Privacy policy.
This Privacy Policy explains how Reform Health Hub (referred to as "we," "us," or "our") processes and protects the personal data of our patients. We are committed to ensuring your privacy is protected and that we comply with all applicable data protection laws, including the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Irish Data Protection Act 2018.
1. Our Commitment to Your Privacy
As healthcare providers, we are bound by strict professional codes of conduct, including those of the Physiotherapists Registration Board (CORU) and the Irish Society of Chartered Physiotherapists (ISCP). Confidentiality is a fundamental part of our practice. We understand that your health information is highly sensitive, and we are dedicated to protecting it with the utmost care and security.
2. Data Controller
For the purposes of the GDPR, Reform Health Hub is the Data Controller. This means we determine the purposes and means of processing your personal data.
3. What Information We Collect
To provide you with the highest standard of physiotherapy care, we collect and process various types of personal data, including:
Personal Identification Data: Your name, address, date of birth, and contact details (phone number, email address).
Special Category Data (Health Data): This is highly sensitive information and includes:
Your medical and health history.
Details of your medication, treatments, and other health issues relevant to your care.
Notes from your consultations and treatments.
Information about your GP and other medical consultants.
X-rays, scans, and other diagnostic reports.
Administrative and Financial Data: Details regarding your health insurance, legal representatives (if applicable for a medical-legal claim), and payment information.
Technical Data: Information collected from our website, such as your IP address, browser type, and interaction with our website, primarily for security and to improve user experience. This does not contain your health data.
4. How We Collect Your Data
We collect your personal data directly from you through:
Registration forms, questionnaires, and other forms.
Consultations and appointments, both in-person and via tele-consultation.
Correspondence, including emails, letters, and telephone calls.
We may also collect your data from third parties, but only with your explicit consent or where legally required. These third parties may include your GP, medical consultants, or other healthcare professionals involved in your care.
5. The Legal Basis for Processing Your Data
Under the GDPR, we must have a legal basis to process your personal data. For the majority of your health data, the legal basis is a combination of:
For providing healthcare: Processing is necessary for the purposes of preventative or occupational medicine, for medical diagnosis, for the provision of healthcare or treatment, or for the management of health systems and services (GDPRArticle9(2)(h)). This is our primary legal basis.
For administrative and contractual purposes: Processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract (GDPRArticle6(1)(b)). This applies to data like appointment scheduling and payment processing.
Legitimate Interests: We may process some data for our legitimate business interests, such as managing our clinic, and communicating with you about your appointments (GDPRArticle6(1)(f)).
For certain types of processing, such as sending you a newsletter or marketing materials, we will rely on your explicit consent (GDPRArticle6(1)(a) and GDPRArticle9(2)(a)). You have the right to withdraw this consent at any time.
6. How We Use Your Data
We use the data we collect for the following purposes:
To provide you with safe and effective physiotherapy treatment.
To maintain accurate and up-to-date patient records.
To communicate with you about your appointments and treatment.
To correspond with other healthcare professionals (with your consent) to ensure continuity of care.
To manage the clinic's administration and financial records.
To comply with our legal and regulatory obligations, including professional standards and audits by CORU.
To improve the quality of our services and for internal clinical audits. In such cases, your data will be anonymised wherever possible.
7. Data Security and Confidentiality
We are committed to ensuring that your information is secure. We have implemented appropriate technical and organisational measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction. These measures include:
Secure, encrypted practice management software for storing digital records.
Secure storage of all paper records in a locked filing system.
Strict access controls for all staff, with access granted only on a "need-to-know" basis.
Confidentiality agreements signed by all staff members who have access to patient data.
8. Sharing Your Information
We will not share your personal information with any third party without your explicit consent, unless there is a legal or professional obligation to do so. In these rare circumstances, sharing may be necessary:
For the continuity of your care, e.g., with your GP or a medical specialist.
To comply with a legal obligation, such as a court order or a request from a regulatory body.
To protect your vital interests in an emergency where you are unable to give consent.
9. Data Retention
We will retain your personal data for no longer than is necessary for the purposes for which it was collected. For patient records, we are required to comply with the Irish Health Service Executive's (HSE) guidelines and the professional standards of our governing bodies.
Adult Patient Records: We will retain your records for a minimum of 8 years after your last attendance.
Child Patient Records: We will retain your records until you reach the age of 25 (or 26 if you were 17 at the end of treatment).
After this period, your records will be securely destroyed.
10. Your Data Protection Rights
Under GDPR, you have the following rights regarding your personal data:
The Right to Access: You have the right to request a copy of the personal data we hold about you.
The Right to Rectification: You have the right to ask us to correct any data you believe is inaccurate or incomplete.
The Right to Erasure ('Right to be Forgotten'): You have the right to request that we erase your personal data in certain circumstances. Please note that we are legally required to retain certain health records for a specific period, and therefore, this right is not absolute in a healthcare setting.
The Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
The Right to Object to Processing: You have the right to object to our processing of your personal data in certain circumstances.
The Right to Data Portability: You have the right to have the data we hold about you transferred to another organisation.
To exercise any of these rights, please contact us in writing at the details provided below. We will respond to your request within one month.
11. Complaints
If you have a concern or complaint about how we have handled your personal data, we would encourage you to contact us in the first instance. We are committed to resolving any issues you may have.
You also have the right to lodge a complaint with the Data Protection Commission (DPC), the supervisory authority for data protection in Ireland.
Data Protection Commission: 21 Fitzwilliam Square, Dublin 2, D02 Y582
Email: info@dataprotection.ie
Website: www.dataprotection.ie
12. Contact Details
If you have any questions about this privacy policy or our data practices, please contact:
Galen Carroll
g.carroll@reformhealthhub.ie
Reform Health Hub
Unit 17, Hilliard House
High Street
Killarney
V93 K0DN
This privacy policy was last updated on September 5, 2025.