the Equality Act 2010. The conduct described above was directly related to the complainant's race. The General Manager's confirmation that no formal record was created and no action was taken is documented in the correspondence record and confirmed by the Subject Access Request disclosure.

The Link to the Formal Safeguarding Complaint

The racial harassment pattern documented above is directly connected to the formal safeguarding complaint of 2nd January 2026 in the following documented respects.

First, the pattern occurred in the same shared exercise environment and during the same membership period as the conduct that was the subject of the formal complaint. The complainant was subjected to a direct verbal threat on 2nd January 2026 in the same facility in which racial harassment had been occurring since June 2025. The cumulative effect of both patterns of conduct on the complainant's experience of the facility is relevant to the assessment of whether a hostile environment within the meaning of section 26 existed at the time the formal complaint was raised.

Second, the General Manager's confirmation that the racial harassment concerns were not formally recorded is consistent with the broader pattern of verbal-only investigation confirmed by the Subject Access Request disclosure — specifically that no written or recorded notes of any verbal conversations during the investigation process exist in any internal Nuffield Health system. The failure to record the racial harassment concern is not an isolated omission. It is consistent with an investigative approach that systematically failed to create written records of any substantive concern raised during the complaint period.

Third, the characterisation of the formal safeguarding complaint in adverse event record ADV-89039 as "members spoke unpleasantly about each other" is materially inconsistent not only with the direct verbal threat and the remark characterised as sexually violent in nature that were formally reported, but also with the broader context of a sustained pattern of racially harassing conduct that was raised with management at the same meeting and was equally absent from the internal record.

Victimisation — Section 27 Equality Act 2010

Section 27 of the Equality Act 2010 defines victimisation as subjecting a person to a detriment because they have done a protected act. A protected act includes making a complaint or allegation of conduct that contravenes the Act.

The complainant's raising of racial harassment concerns at the in-person meeting of 8th January 2026 constitutes a protected act under section 27. The subsequent invocation of the Persistent Complainants Policy on 24th April 2026 — which threatened the termination of the complainant's membership — constitutes a detriment within the meaning of section 27.

The complainant does not assert that the Persistent Complainants Policy was invoked solely or primarily because of the racial harassment protected act. The complainant notes that the protected act was made, that a detriment followed, that the temporal connection between the two is documented in the correspondence record, and that the Equality and Human Rights Commission — whose jurisdiction specifically covers Equality Act 2010 provisions — is the appropriate body to assess the significance of that connection.

The complainant also notes that the Persistent Complainants Policy does not appear in Nuffield Health's published membership terms and conditions, has never been communicated to the complainant during approximately seven years of continuous membership, and has not been provided despite a formal written request. A policy used to impose a detriment on a member who made a protected act — and of which the member was never informed — raises additional concerns about the transparency and proportionality of its application that fall within the EHRC's assessment remit.

Hostile Environment — Section 26 Equality Act 2010

The pattern of racially harassing conduct described above — sustained across a six-month period, involving multiple incidents, witnessed by other members, and occurring in a shared exercise environment — contributed to a hostile environment at the facility within the meaning of section 26 of the Equality Act 2010.

The formal safeguarding complaint of 2nd January 2026 documented a direct verbal threat and a remark formally characterised as sexually violent in nature made about a female member. The racial harassment pattern documented above occurred in the same shared exercise environment during the same membership period. The cumulative effect of both patterns of conduct on the complainant's experience of the facility is relevant to the assessment of whether a hostile environment within the meaning of section 26 existed at the facility during this period.

The General Manager's confirmation that the racial harassment concerns were not formally recorded is consistent with the broader pattern of verbal-only investigation confirmed by the Subject Access Request disclosure. The failure to record the racial harassment concern is not an isolated omission. It is consistent with an investigative approach that systematically failed to create written records of any substantive concern raised during the complaint period. An organisation whose investigative approach systematically produced no written records of any concern raised during a formal safeguarding investigation is an organisation whose ability to demonstrate compliance with its section 26 obligations depends entirely on the recollection of personnel rather than on documentary evidence.

Regulatory Position

The Equality Act concerns documented in this section have been referred to the Equality and Human Rights Commission. The EHRC has specific enforcement jurisdiction over Equality Act 2010 breaches in relation to service providers including commercial fitness facilities. The referral specifically addresses the failure to record or act on formally notified racial harassment concerns under section 26, the temporal connection between the racial harassment protected act and the Persistent Complainants Policy invocation under section 27, and the hostile environment concerns under section 26.

