
Data protection

When patients give you their personal information, they expect you to keep it securely and use it appropriately. The Information Commissioner’s Office (ICO) is the body that ensures compliance with the Data Protection Act in the UK.

The Information Commissioner

The ICO’s role includes registering people and organisations that process personal data, acting to improve their behaviour, and handling concerns about data management.

It has the power to issue fines of up to £500,000 for breaches of data security. The ICO provides advice and guidance to help organisations and people who run their own businesses, such as osteopathic practices, to comply with data protection requirements.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and meant some changes to previous requirements. For more information, visit the ICO website.

Data controllers

People and organisations who process personal information are data controllers and must register with the Information Commissioner’s Office, so you need to establish who the data controller is for your patient records.

To find out whether you are a data controller and how to register, see https://ico.org.uk/for-organisations.

Retention of patient records

Osteopathic Practice Standard D5 (3) says that you should keep patient records:

  • for a minimum of eight years after their last consultation;
  • if the patient is a child, until their 25th birthday.

Further guidance

The ICO also provides guidance on:

Further information about data protection

For more information about complying with data protection law, visit the Information Commissioner’s Office (ICO) website or phone the ICO helpline on 0303 123 1113 or 01625 545745.