This document provides information relating to how Dr Cassie (the trading name of Moulsford Medical Ltd) handles your personal information. The information that we hold is confidential and often sensitive in nature. Any personal information we hold about you is stored and processed under our data protection policy, in line with The Data Protection Act 1998 (in force on the date this statement became operational) and the General Data Protection Regulation (Regulation (EU) 2016/679) adopted on 27th April 2016 and enforceable from 25th May 2018.
Information is retained in line with Department of Health recommendations. Information on a child will be kept until their 25th birthday, or 26th if the young person was 17 at the conclusion of treatment, or 8 years after death. Medical records of adult patients are retained for a period of 7 years.
This document also provides extra details to accompany specific privacy statements that you may see when you use our website (such as cookies).
Dr Cassie Coleman is the data controller for Dr Cassie (the trading name of Moulsford Medical Ltd). Additional staff working at Dr Cassie (the trading name of Moulsford Medical Ltd) are data controllers for the patients they work with directly.
This privacy policy was last updated on 19th October 2020.
Privacy Policy – Dr Cassie & Associates
December 2025
This Privacy Policy explains how Dr Cassie & Associates (“we”, “our”, “the clinic”) collects, stores, and processes your personal information. We recognise that the information we hold about you is confidential and often sensitive. We are committed to handling it securely, lawfully, and transparently.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all relevant professional and ethical standards.
This policy also provides additional information about privacy notices you may encounter on our website (such as cookie notices).
This Privacy Policy was last updated on 5th December 2025.
1. Data Controller
The Data Controller for Dr Cassie & Associates is:
Dr Cassie Coleman
Clinical Director, Dr Cassie & Associates
In addition, clinicians working within Dr Cassie & Associates act as data controllers for the patients they work with directly.
2. What Information Do We Collect?
2.1 Initial Contact Information
When you first contact us, we may ask you for personal details, including:
- Name
- Postal address
- Email address
- Telephone number
- Date of birth
- School details (for children)
- GP details
- Health insurance information (if applicable)
- NHS number
2.2 Clinical Information
We also collect information necessary to assess and support your care. This may include:
- Presenting difficulties and concerns
- Past medical, developmental, or educational history
- Family background
- Assessment results, reports, and clinical notes
- Information about risks or safeguarding concerns
This information is categorised as special category (sensitive) data under UK GDPR and is processed only where necessary to provide safe, appropriate clinical care.
2.3 Information from Your Use of Our Website
If you submit our website contact form, we collect:
- Your name
- Your email address
- The reason for your enquiry
We store this information only for the purpose of responding to your query.
2.4 Information Provided by Third Parties
If your care is commissioned or referred by another organisation (e.g., GP, insurer, local authority), they may provide:
- Contact details
- Relevant medical, educational, or referral information
3. How Do We Use Your Information?
We use your information to provide the services you request, specifically to:
- Contact you regarding appointments, reports, or treatment updates
- Conduct assessments and deliver therapeutic intervention
- Maintain accurate clinical records
- Invoice you or your insurance provider
- Communicate with relevant third parties, with your consent, to support safe and effective care
- Manage clinical risk and safeguarding where required
We do not use your information for marketing purposes, and we do not sell or share your data with third-party marketers.
3.1 Lawful Bases for Processing
We process personal data under one or more of the following bases:
- Performance of a contract – to deliver healthcare services
- Legitimate interests – such as responding to enquiries
- Legal obligation – including safeguarding duties
- Vital interests – if someone is at serious risk of harm
- Consent – particularly for sharing information with third parties
4. Who Has Access to Your Information?
Your information is accessible only to staff directly involved in your care or administrative management.
With your consent, we may share relevant information with:
- Your GP
- Schools or colleges
- CAMHS/PCAMHS
- Social services
- Psychiatrists or other allied professionals
4.1 Situations Where We May Share Without Consent
We may need to share information if:
- There is a legal obligation (e.g., a court order)
- There is a risk of harm to you or to someone else
- Safeguarding concerns require referral to appropriate agencies
Where possible and safe to do so, we will discuss any required disclosures with you first.
5. How and Where We Store Your Information
We take security seriously and use safeguards to protect your data:
- Paper records are kept to a minimum and stored in locked filing systems.
- Electronic clinical records are stored securely using Cliniko, a GDPR-compliant, password-protected platform.
- Access is strictly limited on a need-to-know basis.
- Sensitive information is only sent by email where you have consented, and devices are password or biometric protected.
- Data is backed up regularly and stored securely.
- Website and email enquiries are stored in a secure, GDPR-compliant online system.
6. How Long Do We Keep Your Information?
Retention is based on Department of Health and professional guidance:
- Children and young people: Until age 25, or 26 if the young person was 17 at the conclusion of treatment; or 8 years after death.
- Adults: 7 years from the date of the final contact.
- Financial records (including invoices) are retained for 7 years in accordance with HMRC requirements.
7. Your Rights Under UK GDPR
You have the right to:
7.1 Access Your Information
You can request a copy of all personal data we hold about you or your child.
Requests should be made in writing to Dr Cassie Coleman (Data Protection Lead).
We will respond within 30 days. A small administrative fee may apply.
7.2 Request Correction
If information is inaccurate or incomplete, you may request that we correct it.
If we have shared incorrect information with another professional, we will notify them of the correction.
7.3 Request Deletion
You may request deletion of your information.
Please note that clinical records typically cannot be deleted for legal, regulatory, or insurance reasons.
7.4 Restrict or Object to Processing
You may ask us to stop using your information—for example, to pause appointment reminders.
7.5 Request Transfer of Data
You may request that we transfer your information electronically to another healthcare professional.
8. Data Breaches
We maintain strong security measures to prevent data breaches.
In the unlikely event that a breach occurs:
- We will assess the risk promptly
- We will notify the Information Commissioner’s Office (ICO) within 72 hours where required
- We will notify affected individuals where there is any potential risk
- We will take steps to prevent recurrence
The Data Protection Lead (Dr Cassie Coleman) oversees breach response procedures.
9. Complaints or Concerns
If you have any concerns about how your data is handled, you may:
- Contact us directly – enquiries@drcassie.co.uk, or
- Contact the Information Commissioner’s Office (ICO):
ICO Contact Details:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 or 01625 545745
Email: casework@ico.org.uk

