Privacy Policy

Who I am:
I am Serena Bruen, a practicing Speech and Language Therapist. I am a sole trader operating from my clinic
located at 3 Landscape Road, Churchtown, Dublin 14, D14 WC65 (the “Clinic”). You may also contact me by
email at: serenabruen@googlemail.com.
When you use my services you trust me with your information. This privacy policy is meant to help you
understand what data I collect, why I collect it, and what I do with it. I have tried to make it as simple as
possible but if you have any questions please contact me.
In the practice of the Clinic, I assume the function of data controller and supervise the clinic’s compliance
with the General Data Protection Regulation (GDPR) within the business.

  1. Information I collect
  2. Where I get my information
  3. How I use the information I collect
  4. Information I share
  5. How and when consent is obtained
  6. How I protect your data
  7. Protecting your rights to data
  8. Security of your personal data
    1. Information I collect
    The Clinic holds personal data as part of conducting a professional service. The data falls under the
    following headings: healthcare records, educational records, clinical records, general administrative
    records, and financial records.
    1.1 Healthcare records
    A healthcare record refers to all information collected, processed and held both in manual and
    electronic formats pertaining to the service user and their care. Speech and language problems can be
    complex, and a wide range of information may be collected in order to best meet the needs of the
    client, and to maintain a high-quality service which meets best practice requirements. In order to
    provide a high-quality service, a range of information may be collected.
  1. Contact details: Name, address, phone numbers, e-mail address
  2. Personal details and Identity data: date of birth, gender
  3. Other contacts: name and contact details of Parents, Guardians,
    School/Teachers, GP and any other relevant healthcare professionals involved.
    For child services:
    • Parent/guardian details
    • Description of family
    • Educational placements.
    • Pre- and post-natal history: This can include information relating to mother’s pregnancy, and
    child’s birth.
    • Developmental data: developmental milestones, feeding history, audiology history.
    • Medical details: such as any relevant illnesses, medications, and relevant family history.
    Reports from other relevant allied health professionals such as: Audiology, Psychology,
    CAMHS (Child & Adolescent Mental Health Services), Occupational therapy, Physiotherapy,
    Ophthalmology.
    For adult services:
    • Employment/vocational history
    • Mental health
    1.2 Educational records
    Relevant Individual Educational Plans (IEPs), progress notes from educational staff and school reports
    may be held.
    1.3 Clinical records
    Specific data in relation to communication skills may be collected and held, such as assessment forms,
    reports, case notes, e-mails, text messages and transcripts of phone calls. Audio and video files may also be
    collected and stored.
    1.4 General administrative records
    The Clinic may hold information regarding attendance reports and accident report forms.
    1.5 Financial records
    A financial record pertains to all financial information concerning the practice, e.g. invoices, receipts,
    information for Revenue. The Clinic may hold data in relation to: on-line purchasing history, card
    payments, bank details, receipts and invoices. Information will include name of bill payer, client name,
    address and record of invoices and payments made.
    2. Where I get my information
    Personal data will be provided by the client, or in the case of a child (under 16 years), their
    parent(s)/guardian(s). This information will be collected as part of a case history form prior to, or on the
    date of first contact.
    Information may also be provided directly from relevant third parties such as schools, medical
    professionals and allied health professionals, with prior consent from the parent(s)/guardian(s).
    3. How I use the information that I collect
    I use the information I collect to provide assessment and therapy as per the relevant professional
    guidelines, as well as to maintain the general running of the business, such as running my booking
    system, keeping my accounts and updating you of any changes in policies or fees.
    Information may also be used for research purposes, with the written consent of the client or
    parent/guardian.
    3.1 Data retention periods
    The retention periods are the suggested time periods for which the records should be held based on
    the organisation’s needs, legal and/or fiscal precedence or historical purposes. Following the retention
    deadline, all data will be destroyed under confidential means.
    3.2 Client Records
    3.2.1 Clinical Records
    The Clinic keeps both physical and electronic records of clinical data in order to provide a service.
    • The preferred format for clinical data is paper/electronic.
    • Clinical data is deleted/confidentially destroyed after 2 years from last invoiced session. (Usually
    post discharge).
