Privacy Notice of Kent Association of Counselling & Psychotherapy (KACP)
We are licensed (as counsellors are in law required to be) with ICO for the safekeeping of records. Registration Reference ZAOO8721
General Data Protection Regulation (GDPR)
GDPR is a new data protection law which came into full effect in 2018. It sets out the main principles of data protection and the responsibilities organisations have when handling personal data.
It protects individuals personal information and improves their control over how it is collected, stored, shared and used
Privacy Policy
Last updated: 12 June 2026
1. Who we are
This privacy policy explains how KACP collects, uses, stores, and protects your personal information.
Practice name: KACP
Therapist: Carolyn Marshall
Contact email: polyshinel [at] aol.com
ICO registration number: ZA008721
I am registered with the Information Commissioner's Office as a data controller, which means I am responsible for deciding how your personal data is used and for keeping it safe.
2. What personal data we collect
I collect and process the following types of personal information:
Contact details
- Your name, address, telephone number, and email address
- Emergency contact details (where you choose to provide them)
Health and therapy-related information
- Presenting issues and reasons for seeking therapy
- Relevant medical history and current medications
- GP details (where relevant and with your agreement)
- Session notes documenting our therapeutic work together
- Risk assessments and safety plans (where applicable)
- Correspondence between us relating to your therapy
Administrative information
- Appointment records
- Invoices and payment records
- Consent forms and agreements
Important: Your health and therapy-related information is classified as "special category data" under Article 9(1) of the UK GDPR. This type of data receives enhanced legal protection because of its sensitive nature. I take additional care to protect this information, as explained throughout this policy.
3. How we collect your data
I collect personal information directly from you in the following ways:
- At first contact — when you telephone, email, or text me to enquire about therapy or book an initial session
- During intake — when you complete assessment forms or provide background information before or during our first meeting
- During sessions — through our therapeutic conversations, whether in person or via video
- Ongoing correspondence — through emails, text messages, or telephone calls relating to your therapy
I do not collect information about you from third parties unless you have given explicit consent for this, or you have been referred through an Employee Assistance Programme (EAP) arrangement where limited referral information may be shared as part of the commissioning process.
4. Why we process your data — lawful basis
UK GDPR requires me to have a valid legal reason for processing your personal data. I rely on the following lawful bases:
Article 6 basis (ordinary personal data)
Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us.
When you engage me as your therapist, we enter into a contract for me to provide therapy services. I need to process your contact details, appointment information, and payment records to fulfil this contract.
Article 9 basis (special category data)
Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional.
The additional DPA 2018 Schedule 1 condition I rely on is Part 1, paragraph 2 (health or social care). This allows me to process your health and therapy-related information because:
- I am providing health care in the form of psychological therapy
- I am a qualified counsellor/psychotherapist bound by professional obligations of confidentiality under the ethical framework of BACP
- Processing your sensitive information is necessary to provide you with safe, effective therapy
5. Professional obligations and CPD
I am required by BACP to attend regular clinical supervision. Supervision is an essential part of professional practice — it helps me reflect on my work and ensures I am providing you with the best possible care.
When I discuss our therapeutic work with my supervisor:
- Your name and any identifying details are not shared with my supervisor
- I use anonymised or pseudonymised case material only — this means I remove or change any information that could identify you
- My supervisor is a qualified professional bound by the same confidentiality obligations as I am
- My supervisor is also bound by their own professional body's ethical framework
Supervision discussions focus on the therapeutic process and my professional development, not on identifying details about you.
6. Clinical will — what happens to your records if I am unable to practise
I am currently putting arrangements in place to ensure your records are handled appropriately in the event that I become suddenly unable to practise due to serious illness, incapacity, or death.
These arrangements will ensure that:
- A nominated professional colleague will be able to securely access my practice records
- Current clients will be contacted and offered appropriate support or referral
- All records will continue to be handled in accordance with this privacy policy and professional confidentiality requirements
- Records will be securely stored for the appropriate retention period and then destroyed
Once these clinical will arrangements are finalised, I will update this policy and inform current clients.
7. Who we share your data with
I take your confidentiality seriously and keep information sharing to the minimum necessary. The following parties may have access to your personal data:
Clinical supervisor
As explained above, I discuss my therapeutic work in supervision using anonymised case material only. Your name and identifying details are not shared.
Employee Assistance Programme (EAP) or referral platform
If you were referred to me through an Employee Assistance Programme, limited information may be shared with the EAP as part of the commissioning arrangement. This typically includes confirmation of attendance and session numbers, but not the content of our sessions. The specific information shared will be explained to you at the start of therapy.
