Privacy Policy

Accessing the Website

This website, with the exception of the items listed below, does not store or capture personal information, but merely logs the user's IP address (Internet Protocol: standard allowing data to be transmitted between two devices) which is automatically recognised by the webserver. This site uses cookies to keep track of your browser session, otherwise, it does not collect any personal information about you except that required for system administration of the website. Cookies are pieces of data created when you visit a site, and contain a unique, anonymous number. They are stored in the cookie directory of your hard drive, and do not expire at the end of your session

Cookie policy

Cookies are small text files stored on your computer by your browser. They're used for many things, such as remembering whether you've visited the site before or to help us work out how many new website visitors we get each month. They contain information about the use of your computer but don't include personal information about you (they don't store your name, for instance).

This is standard practice for all websites and are essential in helping us deliver a high quality website experience to you. If you do not know what cookies are, or how to control or delete them, then we recommend you visit AboutCookies.org for detailed guidance.

If you are not happy for us to use cookies, then you should either not use this site, or you should delete this site's cookies after visiting it, or you should browse the site using your browser’s anonymous usage setting (called Incognito in Chrome, InPrivate for Internet Explorer, Private Browsing in Firefox and Safari etc.)

Policy Scope

This privacy statement only covers this website. Links within this site to other websites are not covered by this privacy policy.


Privacy Notice
(Why we collect your personal data and what we do with it)

Why we collect your data

When you supply your personal details to this practice they are stored and processed for four reasons (the terms in bold are those relevant terms used in the Data Protection Act 2018, which includes the General Data Protection Regulation):
1. We need to collect personal information about your health in order to provide you with the best possible treatment. You requesting treatment and our agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that we would not be able to provide treatment.
2. We have a “Legitimate Interest” in collecting that information, because without it we couldn’t do our job effectively and safely.
3. We also think that it is important that we are able to make contact with you in order to confirm your appointments with us or to update you on matters related to your medical care. This again constitutes “Legitimate Interest”.
4. Provided we have your consent, we may occasionally send you general health information in the form of articles, advice or newsletters. You may withdraw this consent at any time by unsubscribing or by getting in touch with us in a way most convenient to yourself.

We have a legal obligation to retain your medical records for 8 years after your most recent appointment (or up to the age of 25, where the records are those of a child), but after this period you can ask us to delete your records if you wish.
Your medical records are stored on paper, in locked filing cabinets, and the building is always locked and alarmed out of working hours.

Your non-medical records are stored electronically (“in the cloud”). We have taken steps to ensure that this provider is fully compliant with the General Data Protection Regulations. Access to this data is password protected, and the passwords are changed regularly.
Some non-medical data is stored on our office computers. These are password -protected, backed up regularly, and the building is locked and alarmed out of working hours.

To communicate within the practice we make use of ‘Slack’, an encrypted messaging software. Here your personal non-medical information may be communicated between reception and the relevant practitioner or teacher to facilitate your appointment or treatment. Slack are self-certified with the EU-US Privacy Shield.

What we do with your data

  • We will never share your data with anyone who does not need access without your written consent. Only the following people will have routine access to your data:
  • Your practitioner(s) in order that they can provide you with treatment;
  • Our reception staff, because they prepare our osteopath’s notes and in order to organise our practitioners’ diaries, and coordinate appointments. All reception staff have signed stringent non-disclosure agreements;
  • We use Mailchimp to coordinate our messages, so your name and email address may be saved on their server. Mailchimp is fully GDPR compliant.
  • From time to time, we may have to employ consultants to perform tasks which might give them access to your personal data (but not your medical notes). We will ensure that they are fully aware that they must treat that information as confidential, and we will ensure that they sign a non-disclosure agreement.

Your rights

  • You have the right to see what personal data of yours we hold, and you can also ask us to correct any factual errors. Contact us for a Data Subject Request Form.
  • Provided the legal minimum period has elapsed you can also ask us to erase your records. Contact us for a Data Subject Erasure Request Form.
  • Under certain conditions you have the right to restrict processing of your data
  • You have the right to have your data transferred to other organisations including but not limited to osteopaths, medical consultants, physiotherapists and insurance companies.

We want you to be absolutely confident that we are treating your personal data responsibly, and that we are doing everything we can to make sure that the only people who can access that data have a genuine need to do so.
Of course, if you feel that we are mishandling your personal data in some way, you have the right to complain. Complaints need to be sent to what is referred to as the “Data Controller”. Here are the details you need for that:
Joanna Mitchell
email: jo@thesunflowercentre.co.uk
telephone: 020 8694 2714
address: 81 Tressillian Road, Brockley, London SE4 1XZ

If you are not satisfied with our response, then you have the right to raise the matter with the Information Commissioner’s Office. Address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF Telephone: 0303 123 1113 Email/Website: https://ico.org.uk

To view this Privacy Notice as a pdf, please click here.