Data Privacy Policy

Privacy policy updated 04/06/2019


The purpose of this document is to explain to our patients and staff the lawful purpose of storing your personal data, and how we keep your information safe and secure.

The General Data Protection Regulation (GDPR), is EU wide legislation, and is currently being enacted into UK law and will become the 2018 Data Protection Act.  This legislation will affect every business that handles personal data for customers or staff. Personal data has been defined by the act as ‘any information relating to an identifiable person who can be directly or indirectly identified’, this will include such data as name and contact details.

The changes don’t alter what we use your personal information for but make it easier for you to

  1. find out how we use and protect your information, and
  2. understand your increased rights in relation to the information we hold about you.

We will only use your data for the purpose it was collected, which is explained in this privacy policy.

Our Privacy notice makes reference to a number of third-party systems that assist us in the management and security of your data. The privacy policies relating to these third party suppliers (data processors) may be viewed in more detail here.  All third party systems that we used are GDPR compliant and are not authorised by us to share your data.


Data We Collect

We collect personal data when you initially book and attend appointments.  Limited personal data is collected when you make your first booking, such as name and mobile telephone number.   This data allows us to send you text confirmations and reminders for all your appointments. When you attend your first appointment, more personal data is collected on a paper registration form.  Your signature is required on this form as evidence of you consenting to examination and treatment and agreement with our privacy policy.  Your completed and signed form is scanned and held electronically on our practice management system.

Sensitive information relating to your health, relevant medical history, and lifestyle is in part collected on the registration form in the clinical notes our practitioners make during your appointments.  Clinical notes collected by our practitioners are based on the information you have provided during your appointments and held on our practice management system. Clinical notes made during your appointments can only be accessed by the practitioners at our clinic.  Our support staff (receptionists) can access your contact information but they cannot access your clinical notes.

The Practice management system is also used to generate invoices and receipts.  Therefore details of your fee accounts are stored electronically.  Your contact details and appointment history is shared with health insurance companies that may be funding your treatment.

Occasionally, medical records from other sources will be requested by your practitioner, with your signed consent.  Any medical reports you have passed to us will be scanned and held on our practice management system.

You can view a sample registration form here


How We Use Your Data

We use your personal data in the following ways

  • To accurately index your contact data, clinical notes, and fee account.  The ability to quickly access the correct information for you is essential for continuity of care and for ensuring your fee account is accurate.
  • To make clinical decisions about your diagnosis and treatment plans.
  • To communicate with you about your appointments and treatment.
  • To send exercise prescriptions to you.
  • To comply with your various data requests for clinic notes, clinical reports, receipts, and so on.
  • To generate invoices for any third parties that may be funding your treatment – such as health insurance providers.
  • To send you communications relating to matters that affect the services we provide, such as changes to opening times during holidays, updates to booking procedures, or updates to our terms of business and policies.
  • To send you communications relating to our services, special offers, and useful content. These communications will allow you to manage opt-in and opt-out preferences.

We conduct privacy impact assessments periodically to review and refine our data collection process.  This will ensure that we are only collecting information relevant to the service we provide.


Website & Social Media Policy

Our website does not currently utilise cookies or lead generation pages.


Data Retention Policy

Our retention policy for clinical notes is determined by 4 factors

  • The statute of limitation on bringing litigation cases to court
  • The requirements for record keeping, set by our Medical Malpractice Insurer
  • The professional standards set out by the General Osteopathy Council who are our statutory regulators.
  • Record keeping requirements set out by HMRC for taxation purposes.

The retention of your records is also a valuable resource for you, especially if you return to the clinic after a long period.

As a result of the above considerations, your records (personal data and clinical notes) shall be kept for at least 7 years following the last occasion on which treatment was given.  In the case of treatment to minors, records will be kept for at least 7 years after they reach the age of majority (age 18).


How We Share Data

Access to your data within the clinic is restricted depending on the role of the employee/practitioner in the clinic. In this way, only practitioners have access to your clinical notes. Your contact information and fee accounts are accessible by all staff and practitioners at the clinic.

