Privacy Policy - Osteo Herts Osteopathic Clinic

Effective Date: [Date]
Last Updated: [Date]
Data Controller: Osteo Herts

1. Introduction

Osteo Herts Osteopathic Clinic is committed to protecting your privacy and personal data in accordance with UK data protection legislation. This Privacy Policy explains how we collect, use, store, and protect your personal information under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and professional standards set by the General Osteopathic Council (GOsC).

As a registered osteopathic practice, we are required to maintain patient confidentiality in accordance with the GOsC's Code of Practice and the common law duty of confidentiality.

2. Data Controller Information

Data Controller:Osteo Herts
Registered Address: 142 High Street, Codicote, Hitchin, SG48UB
GOsC Registration: 9215

Data Protection Officer: Lucy Edwards
Contact: info@osteoherts.co.uk 07368490061

3. Legal Basis for Processing

We process your personal data under the following lawful bases:

3.1 Healthcare Treatment (Article 9 UK GDPR)

• Lawful Basis: Vital interests and healthcare purposes

• Special Category Basis: Healthcare treatment and medical diagnosis

• Purpose: Providing osteopathic treatment and ongoing care

3.2 Contractual Obligations (Article 6(1)(b) UK GDPR)

• Purpose: Fulfilling our treatment contract with you

• Activities: Appointment scheduling, treatment delivery, payment processing

3.3 Legal Obligations (Article 6(1)(c) UK GDPR)

• Purpose: Compliance with professional and legal requirements

• Activities: GOsC reporting, safeguarding obligations, clinical governance

3.4 Legitimate Interests (Article 6(1)(f) UK GDPR)

• Purpose: Practice management and quality improvement

• Activities: Clinical audit, training, business operations

4. Personal Data We Collect

4.1 Patient Information

• Identity Data: Full name, date of birth, address, contact details, NHS number (if provided)

• Medical History: Previous treatments, current symptoms, medical conditions, medications, allergies

• Clinical Records: Examination findings, treatment notes, progress records, referral letters

• Lifestyle Information: Occupation, exercise habits, relevant lifestyle factors

• Emergency Contacts: Next of kin details and emergency contact information

4.2 Special Category Data (Sensitive Personal Data)

• Health and medical information

• Details of physical or mental health conditions

• Treatment and care records

• Information about disabilities or health-related adjustments

4.3 Financial Information

• Payment details and billing information

• Insurance information (if applicable)

• Direct debit or standing order details

4.4 Digital Information

• Website usage data and cookies

• Patient portal login information

• Email communications and appointment confirmations

5. How We Use Your Personal Data

5.1 Direct Patient Care

• Providing osteopathic assessment, diagnosis, and treatment

• Monitoring your progress and treatment outcomes

• Coordinating care with other healthcare professionals

• Providing follow-up care and health advice

5.2 Administrative Purposes

• Appointment scheduling and management

• Processing payments and managing accounts

• Maintaining accurate clinical records

• Practice management and quality assurance

5.3 Legal and Professional Obligations

• Compliance with GOsC professional standards

• Clinical governance and risk management

• Safeguarding reporting where required

• Responding to legal requests and investigations

5.4 Legitimate Business Interests

• Staff training and professional development

• Clinical audit and service improvement

• Business continuity and disaster recovery

• Insurance and legal compliance

6. Sharing Your Personal Data

6.1 Healthcare Professionals

We may share your information with:

• GPs and Consultants: For coordinated care and referrals

• Other Osteopaths: For continuity of care or second opinions

• Allied Health Professionals: Physiotherapists, chiropractors, etc.

• NHS Services: Where treatment coordination is required

6.2 Legal and Regulatory Bodies

• General Osteopathic Council (GOsC): For regulatory compliance

• Local Authorities: For safeguarding obligations

• Courts and Legal Bodies: When legally required

• Professional Insurers: For indemnity and claims purposes

6.3 Service Providers

• IT Support Companies: For secure data processing and storage

• Billing Services: For payment processing (if outsourced)

• Professional Advisors: Legal, accounting, and business consultants

• Cleaning and Maintenance: Under strict confidentiality agreements

6.4 Emergency Situations

In medical emergencies, we may share information without consent to:

• Emergency services and hospitals

• Next of kin or emergency contacts

• Relevant healthcare professionals involved in emergency care

7. Your Rights Under UK GDPR

7.1 Right of Access (Subject Access Request)

• Request copies of your personal data

• Understand how your data is being processed

• Receive information about data sharing

7.2 Right to Rectification

• Correct inaccurate or incomplete data

• Update your personal information

• Amend clinical records where appropriate

7.3 Right to Erasure ('Right to be Forgotten')

• Request deletion of your data in specific circumstances

• Note: Clinical records must be retained for legal and professional requirements

