Privacy Policy


This privacy policy outlines your rights, and our obligations to you, regarding the recording and storage of your personal information. In this privacy policy we will let you know what information we need to collect from you before we begin therapy, and what information we need to collect from you during therapy. We will also set out how we will look after your personal information, for how long we will store it, and who we will share it with. In addition, we will let you know what you are able to request from us regarding this information.

What is personal information?

The Data Protection Act 1998 (DPA) defines personal information as any information that can be used to identify a living individual. Individuals can be identified by various means including their name, address, telephone number or email address for example.

Why do you want to process my personal information?

We need to process your personal information to fulfil our contractual obligations to you as an organisation, for example to assess whether we can offer you counselling/psychotherapy in the first place, and then to deliver it effectively to you if therapy commences. Your personal information helps guide both our assessment process, and our clinical decision-making during therapy. Our contractual obligations to you as a counselling and psychotherapy centre are the lawful basis for our processing of your personal information.

What are the laws that protect my personal information?

The DPA and the General Data Protection Regulation (GDPR) require that all organisations that store personal information about people may only do so provided that the information is: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date; kept in a form that permits identification of information for no longer than is necessary for the purposes for which the personal information are processed and processed in a manner that ensures appropriate security of the personal information.

How will you collect my personal information?

We will collect your personal information in the following ways: over the telephone, in writing, and in person during our meetings.

How will you treat my personal information?

We will treat your personal information in a way that is compliant with the DPA and the GDPR. The lawful and proper treatment of your personal information is important to us, not least in order to maintain your confidence in us, but also to maintain the confidence of other clients and staff.

How will you store my personal information?

We will store your personal information physically and, in some cases, electronically. Personal information is stored electronically on devices that are password-protected. Names and contact details are stored separately from other personal information. Information is stored physically using paper records held securely in locked storage.

How long will you store my personal information?

According to the GDPR, your personal information should be stored for no longer than is necessary. In practical terms, we will usually store your information for 3 years following the termination of your treatment. However, we may need to store your information for longer than this if DPA or GDPR require it, for instance when holding information after completing therapy with a person under 18 years old or to comply with our insurance terms and conditions.

What types of information will you collect about me?

We will collect several types of information about you either by phone or face to face:

  • a) When you first contact us - name, address, telephone, email, who has referred you, your reason for seeking counselling, your GP’s contact details,
  • b) When you have an assessment to determine suitability for counselling – the issues you are seeking help with, whether you have had previous counselling, outline of mental health, alcohol or drugs issues, emergency contact number, current medication, your availability, any special requirements or things we should know about you to keep you safe.
  • c) Once we have agreed that counselling/psychotherapy with us is right for you, and your therapy commences, we will collect further information from you that may include goals for therapy, details about previous therapy, network of support, financial and employment circumstances, health and physical issues, appetite and sleep, family structure, overview of your family situation, and early memories of caregivers.

What is ‘special category’ information, and why do you need to process this too?

Special category information is defined by the GDPR as being information that is more sensitive than other personal information, and therefore requiring of higher levels of protection. Examples of this type of information could include information about your health, race, sexuality, sex life, or religion. To lawfully process special category information, we are obliged to identify a specific condition for processing it under Article 9 of the GDPR and communicate this to you. The condition of the GDPR that we apply to the processing of your special category information is that it is ‘pursuant to contract with a health professional.’ This means that, if you begin therapy with us, or ask us to assess whether you are eligible for therapy, then we will need to process items of special category information about you. Usually, this is information about your mental health, and we need to process it to fulfil our contractual obligations to you in delivering safe, effective psychotherapy.

What is a ‘data controller,’ and who is the ‘data controller’ for Cedar House Preston CIO?

The GDPR defines a ‘data controller’ as the person in an organisation who: ‘determines the purposes and means of processing personal data.’ For the purposes of the GDPR, the ‘data controller’ for Cedar House Preston CIO is The Manager Cedar House Preston CIO, 23 Mount St Preston PR1 8BS

Who else will you collect information about?

We collect and process information about the individuals with whom our organisation operates. These include clients, staff, suppliers, and other business contacts.

Who will my personal information be shared with?

Some of your personal information may be shared with your G.P., or other healthcare professional, under certain exceptional circumstances. These include the requirements of a court of law, the threat of serious physical harm to you or to others, or therapists during their regular consultations with professional supervisor. Some of your personal information such as website visits, telephone call data, or payment information, is shared with the website provider, mobile phone operator, or card payment provider, respectively. These providers operate under their own privacy policies, and these can be provided upon request.

Can I ask for a copy of the personal information that you store about me?

Yes. The DPA gives you the right to find out what information that we store about you by requesting a copy of it. Any request that you make to obtain a copy of the personal information that we hold about you is called a ‘Subject Access Request.’ You can write to the Manager at the above address and ask for a copy of the information that we hold about you. We must respond to your request without delay, and usually within one month at the latest. We may charge a fee for providing this information based on the administrative costs involved.

Can I request that you delete my personal information?

Yes. This is known in legislation as the Right to Erasure. You can request for your personal information to be deleted either verbally, or in writing. You can address this request to us at the above address. There may be an administrative charge for this. We may also have the right to refuse to comply with your request, for example to comply with our insurance terms and conditions, and we will let you know our response to your request within one month of receiving it.

Can I object or complain about the processing of my personal information by Cedar House Preston CIO?

Yes. Whilst we hope that the policy outlined above will be sufficient to reassure you of the security of your personal information, should you wish to object or complain about the way that your personal information is being handled by us, then do please feel free to communicate this to us at the earliest possible opportunity. We will do our best to address your concerns and take steps to try and resolve whatever issues you may raise. You can write to us at the above address. Should you wish to take the matter further, please contact the Information Commissioner’s Office on 0303 123 1123 or visit for more information.