GDPR Privacy Notice


 Privacy Notice

This notice explains why we collect your personal data, what we do with it, and also ensures we are working in accordance with the new EU General Data Protection Regulation (GDPR); terms from the regulation are indicated in bold.

When you supply your personal details to the clinic diary, to one of our practitioners, when we communicate by email or text, and when we take notes in the clinic, this information is stored and processed for four reasons in line with the GDPR requirements:

  1. We may need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitutes in law an (unwritten) contract.
  2. We have a legitimate interest in collecting this information, because without it we couldn’t practise effectively and safely.
  3. We keep records of your contact information because we think it is important that we can contact you in order to confirm your appointments, or to update you on matters related to your medical care. This again constitutes a legitimate interest, but this time it is your legitimate interest.
  4. Provided we have your consent (and this only needs to be verbal consent), some practitioners may occasionally send you individualised health information by email or text in the form of articles, links or advice. We will never send out generalised leaflets or advertisements. You may withdraw this consent at any time – just let us know by any convenient method.

As acupuncturists, osteopaths and chiropractors, we have legal obligations to retain your records for 8 years after your most recent appointment (or after you have reached the age of 25, if this is longer), but after this period you can ask us to delete your records if you wish. Otherwise, we will retain your records in order that we can provide you with the best possible care should you wish to see us at some future date. Your clinical records are stored in individual paper files in a secure lockable cabinet in the clinic, or in the care of your practitioner. Your emails and telephone numbers are stored on devices (mobile phones, tablets) which are password protected and secure. Some practitioners may store your records on devices or laptops, and again these will be password protected and secure.

The practitioner is the only person who has access to your records, texts and emails. We will never share your information with anyone who does not have a legal right of access without your written consent. In the case of referral to another practitioner this would only be done with your full knowledge and permission. Our reception staff may retrieve and store paper files for practitioners.

Some patients and prospective patients return questionnaires or tell us about their medical conditions and medication by email or text. We are unable to send or receive encrypted emails so you should be aware that any emails we send or receive may not be protected in transit. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. We also keep accident records for any patients, visitors or staff who are involved in accidents at our clinic in accordance with UK Health and Safety legislation including the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR).

You have the right to see what personal data of yours we hold, and you can also ask us to correct any factual errors. We are legally required to respond to any request from a client to see their personal data within a timescale of 30 days. We would, of course, ensure that we responded as soon as possible to any reasonable request for access to personal records.

In the event that anything should happen to your practitioner which would render them unable to oversee your records, then, and only then, another practitioner at the clinic of the same or similar discipline would be entrusted with the handling of your clinical records.

I want you to be absolutely confident that we are treating your personal data responsibly, and that we will do everything we can to make sure that the only people who access that data have a genuine need to do so.

Of course, if you feel that we are mishandling your personal data in any way, you have the right to complain. Please first raise your concern with us, as we hope very much we will be able to deal with any concerns you might have. However, you can also raise a concern directly with the Information Commissioner’s Office on

CCAC – Danny Blyth, May 2018


Website Privacy: When someone visits our website we use a third party service (Google Analytics) to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

If in the future we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

We use a third party service (, to host our website including publishing our blog. This site is hosted at (and which is run by YinYang Hosting. We use a standard website host service to collect anonymous information about users’ activity on the site (for example the number of users viewing pages on the site), to monitor and report on the effectiveness of the site and help us improve it.

WordPress requires visitors that want to post a comment to enter a name and email address. For more information about how WordPress processes data, please see ( uses cookies to improve your experience of our website and to ensure the website functions correctly.