Case Study

The Cozier Audit: Corporate Governance & Safeguarding Case Study

A documented public interest audit examining systemic safeguarding responses, Subject Access Request (SAR) disclosures, whistleblower retaliation policies, and UK GDPR Article 16 non-compliance within a registered UK charity

Case Reference #0167****
Period Covered January – April 2026
Organisation Nuffield Health
Status Closed by Operator (Disputed)

All names of members, staff, and the specific facility location have been anonymised in accordance with UK GDPR and to comply with applicable libel law. Details of incidents have been described at a level of generality consistent with the documentary record; specific identifying characteristics of any individual member have been withheld to mitigate jigsaw identification. This case study does not assert that any individual member engaged in criminal conduct. This case study is based solely on documented written correspondence. No events, motivations, or outcomes are speculated upon.

A draft of this case study was provided to Nuffield Health in advance of publication for the purpose of a formal right of reply. The published version incorporates Nuffield Health's written response of 24th April 2026, reproduced in full, together with amendments made to reflect legal review and the complete documentary record. Nuffield Health's right of reply is included in full at Section 09 of this document.

Throughout Sections 01–09, the individual who raised the complaint is referred to as the complainant, reflecting their formal status within Nuffield Health's internal complaint process. From Section 10 onwards, following Nuffield Health's invocation of a Persistent Complainants Policy and the threatened termination of membership in direct response to the exercise of statutory rights, the term whistleblower is also applied, reflecting the nature of the conduct reported and the organisational response to it.

Internal Case Ref #0167**** Complainant Long-standing member (anonymised) — approx. 7 years' membership Operator Nuffield Health (national fitness and wellbeing operator)
Section 01

Introduction and Purpose

This case study documents a formal safeguarding complaint raised by a long-standing member at a Nuffield Health fitness facility in early January 2026. The complaint involved two distinct categories of reported behaviour: a direct verbal threat made toward the complainant, and a remark made publicly within the gym environment about a female member which the complainant characterised in their formal written complaint as explicitly sexual and violent in its phrasing. Both incidents were attributed to the same individual, also a member of the facility.

The purpose of this case study is twofold. First, it examines the systems and processes applied by Nuffield Health — at local management level, at national safeguarding level, and at executive level — in responding to a formal complaint of this nature. Second, it contributes to a broader, ongoing public conversation around safeguarding standards and duty of care obligations in commercial gym environments across the United Kingdom. This case study is published in the public interest, on the grounds of consumer safety, the safety of women in commercial fitness environments, and the adequacy of formal complaint-handling processes operated by large national fitness operators.

Safeguarding in gym and leisure settings has received increasing scrutiny in recent years. Commercial fitness facilities present a specific set of challenges: they are high-footfall, semi-public environments with limited supervision, often with no comprehensive CCTV coverage of exercise areas, and they typically rely on a membership model that creates a recurring relationship between operator and user. These characteristics create both a duty and a practical obligation to manage member conduct and safety robustly.

This case study does not seek to assign blame to any individual. It examines the processes deployed, the timelines observed, and the outcomes communicated, against the backdrop of the complainant's formally stated position and the operator's documented responses.

Section 02

Background and Context

The complainant had been a continuous member of the Nuffield Health facility in question for approximately seven years at the time the complaint was raised. In their initial correspondence, the complainant noted that in that period they had not previously raised any complaint or dispute involving staff or fellow members, characterising their prior experience at the facility as consistently positive.

The complaint was formally submitted via Nuffield Health's web complaint portal on 2nd January 2026, and assigned the case reference #0167****. It was logged as a non-clinical complaint and directed to local facility management. The complaint described two distinct incidents involving another member of the facility.

Section 03

The Incidents Reported

3.1 Direct Verbal Threat — 2nd January 2026

At approximately 7:30 AM on 2nd January 2026, the complainant was using the stretching area of the facility when approached by the member in question. The complainant documented that the following remarks were directed at them: a statement that "we're going to have problems" if the complainant shared information about the individual, a demand that the complainant "keep my name out of your mouth," and a closing statement of: "You don't bother me, I don't bother you."

The complainant described this as a direct verbal confrontation perceived as an intimidatory threat, and noted that they responded calmly throughout in an attempt to de-escalate. They subsequently proceeded to the front desk to report the incident, but were unable to speak with available management at that time, and submitted the formal written complaint later that morning.

3.2 Remark Characterised in Formal Complaint as Sexually Violent — About a Female Member

The complainant also documented a separate, earlier incident involving the same individual. While the complainant was training in the free weights area alongside a group of fellow members, the individual in question approached the group and made a remark about a female member who was training nearby. In their formal written complaint, submitted on 2nd January 2026, the complainant characterised this remark as explicitly sexual and violent in its phrasing. The precise wording is on record in that formal complaint submission.

The complainant stated that those present at the time were deeply disturbed by the comment. The complainant noted that, while this remark was not directed at them personally, it formed part of the documented pattern of behaviour being brought to management's attention and indicated a risk to other members, in particular female members of the facility. The substance of the complainant's account was subsequently corroborated by witnesses when questioned by management.

"The suggestion that I alter my attendance times or attend alternative clubs does not address the underlying issue — the continued presence of an individual whose behaviour may place members and staff at risk."

Complainant — written correspondence, 23rd January 2026

3.3 Subsequent Conduct

Following submission of the formal complaint, the complainant documented additional conduct by the same individual during the period in which the complaint was being processed. This included sustained staring and standing in close proximity to the complainant on the gym floor on multiple occasions, and a further incident in which the individual approached very closely while the complainant was mid-exercise in a physically vulnerable position. The complainant formally documented each of these occurrences in written correspondence to management.

Section 04

Chronological Record of Complaint Handling

The following timeline is drawn directly from the documented email correspondence. It records the sequence of actions, responses, and communications across the complaint period, including the right of reply process and the subsequent escalation.

