Privacy Policy
Information Held
The following information is collected: patient name, address, date of birth, email address, phone
numbers, GP details, past medical history, family medical history and case history for treatment
carried out at the clinic. All information is given by the patient or their carer, parent or legal guardian.
Data Collection
Information collected is sufficient for the purpose of making informed clinical decisions.
Data is collected verbally on the phone by reception staff or practitioners to book appointments and
take contact details. Medical information is collected verbally by osteopaths at a face-to-face
appointment.
Patient contact details and appointments are stored on the computer/tablet in a secure online application. Patient clinical records are electronic and are protected with passwords and, in the case of the tablet, fingerprint recognition.
Data Storage
Information is stored in an online software package called Cliniko. The servers are located in Australia
but paperwork is in place to comply with EU standards. Paper notes are not stored or taken; only electronic notes are taken. Personal information and consent forms are stored on Dropbox servers (which comply with EU standards) and accounts are password protected. Archived notes and personal information will be stored in a separate folder, also on the Dropbox servers.
Data Disposal
(minimum 8 years, or until 25 years of age for children)
Records cannot be deleted before the statutory requirements for data retention are met: 8 years, or up to 25 years of age for children.
Notes are archived after 8 years (or at 25 years of age for children). They are then securely stored on Dropbox servers.
Paper notes are destroyed by shredding/incineration after 8 years or at 25 years of age for children. Electronic records are deleted from the system after 8 years or at 25 years of age for children.
Consent
Patient data is also used for appointment reminder text messages, a newsletter and marketing, which patients opt in to with a tick box or verbally on their first visit. We check on a regular basis that patients still want to receive communications.
We process your data using the lawful basis of consent for marketing, and fulfilment of contract and legitimate interest for processing your medical record and sending you health information and exercises relating to your condition. Your medical record is processed as Special Category Data under Article 9(2)(h) of the GDPR. Parents must give consent for communication with children under 16 years.
Data Sharing
Information is only shared with other persons with the patient's permission. This would usually be with other health professionals. Patient information is never passed on to other practitioners, persons or companies. Data would only be shared without consent in extremely rare cases, such as a legal order or a serious safety risk.
Data Checks
Every year we perform checks on 50% of our patients' data records to make sure they are accurate. AND/OR Every year we check that all active patient data is correct.
Security
Access to paper records is restricted to practitioners and admin staff who have signed a confidentiality agreement.
All electronic data is password protected and access to information can be restricted. Systems are kept updated, and antivirus security systems are in place and updated. Passwords are changed every 6 months/year. Data breaches will be detected by observing signs of unauthorised entry to storage areas, monitoring communications, or becoming aware of a security breach on the computer system (e.g. a virus, an unauthorised log-on, or a change to permissions). Data breaches will be investigated and reported to the Information Commissioner's Office within 72 hours by the appointed person.
Patients will be informed if we believe a data breach has occurred.
Patients may contact the Information Commissioner's Office if they believe a data breach has occurred.
Information Commissioner’s Office: 0303 123 1113