Legal

Privacy Policy

How we collect, use, store, and protect your personal data.

Version: 2.0
Policy Owner: Sam McManus
Approved: February 2026
Next Review: February 2027

This document is the property of Kensington Square Therapy Ltd. It must not be reproduced in whole or in part without written permission. Uncontrolled when printed.

Confidentiality, Privacy and Safeguarding

At Kensington Square Therapy (KST), privacy and trust are central to the work we do. Therapy involves sharing personal experiences and feelings, and we are committed to protecting the information entrusted to us.

Everything shared in sessions is treated with care, dignity, and respect. In most circumstances, what is discussed remains confidential between the client and their therapist.

However, there may be times when we are legally or ethically required to share limited information to protect someone from serious harm — for example, if a child or vulnerable person is at risk of abuse or significant danger. We take these responsibilities seriously and share information only when necessary, in line with safeguarding law and professional ethical standards.

1. Purpose

This Privacy Policy (Privacy Notice) explains how Kensington Square Therapy Ltd (“KST”) collects, uses, stores, shares, and protects personal data in the course of delivering therapy, counselling, and wellbeing services to children, young people, families, and schools.

This notice fulfils KST’s transparency obligations under Articles 13 and 14 of the UK General Data Protection Regulation (UK GDPR) and informs data subjects of their rights under UK data protection law.

2. Scope

This policy applies to all personal data processed by KST, across all settings:

  • Private practice (Dyslexia Teaching Centre, 23 Kensington Square, London W8 5HN).
  • School-based counselling and therapy provision within independent schools.
  • Group programmes and facilitator-led services.
  • Online and remote therapy delivered via encrypted video platforms.
  • Administrative and business operations (invoicing, scheduling, compliance).

It applies to data relating to children and young people, parents and carers, school staff, referrers, subcontracted therapists and facilitators, website visitors, and enquirers.

This notice should be read alongside the KST Data Protection Policy, Cookie Policy, Safeguarding Policy, and Consent Form.

3. Definitions

  • Personal Data: Any information relating to an identified or identifiable living individual, as defined by Article 4(1) UK GDPR.
  • Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation (Article 9 UK GDPR). Therapy notes and clinical records routinely contain health-related special category data.
  • Data Controller: KST is the data controller for all personal data processed in connection with its services. This means KST determines the purposes and means of processing.
  • Data Processor: A third party that processes personal data on behalf of KST (e.g. Kiku, Google LLC).
  • Data Subject: The individual to whom the personal data relates.
  • Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, and destruction.
  • Gillick Competence: The legal principle recognising that children under 16 who demonstrate sufficient understanding and intelligence may consent to or refuse medical treatment (and, by extension, therapy) independently of their parents.
  • DSAR: Data Subject Access Request — a request by a data subject to obtain a copy of their personal data under Article 15 UK GDPR.

4. Legal and Regulatory Framework

This policy operates within the following legal and statutory framework:

  • UK General Data Protection Regulation (UK GDPR).
  • Data Protection Act 2018.
  • Privacy and Electronic Communications Regulations 2003 (PECR).
  • Children Act 1989 and Children Act 2004.
  • Working Together to Safeguard Children 2023.
  • Keeping Children Safe in Education 2024 (DfE).
  • BACP Ethical Framework for the Counselling Professions.
  • NCPS Code of Ethics.
  • ICO Guidance on Children’s Data and the Children’s Code (Age Appropriate Design Code).
  • Limitation Act 1980 (for retention periods).
  • Finance Act 1998 / HMRC requirements (for financial records).

5. Data Controller and Contact Details

Data Controller
Company Name: Kensington Square Therapy Ltd
Company Number: 16707111
ICO Registration: ZC022097
Registered Office: Flat 408, 2 Macfarlane Place, London W12 7RS (statutory filings only)
Trading Address: 23 Kensington Square, London W8 5HN (Dyslexia Teaching Centre)
Data Protection Lead: Sam McManus (also Director and Designated Safeguarding Lead)
Contact Email: [email protected]
Finance Email: [email protected]
Insurer: Hiscox Underwriting Ltd — Policy OXY8749916

KST is the independent data controller for all personal data processed in connection with its services. Where KST provides services within a school, KST and the school may operate as independent controllers in respect of their own records. KST does not act as a data processor for schools.

6. The Information We Collect

The personal data KST collects depends on the data subject’s relationship with KST. KST collects only information that is necessary and relevant.

6.1 Children and Young People

  • Name, date of birth, gender, school, and year group.
  • Parent or guardian names and contact details.
  • Relevant background information provided by parents, schools, or referrers to support therapy (e.g. educational, developmental, or family context).
  • Session notes, assessments, and progress information (special category health data).
  • Safeguarding records (where applicable).
  • Attendance records.