  • Fri 2 Jan 2026 09:43

    Complainant → Local Management

    Formal web complaint submitted via Nuffield Health portal. Complaint documents the direct verbal threat and the remark which the complainant characterised as sexually violent in nature. Case reference #0167**** generated and distributed to local management team.

  • Fri 2 Jan 2026 10:25

    Duty Manager → Complainant

    Acknowledgement issued by a Duty Manager. The response apologises for the complainant's experience and proposes a formal meeting with either the General Manager or Customer Experience Manager, describing the matter as one to be handled "in line with our Health and Safety guidelines."

  • Fri 2 Jan 2026 12:59

    Customer Experience Manager → Complainant

    The Customer Experience Manager responds, requesting that a meeting be deferred to the following week citing scheduling commitments. No interim safeguarding measures are communicated.

  • Sat 3 Jan 2026 09:38

    Complainant → Local Management

    Complainant submits additional written context relevant to the credibility of the reported threat and confirms willingness to meet the following week.

  • Mon 5 Jan 2026 16:38

    Complainant → Management

    Formal follow-up submitted. Complainant documents that no meeting time has been confirmed, that they have been forced to train at an alternative facility and rely on the presence of other members for personal security, and formally invokes the Occupiers' Liability Act 1957 in relation to the club's duty of care. Requests written confirmation of interim safeguarding measures and confirmation that the matter has been logged on the club's risk register.

  • Wed 7 Jan 2026 10:38

    Complainant → Management (incl. General Manager)

    Complainant formally requests that all CCTV footage from 2nd January 2026 at 7:30 AM in the stretching area be preserved for potential use in any subsequent police or corporate escalation. A meeting is requested for the following morning as a matter of urgency.

  • Wed 7 Jan 2026 10:58

    General Manager → Complainant

    General Manager responds, confirming that the Duty Manager had spoken with the individual concerned on the day of the incident and instructed him not to interact with the complainant. The General Manager discloses that CCTV does not cover any area of the gym floor, meaning no visual record of the incident exists. A meeting is confirmed for the following morning.

  • Thu 8 Jan 2026

    Complainant & General Manager

    In-person meeting takes place at the facility between the complainant and the General Manager, as scheduled. No written record of the meeting's content or outcomes has been provided in the correspondence chain.

  • Mon 12 Jan 2026 16:52

    Complainant → General Manager

    Follow-up submitted requesting an update. Complainant notes that the individual has maintained some physical distance but that they continue to feel unsafe when using the facility without fellow members present.

  • Tue 13 Jan 2026 14:52

    General Manager → Complainant

    Brief response confirming that the General Manager has spoken directly with the individual in question. A telephone call is agreed for the following afternoon at 2:00 PM.

  • Wed 14 Jan 2026 06:11

    Complainant → General Manager

    Prior to the scheduled call, the complainant submits a written statement of their position, expressing concern that the approach to date has relied on verbal assurance from the individual rather than objective safeguarding controls. The scheduled telephone call between the complainant and General Manager subsequently takes place at 2:00 PM.

  • Mon 19 Jan 2026 08:29

    Complainant → Head Office (Safeguarding & Customer Relations)

    Formal escalation submitted to Nuffield Health's national safeguarding email address and customer relations team. The escalation sets out the full pattern of behaviour, references applicable legislation, documents the absence of interim measures, and discloses that the matter has been formally recorded by the police as an intelligence report.

  • Wed 21 Jan 2026 06:02

    Complainant → General Manager

    Complainant formally notifies the General Manager that the complaint has been escalated to Nuffield Health Head Office for independent review, citing the absence of interim safeguarding measures and the continued absence of a concrete written outcome from the local process.

  • Fri 23 Jan 2026 09:59

    National Safeguarding Lead → Complainant

    National Safeguarding Lead responds. The response acknowledges the concern, states that "appropriate steps" will be taken, and suggests the complainant may wish to use the gym at alternative quieter times or visit an alternative club. It also states that in relation to the remark characterised by the complainant as sexually violent in nature, a formal complaint from the individual directly targeted would be required before the organisation could "address this with the member." The response advises that Stage 1 complaints are responded to within 20 working days.

  • Fri 23 Jan 2026 10:14

    Complainant → National Safeguarding Lead

    Complainant responds, formally challenging the framing of the Head Office response. Complainant states that: the matter is a safeguarding concern, not a personal discomfort issue; that the remark characterised as sexually violent in nature had already been corroborated by witnesses; that Nuffield Health's membership terms do not require a criminal charge or a sole complainant to justify action; and that applying a 20-working-day standard complaint response window to a safeguarding matter is inappropriate. Requests written confirmation of any immediate protective measures in place.

  • Mon 26 Jan 2026 11:37

    National Safeguarding Lead → Complainant

    Second response from National Safeguarding Lead. Confirms that the matter has been reviewed jointly with the General Manager as a safeguarding matter rather than a standard complaint. States that the member in question was spoken to, that "there is no risk" to the complainant's safety, that additional gym floor monitoring has been implemented, and that further interaction is not anticipated. Confirms that the General Manager will respond directly. No specific measures communicated in writing.

  • Mon 26 Jan 2026 11:55

    Complainant → National Safeguarding Lead

    Complainant formally challenges the National Safeguarding Lead's response. Notes that: verbal assurances do not constitute enforceable safeguards; the General Manager had confirmed to the complainant that the remark characterised as sexually violent in nature was not raised with the individual during the initial intervention; the absence of CCTV undermines any assurance of monitoring; and the burden of adjustment has been placed on the complainant rather than the source of risk. Complainant states an intention to escalate to the CEO. A Subject Access Request (SAR) is also referenced as having been submitted.

  • Mon 26 Jan 2026 16:41

    Complainant → General Manager

    Complainant documents a further incident in which the individual in question approached very closely while the complainant was mid-exercise in a physically vulnerable position. Complainant formally requests, in writing, a clear timeline for resolution, written confirmation of safeguarding measures, and an explanation of how duty of care is being met in the absence of CCTV.

