Privacy Policy

December 2025 

This Privacy Policy explains how Dr Cassie & Associates (“we”, “our”, “the clinic”) collects, stores, and processes your personal information. We recognise that the information we hold about you is confidential and often sensitive. We are committed to handling it securely, lawfully, and transparently. 

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all relevant professional and ethical standards. 

This policy also provides additional information about privacy notices you may encounter on our website (such as cookie notices). 

This Privacy Policy was last updated on 5^th December 2025 

1. Data Controller 

The Data Controller for Dr Cassie & Associates is: 

Dr Cassie Coleman
Clinical Director, Dr Cassie & Associates 

In addition, clinicians working within Dr Cassie & Associates act as data controllers for the patients they work with directly. 

2.1 Initial Contact Information 

When you first contact us, we may ask you for personal details, including: 

• Name 
• Postal address 
• Email address 
• Telephone number 
• Date of birth 
• School details (for children) 
• GP details 
• Health insurance information (if applicable) 
• NHS number 

2.2 Clinical Information 

We also collect information necessary to assess and support your care. This may include: 

• Presenting difficulties and concerns 
• Past medical, developmental, or educational history 
• Family background 
• Assessment results, reports, and clinical notes 
• Information about risks or safeguarding concerns 

This information is categorised as special category (sensitive) data under UK GDPR and is processed only where necessary to provide safe, appropriate clinical care. 

2.3 Information from Your Use of Our Website 

If you submit our website contact form, we collect: 

• Your name 
• Your email address 
• The reason for your enquiry 

We store this information only for the purpose of responding to your query. 

2.4 Information Provided by Third Parties 

If your care is commissioned or referred by another organisation (e.g., GP, insurer, local authority), they may provide: 

• Contact details 
• Relevant medical, educational, or referral information 

3. How Do We Use Your Information? 

We use your information to provide the services you request, specifically to: 

• Contact you regarding appointments, reports, or treatment updates 
• Conduct assessments and deliver therapeutic intervention 
• Maintain accurate clinical records 
• Invoice you or your insurance provider 
• Communicate with relevant third parties, with your consent, to support safe and effective care 
• Manage clinical risk and safeguarding where required 

We do not use your information for marketing purposes, and we do not sell or share your data with third-party marketers. 

3.1 Lawful Bases for Processing 

We process personal data under one or more of the following bases: 

• Performance of a contract – to deliver healthcare services 
• Legitimate interests – such as responding to enquiries 
• Legal obligation – including safeguarding duties 
• Vital interests – if someone is at serious risk of harm 
• Consent – particularly for sharing information with third parties 

4. Who Has Access to Your Information? 

Your information is accessible only to staff directly involved in your care or administrative management. 

With your consent, we may share relevant information with: 

• Your GP 
• Schools or colleges 
• CAMHS/PCAMHS 
• Social services 
• Psychiatrists or other allied professionals 

4.1 Situations Where We May Share Without Consent 

We may need to share information if: 

• There is a legal obligation (e.g., a court order) 
• There is a risk of harm to you or to someone else 
• Safeguarding concerns require referral to appropriate agencies 

Where possible and safe to do so, we will discuss any required disclosures with you first. 

5. How and Where We Store Your Information 

We take security seriously and use safeguards to protect your data: 

• Paper records are kept to a minimum and stored in locked filing systems. 
• Electronic clinical records are stored securely using Cliniko, a GDPR-compliant, password-protected platform. 
• Access is strictly limited on a need-to-know basis. 
• Sensitive information is only sent by email where you have consented, and devices are password or biometric protected. 
• Data is backed up regularly and stored securely. 
• Website and email enquiries are stored in a secure, GDPR-compliant online system. 

6. How Long Do We Keep Your Information? 

Retention is based on the Department of Health and professional guidance: 

• Children and young people: Until age 25, or 26 if the young person was 17 at the conclusion of treatment; or 8 years after death. 
• Adults: 7 years from the date of the final contact. 
• Financial records (including invoices) are retained for 7 years in accordance with HMRC requirements. 

7. Your Rights Under UK GDPR 

You have the right to: 

7.1 Access Your Information 

You can request a copy of all personal data we hold about you or your child.
Requests should be made in writing to Dr Cassie Coleman (Data Protection Lead).
We will respond within 30 days. A small administrative fee may apply. 

7.2 Request Correction 

If information is inaccurate or incomplete, you may request that we correct it.
If we have shared incorrect information with another professional, we will notify them of the correction. 

7.3 Request Deletion 

You may request deletion of your information.
Please note that clinical records typically cannot be deleted for legal, regulatory, or insurance reasons. 

7.4 Restrict or Object to Processing 

You may ask us to stop using your information—for example, to pause appointment reminders. 

7.5 Request Transfer of Data 

You may request that we transfer your information electronically to another healthcare professional. 

8. Data Breaches 

We maintain strong security measures to prevent data breaches. 

In the unlikely event that a breach occurs: 

• We will assess the risk promptly 
• We will notify the Information Commissioner’s Office (ICO) within 72 hours where required 
• We will notify affected individuals where there is any potential risk 
• We will take steps to prevent recurrence 

The Data Protection Lead (Dr Cassie Coleman) oversees breach response procedures. 

9. Complaints or Concerns 

If you have any concerns about how your data is handled, you may: 

1. Contact us directly – enquiries@drcassie.co.uk, or 
2. Contact the Information Commissioner’s Office (ICO): 

Safeguarding Statement: Dr Cassie and Associates

Our clinic is committed to providing a safe, supportive, and child-centred environment for all children and families who use our services. Safeguarding is integral to everything we do, and we adhere to national legislation, statutory guidance, and best-practice standards for the protection and wellbeing of children and young people.

We ensure that:

• All staff are appropriately trained in safeguarding and child protection, including recognising signs of abuse, responding to concerns, and understanding their duties under relevant safeguarding frameworks. Training is updated regularly to reflect current guidance.
• Robust recruitment and vetting procedures are in place, including enhanced background checks for all clinicians, support staff, and volunteers, in line with safer recruitment standards.
• Clear safeguarding policies and procedures guide our practice. These include reporting pathways, escalation processes, and designated safeguarding leads who oversee safeguarding governance within the clinic.
• Children’s rights, privacy, and dignity are prioritised throughout assessment and support. Our clinical processes are designed to minimise distress, promote inclusion, and consider the child’s developmental needs at every stage.
• Information is shared appropriately and securely with families, professionals, and partner agencies, in accordance with data protection law and safeguarding best practice. Concerns about a child’s welfare are acted upon promptly using established multi-agency procedures.
• A culture of safety and transparency is actively promoted. Families are encouraged to voice concerns, participate in decision-making, and provide feedback to help us continually improve our safeguarding practice.

By embedding safeguarding within our clinical, organisational, and ethical framework, we ensure that every child accessing our neurodevelopmental services is protected, valued, and supported to achieve positive outcomes.

Cancellation and Non-Attendance Policy

At Dr Cassie & Associates, we kindly ask families to provide at least 48 hours’ notice if an appointment needs to be cancelled or rearranged; otherwise, you’ll be charged up to 50% of the fee for less than 48 hours’ notice, and the full fee for less than 24 hours’ notice or no shows.  Monday appointments need to be cancelled by Thursday before noon please.

This helps us offer appointments to other families who may be waiting. Appointments cancelled at very short notice or not attended will usually be charged in full, as the clinician’s time has been reserved specifically for your child and cannot typically be reallocated at short notice.