Privacy Policy

At The Natural Practice your privacy is important to us. We take great care to safeguard the personal information provided by our patients and to process such data fairly and lawfully in accordance with data protection regulations and clinical confidentiality guidelines. This Privacy Policy explains details of what personal and special data (personal information) we collect from you, the lawful basis we have for processing your data, what we do with it, how secure it is and who we might share it with. In this policy ‘Personal Data’ includes any information relating to an identified or identifiable person e.g. names and addresses, dates of birth and telephone numbers and ‘Special Category’ are personal data which reveals the health status of an individual.

Why we collect information about you

At The Natural Practice we aim to provide you with the highest quality of healthcare. Our lawful basis for collecting and processing your data is that it is necessary for the provision of healthcare and that processing the data we hold is in the vital interests of our patients. In order to provide you with healthcare we must keep records about you, your health and the treatment we have provided or plan to provide to you i.e. both personal and special categories of data. The information we collect may include:

  • basic details about you such as your name, address and date of birth
  • contact we have had with you such as consultations
  • notes and reports about your health that you have given to us or have given us express permission to get from a third party
  • details and records about your treatment and care
  • results of any tests e.g. blood test results
How your records are used

Our practitioners use your records to:

  • provide a good basis for all health decisions made in consultation with you
  • deliver appropriate health care
  • contact you from time-to-time with other information about the practice and with the practice newsletter

At The Natural Practice we maintain our duty of confidentiality to you at all times. We will not disclosure your personal information to a third party without your consent, other than when it is required to deliver the service we provide e.g. if you pay your account using a debit or credit card your details will be shared with the card payment company. Your details will never be shared with another company for marketing purposes. The practice will only disclose your personal information to a third party without your consent when it is required to do so by law e.g. under a court order or if it is justified in the public interest.

Security of your personal information

We take the security of your personal information very seriously and have taken appropriate measures to prevent unauthorised access or information being lost, damaged or destroyed.

In order to support the delivery of our service we may, on occasion, use third party companies e.g. to manage our healthcare software, to process payments and for the confidential destruction of patient records. In every instance these companies are contractually obliged to be operating within General Data Protection Regulations (GDPR) guidelines.

We use E-clinic to store our patient records electronically which has the highest security rating of any healthcare software provider. Its data centres are based in the UK and are ISO 27001 compliant and Tier 3 secured. Data is encrypted at approximately double the encryption rate of most connections and, in addition, all data is securely backed up.

Personal information which is held in paper files is stored securely at the practice, which is fully alarmed when not in use.

All of our staff receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

In the unlikely event of a data breach involving your personal information and affecting your privacy rights, a report will be made to the Information Commissioner’s Office (ICO) within 72 hours.

Online security and use of cookies

The Natural Practice does not capture and store any personal information about individuals who access its website, except when personal details are given voluntarily either via email or using an online form. Any information provided in this way is used exclusively by the practice to provide you with information about our services. Personal information will never be disclosed to a third party for marketing purposes.

It is not possible to guarantee the security of personal information transmitted over the internet and any information submitted on our website or by email is at your own risk. By submitting information to us in this way, you agree to its transfer, processing or being stored. Any information received in this way will be treated securely and in line with this policy.

When you enter the practice website your computer will automatically be issued with a cookie. Cookies in themselves do not identify the individual user, just the computer being used. Many websites use cookies whenever a user visits them in order to track traffic flows. Cookies from the practice website will no longer be stored on your computer once your browser is closed. 

The cookies on The Natural Practice website are only used to identify your computer to our server in order to do the following:

  • monitor which areas of the site you use during your visit so that we can assess which areas of the site are of most interest and plan future development accordingly
  • provide online services which provide information to be passed from page to page during the course of their execution

You are able to set your computer to notify you when a cookie is issued or to not receive cookies at any time. If you decide to not receive cookies it means that certain personalised services cannot be provided to you.

By using The Natural Practice website you consent to our use of cookies.

Transferring personal information to a country outside the EU

On very rare occasions the practice may wish to transfer a patient’s personal information to a country outside of the European Union (EU). GDPR allow personal information to be transferred to countries with what the European Commission has determined to be ‘adequate’ levels of data protection. Transfers may also be allowed to non-EU countries which are not considered to offer adequate levels of data protection under certain circumstances. Should there be a need to transfer patient information to such a country, the Practice Manager will investigate whether or not it is in fact possible to make the transfer on a case-by-case basis. If it is deemed that the transfer is allowable, personal information will only be sent with the express consent of the patient.

Your rights

You have a right under GDPR to view information the practice holds about you, to have that information amended should it be inaccurate or to have it erased. In general, if you would like to see your information, request any changes or have your record erased then you should contact the Practice Manager in writing. You will receive a written reply within one month. It may be possible, however, to make some simple changes e.g. correcting a telephone number, by contacting a member of the reception team. If you are not sure who to contact, the Practice Manager will be happy to guide you to the correct person. Other than for simple changes you may be required to provide appropriate evidence of your identity (for this purpose we will normally accept sight of your original passport, or a copy certified by a solicitor, plus an original copy of a utility bill dated within the last 3 months showing your current address).

There may be exceptions to your right to view your record or have it amended or deleted e.g. if you request a copy of your medical record and a practitioner believes that it contains information that, if released, might cause serious harm to your physical or mental health, or to that of any other person, this information may be redacted. In addition, any information from, or identifying, a third party will be removed unless consent has been received from the third party that it can be included. Medical records are also required by law and practice policy to be kept for a minimum period of time and cannot be deleted before this. You do, however, have the right to opt out of receiving any contact from the practice at any time. Furthermore, if you request an alteration to your record but your practitioner believes that it represents a fair account of your diagnosis and treatment, then the practitioner is not obliged to alter your record in any way.

If you are unhappy about the way in which your data are being handled by the practice you have the right to complain to the ICO.


If you have any queries about this policy please contact the Practice Manager who will be happy to help.

Data Controller

For the purposes of GDPR the data controller is The Natural Practice with registered address at Bradford House, 106 Stockbridge Road, Winchester, Hampshire, SO22 6RL.