  • Thu 29 Jan 2026 17:12

    General Manager → Complainant

    General Manager issues a formal written response stating that the investigation has been completed and the matter "addressed in full." The response confirms that: staff have been made aware and will maintain a visible presence; the complainant may use their multisite membership to attend alternative clubs; and no further correspondence regarding the complaint will be entered into, with future emails to be placed on file without reply. No specific or enforceable safeguarding measures are set out in writing.

  • Thu 29 Jan 2026 17:25

    Complainant → General Manager

    Complainant formally records their position that the matter is not resolved, challenges the adequacy of the investigation given the omission of the remark characterised as sexually violent in nature in the initial intervention, and states that the response to close further correspondence is not appropriate where a safeguarding concern remains active. Formally notifies the General Manager of imminent escalation to the CEO.

  • Thu 29 Jan 2026 17:44

    Complainant → CEO

    Complainant writes directly to the CEO of Nuffield Health, formally escalating the complaint following four weeks of unresolved correspondence. The email sets out the full pattern of conduct, documents the absence of written safeguarding measures, raises the inconsistency between the verbal and written accounts provided by management, and requests a governance-level response. No acknowledgement or reply is received.

  • Fri 30 Jan 2026

    Complainant → Nuffield Health Data Team

    Subject Access Request submitted under Article 15 UK GDPR, requesting all personal data held by Nuffield Health including emails, internal correspondence, complaint logs, safeguarding records, and any data associated with the complainant's membership or interactions with staff at both local club and head office level. Request acknowledged the same day.

  • Wed 4 Feb 2026 10:19

    Complainant → MP (Constituency)

    Complainant writes to their local Member of Parliament and, for visibility, a second MP representing the constituency in which the facility is located. The correspondence raises the safeguarding concerns, documents the absence of written concrete safeguards, and requests independent oversight of whether Nuffield Health's safeguarding processes are being applied appropriately. A broader concern regarding women's safety in commercial gym environments is also raised.

  • Fri 6 Feb 2026

    MP → Complainant

    The MP responds, acknowledging the concern and noting that primary jurisdiction rests with the police and Nuffield Health's senior leadership. The MP offers to chase a response from the CEO if one is not received within a reasonable timeframe.

  • Sun 2 Mar 2026 09:07

    Complainant → Nuffield Health Data Team

    Complainant formally notes that the statutory one-month SAR deadline under Article 12 UK GDPR expired on 28 February 2026 without a response being received, and without notification of any lawful extension. A response is requested within 48 hours, with an ICO complaint flagged as the next step.

  • Sun 2 Mar 2026 18:05

    Nuffield Health Data Team → Complainant

    SAR response issued — one month and one day after submission, with no prior notification of an extension. The disclosure is provided in a password-protected document. The response states that emails in which the complainant was a participant have not been included on the basis that the complainant would already hold copies. No statutory exemption is cited for this exclusion.

  • Tue 3 Mar 2026 08:52

    Complainant → CEO (follow-up)

    Having received no acknowledgement of the January CEO escalation, and having now reviewed the SAR disclosure, the complainant sends a detailed follow-up to the CEO raising five distinct governance concerns: the apparent incompleteness of the SAR; the characterisation of the incidents in the adverse event record; the safeguarding threshold determination; the absence of written records of verbal discussions; and the inconsistent application of data protection principles. A governance-level review is formally requested.

  • Mon 10 Mar 2026 18:49

    Complainant → Nuffield Health Data Team & MP

    Having received no response to the questions raised about the scope of the SAR search, the complainant formally notifies the data team that the matter has been escalated to the Information Commissioner's Office. In parallel, the complainant updates the MP, noting the incomplete SAR, the absence of the police reference number from the disclosed records, and the continued silence from the CEO.

  • Wed 11 Mar 2026

    Nuffield Health Data Team → Complainant

    A supplementary SAR disclosure is issued following the ICO escalation, this time including email correspondence. The data team confirms that no written or recorded notes of any verbal conversations exist — all such discussions were conducted verbally without documentation. It is also confirmed that the police reference number provided by the complainant was not recorded in any internal system, with the only record being within email correspondence.

  • Wed 11 Mar 2026

    MP → Complainant

    The MP responds to the complainant's update, noting that the ICO is now the appropriate body to assess SAR compliance. The MP offers to contact the CEO directly on the complainant's behalf once the complainant is ready to pursue that route.

  • Mon 17 Mar 2026

    Complainant → MP

    Complainant formally requests that the MP contact the CEO on their behalf, given that the CEO escalation of 29th January remains unacknowledged after over six weeks. A copy of the CEO correspondence is provided to the MP for context.

  • Wed 19 Mar 2026

    MP → Complainant / MP → CEO

    The MP confirms that contact has been made with the CEO on the complainant's behalf and that a response will be forwarded upon receipt.

  • Wed 16 Apr 2026

    Complainant → MP (follow-up)

    Approximately one month after the MP's contact with the CEO, the complainant follows up to enquire whether a response has been received. No direct communication from Nuffield Health has been received by the complainant.

  • Thu 17 Apr 2026

    MP's Office → Complainant

    The MP's office confirms that no reply has been received from Nuffield Health and that a further chase has been sent. The office notes that it cannot compel a private organisation to respond.

  • Sun 20 Apr 2026

    Nuffield Health → MP

    A response is issued to the MP by a Senior Customer Relations Coordinator — not the CEO. The response states that the matter has been reviewed by the safeguarding team, that no safeguarding concerns have been identified (a conclusion contested by the complainant on the grounds set out in Sections 03–07 of this case study), that this outcome has been communicated to the member, and that Nuffield Health will not be engaging in any further discussion on the matter. No further substantive detail is provided.

  • Tue 21 Apr 2026

    Complainant → Nuffield Health CEO

    A draft case study documenting the full complaint history is formally provided to Nuffield Health's Chief Executive Officer in advance of publication, with a genuine and formal invitation to submit a response, correction, or contextual statement for inclusion. A 14-day right of reply window is extended. The document is provided for the purpose of responsible pre-publication review and not shared with any third party during this period.