Third-party service providers
I use the following third-party services which may process limited personal data:
- Doxy.me — for secure video therapy sessions
- Google Analytics — to understand how visitors use my website
- WebHealer — the platform my website is built on
Each of these services is bound by a data processing agreement and has its own privacy policy. Links to their privacy policies are available on request.
I never sell your personal data.
I may also be legally required to share information in the limited circumstances described in Section 12 (Confidentiality exceptions).
8. International data transfers
Some of the third-party services I use may transfer personal data outside the United Kingdom:
| Service | Provider | Location | Transfer safeguard |
|---|---|---|---|
| Google Analytics | Google LLC | USA | Standard Contractual Clauses (SCCs) / International Data Transfer Agreement (IDTA) |
| WebHealer | WebHealer Ltd | UK | No international transfer |
| Doxy.me | Doxy.me Inc | USA | Standard Contractual Clauses (SCCs) / International Data Transfer Agreement (IDTA) |
The USA does not currently have a UK adequacy decision. Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025.
You can request a copy of the relevant transfer safeguards by contacting me.
For specific details on each provider's data handling practices and applicable safeguards, please refer to each provider's own privacy policy. You can request additional information from me at any time.
9. How long we keep your data
I retain your personal data for the following periods:
| Type of record | Retention period | Reason |
|---|---|---|
| Therapy records | 7 years after our last session | In line with the Limitation Act 1980 and standard professional indemnity insurance requirements |
| Financial records (invoices, receipts) | 6 years | HMRC legal requirement |
| Website enquiries (non-clients) | 12 months | Legitimate interest in responding to enquiries |
How records are stored
Your therapy records are kept as paper records in a locked filing cabinet in a secure room. Access is restricted to me alone.
How records are destroyed
After the applicable retention period, paper records are destroyed by secure shredding.
10. Your rights under UK GDPR
You have the following rights regarding your personal data:
Right to be informed
You have the right to know how your data is being used. This privacy policy fulfils that right.
Right of access
You can ask me for a copy of the personal information I hold about you. This is sometimes called a "subject access request." I will respond within one month. Under the Data (Use and Access) Act 2025, I will conduct a reasonable and proportionate search to locate your information.
Right to rectification
If any information I hold about you is inaccurate or incomplete, you can ask me to correct it.
Right to erasure
In some circumstances, you can ask me to delete your personal data. However, this right does not apply where I am required to keep records in line with the Limitation Act 1980 and standard professional indemnity insurance requirements. I will explain if this applies to your request.
Right to restrict processing
You can ask me to limit how I use your data in certain circumstances, for example if you are contesting its accuracy.
Right to data portability
In some circumstances, you can ask me to provide your data in a commonly used format so you can transfer it to another service.
Right to object
You can object to certain types of processing, though this is unlikely to apply to therapy records processed under contract and health care grounds.
Rights related to automated decision-making
I do not use automated decision-making or profiling in my practice, so this right is unlikely to be relevant.
How to exercise your rights
To exercise any of these rights, please contact me at info@kacp.co.uk I will respond within one month. There is no fee for most requests, though I may charge a reasonable fee if a request is clearly unfounded or excessive.
11. Data protection complaints — your right under the Data (Use and Access) Act 2025
You have the right to make a data protection complaint directly to me if you are unhappy with how I have handled your personal data.
How to complain to me
- Submit a complaint at https://kacp.policydiary.co.uk (Make a complaint tab)
- Or contact me at info@kacp.co.uk
I will acknowledge your complaint within 7 days and provide a full response within 28 days.
If you are not satisfied with my response
You may escalate your complaint to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
The ICO is the UK's independent regulator for data protection.
12. Confidentiality exceptions
Everything you share with me in therapy is confidential. However, there are limited circumstances where I may need to share information without your consent:
- Risk of serious harm — if I believe there is a serious and immediate risk of harm to you or to another person
- Safeguarding concerns — if I become aware of safeguarding issues involving a child or vulnerable adult
- Legal requirement — if I receive a court order requiring disclosure, or if disclosure is required by law
In most circumstances, I will always try to discuss any disclosure with you first and explain my reasons, unless doing so would itself put someone at risk.
I will only ever share the minimum information necessary in these situations.
13. Changes to this policy
I review this privacy policy annually and whenever my practices change. If I make significant changes that affect how your data is processed, I will inform you directly.
The "last updated" date at the top of this policy shows when it was most recently revised.
Contact
If you have any questions about this privacy policy or how I handle your personal data, please contact me:
Carolyn Marshall KACP
Email:info@kacp.co.uk
Full compliance documents: https://kacp.policydiary.co.uk
