Privacy Policy

This privacy notice explains how I collect, use and protect your personal information and data.

Practice name: KM Psychotherapy

Therapist: Karen Morton MA(Psych&Couns) MBACP(Accred)

Email: karen@kmpsychotherapy.co.uk

ICO registration number: ZA748597

I am registered with the Information Commissioner's Office as a data controller and am committed to protecting your privacy in accordance with UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

What personal data I collect

I collect and process the following types of personal information:

Contact details:

  • Your name, address, telephone number, and email address
  • Emergency contact details

Health and therapy-related information:

  • Your presenting issues and reasons for seeking therapy
  • Relevant medical history and any medications
  • Session notes recording our therapeutic work together
  • Risk assessments where appropriate
  • Any correspondence between us

Important: Your health and therapy-related information is classified as "special category data" under Article 9(1) of the UK GDPR. This means it receives enhanced protection because of its sensitive nature. I take extra care to ensure this information is kept secure and processed only where there is a clear lawful basis.

Website enquiries: When you submit your contact form, I collect your name and email address along with the content of your message.

How I collect your data

I collect personal information directly from you:

  • When you first make contact with me by telephone, email, or through the website contact form
  • During the intake process and our initial consultation
  • Throughout our therapeutic sessions together
  • Through any correspondence between us (email, telephone, or letter)

I do not collect personal information about you from third parties without your explicit consent.

Why I process your data — lawful basis

Under UK GDPR, I must have a valid legal reason (called a "lawful basis") to process your personal data. Because I process both ordinary personal data and special category health data, I rely on two separate legal bases:

Article 6 basis (ordinary personal data):

Article 6(1)(b) UK GDPR — processing is necessary for the performance of the therapeutic contract between us. When you engage me as your therapist, we enter into a contract for me to provide you with therapy services. I need to process your personal data to fulfil that contract.

Article 9 basis (special category health data):

Article 9(2)(h) UK GDPR — processing is necessary for the provision of health or social care treatment by a health professional. As a qualified psychotherapist, I am permitted to process your health-related information in order to provide you with therapy.

The additional condition required under the Data Protection Act 2018 is Schedule 1, Part 1, paragraph 2 (health or social care purposes). This processing is carried out by a qualified counsellor and psychotherapist who is subject to the professional obligation of confidentiality under the BACP ethical framework.

Professional obligations and CPD

As a member of BACP, I am required to attend regular clinical supervision. This is an essential part of maintaining high standards of care and my ongoing professional development.

When I discuss our therapeutic work with my supervisor:

  • Your name and any identifying details are not shared with my supervisor
  • I use anonymised or pseudonymised case material only — this means I discuss themes, patterns, or clinical approaches without revealing who you are
  • My supervisor is a qualified professional bound by the same confidentiality obligations as I am
  • My supervisor is bound by their own professional body's ethical framework

Supervision helps me reflect on my practice, ensures I am working safely and ethically, and ultimately supports the quality of care you receive.

Clinical will — what happens to your records if I am unable to practise

I have appointed a Clinical Executor who will act on my behalf in the event of my death, serious illness, or incapacity.

If I become unable to practise:

  • My Clinical Executor will contact you to let you know that our work has ended
  • They will handle your records with complete confidentiality
  • They will ensure your records are securely stored or destroyed in accordance with this policy
  • If appropriate, they can help you find another therapist to continue your work

My Clinical Executor is a qualified therapist who is bound by professional confidentiality. They will only access the minimum information necessary to contact you and manage records appropriately.

Who I share your data with

I take your confidentiality seriously and share your personal data only where necessary.

Third-party service providers:

I use the following third-party services to run my practice. Each of these services processes limited data on my behalf:

WordPress — powers this website

WebHealer — website hosting; may collect certain technical data, including basic analytics

Zoom — for online therapy sessions where agreed

Microsoft Teams — for online therapy sessions where agreed

Zanda Health — practice management system

Each of these providers is bound by a data processing agreement with me. Links to their privacy policies are available on request.

Clinical supervisor:

My clinical supervisor receives anonymised case material only. Your name and identifying details are never shared.

Administrative support:

I occasionally use administrative help for calendar management and appointment coordination. They may have access to your name and contact details to manage scheduling, but they do not have access to your clinical notes or any health-related information. Any administrative help I use is bound by confidentiality.