  • Thu 24 Apr 2026

    Nuffield Health Customer Relations → Complainant

    Nuffield Health issues its written response to the right of reply document. Rather than engaging with or contesting any specific factual assertion in the case study, the response invokes the organisation's Persistent Complainants Policy and explicitly indicates the possibility of membership termination. The response does not address the outstanding Article 16 UK GDPR rectification request, does not provide a copy of the Persistent Complainants Policy despite invoking it, and does not contest the characterisation of the complaint in adverse event record ADV-89039. The full text of this response is reproduced at Section 09 of this case study.

  • Sat 25 Apr 2026

    Whistleblower → Nuffield Health / ICO / Charity Commission / MPs

    Final notice issued to Nuffield Health Customer Relations, copied to the Data Protection Team and the Office of the Chief Executive. The notice formally places on record the inconsistencies in Nuffield Health's response, reiterates the outstanding Article 16 rectification request, and advises that the following external steps have been taken: the ICO complaint has been updated; a formal report has been submitted to the Charity Commission; and the published case study — including Nuffield Health's response of 24th April 2026 reproduced in full — has been provided to three Members of Parliament for their awareness.

  • Sat 25 Apr 2026

    Publication

    This case study is published at thecozieraudit.co.uk in the public interest, based solely on documented written correspondence and statutory disclosures. Nuffield Health's written response of 24th April 2026 is reproduced in full. All individual names and the specific facility location remain anonymised. The ICO referral and Charity Commission report remain active. The Article 16 rectification request remains outstanding. Status: Unresolved.

Section 05

Escalation to the CEO

Following the General Manager's formal closure of the complaint on 29th January 2026, and having received no satisfactory written safeguarding outcome from either local management or the national safeguarding team, the complainant wrote directly to the CEO of Nuffield Health the same evening.

The initial CEO escalation, submitted on 29th January 2026, set out the full history of the complaint and identified five specific concerns: the absence of any written, enforceable safeguarding measures; the continued unrestricted access of the individual involved; the inconsistency between what had been discussed verbally and what had been documented formally; the incompatibility between the outcome reached and Nuffield Health's own membership terms; and the attempt by local management to close down further correspondence while the safeguarding concern remained, in the complainant's view, unresolved.

No acknowledgement or reply was received from the CEO following the January escalation.

On 3rd March 2026, having received and reviewed the Subject Access Request disclosure, the complainant sent a second and more detailed email to the CEO. This correspondence raised five further governance-level concerns arising directly from the disclosed documentation, which are addressed in Section 06 of this case study. A governance-level review was formally requested, independent of the local branch management team. This correspondence also remained unanswered.

The CEO did not respond directly to either piece of correspondence, nor to the subsequent contact made on the complainant's behalf by the MP. When a response was eventually provided to the MP on 20th April 2026 — some 81 days after the initial CEO escalation — it was issued by a Senior Customer Relations Coordinator rather than by the CEO or a member of the executive team. That response stated that the matter had been reviewed by the safeguarding team, that no safeguarding concerns had been identified, and that no further discussion would be entered into.

Section 06

Subject Access Request and ICO Referral

On 30th January 2026, the complainant submitted a formal Subject Access Request (SAR) to Nuffield Health under Article 15 of the UK GDPR. The request sought all personal data held by the organisation relating to the complainant, including emails, internal correspondence, complaint logs, safeguarding records, and any data associated with the complainant's membership or interactions with staff at both local club and head office level.

Timeliness of the SAR Response

The statutory deadline for a SAR response under Article 12 UK GDPR is one calendar month from the date of receipt. The complainant's request was acknowledged on 30th January 2026; the statutory deadline therefore fell on 28th February 2026. No response was received by that date, and no notification of a lawful extension — as required under Article 12(3) — was issued. The complainant formally raised this lapse on 2nd March 2026. A disclosure was provided later that day, one day beyond the statutory deadline, without any explanation for the delay or reference to an extension having been applied.

Completeness of the Initial Disclosure

The initial SAR response explicitly excluded all emails in which the complainant was a participant, on the stated basis that the complainant would already hold copies of those communications. No statutory exemption was cited for this exclusion. The complainant formally challenged this position, noting that their request encompassed all personal data processed by the organisation — including internal correspondence referencing them — regardless of whether they had been copied into those communications at the time.

Following the complainant's escalation to the Information Commissioner's Office on 10th March 2026, a supplementary disclosure was issued on 11th March 2026 which included email correspondence. This supplementary disclosure confirmed that no written or recorded notes of any verbal conversations during the investigation process exist — all such discussions had been conducted verbally without documentation. It was further confirmed that the police reference number provided by the complainant to management had not been recorded in any internal system, including the incident log, safeguarding records, or the gym membership management system. The only record of this information was within email correspondence.

The Adverse Event Record: ADV-89039

The SAR disclosure included the internal adverse event record created in relation to this complaint, designated ADV-89039 and dated 9th January 2026 with an event date of 5th January 2026. Several aspects of this document are of note.

The brief summary of the event records that "members spoke unpleasantly about each other" — a phrase quoted verbatim from internal adverse event record ADV-89039, as disclosed pursuant to the Subject Access Request of 30th January 2026. On the face of the two documents, and in the complainant's submission, this characterisation appears materially inconsistent with the substance of the complaint as formally submitted, which documented a direct verbal threat and a remark characterised by the complainant as explicitly sexual and violent in its phrasing — two distinct incidents of differing character and severity. The complainant formally challenged this characterisation as inconsistent with the requirements of Article 5(1)(d) UK GDPR, which requires that personal data be accurate.

The adverse event form records the presence of witnesses as "NO." This is consistent with the facts in relation to the direct verbal threat on 2nd January 2026, which occurred without witnesses present. However, the investigation summary contained within the same document references the General Manager having spoken to two members identified by the complainant as witnesses to the remark characterised as sexually violent in nature. The form therefore appears to record witness status for the complaint as a whole rather than distinguishing between the two separate incidents. The complainant had formally notified management that the two incidents involved different evidence bases.