    • Clinical data used for research purposes may be kept for longer than 2 years.
    • Video records/voice recordings relating to client care/videoconferencing records may be recorded
    with consent, analysed and then destroyed. If written consent is provided to use recordings for
    training purposes, the client will have the option to withdraw consent at any time.
    3.2.2 Financial Records
    The Clinic keeps electronic/paper records of financial data from those who use my services.
    Section 886 of the Taxes Consolidation Act states that the Revenue Commissioners require records to
    be retained for a minimum period of six years after the completion of the transactions, acts or
    operations to which they relate. These requirements apply to manual and electronic records equally.
    • Financial Data is kept for 6 years to adhere to Revenue guidelines.
    • Financial Data (including non-payment of bills) can be given to Revenue at Revenue’s request.
    3.2.3 Contact Data
    Contact Data is kept for 6 years to allow processing of Financial Data if required. (This may be retained
    for longer for safety, legal request, or child protection reasons.)
    3.3 Exceptions
    If under investigation or if litigation is likely, files must be held in original form indefinitely, otherwise
    files are held for the minimum periods set out above.
    4. Information I share
    I do not share personal information with companies, organisations and individuals outside the Clinic
    unless one of the following circumstances applies:
    4.1 With your consent:
    I will share personal information with other relevant health care providers or educational providers
    when I have your written consent to do so. I require opt-in consent for the sharing of any sensitive
    information.
    4.2 For legal reasons:
    I will share personal information with companies or organisations outside of the Clinic if disclosure of
    the information is reasonably necessary to:
    ▪ Meet any applicable law, regulation, legal process or enforceable governmental request.
    ▪ Meet the requirements of the Children First Act 2015.
    ▪ To protect against harm to the rights, property or safety of the Clinic, my service users or the
    public as required or permitted by law.
    4.3 For processing by third parties/external processing
    The following third parties are engaged for processing data:
    Who                  | Type of data                            | Purpose
    Administrative staff | Record keeping, typing, correspondence. | Updating records
    Accountant           | Financial                               | Processing financial accounts
    5. Sharing Data
    5.1 Legal requirements
    The Clinic is required to share data with external parties in the following circumstances:
  1. Compliance with local tax and audit laws.
  2. Compliance with child protection.
  3. Compliance with law enforcement.
    5.2 Financial requirements
    The Clinic also is required to share financial data with our accountancy service provider in order to
    comply with local tax laws.
    5.3 Other parties
    Any transfers outside the above which contain Personal Identifying Information (PII) to third parties
    such as hospitals, GPs, other medical professionals, are only made once the owner of the data has
    given express written permission by letter or email to do so.
    5.4 Transfer of personal data outside the EEA
    In certain instances, personal data may be transferred outside the EEA, e.g. to the US or other
    countries. This would be for specific purposes such as email and web-based appointment scheduling.
    In such instances, the Clinic will use third parties which meet the privacy standards of GDPR.
    5.5 Clinical supervision
    The code of professional ethics and professional practice guidelines that apply to speech and language
    therapists require us to engage in “clinical supervision”. This process involves us discussing and
    reviewing consultations and assessments we have carried out with other speech and language therapy
    colleagues, for the purpose of ensuring that we are providing the best possible clinical service to our
    clients. Any personal data that we share in the course of clinical supervision is disclosed on a strict
    “need to know” basis. The colleague in question is subject to the same duties as us to ensure that all
    personal data is protected and treated strictly in accordance with their professional, ethical and legal
    obligations, including the requirements of Data Protection Law.
    6. How and when we obtain consent
    Prior to initial assessment or consultation, a link to the data protection policy will be provided to clients
    along with a statement of consent and a client case history form. A statement of consent form will need
    to be signed by the client prior to commencing the service. Copies of the signed consent forms will be
    retained in the client file and will be available on request.
    Should a client wish to withdraw their consent for data to be processed, they can do so by contacting
    the Clinic.
