The way personal data is held and processed across the EU is changing from May 2018 with the introduction of the General Data Protection Regulation (GDPR), which supersedes its predecessor, the Data Protection Act. The General Data Protection Regulation is far more extensive than the Data Protection Act and, along with the Privacy and Electronic Communications Regulations (PECR), seeks to protect and enhance the rights of EU data subjects. These rights cover the safeguarding of personal data, protection against the unlawful processing of personal data, the unrestricted movement of personal data within the EU and its storage within the EEA.
Who are we?
Form & Function clinic is a practice providing acupuncture, sports rehabilitation and osteopathic diagnosis and treatment to our patients. Osteopathic services are carried out in accordance with the Institute of Osteopathy’s “Patient Charter” (view at www.iosteopathy.org) and the General Osteopathic Council’s “Osteopathic Practice Standards” (view at www.osteopathy.org.uk).
What information do we collect about you?
- We collect detailed medical information that is relevant and necessary for your treatment.
- We also collect contact details such as telephone numbers, email addresses, postal addresses.
- We will only collect the information we need to provide you with the services you require.
How will we use the information about you?
- Osteopaths require detailed medical information for the purposes of providing diagnosis and treatment. We will only collect information that is relevant and necessary for your treatment. When you visit our practice, we will make notes which may include details concerning your medical history, medication, treatment and other issues affecting your health.
- This data is always held securely and is not shared with anyone not involved in your treatment, although for data storage purposes it may be handled by pre-vetted non-osteopathic staff who have all signed an integrity and confidentiality agreement.
- Contact details provided by you such as telephone numbers, email addresses, postal addresses may be used to respond to your enquiries, remind you of future appointments and provide reports or information concerning your treatment or other information we believe may be of interest to you, including questionnaires and surveys for research or marketing purposes. In making initial contact with the practice you consent to the practice maintaining a dialogue with you and holding your contact details until you opt out, which you can do at any time.
- Data we hold about you is stored on paper notes, electronically on local hard drives or on internet-based servers by companies that are deemed to be data processors on our behalf, and who conform to industry-standard encryption protocols and from whom we hold confirmation of their compliance with UK GDPR regulations. If any data is stored outside the EEA, this will be with companies that have demonstrated their compliance with UK GDPR regulations.
Who do we share your data with?
- We will not share your data with anyone, unless compelled to (in order to meet legal obligations, regulations or valid governmental requests), or unless you ask us to. 
- We do not sell or broker data we hold to third parties.
- Your contact details are used by us solely to contact you about matters concerning your relationship with us.
- From time to time, it is necessary and desirable to communicate with other health professionals (such as your doctor). This will only be done with your explicit consent, and after discussion with your osteopath. We will ask you to sign a consent form allowing us to share your data, and all information will be communicated securely.
What is our legal basis for processing your data?
We are required to have a lawful basis to hold data concerning you. The lawful bases for processing are set out in Article 6 of the GDPR. Different types of data we hold about you may require different lawful bases. We hold your data on the lawful basis of:
Legal obligation*: This requires that the data processing is necessary to comply with the law (The Osteopaths Act 1993).
Special Category Data (Article 9 of GDPR)**: This applies to the holding of sensitive data (such as medical data).
Legitimate interests pursued by Osteopaths: To promote treatments for patients with all types of health problems indicated for osteopathic care.
Consent: Through agreeing to this privacy notice you are consenting to Form & Function clinic processing your personal data for the purposes outlined. You can withdraw consent at any time by using the postal address, email address or telephone number provided at the start of this Privacy Notice.
*The lawful basis of Legal obligation applies because osteopathic services in the UK (including the gathering and retention of medical data) are regulated by the General Osteopathic Council (GOsC), a statutory regulatory body constituted by act of parliament. By law, osteopaths must be registered with the GOsC in order to practise in the UK. The GOsC places legal obligations on us regarding the gathering and holding of medical data from our patients which must be considered in conjunction with the provisions contained within the General Data Protection Regulation, and limits our capacity to comply with requests to erase data.
**Special category status applies as Article 9 of GDPR deems that “processing [of sensitive data] is necessary for reasons of . . . ensuring high standards of quality and safety of health care . . . .”
How long will we hold on to your data?
The GDPR requires that we hold data about data subjects only for as long as is necessary for the purpose for which the data is required. As osteopaths operating under statutory regulation (Osteopaths Act 1993), our regulatory body (the General Osteopathic Council) requires us to retain the medical records of our patients for a minimum period of 8 years from the last recorded treatment (for adults); for minors who have received treatment, we are required to keep the records until that patient has reached the age of 25. We are, however, permitted to retain data for longer than this period if there is a reason to do so. As we have many patients who return for treatment many years after a previous visit, it is our policy, for adequate provision of their continuing care, to retain medical records for a period of 20 years from the date of their last treatment, and in certain circumstances (for legal or clinical reasons) we may retain records for longer.
Important rights you have regarding the data we hold about you
1. The right of access to your information and correction
You have a right to see the data we hold about you. If you would like copies of some or all of the personal information we hold about you, please contact us using the contact details listed at the top of this Privacy Notice. We have an obligation to provide you with this information within one month of application. 
Our aim is that all the data we hold about you is accurate and complete. If this is not the case, you have the right to ask us to correct the information we hold.
In certain circumstances you can ask for the data we hold about you to be erased from our records. In the event that our osteopaths refuse your request under rights of access, we will provide you with a reason why, which you have the right to challenge legally.
You also have the right to ask us how we process your data, and who can see your data.
2. Your right to be forgotten
You have the right to ask us not to contact you again. We will respect this whilst not prejudicing our legal obligation to retain your medical records.
3. The right of portability
You have the right to transfer the data we hold about you to other organisations. As we have a legal obligation to retain your original records within our practice, our policy is to provide, on request, copies of your records, or a written summary to transfer to other organisations. Your osteopath will be able to provide guidance on the most appropriate format for your data transfer.
4. The right to object
You have the right to withdraw your consent for us to process your data at any time, within the constraints placed on us by our obligation to retain your medical data for statutory reasons. Please ask the Data Controller named at the top of this notice about the implications of withdrawing your consent for your osteopathic care.
We have an obligation to report any data breaches to the Information Commissioner’s Office (ICO) within 72 hours of the discovery of any breach.
In the event that you wish to make a complaint about how your personal data is being processed by us you have the right to complain to us. Please contact the person named as Data Controller at the top of this notice. If you do not get a response within 30 days, you can complain to the ICO. The ICO can be contacted at:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Telephone: +44 (0) 303 123 1113
1. Or to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of its staff.
2. We will accept the following forms of identification (ID) when information on your personal data is requested: a copy of your driving licence, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If Form & Function Clinic is dissatisfied with the quality, further information may be sought before personal data can be released.
I explicitly consent to you creating and storing medical records concerning my treatment, which may include details concerning my medication, treatment and other issues affecting my health conditions, in accordance with the General Data Protection Regulation (GDPR). I understand that these records will be retained for eight years after treatment ceases (or until I reach 25, in the case of someone aged 16 to 18) in order to comply with legal guidance. I understand that these records will be processed in accordance with your 2018 Privacy Notice, a copy of which I have seen.