The adverse event form records the safeguarding field as "NO" — meaning the matter was assessed as not constituting a potential safeguarding concern. It records the degree of harm as "0 — No harm — prevented (near miss)." The investigation conclusion records "No Further Action Required." The complainant formally requested clarification of the safeguarding criteria applied, whether a formal risk assessment was conducted, and what monitoring or preventative measures, if any, were put in place. No substantive response to these questions was received.

The investigation summary within the adverse event record also confirms that the General Manager spoke to one of the witnesses identified by the complainant regarding the remark characterised as sexually violent in nature, and that this individual indicated the comment was said by the reported member. This detail had not been disclosed to the complainant during the investigation period and was only made known through the SAR disclosure.

Absence of Written Investigation Records

The supplementary SAR disclosure confirmed that there are no written or recorded notes of any verbal conversations relating to the complaint or the investigation. All substantive discussions — including conversations between management and the individual at the centre of the complaint, and conversations with witnesses — were conducted verbally and not documented. This is consistent with the complainant's repeated written requests, throughout the complaint period, for all communications to be conducted in writing, which were not consistently observed.

ICO Referral

On 10th March 2026, having received no response to the questions raised about the scope and completeness of the SAR, the complainant formally referred the matter to the Information Commissioner's Office. As at the date of publication, that referral remains under investigation by the ICO.

Section 07

Key Observations on Systems and Processes

The following observations are drawn directly from the documented correspondence. They relate to systems, processes, and procedural decisions rather than to the conduct of any individual member of staff.

  • Absence of Interim Safeguarding Measures

    At no point in the documented correspondence was the complainant informed of any concrete, enforceable interim safeguarding measures put in place while the complaint was under investigation. Verbal assurances and staff awareness were referenced, but no written controls — such as a formal instruction for physical separation, adjusted access, or temporary suspension pending investigation — were communicated.

  • No CCTV Coverage of the Gym Floor

    The General Manager confirmed in writing that CCTV does not cover any area of the gym floor at the facility in question. This means there is no independent visual record of the incidents reported. This is a significant limitation in any operator's ability to investigate, verify, or deter misconduct in the main exercise environment, and has implications for how assurances of safety can be substantiated.

  • Remark Characterised as Sexually Violent Not Raised in Initial Intervention

    It was confirmed to the complainant by the General Manager that the remark characterised by the complainant as sexually violent in nature — made about a female member — was not raised with the individual in question when he was initially spoken to by management. This omission meant that the most serious element of the reported conduct was not addressed in the first substantive intervention, a fact the complainant identified as materially undermining the adequacy of the investigation.

  • Standard Complaint Process Applied to a Safeguarding Concern

    The National Safeguarding Lead's initial response advised that Stage 1 complaints are responded to within 20 working days. The complainant formally challenged the appropriateness of applying a standard service complaint timeline to a matter involving witness-corroborated accounts of language characterised as sexually violent in nature, and a credible physical threat, where the individual remained on the gym floor throughout.

  • Mitigation Directed Solely at the Complainant

    The mitigations proposed by both local management and the National Safeguarding Lead consistently directed the complainant to modify their own behaviour: to attend at alternative times, to use alternative facilities, or to rely on the visible presence of staff or personal contacts. Neither the local nor national response documented any measure that addressed the source of the reported risk.

  • Communication Conducted Primarily by Telephone

    A number of substantive discussions and interventions in this case took place by telephone or in person, without a corresponding written record being provided to the complainant. The complainant formally and repeatedly requested that all communications be conducted in writing to ensure an accurate audit trail. The documented correspondence confirms this request was not consistently observed.

  • Complaint Formally Closed Without Written Safeguarding Outcome

    On 29th January 2026, the General Manager issued a written response declaring the matter "addressed in full" and stating that no further correspondence would be entered into. This closure took place without any specific, enforceable safeguarding measure having been set out in writing, and while the complainant had formally and repeatedly stated that they did not feel safe. The complainant did not accept this as a resolution.

  • CEO Did Not Respond Directly

    The complainant wrote to the CEO on 29th January 2026 and again on 3rd March 2026. Neither received an acknowledgement. When a response was eventually provided to the MP's enquiry on 20th April 2026 — 81 days after the initial escalation — it was issued by a Senior Customer Relations Coordinator, not the CEO. The response stated that no further engagement would be entered into.

  • Subject Access Request Returned Late and Initially Incomplete

    The SAR submitted on 30th January 2026 was not responded to within the statutory one-month deadline, and no notification of a lawful extension was issued. The initial disclosure excluded all emails in which the complainant was a participant without citing a statutory exemption. A supplementary disclosure was only provided after escalation to the ICO. As at the date of publication, that referral remained under investigation.

  • Adverse Event Record Appears Inconsistent with the Complaint as Submitted

    The internal adverse event record disclosed via the SAR — ADV-89039 — characterises the complaint as "members spoke unpleasantly about each other." On the face of the two documents, and in the complainant's submission, this characterisation appears inconsistent with the formally submitted allegations of a direct verbal threat and a remark characterised by the complainant as sexually violent in nature. The same record notes no witnesses and no safeguarding concern, while the investigation summary within the same document references witness corroboration. No written record of any verbal discussions during the investigation was found to exist.

Section 08

Wider Safeguarding Context: Commercial Gym Environments

This case does not exist in isolation. Safeguarding in commercial leisure and fitness environments has become an area of increasing public concern in the United Kingdom. Unlike regulated settings such as schools, hospitals, or local authority leisure centres, private commercial gyms operate without a mandatory statutory safeguarding framework specifically tailored to their environment. Their obligations derive from a combination of common law duty of care, the Occupiers' Liability Act 1957, the Equality Act 2010, the Protection from Harassment Act 1997, and their own contractual membership terms.