    7. How I protect your data
    In accordance with the General Data Protection Regulation (GDPR), I will endeavour to protect your
    personal data in a number of ways:
    7.1 By limiting the data that I collect in the first instance
    All data collected by me will be collected solely for the purposes set out at 1 above and will be collected
    for specified, explicit and legitimate purposes. The data will not be processed any further in a manner
    that is incompatible with those purposes save in the special circumstances referred to in section 5.1.
    Furthermore, all data collected by me will be adequate, relevant and limited to what is necessary in
    relation to the purposes for which it is collected which include, inter alia, the assessment, diagnosis
    and treatment of speech, language and communication disorders.
    7.2 By transmitting the data in certain specified circumstances only
    Data will be shared and transmitted, be it on paper, electronically or otherwise, only as is required,
    and as set out in section 3.
    7.3 By keeping only the data that is required
    Data will be kept only for so long as it is required and by limiting its accessibility to third parties.
    7.4 By disposing of/destroying the data once the individual has ceased receiving treatment
    Data will be destroyed within 2 years of the completion of treatment apart from the categories of
    personal data as set out at 1.1 above. Where data is required to be held by me for longer than the
    period of 2 years, I will put in place appropriate technical and organisational measures to ensure a
    level of security appropriate to the risk. These may include measures such as the encryption of
    electronic devices, pseudonymisation of personal data, and/or safe and secure storage facilities
    for paper/electronic records.
    7.5 By retaining the data for only as long as is required
    The standard data retention period is 2 years except for circumstances in which retention of data is
    required in circumstances set out at part 1.1 above or in certain specific circumstances as set out at
    Article 23(1) of the GDPR.
    7.6 By destroying the data securely and confidentially after the period of retention has elapsed.
    This could include the use of confidential shredding facilities or, if requested by the individual, the
    return of personal records to the individual.
    7.7 By ensuring that any personal data collected and retained is both accurate and up-to-date.
    8. Protecting your Rights to Data

    8.1 Adult clients
    Adults have the right to request data held on them as per article 15 of GDPR. A request must be made
    in writing. Further information regarding accessing your personal data is available in the document
    ‘Rights of Individuals under the General Data Protection Regulation’, downloadable from:
    www.gdprandyou.ie
    8.2 Children
    For children under the age of 16, data access requests are made by their guardians. When a child turns
    16, then they may make a request for their personal data. However, this is subject to adherence with
    the Children First Act.
    9. Security
    The Clinic, as with most providers of healthcare services, is aware of the need for privacy. As such, I aim
    to practice privacy by design as a default approach, and only obtain and retain the information needed
    to provide you with the best possible service.
    All persons working in, and with the Clinic in a professional capacity, are briefed on the proper
    management, storage and safekeeping of data.
    All data used by the Clinic, including personal data may be retained in any of the following formats:
  1. Electronic Data
  2. Physical Files
    The type of format for storing the data is decided based on the format the data exists in.
    Where applicable, the Clinic may convert physical files to electronic records to allow us to provide a better
    service to clients.
    9.1 Data Security
    The Clinic understands that the personal data used in order to provide a service belongs to the
    individuals involved. The following outlines the steps which the Clinic uses to ensure that the data is
    kept safe.
    9.1.1 Electronic Data
    All electronic data is contained in the following systems:
    Gmail.
    Write-Up.
    9.1.2 Physical Files
    All physical data is located in:
    3 Landscape Road, Churchtown, Dublin 14, D14 WC65
  • Only Serena Bruen has access to these records.
  • These records are kept in a secured manner under lock and key.
    9.2 Security Policy
    9.2.1 The Clinic understands that requirements for electronic and physical storage may change with time
    and the state of the art. As such, the data controller in the Clinic reviews the electronic and physical
    storage options available to the Clinic every 12 months.
    9.2.2 All persons working in the Clinic are made aware of and briefed on the requirements for good data hygiene every
    12 months. This briefing compliance is monitored by the data controller and includes, but is not limited
    to:
    ▪ Awareness of client conversations in unsecure locations.
    ▪ Enabling auto-lock on devices when leaving them unattended, even within the Clinic
    locations.
    ▪ Use of non-identifiable note taking options. (initials, not names).
    ▪ Awareness of the Clinic procedure should a possible data breach occur, either
    through malicious action (theft) or accident (loss) affecting devices or physical files.