At Pennington Osteopathy, we are committed to maintaining the trust and confidence of our clients.  We won’t sell or trade your personal information to other businesses for marketing purposes.  We appreciate that the information we hold about our clients may be of a personal and sensitive nature, and you may have concerns about how this information is stored and used.  In this Privacy Notice, we set out what information we collect from you, how we use it, how we keep it secure, and under what limited conditions we share it with others.

Who are we?

Pennington Osteopathy is committed to protecting the rights of our clients in line with the Data Protection Act 1998 and the new General Data Protection Regulation (GDPR).

You can contact us at:

15 Pennington Drive
Surrey KT13 9RU
07748 632351


What information do we collect from you?

We collect personal, social and medical information about you.  This will be used solely to administer your account and deliver the services you have requested from us.  Only information that is relevant to provision of these services is collected.  Such information may include:

  • Basic details such as name, address, date of birth, contact information.
  • Information about your health status, medical history and medication.
  • Details and records of treatment and care provided.
  • Records of communications you may make with us.

It may also include other sensitive information such as your race, sexuality, religious beliefs, any disability, allergies or health conditions.


Why do we collect this information?

We need this information to be able to deliver your care and communicate with you about it. Medical and social data is necessary to plan and deliver safe and effective osteopathic services appropriate to your needs.  That means we have a “legitimate interest” in collecting the information, because we couldn’t do our job without it.  Your requesting treatment and our agreement to provide that treatment constitutes a contract.  You have the right to refuse to provide the information, but in that case, we would be unable to provide osteopathic services.

You also have a “legitimate interest” in receiving appointment confirmations and being kept up-to-date with matters relating to your care; we use your personal information to provide these services.

Provided we have your consent, we may occasionally send you general health information in the form of articles, advice or newsletters.  You may withdraw this consent at any time – just let us know by any convenient method.


Who might we share your information with and how is it kept secure?

Your records are stored electronically (“in the cloud”), using a specialist medical records service.  Access to this data is password-protected.  This system is designed for purpose and all information is encrypted, securely held in a UK-based data centre, and replicated to a geographically separate location.  The provider has given us their assurance that they are fully compliant with the General Data Protection Regulation.  You can find information about their security policy here.

Some information is also stored locally on clinic devices – these are password protected, backed up regularly and kept secure.

We will not, without your permission, sell, publish or share information you entrust to us that identifies you or any other person.

Occasionally, in order to provide the best healthcare for you, it might be helpful to share information with other healthcare practitioners.  In each case, this will be discussed with you in advance and you can choose whether or not to allow this to happen.

If you choose to pay by credit / debit card, such information as is necessary to process the payment will be passed to the card payment company.  This company uses encryption to handle sensitive data, such as your credit card number, and is PCI DSS (Payment Card Industry Data Security Standard) approved.  Find more information here.

Further to that, information will only be shared in line with our legal obligations.


What do we do with your information?

We use it to:

  • Communicate – with you about your treatment and care.
  • Maintain – your records and ongoing care plan.
  • Administrate – any services you request from us.

In addition, anonymised data may be used for research purposes.


How long do we keep hold of your information?

We are legally required to maintain client records for a period of 8 years from the date of the most recent contact.

In the case of children, we are required to hold records until the child reaches 25 years of age, or 8 years from the most recent contact if that’s longer.  After this period, you can ask us to delete your records if you wish.  Otherwise, we will retain your records indefinitely in order that we can provide you with the best possible care should you need to see us at some future date.


How can I access the information you hold about me?

You have the right to request a copy of the data held about you.  You can do so by applying to us in writing.  There is no charge associated with this.
We want to make sure your data is accurate and up-to-date.  If you think any of our information is incorrect, you can request to have errors altered or removed.
You have the right to request erasure of your information, which can be done after your records have been held for the legally required length of time (see above).


If you feel your personal data is being mishandled in any way, you have the right to complain.  Complaints should be sent to the Data Controller (Mrs. Diana Rowlands) at the above address.  If you are not satisfied with our response, then you have the right to raise the matter with the Information Commissioner’s Office.