Who am I?

My company is JG Osteopathy. My website address is: http://jgosteopathy.co.uk. The data controller is John Graham.

JG Osteopathy provides osteopathic services to our patients. My service is carried out in accordance with the Institute of Osteopathy’s “Patient Charter” (view at www.iosteopathy.org) and the General Osteopathic Council’s “Osteopathic Practice Standards” (view at www.osteopathy.org.uk).

What personal data I collect and why I collect it

As a primary healthcare practitioner, I take data protection and confidentiality issues very seriously. This Privacy Policy outlines what personal information I collect about you, how we collect it, and how it is used and stored.

  • I collect detailed medical information that is relevant and necessary for your treatment.
  • I also collect contact details such as telephone numbers, email addresses, postal addresses.
  • I will only collect the information I need to provide you with the services you require.

How will I use the information about you?

Confidentiality is a legal requirement of osteopaths, and it is of paramount importance that patients can trust me with your information.

  • I require detailed medical information for the purposes of providing diagnosis and treatment. I will only collect information that is relevant and necessary for your treatment. When you visit me, I will make notes which may include details concerning your medical history, medication, treatment and other issues affecting your health. 
  • This data is always held securely and is not shared with anyone not involved in your treatment.
  • Contact details provided by you such as telephone numbers, email addresses, postal addresses may be used to respond to your enquiries, remind you of future appointments and provide reports or information concerning your treatment or other information I believe may be of interest to you.
  • Data I hold about you is stored in accordance with UK GDPR regulations.
  • My website by default uses cookies, if you do not wish to have cookies placed on your computer should set your browser to refuse cookies before using my website.

Who do I share your data with?

  • I will not share your data with anyone, unless compelled to (in order to meet legal obligations, regulations or where there is a serious safety risk), or unless you ask us to.
  • We do not sell or broker data we hold to third parties. 
  • Your contact details are used by us solely to contact you about matters concerning your relationship with me. 
  • From time to time it is necessary and desirable to communicate with other health professionals (such as your doctor). This will only be done with your explicit consent, and after discussion with you. I will ask you to sign a consent form allowing me to share your data, and all information will be communicated securely.

COVID-19 UPDATE: Whilst the government’s ‘Track and Trace’ scheme is operating, I may be contacted to provide data (name, phone number and email address) of people, including patients, who I have been in close contact with. In this situation, the Information Commissioner and government have confirmed that public health interest takes priority over your GDPR data protection rights. I will therefore be obliged to release this information.

What is our legal basis for processing your data?

I am required to have a lawful basis to hold data concerning you. The lawful bases for processing are set out in Article 6 of the GDPR. Different types of data I hold about you may require different lawful bases. I hold your data on the lawful basis of:

Legal obligation: This requires that the data processing is necessary to comply with the law (The Osteopaths Act 1993). 

Special Category Data (Article 9 of GDPR): This applies to the holding of sensitive data (such as medical data). 

Legitimate interests pursued by Osteopaths: To promote treatments for patients with all types of health problems indicated for osteopathic care.

Consent: Through agreeing to this privacy notice you are consenting to me processing your personal data for the purposes outlined. You can withdraw consent at any time by contacting me.

How long will we hold on to your data?

The GDPR requires that I hold data about data subjects only for as long as is necessary for the purpose that the data is required. As osteopaths operating under statutory regulation (Osteopaths Act 1993), myr regulatory body (The General Osteopathic Council) requires me to retain medical records of our patients for a minimum period of 8 years from the last recorded treatment (for adults) and for children who have received treatment we are required to keep the records until that patient has reached the age of 25.

Your rights

Right of access – you have the right to request a copy of the information that we hold about you.

Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.

Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.

Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.

Right of portability – you have the right to have the data we hold about you transferred to another organisation.

Right to object – you have the right to object to certain types of processing such as direct marketing.

Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.

In the event that I refuse your request under rights of access, I will provide you with a reason as to why, which you have the right to legally challenge. At your request I can confirm what information I hold about you and how it is processed.

Data breaches

I have an obligation to report any data breaches to the Information Commissioner’s Office (ICO) within 72 hours of the discovery of any breach.


In the event that you wish to make a complaint about how your personal data is being processed by me you have the right to complain. Please contact me to discuss your complaint. If you do not get a response within 30 days, you can complain to the ICO. The ICO can be contacted at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Telephone: +44 (0) 303 123 1113

Email: https://ico.org.uk/global/contact-us/email/