Data Protection & Privacy Policy

CBT Maidenhead specialises in delivering psychological therapy to clients on behalf of individuals and organisations and clinical supervision for other healthcare professionals.

Although we need to collect and hold certain personal data in order to deliver our services to you, we are committed to protecting and respecting your privacy. This policy provides an overview of how we comply with the General Data Protection Regulation (GDPR) with regard to any personal data we hold about you.

How we obtain personal information:

If you contact us, whether by telephone, email, or other means, we may keep a record of that correspondence. We may ask you to complete various questionnaires and other forms that we will use to tailor our services to your needs. We may keep records of any meetings and sessions in the form of written notes and electronic notes. We may receive correspondence from you or from other healthcare professionals relating to your case. We may also produce notes, assessments or reports outside of sessions, requested by third parties such as your insurance company if they have referred you to our service.

What personal information we collect and how we use it:

The information we may hold on you falls into two categories: Personal Data and Special Category Data. Although we need to hold both categories of information in order to deliver our service to you, we will ask for your explicit written consent to our holding Special Category Data.

Contact information

We hold contact information that you have provided to us and which we use to contact you about appointments or your treatment with us. This information may include:

  • Your full name including title,
  • Your address,
  • Your telephone number(s),
  • Your email address.

If you are a supervision client, and you have agreed that we may do so, we may use this information to send you details of services that we believe may be of interest to you. If you are a personal therapy client, then we will not send you any correspondence that does not directly relate to your case unless you have specifically requested that we do so.

Wherever possible we will always respect your preferred method of communication if you have stated one.

General information

We hold general information that you have provided to us and which we use to manage the delivery of our service to you. Some of this information also enables us to comply with our legal or regulatory obligations. This information may include:

  • The individual or organisation that referred you to us (where relevant),
  • Your date of birth,
  • A record of appointment dates and attendance,
  • General and admin correspondence, and
  • Information on the type and location of sessions.

Familial relationships

We will always ask for a nominated ‘emergency contact’ to ensure that we are able to comply with sensible health and safety arrangements. If we require consent from a parent or guardian to deliver services to you, or if a family member, guardian, or other agreed person is directly involved in your case, then we will need to hold contact and general information about those individuals.

Special Category data

Due to the nature of our services we may need to process data relating to your physical and mental health. The General Data Protection Regulation deems data concerning health a special category of personal data, which means that we need specific reasons for processing this data. These reasons relate to the type of services that we deliver to you, but we believe it is also important to get your informed consent to our holding this data. This information may include:

  • Your reasons for contacting us
  • The name and contact details for your GP
  • The name and contact details for other healthcare professionals involved in your case
  • Significant physical or mental health details, including medication
  • The type of therapeutic service that is being provided to you
  • Completed questionnaires and scores
  • Correspondence from or to you about your case
  • Correspondence from or to other healthcare professionals about your referral and treatment
  • Correspondence from third parties about your referral
  • Mobile communications (including texts or WhatsApp messages) from or to you about your case
  • Voicemail messages from you or others about your case
  • Writing or drawing or objects that you have produced as part of the therapeutic work, or given to the therapist
  • Diagrams produced collaboratively in sessions
  • Completed consent forms
  • Session notes

Payment Information

We are required to hold information on payments received for our financial records. This information may include:

  • Your full name and title,
  • The date and amount of the transaction,
  • If payment is made on your behalf, we will need to record the details of the person or organisation making the payment.

Who we share your data with:

We may share your Special Category Data with other healthcare professionals involved in your case, but we will make sure you are aware of this.

We are required to undergo formal supervision. As part of these sessions it may be necessary to discuss your Personal or Special Category data with the supervisor who will be a qualified healthcare professional operating under terms of confidentiality.

We use software to securely store and remotely access all our electronic data, including Special Category Data. This software is compliant with the General Data Protection Regulation, and your data will not be shared with other third parties.

Your rights under data protection legislation

You have various rights under the relevant data protection legislation. Here is a summary of those rights but please contact us via email at CBT if you would like to know more.

Subject Access

You have the right to see what information we hold about you. Any access request may be subject to a small fee to meet our costs in providing you with details of the information we hold about you.


You have the right to ask us to correct any personal data we hold about you that is wrong. If you feel this is the case, then please let us know.


You have the right to ask us to erase any information we hold about you. However, this right may be limited by our need to comply with statutory or regulatory requirements for retaining data.


You have the right to ask us not to contact you. This may be for specific purposes or you may not wish to be contacted at all. Obviously, we will need permission to contact you if you are an active client so that we can continue to deliver the agreed services to you.

How we keep your data secure:

The personal data we hold on you is stored either physically or electronically. All physical media is secured in locked storage when not in use. All electronic media is secured by password access and where possible by encryption.

In the unlikely event of data being lost or compromised we will tell you what has happened, unless you have stated that you do not wish to be contacted by us.

Data retention and destruction

We do not keep information about you any longer than is necessary. The length of time we keep your data may be determined by statutory or regulatory requirements. We delete or destroy all personal data when it is no longer required.