6.2 Parents and Carers

  • Name, contact details (email, telephone, address).
  • Relevant family, educational, or contextual information shared in consultation or communication.
  • Invoice and payment records (where applicable).
  • Consent records.

6.3 Schools and Referrers

  • School staff names, roles, and contact details.
  • Referral information and presenting concerns.
  • Progress summaries and safeguarding communications.
  • Contractual and administrative information.

6.4 Subcontracted Therapists and Facilitators

  • Name, contact details, qualifications, and professional body registrations.
  • DBS certificate details, insurance documentation, and supervision records.
  • Payment and invoicing records.
  • Training and compliance records.

6.5 Website Visitors and Enquirers

  • Information submitted through the website contact form (name, email, enquiry details).
  • Cookie data and analytics data (see KST Cookie Policy).
  • IP address and browser information collected via server logs and analytics.

7. Lawful Bases for Processing

KST processes personal data under the following lawful bases as defined by Article 6(1) UK GDPR:

Processing Activity | Lawful Basis (Art. 6) | Explanation
Delivering therapy and counselling | Contract (Art. 6(1)(b)) | Necessary for performance of the therapy service agreement with the client or their parent/carer.
Safeguarding and child protection | Legal obligation (Art. 6(1)(c)); Vital interests (Art. 6(1)(d)) | Required by Children Act 1989/2004, Working Together 2023, and KCSIE 2024.
Clinical record keeping | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) | Professional and regulatory requirement; legitimate interest in defensible clinical practice.
School reporting and communication | Legitimate interests (Art. 6(1)(f)) | Necessary for effective school-based provision; balanced against data subject rights.
Parent communication and updates | Contract (Art. 6(1)(b)); Consent (Art. 6(1)(a)) | Contractual where part of service agreement; consent-based for discretionary sharing.
Financial administration | Legal obligation (Art. 6(1)(c)) | HMRC accounting and tax obligations.
Supervision (clinical) | Legitimate interests (Art. 6(1)(f)) | Professional requirement; names typically anonymised.
Website contact form enquiries | Legitimate interests (Art. 6(1)(f)) | Responding to enquiries from prospective clients.
Website analytics (cookies) | Consent (Art. 6(1)(a)) | Consent obtained via cookie consent mechanism (see Cookie Policy).

7.1 Special Category Data (Article 9)

Therapy notes, clinical assessments, and safeguarding records contain health-related special category data. KST processes this data under the following conditions:

  • Article 9(2)(a): Explicit consent — obtained through the KST Consent Form at the start of therapy.
  • Article 9(2)(b): Employment, social security, and social protection obligations — where processing is necessary for safeguarding purposes.
  • Article 9(2)(c): Vital interests — where necessary to protect the life of the data subject or another person, and the data subject is incapable of giving consent.
  • Schedule 1, Part 1, Paragraph 2 DPA 2018: Health or social care purposes.

7.2 Children’s Data

KST processes the personal data of children and young people in accordance with the ICO’s Children’s Code (Age Appropriate Design Code) principles. Where a child is assessed as Gillick competent, KST will seek the child’s own views regarding data sharing, particularly in relation to progress updates to parents and schools.

KST does not profile children, make automated decisions about children, or use children’s data for marketing purposes.

8. Sharing Information

KST respects confidentiality and shares personal data only when necessary, lawful, and proportionate. KST will aim to discuss any necessary sharing with the data subject (or their parent/carer) in advance, unless doing so would increase risk to a child or vulnerable person.

KST may share limited personal data with the following recipients:

  • Clinical supervisors: To support ethical and effective practice. Names are anonymised unless the nature of the concern requires identification.
  • Schools: Where a child is seen as part of a school counselling programme. Sharing is limited to what is necessary for the child’s welfare and the school’s safeguarding duties.
  • Parents and carers: Progress updates are provided with the child’s agreement (where the child is Gillick competent). Detailed session content is not routinely shared.
  • Safeguarding agencies: Local authority children’s services, police, or the Local Authority Designated Officer (LADO) where there is a serious safeguarding concern. This may occur without the data subject’s consent where necessary to protect a child.
  • Accountants and regulators: For lawful compliance (financial records only).
  • Insurers: In the event of a claim or regulatory enquiry (limited to what is necessary).

KST does not sell, rent, or trade personal data. KST does not share personal data for marketing purposes.

9. Data Storage and Security

KST uses secure, encrypted systems to store and manage personal data:

Data Storage Systems
Clinical records (therapy notes): Kiku — GDPR-compliant, encrypted, UK-hosted therapy platform
Administrative records: Google Workspace (Drive, Gmail, Sheets, Forms) — encrypted, access-controlled
Financial records: Google Workspace and Xero (where applicable)
Website contact form submissions: Fluent Forms via WordPress — server-hosted, access-controlled
Paper records: Locked cabinet at trading address; destroyed by cross-cut shredding when no longer required

Security measures include:

  • All devices are password-protected, encrypted, and subject to automatic screen lock.
  • Multi-factor authentication (MFA) is enabled on all KST accounts.
  • Access to clinical records is restricted to the assigned therapist and the Director.
  • No personal data is stored on personal devices or unencrypted removable media.
  • Regular review of access permissions and account security.