A number of features specific to commercial gym environments create particular safeguarding challenges. These include the high volume and regular recurrence of members sharing the same space; the semi-public, unsupervised nature of the exercise floor; the limited or, as documented in this case, absent CCTV coverage of exercise areas; the reliance on verbal interaction to manage member conduct; and the fact that membership creates an ongoing relationship which makes exclusion decisions more complex than in one-off public settings.

The incidents described in this complaint — specifically the remark characterised by the complainant as sexually violent in nature, made about a female member in a shared exercise environment — raise questions about the effectiveness of the mechanisms available to operators for identifying, investigating, and responding to predatory or threatening conduct among their membership. Where CCTV is absent, where no written record of informal interventions is created, and where the investigative process relies substantially on conversations with the individual accused, the capacity for independent verification is significantly limited.

The complainant's experience also raises a question of consistency between published membership terms and their application in practice. Nuffield Health's membership terms include provisions permitting action — including termination of membership — where a member uses threatening, offensive, or sexually inappropriate language or conduct, or where their behaviour may place other members at risk. The complainant formally raised this inconsistency in correspondence, and it was not substantively addressed in any written response received.

Summary of Systemic Issues Identified

  • No interim safeguarding controls communicated in writing at any point during the complaint period
  • Absence of CCTV coverage on the gym floor, limiting independent verification of all reported incidents
  • The remark characterised by the complainant as sexually violent in nature — the most serious element of the complaint — was not raised in the initial management intervention
  • A standard 20-working-day complaint response window applied to an active safeguarding concern
  • Mitigation consistently directed at the reporting party rather than the source of risk
  • Substantive investigative discussions conducted verbally with no written records created or retained
  • Complaint formally closed without any written, enforceable safeguarding outcome
  • CEO did not respond directly to two formal written escalations spanning over 11 weeks
  • MP's enquiry to the CEO answered by a Customer Relations Coordinator rather than the CEO or executive team
  • Subject Access Request returned one day late with no notification of extension, and initially incomplete
  • Internal adverse event record ADV-89039 (disclosed via SAR) characterises the complaint as "members spoke unpleasantly about each other" — on the face of the documents, inconsistent with the formally submitted allegations
  • Police reference number provided by complainant not recorded in any internal system
  • ICO complaint submitted and under investigation as at the date of publication
  • Persistent Complainants Policy invoked against a member in direct response to the exercise of statutory rights, engagement with elected representatives, and submission of a pre-publication document for right of reply
  • Membership termination threatened in the same written communication as the right of reply response
Section 09

Right of Reply

Nuffield Health — Final Position

Refusal to Rectify & Retaliatory Policy Notice

On 24th April 2026, Nuffield Health's Customer Relations department provided their written response to the right of reply document served on the Chief Executive Officer. Rather than engaging with or contesting any specific factual assertion in the case study, or addressing the outstanding Article 16 UK GDPR rectification request regarding adverse event record ADV-89039, Nuffield Health elected to invoke its Persistent Complainants Policy and indicate the possibility of membership termination.

The response is reproduced in full below, without editorial alteration.

Written response received from Nuffield Health on 24th April 2026:

"Dear Mr Cozier,

Further to our responses to your complaint and your subsequent responses to various Nuffield Health staff members over a number of weeks, we are writing to you with a further update.

Following a thorough review of your complaint it has been established that you have exhausted the Nuffield Health Complaints Procedure and appropriate responses have been provided to all of your concerns. Despite this, it is clear that you remain dissatisfied and after careful consideration we must inform you that we now feel that it is necessary to invoke our Persistent Complainants Policy.

You initially made a complaint about being threatened by a fellow member on 2nd January 2026 at Nuffield Health, Kingston. This complaint was escalated to the General Manager who investigated the allegation. After speaking to all parties, the investigation was concluded with no further action to be taken.

You then raised your complaint as a safeguarding complaint to the National Safeguarding Lead. Again, this complaint was investigated by the National Safeguarding Lead, with input from the General Manager and again no further action was required.

After this you raised a Subject Access Request, which was handled by our Data Protection Team. The Data Protection Team responded with all records held on file for yourself as requested.

We subsequently received a request from your MP to advise that you had raised a safeguarding concern and responded to confirm that this had been addressed by Nuffield Health in full.

Please note that, as explained previously, unfortunately, we cannot assist you further and we will not be carrying out any further investigation of your complaint.

There is an expectation that all of our customers will behave in a reasonable and appropriate manner at all times. The policy sets out further steps which will be taken if you do not adhere to the standards which we would expect. These include, but are not limited to:

  • Restricting contact with Nuffield Health staff members – this may include confirming a single point of contact and restricting your contact to one method of communication.
  • Terminating your relationship with Nuffield Health.

We would like to reassure you that your complaint has been taken very seriously, and all efforts have been made to ensure a satisfactory resolution for you. This does, therefore, mean that any communication regarding this matter with any member of Nuffield Health staff will be placed on file, however, we will not be able to provide a response.

We are hopeful that you understand the reason why we have taken these steps, and hope that you are able to respect our decision.

Kind regards,
Customer Relations
Nuffield Health"

Section 10

Final Notice & Escalation

The Cozier Audit — Closure of Internal Resolution

In response to Nuffield Health's written response of 24th April 2026 — which invoked the organisation's Persistent Complainants Policy and indicated the possibility of membership termination, without engaging with or contesting any specific factual assertion in the case study provided — the internal resolution period was formally closed. The following final notice was issued to Nuffield Health's Customer Relations team on 25th April 2026, copied to the Data Protection Team and the Office of the Chief Executive.

Final notice issued to Nuffield Health on 25th April 2026:

Dear Customer Relations,
CC: Data Protection Team; Office of the Chief Executive

Thank you for your written response dated 24th April 2026.

