Privacy Notice  

Overview 

Your personal data may be required in order to: 

  • provide healthcare, 
  • arrange appointments, 
  • manage fees and payments, 

and also to respond to any enquiries you may have.  

This Privacy Notice explains: 

  • what data is collected and stored, 
  • who this data is obtained from, 
  • why and how this data is used, 
  • what measures are taken to keep your data safe and secure, 
  • how you can find out more, or raise a concern about data protection with us. 

We are committed to keeping your data safe and secure, and meeting the requirements of the General Data Protection Regulation (GDPR), namely that personal data be: 

  • obtained fairly and lawfully, 
  • obtained for a specific and lawful purpose, 
  • adequate and relevant, but not excessive, 
  • accurate and kept up to date, 
  • held for no longer than necessary, 
  • processed in accordance with the rights of those to whom the data pertains, 
  • kept subject to appropriate security measures. 

 Data Controller 

The Data Controller, Susan Farwell, is responsible for determining the purposes and means of processing personal data. She may be contacted by post at 15 Warwick Street, Oxford OX4 1SZ or by email at osteopath@susanfarwell.co.uk. 

ICO registration number is ZA375576  

Summary of Data Use  

Please click here to view the table summary.

Table 1 shows: 

  • what data is collected, 
  • who it is obtained from, 
  • why this data is collected and processed, 
  • the legal basis for processing this data, 
  • who processes this data, 
  • how long this data is kept, and what happens to it once it is no longer needed, 
  • how this data is kept safe. 

 Data Security  

Your data is kept secure at all times against unauthorised or unlawful access or loss using: 

  • restricted access filing cabinets, 
  • password protected device access, 
  • GDPR compliant email storage, 
  • written confidentiality and data protection agreements for data processors. 

Data Transfer Outside of the EU  

The Data Controller uses an email service which is GDPR compliant, which means that any data stored in this email inbox is appropriately protected should it be stored on a server outside of the EU. Data transfer outside of the EU can also occur if we communicate via email and your email inbox is hosted on a server outside of the EU, or if we communicate by phone and one of us is located outside the EU. In such cases this will be because the transfer:

  • relates to provision or administration of your healthcare,
  • is for reasons of public interest,
  • is necessary for legal reasons,

in accordance with Article 49(1)(b)-(f) of the GDPR.  

What Happens if There is a Data Breach?  

In the event of a data breach that is likely to result in a risk to people’s rights and freedoms, the data breach will be reported to the Information Commissioner’s Office (ICO), not later than 72 hours after it has come to light.   

Your Rights  

  • Access – you have a right to confirmation that we are processing your data, and a copy of any of your personal data which we hold. 
  • Rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Erasure – in certain circumstances, you have a right to ask for the data we hold about you to be erased from our records (see also table 1). 
  • Restriction of processing – in certain circumstances, you have a right to restrict the processing of your personal data which we hold. 
  • Portability – where data is processed on the basis of consent or performance of a contract, and in addition by automated means, you have the right to have your data transferred to another Data Controller. 
  • Objection – under certain circumstances, you have the right to ask us to stop processing your personal data. 
  • Automated decision-making including profiling – you have the right not to be subject to legal or similarly significant effects which are based solely on automated processing.

 If you wish to exercise any of these rights, please contact the Data Controller. In the event that the Data Controller refuses your request, you will be given a reason as to why, which you may challenge legally and/or with the Information Commissioner’s Office (ICO). 

 Raising a Concern 

 In the event that you have a concern about how your personal data has been handled, you have a right to complain to the Data Controller. If the situation cannot be resolved to your satisfaction, then you may contact the Information Commissioner’s Office (ICO). Details of how to do so can be found at ico.org.uk/concerns/.

Reviewing and Revising our Privacy Notice and Policy  

We aim to incorporate best practice into our policies, and as such a review of our privacy notice and policy will take place 6 months (November 2018) after the GDPR becomes law on May 25th 2018. This review may take place sooner if additional relevant or significant information becomes available. After this, review will take place annually. Notice of any amendment to this Privacy Notice will be made available on this website.