Staunton’s Holistic Healthcare
Acupuncture Council of Ireland, National Reflexology Register of Ireland
2nd Floor, Chapel Lane, Naas, Co. Kildare.
The General Data Protection Regulation (GDPR) sets strict new standards for the collection and protection of data: that is, any information which can lead to the identification of a person (called a ‘data subject’ in the legislation). This is particularly important since we now live in a digitalised world where much information is transmitted and stored electronically. Some of that data is classified as sensitive or special category data. Data relating to health, a medical history or medical records is now categorised as sensitive. Since I am a sole practitioner of Chinese medicine and I collect and collate personal and medical information for the purposes of effective treatment with acupuncture and Chinese herbal medicine, for the purposes of the legislation I am now a ‘data controller’. Therefore I need to tell you why and how I collect and protect any information relating to you as a patient and/or prospective patient.
The GDPR requires clarity about the legal basis for collecting data:
1. I need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and my agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that I would not be able to provide treatment.
2. I have a “legitimate interest” in collecting that information, because without it I couldn’t do my job effectively and safely.
3. I also think that it is important that I can contact you in order to confirm your appointments with me or to update you on matters related to your medical care. This again constitutes “legitimate interest”, but this time it is your legitimate interest.
To whose information does this privacy notice apply?
This privacy notice applies to information we collect from:
• prospective patients
• former patients
• visitors to our website
How do I process your personal data?
I comply with my obligation under the GDPR by keeping personal data up to date; by storing and
destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data
from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures
are in place to protect personal data. I use your personal data for the purposes set out below.
Sections 1 – 18 apply to my patients, prospective patients and former patients.
1. I am required by my professional associations to ask for your name and address. I use your mobile
telephone number and email address so that I can respond to any queries and make and rearrange
appointments. Where a query is submitted to me, I only use
the information given to deal with the query.
2. I use your date of birth to help identify patients with the same name. This is to avoid mistakes being
made as to safe and appropriate treatment, for identification purposes if referring a patient to
another health practitioner and for identification purposes if writing to a registered medical
practitioner so that they correctly identify the patient.
3. I record your presenting complaint and any symptoms reported by you for the purposes of making a
full traditional diagnosis, formulating treatment strategy and treatment planning with acupuncture, reflexology
and/or Chinese herbal medicine. This case history is taken on a face-to-face basis, recorded in hard
copy and kept as a patient file in a locked filing cabinet. I am the sole holder of the key and only I
4. I use any relevant medical and family history you have told me for making a full traditional diagnosis,
formulating treatment strategy and treatment planning. Any information sent digitally is printed out, and the printed copy is kept in your patient file in a locked filing cabinet.
5. I ask for your GP’s name and address in the event that I need to contact your GP in the event of an
6. I use my clinical findings about your health and wellbeing for making a full traditional diagnosis and
formulating treatment strategy and treatment planning with acupuncture, reflexology and/or Chinese herbal
7. I keep a record of and refer to that record of any treatment(s) and herbal prescriptions given and
details of progress of your case, including reviews of treatment planning to enable me to: review the
full traditional diagnosis, treatment strategy and planning so as to make sure your treatment is
8. I record and use any information and advice that I have given, especially when referring patients to
any other health professional so as to help you to receive the most appropriate treatment.
9. I record any decisions made in conjunction with you to help you to receive the most appropriate
10. In the event of a possible adverse incident occurring to any of my patients, I am required to report
the matter to my professional registrar, the Acupuncture Council of Ireland or the National Reflexology Register of Ireland.
11. Where relevant I maintain records of the patient’s consent to treatment, or the consent of their next-
of-kin in order to be able to prove that the patient (and/or parent/guardian/next of kin) has given
informed consent to treatment.
12. When someone visits my website, www.stauntonsholistic.ie, I may use a third party service,
Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.
I do this to establish such things as the number of visitors to the various parts of the site. This
information is processed in a way which does not identify any individual. I do not make, and do not
allow Google to make, any attempt to find out the identities of those visiting my website.
14. There is a contact facility on my website. Email addresses are automatically deleted after the contact
facility has been used.
15. I use website cookies.
16. I use Cetacea Creative to help maintain the security and performance of my website.
17. I use a third party service to host my website. This site is hosted by A2 Hosting who store all of their EU customers’ data within the EU.
18. My mobile phone and laptop are password protected and encrypted so that any information kept on
them is secure.
Sharing your personal data
Your personal data will be treated as strictly confidential and will be shared:
• with named third parties only with your explicit consent;
• with a relevant authority if necessary, keeping you informed of the process.
How long do I keep your personal data?
I have a legal obligation to retain your records for 7 years after your most recent appointment, but after this period you can ask me to delete your records if you wish. At any time you may request that changes are made to your contact details.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have certain rights with respect to your personal data
as set out below.
• The right to request a copy of your personal data which I hold about you.
• The right to request that I correct any personal data if it is found to be inaccurate or out of date.
• The right to request your personal data is erased where it is no longer necessary for me to retain such
• The right to withdraw your consent to the processing at any time. This right does not apply where I
am processing information using a lawful purpose other than consent.
• The right to be informed if your data is lost. In this event I shall also inform the relevant authorities in
accordance with the time limits of the GDPR.
• The right to lodge a complaint.