I am writing to formally acknowledge receipt of that response, to place several material points on the record, and to advise you of the external steps that have been taken as a consequence of its contents. I note that Nuffield Health has chosen to invoke its Persistent Complainants Policy in response to correspondence that included, in full:

— A formal safeguarding complaint submitted via your own web portal
— A statutory Subject Access Request submitted under Article 15 UK GDPR
— Correspondence with elected Members of Parliament, which is a constitutional right of every citizen
— A pre-publication case study provided to Nuffield Health in advance of publication, with a genuine and formal invitation to respond

I would respectfully observe that none of the above constitutes unreasonable or vexatious conduct. Each step was taken sequentially, proportionately, and only after the preceding avenue had been exhausted without a satisfactory written outcome. A Persistent Complainants Policy is a legitimate instrument for managing genuinely abusive or unreasonable contact. It does not, however, supersede a member's statutory rights under UK GDPR, nor does it constitute a lawful basis for characterising the exercise of those rights as conduct warranting punitive action.

I also note that a copy of this policy has not been provided despite it being invoked against me. I would ask that a copy be provided in writing.

Your letter states that the Subject Access Request was responded to with all records held on file. I must place on the record that this is inconsistent with what occurred. The initial SAR disclosure was materially incomplete and required a supplementary disclosure to be issued — one that was only provided following my escalation to the Information Commissioner's Office on 10th March 2026. This sequence is fully documented.

The SAR disclosure further confirmed that the internal adverse event record ADV-89039 characterises my formal complaint — which documented a direct verbal threat and a remark I formally described as sexually violent in nature — as 'members spoke unpleasantly about each other.' I have formally challenged this characterisation as inconsistent with the requirements of Article 5(1)(d) UK GDPR, which requires that personal data be accurate. That challenge has not been substantively addressed in any written response received, including your letter of 24th April 2026.

Article 16 UK GDPR confers on me the right to request rectification of inaccurate personal data without undue delay. The invocation of a Persistent Complainants Policy does not extinguish that statutory right. I am formally requesting, again and for the record, that the characterisation of my complaint in ADV-89039 be corrected to accurately reflect what was formally submitted.

Your letter states that all efforts have been made to ensure a satisfactory resolution. I note for the record that the sole written safety measure communicated at any point — an increased staff presence on the gym floor — was not in evidence during the specific training hours in question, as I formally notified management in writing at the time. I further note that, as local management confirmed in writing, there is no CCTV coverage of any area of the gym floor, meaning any assurance of increased monitoring is, by definition, unverifiable. Neither of these points has been addressed in any written response.

I wish to be unambiguous on this point. I value Nuffield Health's facilities, I have been a continuous member for approximately seven years, and I have no desire to end that relationship. I am raising these concerns precisely because I believe Nuffield Health is capable of better, and because the safety of members — including female members training in an environment with no CCTV coverage of the gym floor — is a matter that deserves to be taken seriously.

I remain a member. I intend to continue using the facilities. I am asking only that my internal records be accurate and that the processes applied to safeguarding concerns reflect the seriousness with which they are submitted.

Given that your response did not engage with the substance of the case study provided, did not contest or seek to correct any specific factual assertion within it, and instead invoked a policy instrument and indicated the possibility of membership termination, I must advise you that the following steps have been taken today.

Publication: The case study — including your response of 24th April 2026, reproduced in full — is now published at: https://www.thecozieraudit.co.uk. It is published in the public interest and based solely on documented written correspondence.

ICO: My existing complaint with the Information Commissioner's Office has been updated with your letter of 24th April 2026, specifically in relation to the Article 16 rectification request and the characterisation of statutory data rights as grounds for punitive action.

Charity Commission: A formal report has been submitted to the Charity Commission noting the invocation of a policy instrument against a member in direct response to a formally submitted safeguarding concern, and the threatened termination of membership in the same correspondence.

Parliamentary: The Members of Parliament for Kingston upon Thames, the constituency in which Nuffield Health's head office is located, and my own constituency have each been provided with the published case study and your response of 24th April 2026 for their awareness.

I note your statement that future communications regarding this matter will be placed on file without response. I respect that position and I am not writing to invite further correspondence from the Customer Relations team.

However, should Nuffield Health wish to engage substantively on the outstanding Article 16 rectification request, or on any matter arising from the ICO or Charity Commission referrals, I would ask that such correspondence be directed by Nuffield Health's Legal or Corporate Governance team rather than Customer Relations. All such correspondence will be forwarded to the relevant case officers at the ICO and the Charity Commission as a matter of course.

I hope that this letter conveys what I intend it to. I am not acting in bad faith, I am not seeking to cause unnecessary damage to Nuffield Health, and I remain genuinely open to a straightforward resolution: an accurate internal record and an acknowledgement that the local process fell short of what a member raising a safeguarding concern deserved.

Yours faithfully,

Luke Rudderham-Cozier
25th April 2026
https://www.thecozieraudit.co.uk

Section 11

External Regulatory Summary

Following the formal closure of internal communications with Nuffield Health on 25th April 2026, the following external steps were taken to ensure the documented concerns are subject to appropriate independent oversight. Each action was taken proportionately and in direct response to the contents of Nuffield Health's written response of 24th April 2026.

  • Information Commissioner's Office (ICO): The existing complaint was formally updated to include Nuffield Health's written response of 24th April 2026. The update specifically records the outstanding Article 16 rectification request — the right to correction of inaccurate personal data under UK GDPR — in relation to the characterisation of the complainant's formal safeguarding complaint in internal adverse event record ADV-89039. The update further notes that the exercise of statutory data rights was cited as part of the basis for invoking the organisation's Persistent Complainants Policy. The ICO referral remains active as at the date of publication.
  • The Charity Commission: A formal report was submitted to the Charity Commission in relation to the invocation of an administrative policy instrument against a member in direct response to a formally submitted safeguarding concern, and the explicit threatened termination of that member's relationship with the organisation in the same written communication. As a registered charity, Nuffield Health is subject to the Charity Commission's oversight in matters of governance and operations consistent with its charitable objects, which include the advancement of health and wellbeing.
  • Parliamentary Notification: The published case study — including Nuffield Health's written response of 24th April 2026, reproduced in full — was provided to the Members of Parliament for Kingston upon Thames, the constituency in which Nuffield Health's head office is located, and the complainant's own constituency. Each was notified for their awareness in their capacity as elected representatives.
  • Public Audit Publication: This case study was published at thecozieraudit.co.uk in the public interest, as a transparent and fully documented account of the complaint-handling process and its outcomes, based solely on written correspondence and statutory disclosures. It is published responsibly: all individual names and the specific facility location have been anonymised, a genuine right of reply was offered to and responded to by Nuffield Health prior to publication, and no events, motivations, or outcomes have been speculated upon beyond the written record.
Section 12

Requirements for Formal Resolution

The following sets out, transparently and in good faith, what a genuine resolution of this matter would look like. Each requirement is grounded in a statutory obligation, a contractual commitment made by Nuffield Health to its members, or what any member raising a serious safeguarding concern in good faith would reasonably expect. None of these requirements is extraordinary. All remain outstanding as at the date of publication.