The complainant notes that Nuffield Health, as a registered charity whose objects include the advancement of health and wellbeing, has specific obligations in relation to equality and non-discrimination that extend beyond the minimum requirements of the Equality Act 2010. A charity operating a fitness facility in which a member experienced a sustained pattern of racial harassment, raised those concerns formally with management, received no documented response, and was subsequently designated a persistent complainant raises questions about the consistency of the organisation's operations with its charitable objects that the Charity Commission for England and Wales — to which a separate report has been made — is also invited to consider.

The complainant further notes that the local-only complaints policy operated by Nuffield Health — under which all complaints are resolved at facility level without documented head office oversight or consistency framework — is directly relevant to the Equality Act concerns documented in this section. A national registered charity operating without a centralised mechanism for identifying and responding to patterns of discriminatory conduct across its facility network is a charity whose governance architecture creates the precise conditions in which racial harassment can be reported, go unrecorded, and remain unaddressed without any escalation to a level capable of identifying or correcting the failure.

Following the publication of this case study and the filing of supplementary regulatory submissions on 27th May 2026, a formal letter was addressed directly to Nuffield Health's Data Protection Officer in their independent statutory capacity under Article 38(3) UK GDPR. The letter set a seven-day deadline for compliance. Nuffield Health responded on 1st June 2026. Both documents are reproduced below.

The letter of 27th May 2026 was sent simultaneously by email from the complainant's business address and by Royal Mail Special Delivery to Nuffield Health's registered office, addressed to both the Data Protection Officer and the Chief Executive Officer. The original complaint of 2nd January 2026 was attached in full so that both officers could assess, on the face of the two documents, whether the characterisation in ADV-89039 accurately reflects its contents.

Following the formal closure of internal communications with Nuffield Health on 25th April 2026, the following external steps were taken to ensure the documented concerns are subject to appropriate independent oversight. Each action was taken proportionately and in direct response to the contents of Nuffield Health's written response of 24th April 2026.

• Information Commissioner's Office (ICO): The existing complaint was formally updated to include Nuffield Health's written response of 24th April 2026. The update specifically records the outstanding Article 16 rectification request — the right to correction of inaccurate personal data under UK GDPR — in relation to the characterisation of the complainant's formal safeguarding complaint in internal adverse event record ADV-89039. The update further notes that the exercise of statutory data rights was cited as part of the basis for invoking the organisation's Persistent Complainants Policy. The ICO referral remains active as at the date of publication.
• The Charity Commission: A formal report was submitted to the Charity Commission in relation to the invocation of an administrative policy instrument against a member in direct response to a formally submitted safeguarding concern, and the explicit threatened termination of that member's relationship with the organisation in the same written communication. As a registered charity, Nuffield Health is subject to the Charity Commission's oversight in matters of governance and operations consistent with its charitable objects, which include the advancement of health and wellbeing.
• Equality and Human Rights Commission (EHRC): A formal notification has been submitted to the EHRC regarding potential breaches of Sections 26 and 27 of the Equality Act 2010. The referral focuses on the documented failure to record or investigate a formal disclosure of a sustained pattern of racial harassment, paired with the subsequent deployment of an uncontracted policy instrument to penalise the complainant. The EHRC retains enforcement jurisdiction over service providers who subject individuals to a detriment following a protected act, or fail to maintain environments free from harassment related to a protected characteristic.
• Competition and Markets Authority (CMA): A formal notification has been submitted to the CMA regarding systemic concerns under consumer protection legislation, specifically the Consumer Rights Act 2015. The referral addresses the organisation’s reliance on an uncontracted policy that does not appear in Nuffield Health's published terms and conditions, and public-facing consumer frameworks—to alter a consumer's status and threaten relationship termination. The CMA has a regulatory interest in consumer terms that are not transparently disclosed and in policies that affect a consumer's rights but do not appear in published terms and conditions. The complainant's concern, set out in the referral, is that such a policy was applied to alter his status as a consumer and to indicate possible termination of his membership after he had raised a safeguarding complaint and exercised statutory rights. Trading Standards: A formal complaint has been filed with Trading Standards concerning potential breaches of the Consumer Protection from Unfair Trading Regulations 2008. The submission highlights a pattern of unfair commercial practices, specifically the use of misleading omissions regarding consumer rights and the enforcement of uncontracted rules which the complainant considers had the effect of deterring legitimate escalation following a safeguarding dispute. As the local and regional statutory enforcement arm for consumer law, Trading Standards is invited to assess the transparency, contractual validity, and proportionality of the organisation's consumer-facing operations.
• Parliamentary Notification: The published case study — including Nuffield Health's written response of 24th April 2026, reproduced in full — was provided to the Members of Parliament for Kingston upon Thames, the constituency in which Nuffield Health's head office is located, and the complainant's own constituency. Each was notified for their awareness in their capacity as elected representatives.
• Public Audit Publication: This case study was published at thecozieraudit.co.uk in the public interest, as a transparent and fully documented account of the complaint-handling process and its outcomes, based solely on written correspondence and statutory disclosures. It is published responsibly: all individual names and the specific facility location have been anonymised, a genuine right of reply was offered to and responded to by Nuffield Health prior to publication, and no events, motivations, or outcomes have been speculated upon beyond the written record.