International data transfers

Some of the third-party services I use may transfer personal data outside the United Kingdom:

  • WordPress (Automattic Inc, USA)
  • Zoom (Zoom Video Communications Inc, USA)
  • Microsoft Teams (Microsoft Corporation, USA)
  • WebHealer (WebHealer Ltd, UK — no international transfer)

Where data is transferred to the USA, I rely on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs) as appropriate safeguards, in accordance with UK GDPR Chapter V and the updated requirements of the Data (Use and Access) Act 2025. The USA does not currently have a UK adequacy decision.

Zanda Health: For specific details on their data handling practices, international transfers (if any), and applicable safeguards, please refer to their own privacy policy. I can provide additional information on request.

You can request a copy of the relevant transfer safeguards by contacting me at karen@kmpsychotherapy.co.uk.

How long I keep your data

I keep your data only for as long as necessary. The retention periods below reflect my professional judgement, in line with the Limitation Act 1980 and standard professional indemnity insurance requirements:

  • Therapy records (including session notes, assessments, and correspondence): 7 years after our last session
  • Financial records (invoices, payment records): 6 years (HMRC legal requirement)
  • Website enquiries from non-clients: 12 months

How records are destroyed:

At the end of the applicable retention period:

  • Paper records are shredded using a cross-cut shredder
  • Electronic records are permanently deleted using secure deletion software

Your rights

You have the following rights regarding your personal data. These rights are written into law and I am committed to respecting them:

Right to be informed: You have the right to know how your data is being used. This privacy policy fulfils that right.

Right of access: You can request a copy of the personal data I hold about you. This is sometimes called a "subject access request." Under the Data (Use and Access) Act 2025, I will conduct a reasonable and proportionate search to locate your data.

Right to rectification: If any information I hold about you is inaccurate or incomplete, you can ask me to correct it.

Right to erasure: You can ask me to delete your personal data in certain circumstances. However, this right does not apply where I need to keep your data for legal reasons, insurance purposes, or in line with professional requirements. I will explain if this applies to your request.

Right to restrict processing: You can ask me to limit how I use your data in certain circumstances — for example, while a complaint is being investigated.

Right to data portability: Where technically feasible, you can ask for your data to be transferred to another provider in a commonly used electronic format.

Right to object: You can object to certain types of processing, although this is unlikely to apply to therapy records which are processed under contract and for health care purposes.

Rights related to automated decision-making: I do not use automated decision-making or profiling in my practice.

To exercise any of these rights, please contact me at karen@kmpsychotherapy.co.uk. I will respond within one month.

Data protection complaints — your right under the Data (Use and Access) Act 2025

You have the right to make a data protection complaint directly to me. I take all complaints seriously and will respond promptly.


To make a complaint:

  • Visit https://kmpsychotherapy.policydiary.co.uk and select the "Make a complaint" tab
  • Or email me at karen@kmpsychotherapy.co.uk

I will acknowledge your complaint within 7 days and provide a full response within 28 days.


If you are not satisfied with my response:

You may escalate your complaint to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Confidentiality exceptions

Everything you share with me in therapy is confidential. However, there are rare circumstances where I may need to share information without your consent:

  • Risk of serious harm: If I believe you or someone else is at serious risk of harm, I may need to contact appropriate services to help keep people safe.
  • Safeguarding concerns: If I become aware of concerns about a child or vulnerable adult being harmed or at risk of harm, I have a legal and ethical duty to report this to the appropriate authorities.
  • Court order: If a court orders me to disclose information, I am legally required to comply.

Whenever possible, I will discuss any disclosure with you first, unless doing so would itself put someone at risk. I will only ever share the minimum information necessary.

Changes to this policy

I review this privacy policy annually and whenever my practices change. If I make significant changes that affect how your data is processed, I will inform you directly.

Contact

If you have any questions about this privacy policy or how I handle your personal data, please contact me:

Email: karen@kmpsychotherapy.co.uk

Compliance page: https://kmpsychotherapy.policydiary.co.uk

Changes to this notice

This privacy notice was last updated on 13th June 2026.


© KM Psychotherapy | Karen Morton | Psychotherapist Hertfordshire
