Suttonwoods Chiropractic Privacy Statement

One of the biggest changes to UK data privacy law came into effect on the 25th May 2018, replacing the current data protection laws.

The General Data Protection Regulation, or GDPR for short, is a really positive step towards you having more control over how your data is used and how you are contacted. The changes will also help to better protect your personal data.


We want you to be confident that we are treating your personal data responsibly, and that we are doing everything we can to ensure that the only people who can access that data have a genuine need to do so. 


Our privacy statement (or - why we collect your personal data and what we do with it)


When you supply your personal details to this clinic they are stored and processed for 4 reasons (highlighted in bold are the relevant terms used in the Data Protection Act 2018, which includes the General Data Protection Regulation – i.e. the law).

1. We need to collect personal information about your health to provide you with the best possible treatment. Your requesting treatment and our agreement to provide that care constitute a contract. You can, of course, refuse to provide the information, but if you were to do that we would not be able to provide treatment.

2. We have a 'Legitimate Interest' in collecting that information, because without it we cannot do our job effectively and safely. 

3. We also think that it is important that we can contact you in order to confirm your appointments with us or to update you on matters related to your medical care. This again constitutes 'Legitimate Interest', but this time it is your legitimate interest.

4. Provided we have your consent, we may occasionally send you general health information in the form of articles, advice or newsletters. You may withdraw this consent at any time.


We may disclose information about you for the following purposes:

  • To the extent that we are required to do so by law

  • In connection with any legal/regulatory proceedings or prospective legal/regulatory proceedings

  • For insurance purposes

  • In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk)


Retaining Your Personal Data

Whilst you are receiving treatment from the clinic we will continue to store and use your personal data. Your records are paper-based and stored in a locked filing cabinet within the offices, which are locked out of working hours. Once you have been discharged, we have a legal obligation to retain your records for a minimum of 8 years after your most recent appointment (or until you are aged 25, if this is longer).


Appointment booking and reminders


When you book an appointment online or over the phone we will store your name, email address, telephone number, date of birth, address, appointment information and any information you have supplied in the notes section of the booking form. This information is used to ensure we can provide you with your appointment(s), contact you if necessary, and enable us to fulfill our contract with you to provide the services we offer.


Your Rights


As we process your personal data, you have certain rights.  These are a right of access, a right of rectification, a right of erasure and a right to restrict processing.  


You may request a copy of your data at any time.  Please make such a request in writing or by email to the Data Controller (details below).


Data Controller: Sarah Sharp


Tel: 07908 482182


3 Rookery Road, Wyboston

Bedfordshire MK44 3AX


Please provide the following information: your name, address, telephone number, email address and details of the information you require. We will need to verify your identity, so we may ask for a copy of your passport, driving licence and/or recent utility bill.


If you believe any of the personal data we hold on you is inaccurate or incomplete, please contact the clinic directly and any necessary corrections to your data will be made promptly.


If you believe we should erase your data (provided the legal minimum period has elapsed), please contact the Data Controller, whose details are shown above.


If you wish us to stop storing or using your data (provided the legal minimum period has elapsed), please contact the Data Controller, whose details are shown above.


Data Breaches


Should your personal data that we control be lost, stolen or otherwise breached, where this constitutes a high risk to your rights and freedoms, we will contact you without delay.  We will give you the contact details of the Data Protection Officer who is dealing with the breach, explain to you the nature of the breach and the steps we are taking to deal with it.


Should You Wish to Complain


You can contact the ICO via their website should you wish to make a complaint about the way we are processing your personal data.


Automated Decision Making and Profiling


We do not use any system which uses automated decision making or profiling in respect of your personal data. We will never share your data with anyone who does not need access without your written consent.