The following sets out, transparently and in good faith, what a genuine resolution of this matter would look like. Each requirement is grounded in a statutory obligation, a contractual commitment made by Nuffield Health to its members, or what any member raising a serious safeguarding concern in good faith would reasonably expect. None of these requirements is extraordinary. All remain outstanding as at the date of publication.

This case study documents a formal safeguarding complaint raised in good faith by a long-standing member of a national fitness operator, and the full sequence of escalations that followed over a period of nearly four months. The complaint involved two distinct incidents of a serious nature: a direct verbal threat made in the gym environment, and a remark made publicly about a female member which the complainant characterised in formal correspondence as explicitly sexual and violent in its phrasing. The complainant engaged consistently, constructively, and transparently throughout — escalating formally and proportionately at each stage when the responses received were considered inadequate.

The documentary record, now supplemented by the Subject Access Request disclosure and Nuffield Health's written response of 24th April 2026, indicates a series of procedural inconsistencies that, taken together, meant the complainant did not receive a written, concrete, or independently verifiable safeguarding outcome despite sustained engagement over an extended period. The internal adverse event record ADV-89039 — disclosed via the SAR — characterises the complaint as "members spoke unpleasantly about each other," a description that, on the face of the documents and in the complainant's submission, appears inconsistent with what was formally reported. No written record of any investigative conversation was created or retained. The police reference number provided by the complainant was not recorded in any internal system. The CEO did not respond to two formal written escalations. When the MP's enquiry was eventually answered — 81 days after the initial CEO correspondence — it was by a Customer Relations Coordinator, who stated that no further discussion would be entered into.

The Subject Access Request was returned one day beyond the statutory deadline with no prior notification of extension, and initially excluded emails in which the complainant participated without citing a lawful exemption. A supplementary disclosure was only provided after the complainant escalated to the Information Commissioner's Office, whose investigation remains ongoing as at the date of publication.

When a pre-publication case study documenting these matters was formally provided to Nuffield Health for right of reply, the organisation's written response did not contest a single factual assertion. It invoked a Persistent Complainants Policy and indicated the possibility of membership termination. That response is reproduced in full at Section 09 of this document.

It is not the purpose of this case study to assert that any individual acted in bad faith. Local management and the national safeguarding team did engage with the complaint, and the investigation summary within the adverse event record confirms that conversations with the relevant parties did take place. What the full documentary record does not demonstrate is a systematic, written, enforceable, and transparent safeguarding response proportionate to the nature of the concerns raised — nor an internal record that accurately reflects the substance of those concerns.

The documentary record also documents a pattern of racial harassment experienced by the complainant — a member of mixed race — at the facility between June and December 2025, formally notified to the General Manager at the in-person meeting of 8th January 2026. The General Manager confirmed in the telephone call of 14th January 2026 that these concerns had not been formally recorded and had not been raised with the individual concerned. The Subject Access Request disclosure subsequently confirmed the absence of any written record of the notification in any internal system. This case study does not assert that Nuffield Health is institutionally racist, that any member of staff holds racist views, or that any institutional failure was motivated by racial considerations. What it documents is a formally notified equality concern that was not recorded, not acted upon, and not escalated — in a complaints process that operates exclusively at local level without executive oversight or national consistency framework. The adequacy of that institutional response to a formally notified concern under the Equality Act 2010 is a matter the Equality and Human Rights Commission has been invited to assess.

Commercial gym operators occupy a position of ongoing responsibility for the safety and wellbeing of their members. Where incidents of this nature are reported, the processes applied to investigate and respond to them matter — not only for the individuals directly involved, but for the broader confidence of members, particularly female members and members from minority ethnic backgrounds, in the safety and inclusivity of shared fitness environments. The manner in which complaints are documented internally is equally important: records that do not accurately reflect the substance of what was reported cannot form the basis of a robust safeguarding or equality assessment. This case study is intended to contribute to that conversation.