7.4 Right to Restrict Processing

• Limit how we use your data in certain circumstances

• Object to processing based on legitimate interests

7.5 Right to Data Portability

• Receive your data in a structured, machine-readable format

• Transfer your data to another healthcare provider

7.6 Right to Object

• Object to processing based on legitimate interests

• Opt out of direct marketing communications

7.7 Rights Related to Automated Decision-Making

• Protection against purely automated decision-making

• Right to human intervention in automated processes

8. Data Retention

8.1 Clinical Records

• Adult Patients: Minimum 8 years from last treatment

• Children: Until 25th birthday or 8 years from last treatment, whichever is longer

• Mental Health Records: 20 years from last treatment

• Deceased Patients: 8 years from date of death

8.2 Administrative Records

• Appointment Records: 3 years from last appointment

• Financial Records: 6 years from end of accounting period

• Correspondence: 3 years from date of communication

• Consent Forms: Duration of clinical record retention

8.3 Digital Records

• Website Analytics: 26 months maximum

• CCTV Footage: 30 days (if applicable)

• Email Communications: As per clinical record retention

9. Data Security Measures

9.1 Physical Security

• Secure storage of paper records in locked cabinets

• Restricted access to clinical areas

• Visitor access controls and sign-in procedures

• Secure disposal of confidential waste

9.2 Technical Security

• Encrypted data storage and transmission

• Secure network infrastructure and firewalls

• Regular security updates and patches

• Multi-factor authentication for system access

• Regular data backups with encryption

9.3 Organisational Security

• Staff training on data protection and confidentiality

• Confidentiality agreements for all staff and contractors

• Regular security risk assessments

• Incident response procedures

• Clear data access controls and permissions

10. International Data Transfers

We do not routinely transfer personal data outside the UK. If international transfers are necessary:

• We will ensure adequate protection mechanisms are in place

• We will obtain your explicit consent where required

• We will use approved transfer mechanisms under UK GDPR

11. Cookies and Website Privacy

11.1 Essential Cookies

• Session management and security

• Patient portal functionality

• Appointment booking system operation

11.2 Analytics Cookies

• Website usage statistics (anonymised)

• Performance monitoring and improvement

• User experience enhancement

11.3 Your Cookie Choices

You can control cookies through your browser settings. Disabling cookies may affect website functionality, particularly for the patient portal and appointment booking system.

12. Children and Young People

12.1 Parental Responsibility

• Parents/guardians provide consent for children under 16

• Young people aged 16-17 can consent to their own treatment

• Special consideration for Gillick competence in under-16s

12.2 Safeguarding

We have a duty to protect children and vulnerable adults. We may share information without consent where there are safeguarding concerns, in accordance with local safeguarding procedures.

13. Data Breach Procedures

In the event of a personal data breach:

• We will assess and contain the breach within 72 hours

• The ICO will be notified within 72 hours if required

• Affected individuals will be informed without undue delay

• We will document the breach and our response

• We will review and improve our security measures

14. Complaints and Concerns

14.1 Internal Complaints

Practice Manager: Lucy Edwards
Address:142  High  Street, Codicote, Hitchin, SG4 8UB
Phone:07368490061
Email:info@osteoherts.co.uk

14.2 Information Commissioner's Office (ICO)

If you're not satisfied with our response: ICO Helpline: 0303 123 1113
Website: www.ico.org.uk
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

14.3 General Osteopathic Council

For professional conduct concerns: GOsC: 020 7357 6655
Website: www.osteopathy.org.uk
Address: 176 Tower Bridge Road, London SE1 3LU

15. Changes to This Privacy Policy

We will update this Privacy Policy as necessary to reflect:

• Changes in data protection legislation

• Updates to our data processing activities

• New services or technologies

• Regulatory guidance or requirements

Significant changes will be communicated through:

• Website notification

• Direct communication to active patients

• Notice in the clinic reception area

16. Contact Information

Data Protection Enquiries:
Lucy Edwards
Osteo Herts
142  High  Street, Codicote, Hitchin, SG4 8UB
Phone: 07368490061
Email: [info@osteoherts.co.uk

Practice Information
GOsC Registration:9215
Professional Indemnity: Institute of Osteopathy
ICO Registration: [Number] (if applicable)

This Privacy Policy complies with UK GDPR, the Data Protection Act 2018, and General Osteopathic Council professional standards. For specific legal advice regarding your data protection rights, please consult with a qualified UK data protection solicitor.