Privacy Notice

About this notice

This notice explains how I collect, use, store, share and protect the personal and clinical information you give me, and what your rights are under UK data protection law (the UK GDPR and the Data (Use and Access) Act 2025). I am committed to handling your information carefully and only using it for the purposes set out below. I will never sell your data or pass it to data brokers.

Who is responsible

Ben Katz Osteopathy is a sole practice. I, Ben Katz, am the data controller for your information and also act as the practice’s Data Protection Lead. You can reach me using the contact details at the foot of this notice.

What information I collect and why

Personal information

When you book or enquire about an appointment, I collect basic personal details such as your name, date of birth, address, email address and phone number. I use these to identify you, to respond to your enquiries, to remind you about your appointments and to send you information about your treatment and care.

I may also keep brief records of our correspondence and phone calls where it is relevant to your care or to running the practice.

Information about your health

When you attend an appointment I will ask you about the reasons you are seeking osteopathic treatment and care, as well as general information about your health and aspects of your lifestyle that are relevant to your wellbeing. This information is necessary for me to provide safe, effective, appropriate treatment, advice and care. As a regulated healthcare professional, I am required to create and keep accurate clinical records of your care. Before your first appointment I will ask you to confirm in writing that you have read this notice and understand how your personal data and health information will be created, stored and processed for the purposes of your care. Health information is a special category of personal data and I treat it with the additional care that the law requires.

Website usage and cookies

My website, thelondonosteopath.com, is hosted by Cloudflare and uses a small number of strictly necessary cookies set by Cloudflare to keep the site secure and working properly. These do not identify you and are not used for analytics or marketing.

I also use Google Analytics to understand how people find and use the site, so I can improve it. Google Analytics only loads if you accept analytics cookies on the banner you see on your first visit; if you decline, no analytics cookies are set and no usage data is sent to Google. You can change your choice at any time — if you previously accepted, you can withdraw your consent here.

Online complaints form draft

If you start filling in the online complaints form, your draft is saved automatically in your browser’s local storage on the device you are using, so you can return to it later without losing your progress. Nothing is sent to me until you save or print the completed form yourself; the draft stays on your device only, and you can remove it at any time using the “Clear draft” button on the form.

The lawful bases I rely on

UK data protection law requires me to identify a lawful basis for each way I use your information, and an additional condition for using health information. The bases I rely on are:

• Providing your osteopathic care — performance of the treatment contract between us (UK GDPR Article 6(1)(b)). For health information, the condition is the provision of health care by a regulated health professional (Article 9(2)(h)), which carries an obligation of professional secrecy.
• Appointment communications (booking confirmations, reminders, intake-form prompts, cancellation and rescheduling messages) — performance of the contract (Article 6(1)(b)) and my legitimate interests in running the practice efficiently (Article 6(1)(f)).
• Keeping clinical and business records — compliance with legal and regulatory obligations (Article 6(1)(c)) and the provision of health care (Article 9(2)(h)). This includes record-keeping standards set by the General Osteopathic Council, my insurer, and HMRC.
• Handling complaints — my legitimate interests in resolving concerns fairly (Article 6(1)(f)), and for any health information involved, the establishment, exercise or defence of legal claims (Article 9(2)(f)).
• Optional communications you have asked for — your consent (Article 6(1)(a)). See Optional communications and marketing below.
• Website analytics — your consent (Article 6(1)(a)), given through the cookie banner.

Who I share your information with

I only share your information with others where I need to in order to provide your care, run the practice, meet a legal obligation, or respond to a complaint. I apply the principle of data minimisation — I share only what the matter requires.

Service providers acting on my behalf

A small number of trusted service providers process information on my behalf, under written data-processing agreements that require them to keep your information confidential and secure:

• Cliniko — my practice management system. Your patient record, clinical notes, appointment history, intake forms and invoices are held in Cliniko.
• Google Workspace (Gmail, Google Drive, Google Sheets, Google Calendar, Google Apps Script and Gemini) — the practice email account, the diary, and the systems that send your appointment confirmations and reminders and keep an internal log of those messages for reliability and audit purposes. Gemini is Google’s generative AI assistant, which is available within Google Workspace. Under the Workspace data-processing terms, the content of your information is not used to train Google’s AI models.
• Cloudflare — hosts and protects the practice website.

These providers act only on my instructions and cannot use your information for their own purposes.