Best Reception, is a virtual reception service that we retain to answer calls and book appointments on our behalf.  They have access to your contact information and our diary for the sole purpose of booking and rescheduling appointments over the phone.  At our request, they may call you to make appointment changes.

With your signed consent, we may write to other health professional requesting them to share medical reports relevant to the treatment you receive at this clinic.

With your consent, we may write referral letters to your GP or other health care professionals whenever this is appropriate to your case.


Health Insurance and Cash Plan providers

From time to time, health insurance and cash plan providers call to verify your claims for fee reimbursement.  As long as they can correctly identify you (name, date of birth and postcode) we will share information about the dates of your appointments.  Any requested reports or clinic notes will only be given with your written consent.


Data access request

You may make a request to see a copy of the information we hold in our data systems. This is known as a subject access request.  These copies are provided free of charge and take up to 30 days to process from the date of receiving your signed request form. Call the clinic on 020 8991 5280 to have a data access request form emailed or posted to you.  You may also walk into the clinic and request one.

Clinic notes are usually written in short form, which would be decipherable by any practitioner of the same discipline or similarly qualified health professional. If you require the notes to be transcribed into long form (ie without abbreviation and jargon) then there will be a charge for the practitioner’s time taken to prepare any transcripts or reports.  You will be notified of the charges at the time of making the request.

The requested information will be sent to you by email as a password protected PDF document.  There is no charge for information sent by email. When you make a request you will be asked to confirm that you want your information sent to the email address that we currently hold.  If a paper copy is requested, it can be collected by hand, or sent by post via the “signed for” Royal Mail service.  There will be a charge to cover the cost of postage.

Third party requests for your clinic notes or reports must be accompanied by your original signed authorisation form.  This form will usually be provided by the third party or you can request a form by calling the clinic on 020 8991 5280.



Staff competency and training

All staff are required to demonstrate the skills required to accurately and securely collect and process data. We review data collection procedures and staff training is provided where necessary. A copy of our Staff Data Security Declaration is available to view here.  All staff are required to comply with the declaration.

All staff have access to the practice management system with security group settings appropriate for their roles.  All staff have their own login credentials.  They are instructed how to set strong passwords and are required to change them periodically.  The user accounts of staff who no longer work here are immediately deactivated.

Devices connected to the Internet

All devices used in the clinic are firewalled, have up to date operating systems and are virus protected. Staff who have the privilege of remote access connection must give the same considerations as they do to onsite connections. Access to PracticePal is set up to disconnect automatically after 30 minutes of inactivity.



We have two cameras in the clinic, both of which are in the retail area. They cover the front door and the reception desk. These low definition cameras primarily act as a deterrent to theft and violent behaviour. They also provide a remote view into the clinic when the burglar alarm is raised. The footage is stored on a hard drive for one month. We have the facility to save clips of footage if needed for evidence.  All views of footage must be for a stated reason and logged. CCTV footage can only be viewed by the clinic management.


Card Payment Machine

Debit or credit card payment made in the clinic are processed by Worldpay.  The chip and pin terminal is managed and maintained by WorldPay. Staff regularly perform visible examinations for tampering of the machine and WorldPay run remote testing of the card machine. Card payments for bookings made using the online facility are processed by Stripe.  Both companies are worldwide leading card payment handlers.  Any mass data associated with card payments are captured and stored by Worldpay and Stripe. See privacy policies for Worldpay and Stripe here

To comply with HMRC requirements, we retain payment card receipts for all transactions at the clinic.  These are stored separately from any paper records containing your personal data.  These receipts are kept for a maximim of 7 years.


Practice Management System

Your personal data clinical notes are stored electronically on the previously mentioned practice management system known as PatientPal. PatientPal uses a 256-bit secure socket layer certificate for their clients to access firewalled data. The PatientPal application is hosted on RackSpace cloud servers within the EU. RackSpace prides themselves on being a world-class data center with state of the art security. RackSpace and PatientPal are compliant with the governmental body which enforces data security, the Information Commissioner’s Office.

