Privacy Statement

Privacy Notice for Patients
Data Collection + Processing

IONA Physiotherapy aims to ensure the highest standard of care for our patients. We understand that our Practice must be governed by an ethic of privacy and confidentiality. How we deal with your information is consistent with the privacy principles of the General Data Protection Regulation (GDPR). Patient consent is a key factor in dealing with patient health information. This notice is about making consent meaningful by informing you of our policies and practices for dealing with your personal information.

1. How your information will be used
In order to provide for your care here we need to collect and keep information about you and your health on our records. IONA Physiotherapy collects and processes this personal and sensitive, data on the legal basis of your explicit consent, and in order to form an opinion about and to provide treatment for your presenting health condition. Your personal data will not be used for any other purpose. We will only ask for and keep information that is necessary and keep it as accurate and up-to-date as possible. We will explain the need for any information we ask for if you are not sure why it is needed.

We ask you to inform us about any relevant changes that we should know about, such as any new medical history, treatment or change of contact details.

Your data will be processed in a fair manner. All persons in the practice (not already covered by a professional confidentiality code) sign a confidentiality agreement that explicitly makes clear their duties in relation to handling personal health information and the consequences of breaching that duty. Practice staff may have access to your records for:
• Typing referral letters to GPs, Hospital consultants etc.
• Opening letters or encrypted emails from GPs, consultants or insurance referrals. These letters may be appended to your paper record or scanned into your electronic record.
• Scanning clinical letters, reports and any other documents not available in electronic format.
• Photocopying or printing documents for referral.
• Handling, printing, photocopying and mailing or emailing medico-legal, health insurance reports etc. and associated documents.
Externally, our answering service, Kendlebell ltd. have access to our electronic database in order to make and change appointments. Their database access is limited to demographic data only i.e. name, phone number, address and email address. They do not have access to sensitive (healthcare) data.
Our clinic website makes use of Google Analytics and uses standard ‘cookies’ to collect information about users. Google Analytics is a tool that helps us measure how web users interact with our website content. As a user navigates between web pages, Google Analytics provides us with JavaScript tags (libraries) to record information about the page a user has seen, for example the URL of the page. The Google Analytics JavaScript libraries use HTTP Cookies to ‘remember’ what a user has done on previous pages / interactions with the website. More information about how cookies are used is available at

2. Disclosure of information to others
Access to patient records is regulated to ensure that they are used only to the extent that enables the practice staff to perform their tasks for the proper functioning of the Practice. In this regard, we may need to pass some of your information to other health and social care professionals in order to provide you with the treatment and services you need. Only the relevant part of your record will be released. These other professionals are also legally bound to treat your information with the same duty of care and confidentiality that we do.

Your personal data may be shared with the person who referred you for physiotherapy, with your family doctor (GP), with a medical consultant or other specialist practitioners. Other examples of people with whom your data may be shared, subject to your prior agreement, include your Legal Advisors, employers, Insurers, team/club medical staff+ management in order to facilitate your return to normal activities. Your Data will not be shared with any other third party outside of the Clinic without getting you permission to do so.

3. How your data will be stored
We will retain your information securely. Your data will be retained by IONA Physiotherapy for a period of 7 years after your last attendance. In the case of children, records are maintained for 7 years beyond maturity, so potentially up to the age of 25 years. Your data will be stored securely and protected during this time as set out in our Data Protection Policy which is available to you if you wish to have it.

Your data will at no time be transferred outside the EU. We utilise a web (cloud) based patient / clinic management systems, hosted by PPS Rushcliff Ltd. PPS Rushcliff holds this data in secure UK data centres managed by iomart. This supplier is ISO 27001 certified and employs an array of methods to ensure that your data is kept safe and secure.

Your data will not be subjected to automated processing by this clinic. The use of text reminders for appointments will be undertaken only for those who have explicitly consented to this.

4. Your Personal Data Rights
Under the General Data Protection Regulation (GDPR) and The Data Protection Act (DPA), you have a number of rights in relation to your personal data held by this clinic. These include
a. the right to request from us access to and rectification or erasure of your personal data,
b. the right to restrict processing, object to processing as well as in certain circumstances the right to data portability,
c. The right to withdraw your consent for the processing of your data (in certain circumstances) at any time which will not affect the lawfulness of the processing before your consent was withdrawn,
d. The right to lodge a complaint to the Data Commissioners Office if you believe that we have not complied with the requirements of the GDPR or DPA with regard to your personal data.

The Data Controllers for IONA Physiotherapy are the Practice Principals; Ciara Shields and Louise Keating. All other physiotherapy and administrative staff are Data Processors.

If you have any concerns as to how your data is processed you can contact: Practice Principal / Data Protection Officer, Ciara Shields MISCP. Tel: 01 797 9545 Email: [email protected]