Data Protection Policy

Privacy Notice for Patients – Children & Adults


How we use your personal information


General Data Protection Regulations are changing from 25th May 2018. We have always been fully compliant with the legal requirements of the Data Protection laws in the UK and we are fully compliant with the new regulations. We will continue to process your information in a lawful and transparent manner. 


The health care professionals who provide your care maintain records about your health and any treatment or care you have received here or previously. These records help provide you with the best possible health care. Our records are electronic and on paper and we use a combination of working practices and technology to ensure your information is kept confidential and secure. Records which this clinic holds about you may include the following information:

  • Details about you, such as your address, contact details, previous medical history and previous investigations
  • Any contact the clinic has had with you, such as appointments, clinic visits, advice given over the phone or email, emergency appointments etc.
  • Notes about your and/or your child’s health
  • Details about your and/or your child’s treatment and care
  • Relevant information from other health care professionals

Information may be used within the clinic for clinical audit purposes to monitor the quality of the services we provide. All of your information is held securely on our premises and may be used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested for research purposes – in such instances we will always ask your consent before releasing such information.


How do we maintain the confidentiality of your records


We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Rules 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • General Chiropractic Council Code of Conduct

Every member of staff who works at The Whitchurch Clinic has a legal obligation to keep information about you confidential. We have put in place measures to protect the security of your information against accidental loss or disclosure, alteration, unauthorised access, destruction or abuse. We have implemented processes to guard against such. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

How do we store your information?


Your records are initially stored on paper, in locked filing cabinets, and then transferred to electronic format (“in the cloud”), using a specialist medical records service 'Cliniko'. This provider has given us their assurances that they are fully compliant with the General Data Protection Regulations. Access to this data is password protected, and the passwords are changed regularly on our office computers. These are password-protected, backed up regularly, and the office(s) are locked and alarmed out of working hours.


We will never share your data with anyone who does not need access without your written consent. Only the following people/agencies will have routine access to your data:

  • Your practitioner(s) in order that they can provide you with treatment
  • Our reception staff, because they organise our practitioners’ diaries, and coordinate appointments and reminders (but they do not have access to your medical history or sensitive personal information)

We also use Mailchimp to coordinate our email messages so your name and email address may be saved on their server. Click to see their privacy policy and terms of use policy.


In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. 


Care Response


We use ‘Care Response’ to collect patient data. It is a system created to help practices gather and report clinical outcome and patient satisfaction information. Care Response is owned and operated by Clinical Transparency Ltd, and is registered in the UK. They have confirmed they are GDPR compliant.


Patients can opt in or out of using Care Response through the initial email sent before they click through to the initial form, or upon arrival at the clinic. Consent can be withdrawn at any time; please just notify our reception staff, or contact the Data Controller (Andrea Howell).



At the clinic we have two cameras, one covering the front door and another on the reception area. These cameras record traffic through the clinic and ensure security. Videos are stored on a password-protected computer, and when they are no longer required they are deleted. Videos are kept for a maximum of 1 month.

Who do we share your information with?

We only ever pass on information about you to others, if there is a genuine need for it and you have given your consent. This may be your GP, private consultants or imaging facilities, dentist or other health care professionals, a solicitor or for court proceedings.

We will not disclose any information about you to any third party without your written permission or, in the case of a child’s information, parental consent, unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and/or in accordance with the Caldicott principles.

From time to time, we may have to employ consultants to perform tasks which might give them access to your personal data (but not your medical notes). We will ensure that they are fully aware that they must treat that information as confidential, and we will ensure that they sign a non-disclosure agreement.


Access to your personal information


You have a right under the General Data Protection Rules 2018 to request access to view or obtain copies of what information The Whitchurch Clinic holds about you and to have it amended should it be inaccurate. In order to request this you need to do the following:

  • Your request must be made in writing to the clinic.
  • We are required to respond to you within 30 days.
  • You will need to give us proof of name (Photo ID) so that your identity can be verified.


How long we keep your data for


In line with data protection principles, we only keep your data for as long as we need it. We have a legal obligation to retain your records for 8 years after your most recent appointment (or age 25, if this is longer), but after this period you can ask us to delete your records if you wish. Otherwise, we will retain your records indefinitely in order that we can provide you with the best possible care should you need to see us at some future date. Once we no longer have a lawful use for retaining your information, we will dispose of it in a secure manner that maintains data security.


Right to withdraw consent


Where you have provided consent to the collection, processing and transfer of your data, you have the right to withdraw that consent at any time. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate legal reason for doing so. For example, the General Chiropractic Council rules oblige us to keep your data for 8 years. To withdraw consent, contact Andrea Howell.




We hope you never need to, but should you have any concerns about how your information is managed at the clinic, please contact the Clinic Managers (Mrs Susan Pahl & Alison Sparey) in the first instance. If you are still unhappy following a review by Clinic Owner Andrea Howell, you can then complain to the Information Commissioner’s Office via their website (


Change of details


It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as date of birth, are incorrect, so that we can correct them.



Website Privacy Policy


There are links to our cookie and website privacy policy in the footer of our website



Notification & Data Controller


Andrea Howell is registered with the Information Commissioner’s Office as the Data Controller for The Whitchurch Clinic.