Other healthcare professionals

As part of my obligations as a primary healthcare practitioner, there may be circumstances where I need to share information with other healthcare professionals or organisations involved in your care — for example your GP, a consultant, a surgeon, or a medical insurance company funding your treatment. This may include information about your health, such as details of your treatment, ongoing care or working diagnosis. I will always consult you first, unless I am under a legal obligation to comply.

My professional indemnity insurer

I hold professional indemnity insurance through the Institute of Osteopathy. If you raise a concern or complaint, I may seek their advice on how best to handle it. Any information I share with them for this purpose is limited to what is necessary to take that advice, is treated in confidence, and is processed on the basis of my legitimate interests in responding to your complaint properly (and, where health information is involved, for the establishment, exercise or defence of legal claims under Article 9(2)(f)).

Regulators, legal and safeguarding disclosures

I may also disclose information where I am required to do so by law, by a court order, or by a regulator such as the General Osteopathic Council, or where I have a serious concern for the safety of you or another person. Where this happens I will tell you, unless doing so would itself be unlawful or unsafe.

Where your information is stored

Your information is held within the secure systems of the service providers listed above. Cliniko stores my practice’s data on its Australian server infrastructure; Google Workspace and Cloudflare may also store or process information outside the UK. Where any of these transfers takes place, it is protected by the safeguards required under UK data protection law (such as the UK’s International Data Transfer Addendum or the equivalent Standard Contractual Clauses), which are incorporated in each provider’s written data-processing terms with me.

How long I keep your information

Your clinical records are an important part of your personal health history, and previous diagnoses, treatment responses and contraindications can be directly relevant to safe and effective care if you return to me at any point in the future. For that reason, I keep clinical records indefinitely.

You can ask me to delete your records at any time (see Your rights below). I am, however, required by law to retain your records for a minimum of eight years after you cease to be a patient or, for children, until the child has reached the age of 25; within that period I cannot agree to delete them.

Other records held for the running of the practice — for example the internal log used by the appointment-reminder system, bounce-matching information, and short-lived tokens used for secure links — are kept only as long as they are needed (typically between 30 days and a year) and pruned automatically. Complaints records are retained alongside the clinical record they relate to.

Optional communications and marketing

From time to time I may offer optional communications such as a newsletter, general health information, a reminder after a course of treatment ends that it may be time to think about rebooking, an invitation to leave a review, or an automated invoice for each appointment. Each of these is treated separately, and each will only ever be sent to patients who have specifically asked to receive it. You can withdraw your agreement to any of them at any time by contacting me, and you can object to direct marketing at any time without giving a reason.

Your rights

For as long as I hold or process your personal information, you have the following rights under UK data protection law:

• Right of access — you can ask for a copy of the information I hold about you.
• Right of rectification — you can ask me to correct information that is inaccurate or incomplete.
• Right to erasure — in certain circumstances you can ask me to delete information I hold about you.
• Right to restriction of processing — where certain conditions apply, you can ask me to limit how I use your information.
• Right of portability — you can ask me to transfer the information I hold about you to another organisation.
• Right to object — you can object to certain types of processing, including direct marketing.
• Right to object to automated decision-making — you have the right not to be subject to decisions based solely on automated processing that have a significant effect on you. I do not make any such decisions about you.
• Right to withdraw consent — where I rely on your consent (for example for analytics cookies or optional communications), you can withdraw it at any time.

Exercising your rights

To exercise any of these rights, please contact me using the details below.

To protect your privacy I will need to be reasonably satisfied of your identity before I release any information. For an active patient that will usually mean speaking to you on the phone or in person at the clinic, or confirming details only you would know against your record; in other cases I may ask for a proportionate form of ID. I will only ask for what I need to be confident I am dealing with the right person.

After the period during which I am legally required to keep your records has ended, you may ask me to delete them. If I refuse a request — for example because I have to keep certain information to meet an ongoing legal or regulatory obligation — I will explain why and tell you how you can challenge that decision.

Contact me

Ben Katz, Data Protection Lead, Ben Katz Osteopathy

Email: [email protected]

Telephone: 07816 848 044

Concerns or complaints about your data

If you are unhappy with how I have handled your personal information, please tell me first — I will look into it under my complaints procedure and respond without undue delay, and always within 30 days. If you are not satisfied with my response, you can complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113 · Website: www.ico.org.uk

The ICO normally expects you to raise your complaint with me first, and to give me the chance to respond, before it will consider the matter.

Changes to this notice

I review this notice at least once a year, and update it whenever I introduce a new service, automated communication or system that changes how your information is handled. The version, effective date and review dates below tell you which version you are reading.