The online booking system is also powered by the PracticePal software used at the clinic.  Therefore, any personal data captured when making online bookings are kept on a common platform to data captured at the clinic.

You can find the link to Practicepal’s Data Protection Policy here


Email System

We use Google email at the clinic which, by default, creates a contact database. There is an email account for the reception and administration staff –, and for individual practitioners eg

Text messages (often appointment confirmations and reminders) are sent from the practice management system – PracticePal.  The IT administrator at the clinic has the ability to view emails on all accounts.  The Head of Practice is the current IT Administrator.


Feedback forms

Feedback forms are powered by Google Apps and are returned to us without your personal information. You may add your name, but this is optional.

You may also be contacted by email, requesting that you write a review about your customer experience on media platforms such as Google Maps.  These requests will not be excessive.

Database downloads

Any bulk information downloaded for accounting or business analysis purposes will have any associated personal data removed from the dataset.  Any reports from the practice management system containing patient data – ie receipts are downloaded to a temporary folder which is deleted weekly.  Any files uploaded to the practice management system – ie medical reports, are saved to the same temporary folder.


Exercise Prescriptions

We use a cloud-based application called Rehab My Patient to generate your exercise prescriptions. The application stores your name and email address along with the history of exercise programs we have compiled for you.  Rehab My Patient is GDRP compliant.  You can find the link to their privacy policy here.


Content and Marketing Systems

Our Marketing communications include the following preferences.  You will be able to manage whether you receive some, all or none of them.

  • Birthday vouchers sent by SMS in the month of your birthday
  • Useful articles about health and lifestyle matters
  • Special Offers prices for treatments
  • Clinic events

We use Mail Chimp to send email marketing communications if you have subscribed to this service. The Mail Chimp app is integrated with Practicepal – our practice management system.  From 25th May 2018 as a newly registered patient, you will be asked to consent to our privacy policy.  As a result, you will be sent a welcome email, to give you more information about our service.  This will give you the option to subscribe or unsubscribe from any future marketing communications.

If you were registered as a patient before the 25th May 2018, and we have your consent to opt into marketing communications, you will continue to receive these.

All patients will have the facility to opt in or out of our marketing communications at any time. You will also be able to manage preferences for the content you chose to receive.


Vulnerability Management

We have a vulnerability management policy which involves assigning a risk ranking to our data and device security. We run internal and external vulnerability tests after any significant network changes and bi-annually as standard. The card payment company, Worldpay, run their own remote vulnerability tests on our payment device.  Any suspicious events are logged and investigated.

The Information Commissioner’s office will be notified if an attempted data breach is found to be successful, whether it was by an outside malicious party or an internal staff error.

If you suspect that we are the source of any data security breach or compromise, please let the practice leader – Lola Phillips – know immediately.


Choice and Access

You have choices regarding our use of your personal data.  If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails you will continue to receive communications necessary to continue providing our services to you. These may include emails regarding your appointments and treatments, text reminders, and notifications regarding disruptions to service.


How you can access or change your Personal Data.

If you would like to review, correct, or update personal data that you have previously disclosed to us, you may do so by contacting us. If emailing us your request, please make clear in the email what personal data you would like to have changed. For your protection, we may only implement requests with respect to the personal data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as possible.


Right to Erase

A can make a request to exercise your right to have your data erased from our databases. In these cases, electronic data will be permanently erased, and hard copies of data will be securely destroyed.  A request form must be submitted and we will give you our decision in up to 30 days. Your request will be considered in light of our retention policy and your circumstances.

We have a specialist contractor who will securely destroy paper records for us.  Our practice management system has a permanent erase feature.


Updates to this privacy policy

We may change this privacy policy to reflect improvements and changes in legislation. The title of this privacy policy indicates when this privacy policy was last revised. Any changes are effective when we post the revised privacy policy on our website. Electronic updates of this policy have the same meaning and effect as if we had provided you with a hard copy.


This document was compiled by:-

Lola Phillips – Head of Practice

Eds Chesters – Practice Manager

Original post 12/05/2018

Updated post 04/06/2019 – Email requests for customer experience reviews