Osteopathy in Dulwich Logo Transparent
020 8761 0959

Privacy Policy

Date: March 11 2026
Next Review Date: March 11 2027
Author: Sandie Ennis

Who are we?

In this document, “we”, “our”, or “us” refer to Sandie Ennis T/A Osteopathy in Dulwich / Pilates in Dulwich, who is the Data Controller responsible for the personal data described in this policy.

We provide healthcare advice and treatment, as well as movement therapy and exercise rehabilitation services in the UK.

Introduction

This policy explains when and why we collect personal information, how it is used and the circumstances in which it may be shared.

This policy applies to our services and website.

It is designed to comply with UK data protection law, including the UK General Data Protection Regulation, the Data Protection Act 2018, and updates introduced by the Data (Use and Access) Act 2025.

How do we collect information from you?

We may collect information when you:

  • Contact us about our services
  • Complete website contact or feedback forms
  • Attend classes or sessions
  • Complete an online appointment booking or book by phone, email or message

We collect medical information during your appointments.

What information do we collect and how is it used?

We collect information to:

  • Respond to enquiries
  • Fulfil our obligations to patients, including appointments, assessment, diagnosis and treatment
  • Document clinical reasoning and treatment
  • Manage and improve our services and website
  • Process blog comments where applicable

Legal basis for processing data

Under the UK General Data Protection Regulation, we rely on the following lawful bases:

Article 6(1)(b) – Contract
Processing is necessary to provide the services requested by you.

Article 6(1)(f) – Legitimate Interests
Processing may be necessary for the management and administration of the business, including managing bookings, communicating with patients, maintaining records and ensuring safe delivery of services, provided these interests do not override your rights.

Where we process information about health, injuries or physical conditions, we rely on:

Article 9(2)(h) – Provision of health or social care
Processing is necessary for the provision of healthcare or health-related services.

Where appropriate, we may also rely on explicit consent, particularly where information is provided voluntarily and is not required for the safe delivery of services.

Special Category Data

Medical data is classified as Special Category Data.

Our condition for processing this data is the provision of healthcare services under Article 9(2)(h) of the UK General Data Protection Regulation.

We do not collect other sensitive personal data (such as political opinions, religious beliefs, trade union membership, sexual orientation or criminal convictions) unless it is directly relevant to your care.

Third parties

We do not sell or rent personal information.

We may share limited information with service providers who help operate the business, for example:

  • Cliniko: Practice management and clinical records system
  • Stripe: Payment processing
  • Google Analytics: Website usage analysis
  • Website hosting providers: Website infrastructure and security

These providers act as data processors on our behalf and process personal data only in accordance with our instructions and applicable data protection law.

Some providers may store or process data outside the UK. Where this occurs, appropriate safeguards such as UK International Data Transfer Agreements (IDTAs) or adequacy regulations are used.

Use of Artificial Intelligence (AI)

This practice may use secure digital tools, including artificial intelligence systems, to assist with tasks such as clinical documentation and administrative correspondence.

Where these tools are used:

  • They support documentation only
  • All records are reviewed and finalised by the osteopath
  • The osteopath always makes clinical decisions
  • Identifiable personal data is not entered into publicly accessible AI systems

Where third-party digital tools are used, they act as data processors and must comply with data protection law.

Patients may request further information about how digital tools are used.

Where AI-assisted documentation tools are used during consultations, you will be informed and may request that they are not used.

Privacy and confidentiality

Your personal information is accessed only where necessary to deliver services or manage bookings.

Any information relating to injuries, health conditions or physical limitations is recorded only where necessary to support safe and appropriate instruction and is handled confidentially.

Your information will not normally be shared without your consent unless there is a legal requirement or safeguarding obligation to do so.

Your data protection rights

Under UK data protection law, you have the right to:

  • Request access to your personal data
  • Request correction of inaccurate information
  • Request deletion of your data where appropriate
  • Restrict or object to certain types of processing
  • Request your data in a portable format where applicable

Requests can be made using the contact details below.

Access to your information

You may request a copy of the personal information we hold about you.

If information is inaccurate, you may request that it be corrected.

Session notes and clinical records form part of your record and will not normally be altered unless factually incorrect.

If you disagree with an opinion recorded in your notes, you may request that your comments be added to the record.

Where records include information about other individuals, some details may be redacted to protect their privacy.

Retention of records

Personal information is kept only as long as necessary to provide services and meet legal, professional and administrative obligations.

In general:

  • Records relating to patient health, injuries or physical conditions are retained in line with professional guidance:
    • Adult records are retained for 8 years after the last session
    • Records for children are retained until the patient reaches 25 years of age (or 26 if 17 at the time of the last session)
  • Financial records are retained for at least 6 years to meet legal and tax obligations, including requirements set by HM Revenue & Customs

When records are no longer required, they are securely deleted.

Cookies

Our website may use cookies to improve functionality and understand how the site is used.

Google Analytics may be used to help analyse website traffic.

Where cookies are not strictly necessary, they will only be used with your consent. You can manage or withdraw your preferences through your browser settings or any cookie banner presented on the website.

Use of the site by children

Our services are not marketed to children.

Anyone under 16 should use the website with the consent of a parent or guardian.

Security

We take reasonable steps to protect personal information from loss, misuse or unauthorised access.

These include data minimisation, password protection, secure systems and appropriate data protection awareness.

However, no system can guarantee absolute security.

Data breaches

If a personal data breach occurs, we follow established procedures.

Where required by law, we will report relevant breaches to the Information Commissioner’s Office within 72 hours and notify affected individuals where there is a high risk to their rights and freedoms.

Complaints

If you have concerns about how your personal information has been handled, you may contact us directly.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office. Website: https://ico.org.uk

Concerns about the professional conduct of an osteopath can also be raised with the General Osteopathic Council. Website: https://www.osteopathy.org.uk

Changes to this policy

We may update this policy from time to time. Updates will be posted on our website.

Data Controller and contact

Sandie Ennis T/A Osteopathy in Dulwich / Pilates in Dulwich is the Data Controller responsible for your personal data. For questions about this policy or to exercise your data protection rights, please contact:

Email: sandie@osteopathyindulwich.co.uk