1. Statutory Data Rectification

Correction of internal adverse event record ADV-89039 to accurately reflect the substance of the formal complaint as submitted on 2nd January 2026 — which documented a direct verbal threat and a remark formally characterised by the complainant as sexually violent in nature. This is a formal and outstanding request under Article 16 UK GDPR, which confers the right to rectification of inaccurate personal data without undue delay. The request has been formally submitted on multiple occasions and has not been substantively addressed in any written response received.

2. Acknowledgement of Process Failure

A written acknowledgement from an appropriate level of Nuffield Health's leadership — whether Corporate Governance, the Executive Team, or the national Safeguarding function — that the local complaint-handling process fell short of what a member raising a formal safeguarding concern deserved. This does not require an admission of legal liability. It requires only an honest recognition that the process, as documented, did not meet the standard a seven-year member acting in good faith had a right to expect.

3. Withdrawal of the Persistent Complainants Policy Invocation

Written confirmation that the invocation of the Persistent Complainants Policy in response to the complainant's letter of 24th April 2026 has been reviewed and withdrawn in this case, and that any associated markers or records arising from that invocation have been removed from the complainant's membership file. The complainant's correspondence prior to that date comprised a formal safeguarding complaint, a statutory Subject Access Request, engagement with elected Members of Parliament, and a formally served pre-publication document — none of which constitutes the kind of conduct a Persistent Complainants Policy is a legitimate instrument to address.

4. Documented Safeguarding Review

Written confirmation that the absence of CCTV coverage on the gym floor — formally acknowledged by local management in correspondence — has been considered as part of an internal review of how safeguarding concerns at this facility are investigated, verified, and recorded. The complainant is not prescribing the outcome of such a review. The concern is that, without CCTV coverage and without written records of investigative conversations, the capacity for independent verification of any reported incident is materially limited — and that this limitation has implications for the safety of all members, including female members, using the facility.

Current Status: UNRESOLVED

Should Nuffield Health engage substantively with any of the above, the complainant remains genuinely open to that conversation. Any meaningful engagement will be reflected in this audit as it occurs. The complainant is not seeking compensation, publicity for its own sake, or the permanent reputational damage of an organisation whose facilities and wider membership community he continues to value. He is seeking an accurate record, an honest acknowledgement, and reasonable assurance that the processes applied to safeguarding concerns at this facility are fit for purpose.

Last Audit Update: 25th April 2026 | Status: Escalated to Regulators — ICO referral and Charity Commission report active

Section 13

Conclusion

This case study documents a formal safeguarding complaint raised in good faith by a long-standing member of a national fitness operator, and the full sequence of escalations that followed over a period of nearly four months. The complaint involved two distinct incidents of a serious nature: a direct verbal threat made in the gym environment, and a remark made publicly about a female member which the complainant characterised in formal correspondence as explicitly sexual and violent in its phrasing. The complainant engaged consistently, constructively, and transparently throughout — escalating formally and proportionately at each stage when the responses received were considered inadequate.

The documentary record, now supplemented by the Subject Access Request disclosure and Nuffield Health's written response of 24th April 2026, indicates a series of procedural inconsistencies that, taken together, meant the complainant did not receive a written, concrete, or independently verifiable safeguarding outcome despite sustained engagement over an extended period. The internal adverse event record ADV-89039 — disclosed via the SAR — characterises the complaint as "members spoke unpleasantly about each other," a description that, on the face of the documents and in the complainant's submission, appears inconsistent with what was formally reported. No written record of any investigative conversation was created or retained. The police reference number provided by the complainant was not recorded in any internal system. The CEO did not respond to two formal written escalations. When the MP's enquiry was eventually answered — 81 days after the initial CEO correspondence — it was by a Customer Relations Coordinator, who stated that no further discussion would be entered into.

The Subject Access Request was returned one day beyond the statutory deadline with no prior notification of extension, and initially excluded emails in which the complainant participated without citing a lawful exemption. A supplementary disclosure was only provided after the complainant escalated to the Information Commissioner's Office, whose investigation remains ongoing as at the date of publication.

When a pre-publication case study documenting these matters was formally provided to Nuffield Health for right of reply, the organisation's written response did not contest a single factual assertion. It invoked a Persistent Complainants Policy and indicated the possibility of membership termination. That response is reproduced in full at Section 09 of this document.

It is not the purpose of this case study to assert that any individual acted in bad faith. Local management and the national safeguarding team did engage with the complaint, and the investigation summary within the adverse event record confirms that conversations with the relevant parties did take place. What the full documentary record does not demonstrate is a systematic, written, enforceable, and transparent safeguarding response proportionate to the nature of the concerns raised — nor an internal record that accurately reflects the substance of those concerns.

Commercial gym operators occupy a position of ongoing responsibility for the safety and wellbeing of their members. Where incidents of this nature are reported, the processes applied to investigate and respond to them matter — not only for the individuals directly involved, but for the broader confidence of members, particularly female members, in the safety of shared fitness environments. The manner in which complaints are documented internally is equally important: records that do not accurately reflect the substance of what was reported cannot form the basis of a robust safeguarding assessment. This case study is intended to contribute to that conversation.