Protecting and respecting your privacy is important to us. We will endeavour to comply with General Data Protection Regulation (GDPR) and the Data Protection Act (2019). Our policy below outlines what we do to keep your information safe.

Data controller

The Cooley Practice is the data controller for any information gathered about you from enquiries and during the confidential work carried out. We are registered with the information commissioner’s office (ICO).

What personal data do we process?

From your initial contact:

  • Personal data that will enable us to contact you such as your name, address, email and phone number.
  • If you have contacted us via our website, self-referral form or other online portals, the details you provide are sent to our secure email address and are then transferred to our GDPR compliant Microsoft Cloud space.
  • If you are referred by a third party or through health insurance, we will collect and process personal data provided by this third party. This may include basic contact information, referral information, health insurance policy number and authorisation.
  • Before or during your first appointment with us, you will be asked to complete our ‘Personal Details Form’, which asks for your name and contact information, emergency contact details, GP details and current health information.

During assessment and on-going appointments:

  • During and after your appointment(s), your practitioner will take handwritten notes to help them formulate and plan your sessions. These notes will either be stored in a locked filling cabinet or digital copies will be created for our secure online cloud-based storage.

The lawful basis for processing personal data

The Cooley Practice takes your privacy seriously. We have a legitimate interest in using the personal data and sensitive personal data we collect, as it is necessary for us to provide a service to our clients. The information we collect about you is solely used to provide a service to you. If you choose not provide the personal information requested, the quality of our service may be compromised and we may be unable to offer you a service.

We may also ask for your feedback on our service, for the purpose of our own service development and marketing research. No information you provide is passed on without your consent and we will never sell your information to others.

How do you protect the security of my personal information?

  • Notes and reports are only accessed by your practitioner and those from The Cooley Practice who undertake supervisory and auditing roles.
  • Our electronic devices are password protected using two-factor varification software.
  • Our electronic data is protected by Microsoft advanced security features such as ‘Microsoft Defender’ and ‘Exchange Online Protection’, which protects against sophisticated cyber threats. We are also able to remotely wipe data from our devices should they be lost or stolen.
  • Any handwritten notes taken during sessions are stored in a lockable filing cabinet and will be destroyed once they are transferred to digital storage.
  • Personal information is minimised in phone and email communication. Any sensitive personal data will be sent to clients in an email attachment that is password protected. We would also encourage you to password protect any personal documentation that you send to us. We will never use open or unsecure Wi-Fi networks to send any personal data.
  • In the event of online communication using video sessions or other forms of online support, we will discuss the available options to best suit your needs. End-to-end encrypted methods will be recommended and the need to use a secure network will be emphasised.
  • Both you and your practitioner are forbidden from recording an appointment without express permission of the other party. Similiarly, neither the client nor practitioner should have a third party observing or overhearing an appointment without express permission of the other party. This is to be upheld regardless of whether an appointment is face-to-face, or held over telephone or video call.

Who might you share my personal information with?

We hold information about you and the service you receive in confidence. This means that we will not normally share your personal information with anyone else.

However, there are exceptions to this when there may be a need to share your information with other parties:

  • If you are referred by a third party or health insurance provider, we may be asked to provide treatment updates with that organisation or to share appointment schedules for the purposes of billing.
  • The regulating bodies governing our practitioners emphasise the importance of continuing professional development and accessing supervision with other senior professionals. This requirement ensures best clinical practice and the maintenance of the highest standards of care. This means that your practitioner may discuss aspects of your case in supervision sessions, but identifying details will not be shared. Supervisors are bound by the same confidentiality as laid in this policy.
  • In exceptional circumstances, there may be times when your practitioner needs to share information with you GP, or another healthcare provider. Your practitioner will discuss with you if they believe it is in your best interest to share information.
  • In accordance with your practitioner’s duty of care, if circumstances arise where there are significant concerns for your safety or the safety of another person, information made need to be passed to another service.
  • In the case of a disclosure concerning serious and unreported criminal activity (e.g., terrorism, vulnerable adult or child protection issues, drug trafficking etc.), your practitioner will be obligied to pass this information on to the relevant authority.
  • The Cooley Practice is also bound to provide information when requested by a UK court of law.

How long do you store my personal information?

We will only store your personal information for as long as it is required. Basic contact information held on company devices is deleted within 6 months of the end of your contact with our service. Details gained from initial enquiries where no further contact or action is taken will be deleted immediately.

In accordance with regulations, we are required to keep your records and personal data for 7 years after the end of your contact with our service. Once 7 years has lapsed, we will delete or shred and dispose of your notes at the end of each calendar year.

Can I access the personal information you hold about me?

You have a right to access the information we hold about you. We will usually share this with you within 30 days of receiving a request. A copy of your personal information will usually be sent to you in a permanent form (i.e., a printed copy). You have a right to have your personal information corrected if it is inaccurate.

If you have any concerns then please contact us or the ICO on https://ico/


This website uses cookies. A cookie is a small text file stored in your computer containing text data. We use cookies for certain functions to improve the usability of the website. However, enabling cookies in your web browser is necessary if you wish your selections to be remembered for future visits on the same computer. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. For more information about cookies and instructions on how to adjust your browser settings to restrict or disable cookies, see the IAB website at If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.