Privacy notice

Celine Leonard Ph.D, Lic.Ac.

British Acupuncture Council, Register of Chinese Herbal Medicine, Irish Register of Chinese Herbal Medicine

33 Lower Pembroke Street, Dublin 2.

Tel: 01 6114819


The General Data Protection Regulation (GDPR) sets strict new standards for the collection and protection of data – that is any information which can lead to the identification of a person (called a ‘data subject’ in the legislation).  This is particularly important since we now live in a digitalised world where much information is transmitted and stored electronically.

Some of that data is classified as sensitive or special category data. Such data as that relating to health, a medical history or medical records is now categorised as sensitive.   Since I am a sole practitioner of chinese medicine and I collect and collate personal and medical information for the purposes of effective treatment with acupuncture and chinese herbal medicine, for the purposes of the legislation I am now a ‘data controller’.  Therefore I need to tell you why and how I collect and protect any information relating to you as a patient and/or prospective patient.

The GDPR requires clarity about the legal basis for collecting data:

  1. I need to collect personal information about your health in order to provide you with the best possible treatment. Your requesting treatment and my agreement to provide that care constitutes a contract. You can, of course, refuse to provide the information, but if you were to do that I would not be able to provide treatment.
  2. I have a “legitimate interest” in collecting that information, because without it I couldn’t do my job effectively and safely.
  3. I also think that it is important that I can contact you in order to confirm your appointments with me or to update you on matters related to your medical care. This again constitutes “legitimate interest”, but this time it is your legitimate interest.

To whose information does this privacy notice apply?

This privacy notice applies to information we collect from:

  • patients
  • prospective patients
  • former patients
  • visitors to our website

How do I process your personal data? 

I comply with my obligation under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. I use your personal data for the purposes set out below. 

Sections 1 – 18 apply to my patients, prospective patients, former patients

  1. I am required by my professional associations to ask for your name and address. I use your mobile telephone number and email address so that I can respond to any queries and make and rearrange appointments. I also use email addresses to send out prescriptions and to assess response to those herbal prescriptions between appointments. Where a query submitted to me, I only use the information given to deal with the query.
  2. I use your date of birth to help identify patients with the same name. This is to avoid mistakes being made as to safe and appropriate treatment, for identification purposes if referring a patient to another health practitioner and for identification purposes if writing to a registered medical practitioner so that they correctly identify the patient.
  3. I record your presenting complaint and any symptoms reported by you for the purposes of making a full traditional diagnosis, formulating treatment strategy and treatment planning with acupuncture and/or chinese herbal medicine. This case history is done on a face to face basis, recorded in hard copy and kept as a patient file in a locked filing cabinet.
  4. I use any relevant medical and family history you have told me for making a full traditional diagnosis, formulating treatment strategy and treatment planning.  Any information sent digitally is printed out, the email deleted and the printed copy kept in your patient file in a locked filing cabinet.
  5. I keep a digital copy of prescriptions so that I can adapt them quickly and send out modified prescriptions as needed. These digital copies are kept on an password protected and/or encrypted digital device.
  6. I ask for your GP’s name and address in the event that I need to contact your GP in the event of an emergency and because it is a mandatory requirement in the British Acupuncture Code of Professional Conduct.
  7. I use my clinical findings about your health and wellbeing for making a full traditional diagnosis and formulating treatment strategy and treatment planning with acupuncture and/or Chinese herbal medicine.
  8. I keep a record of and refer to that record of any treatment(s) and herbal prescriptions given and details of progress of your case, including reviews of treatment planning to enable me to: review the full traditional diagnosis, treatment strategy and planning so as to make sure your treatment is optimised.  This is also required by my professional associations
  9. I record and use any information and advice that I have given, especially when referring patients to any other health professional so as to help you to receive the most appropriate treatment. I am also required to do so by my professional associations
  10. I record any decisions made in conjunction with you to help you to receive the most appropriate treatment. I am required to do so by my professional associations
  11. In the event of a possible adverse incident occurring to any of my patients I am required to report the matter to the British Acupuncture Council or to the Register of Chinese Herbal Medicine
  12. Where relevant I maintain records of the patient’s consent to treatment, or the consent of their next-of-kin in order to be able to prove that the patient (and/or parent/guardian/next of kin) has given informed consent to treatment.
  13. When someone visits my website,, I may use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. I do this to establish such things such as the number of visitors to the various parts of the site. This information is processed in a way which does not identify any individual. I do not make, and do not allow Google to make, any attempt to find out the identities of those visiting my website.
  1. There is a contact facility on my website. Email addresses are automatically deleted after the contact facility has been used.
  2. I use website cookies to improve user experience of my website by enabling the website to ‘remember’ users, either for the duration of their visit – using a ‘session cookie’ – or for repeat visits – using a ‘persistent cookie’.
  3. I use JET Design to help maintain the security and performance of my website.
  4. I use a third party service to host my website. This site is hosted at Register 365, which is run by Namesco Ireland.
  5. My mobile phone, iPad and Laptop are password protected and encrypted so that any information kept on them is secure.

Sharing your personal data 

Your personal data will be treated as strictly confidential and will be shared:

  • with named third parties only with your explicit consent;
  • with a relevant authority if necessary, keeping you informed of the process

How long do I keep your personal data?

I have a legal obligation to retain your records for 7 years after your most recent appointment (or age 25, if this is longer), but after this period you can ask me to delete your records if you wish.  At any time you may request that changes are made to your contact details.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have certain rights with respect to your personal data as set out below.

  • The right to request a copy of your personal data which I hold about you.
  • The right to request that I correct any personal data if it is found to be inaccurate or out of date.
  • The right to request your personal data is erased where it is no longer necessary for me to retain such data.
  • The right to withdraw your consent to the processing at any time. This right does not apply where I am processing information using a lawful purpose other than consent.
  • The right to be informed if your data is lost. In this event I shall also inform the relevant authorities in accordance with the time limits of the GDPR.
  • The right to lodge a complaint.