Date: March 11 2026
Next Review Date: March 11 2027
Author: Sandie Ennis
Who are we?
In this document, “we”, “our”, or “us” refer to Sandie Ennis T/A Osteopathy in Dulwich / Pilates in Dulwich, who is the Data Controller responsible for the personal data described in this policy.
We provide healthcare advice and treatment, as well as movement therapy and exercise rehabilitation services in the UK.
Introduction
This policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and what choices you have.
It relates to all our business activities, not just this website.
This policy is designed to comply with UK data protection law, including the UK General Data Protection Regulation and the Data Protection Act 2018.
How do we collect information from you?
We obtain information about you when you contact us about our services.
We also collect information from you if you leave a comment on our blog or fill in our feedback or help forms.
We collect information about you when you complete an online appointment booking or when you book by phone, email, or message.
We collect medical information during your appointments.
What information do we collect & how is it used?
We collect information to respond to enquiries.
We also collect information to fulfil our obligations to our patients. This includes fulfilling appointments, conducting a thorough assessment and diagnosis, and documenting diagnostic reasoning and treatment.
We also collect your information if you leave a comment on our blog.
Legal basis for processing data
Under the UK General Data Protection Regulation, we rely on the following lawful bases for processing personal data:
Sensitive Data
Medical data is classified as Special Category Data.
Our condition for processing this data is the provision of healthcare services.
This is permitted under Article 9(2)(h) of the UK General Data Protection Regulation (processing necessary for the provision of health or social care).
We do not gather any other sensitive personal data (e.g., political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, or criminal convictions) unless it is directly relevant to your healthcare.
Third Parties
We will not sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
We may pass your information to third-party service providers we have engaged to provide services to you on our behalf.
Examples may include:
We disclose only the personal information that is necessary to deliver the service.
Where these providers process personal data on our behalf, they act as Data Processors and are required to comply with data protection law.
Where personal data may be transferred outside the UK, this will occur only where appropriate safeguards are in place, such as UK International Data Transfer Agreements (IDTAs) or adequacy regulations.
Use of Artificial Intelligence (AI)
This practice may use secure digital tools, including artificial intelligence systems, to assist with tasks such as clinical documentation and administrative correspondence.
Where these tools are used:
Privacy
Your health data is normally accessed only by your practitioner.
If another practitioner needs access to your data for clinical reasons, they will be subject to the same confidentiality and data protection obligations.
Administrative staff may have access to the practice management system for appointment administration, but do not have access to clinical notes unless necessary for operational reasons and subject to confidentiality obligations.
Your data will not normally be shared without your consent unless there is a legal requirement or safeguarding obligation to do so.
The statement above refers specifically to the sharing of information, not the lawful basis for processing personal data. The processing of patient records is already justified under the lawful bases described earlier in this policy.
Controlling your information
Updating or correcting your information
The accuracy of your information is important to us.
If you change your email address or any of the information we hold is inaccurate or out of date, please contact us so we may correct our records.
Your data protection rights
Under UK data protection law, you have the following rights:
Access to your own information
At any time, you may review or update personally identifiable information that we hold about you by signing in to your account on our website.
To obtain a copy of any information not provided on our website, you may send us a request by email.
After receiving the request, we will let you know when we expect to provide the information and whether we require any additional information.
Clinical opinions and professional judgments recorded in medical notes form part of the clinical record and will not normally be altered unless they are factually inaccurate. If you disagree with an opinion recorded in your notes, you may request that your comments be added to the record.
Where records contain information relating to other individuals, we may need to redact or withhold that information to protect those individuals’ privacy rights.
Deleting your information
You have the right to request erasure of your personal information.
However, healthcare providers have legal and professional obligations regarding record retention.
Clinical records for adults are normally retained for 8 years after the last consultation.
Records for children are normally retained until the patient reaches 25 years of age.
After this time, records are securely deleted.
Website Privacy: Cookies
Like many other websites, ours uses cookies.
Cookies are small files stored on your device to help the website function effectively.
Our use of cookies
The cookies we use are first-party cookies.
We do not use third-party advertising cookies that track behaviour across websites to deliver targeted advertising.
Google Analytics
Google Analytics may set cookies to help us estimate the number of visitors to our website and to understand how it is used.
This helps ensure our website is responding to user needs in the best possible way.
Use of the site by children
We do not sell products or provide services for purchase by children, nor do we market to children.
If you are under 16, you may use our website only with consent from a parent or guardian.
Security
We take security seriously.
To protect your information from loss, misuse or unauthorised access or disclosure, we have put in place suitable and reasonable physical, electronic and procedural safeguards.
These include:
However, no security programme is completely foolproof, and we cannot guarantee the absolute security of your personal information.
Data Breaches
Our Data Security Policy includes a process for handling a personal data breach should one occur.
Where appropriate, we will notify you of any unauthorised access to your personal information.
Complaints
If you wish to raise a complaint about how we have handled your personal information, you can contact us directly.
If you are not satisfied with our response or believe we are processing your personal information unlawfully, you can complain to the Information Commissioner’s Office.
Website: https://ico.org.uk
Concerns about the professional conduct of an osteopath can also be raised with the General Osteopathic Council.
Website: https://www.osteopathy.org.uk
Changes to this Policy
We reserve the right to amend this Policy at any time and will post all changes on our websites.
You should review the Policy periodically.
If we make a material change to this Policy, we will provide appropriate notice as required by law.
Data Controller and Contact
Sandie Ennis T/A Osteopathy in Dulwich / Pilates in Dulwich is the Data Controller responsible for your personal data.
For any queries regarding this policy or to exercise your data protection rights, please contact:
Email: sandie@osteopathyindulwich.co.uk