10. International Data Transfers

Google Workspace data may be processed on servers located outside the United Kingdom. Google LLC operates under UK International Data Transfer Agreement (IDTA) safeguards and has certified compliance with applicable data protection standards.

Kiku stores clinical data on UK-based servers. No clinical data is transferred outside the United Kingdom.

KST reviews the transfer mechanisms of its data processors annually and will update this notice if the legal basis for international transfers changes.

11. How Long We Keep Information

KST retains personal data only for as long as necessary. The following retention periods apply:

Record Type | Retention Period | Legal Basis
Therapy notes (child clients) | Seven years after end of therapy, or until the child reaches age 25, whichever is longer | Limitation Act 1980; professional guidance
Therapy notes (adult clients) | Seven years after end of therapy | Limitation Act 1980
Safeguarding records | Retained in line with local authority guidance; may exceed standard retention | Children Act 1989; Working Together 2023
Consent forms | Duration of therapy plus seven years | Contractual and legal obligation
Invoices and financial records | Six years from end of financial year | HMRC requirements; Finance Act
Subcontractor records (DBS, insurance) | Duration of engagement plus six years | Legal obligation; insurance requirements
Website contact form submissions | Twelve months, or until enquiry resolved | Legitimate interests
Complaints records | Six years from date of closure | Limitation Act 1980
DSAR records | Three years from date of response | ICO accountability requirements

After the applicable retention period, records are securely deleted (electronic) or destroyed by cross-cut shredding (paper). Deletion is logged.

12. Your Data Rights

Under UK GDPR, data subjects have the following rights:

  • Right of access (Article 15): To obtain a copy of your personal data held by KST.
  • Right to rectification (Article 16): To request correction of inaccurate personal data.
  • Right to erasure (Article 17): To request deletion of personal data where there is no compelling reason for continued processing. This right is subject to exceptions, including legal obligations and safeguarding duties.
  • Right to restriction (Article 18): To request that processing is restricted in certain circumstances (e.g. while accuracy is contested).
  • Right to data portability (Article 20): To receive personal data in a structured, commonly used format and to transmit it to another controller.
  • Right to object (Article 21): To object to processing based on legitimate interests. KST will cease processing unless there are compelling legitimate grounds.
  • Rights relating to automated decision-making (Article 22): KST does not carry out automated decision-making or profiling.

To exercise any of these rights, contact the Data Protection Lead at [email protected]. KST will respond within one calendar month. Identity verification may be required before information is released. For complex or numerous requests, the response period may be extended by a further two months, with notification provided within the first month.

Where a request is made by a parent on behalf of a child who is assessed as Gillick competent, KST will consider the child’s own views before responding.

13. Safeguarding and Legal Exceptions

Confidentiality is central to effective therapy but cannot be absolute. KST may share limited personal data without the data subject’s consent where:

  • A child or young person is at risk of significant harm or abuse.
  • An adult is at risk of serious harm.
  • There is a risk to the welfare of a child as defined by Working Together to Safeguard Children 2023.
  • Disclosure is required by law (e.g. a court order, statutory enquiry, or police investigation).
  • Disclosure is necessary to prevent a serious crime.

Any such sharing is proportionate, recorded, and reported to the Director (as DSL). For full details, see the KST Safeguarding Policy.

14. If Therapy Ends or You Change Schools

When therapy concludes, records are securely stored for the applicable retention period set out in Section 11.

If a child changes school or moves to another therapist, KST can provide a brief handover summary to the new provider with written consent from the parent (and the young person’s consent, where the child is Gillick competent). Records are never transferred automatically.

At the end of the retention period, records are securely deleted or destroyed. KST encourages discussion about record management at the conclusion of therapy.

15. Data Breach Response

In the event of a personal data breach, KST will follow the KST Data Breach Response Plan (v1.0-2026). Where a breach poses a risk to the rights and freedoms of individuals, KST will notify the Information Commissioner’s Office within 72 hours and, where the risk is high, will notify affected individuals without undue delay.

16. Risk Management

Risk | Mitigation | Likelihood | Impact
Unauthorised access to clinical records | Kiku access controls; MFA; device encryption; annual access review | Low | High
Data shared without lawful basis | Lawful basis documented per processing activity; consent forms; staff training | Low | High
Retention periods not enforced | Retention schedule maintained; annual deletion review; deletion logged | Medium | Medium
DSAR not responded to within statutory timeframe | DSAR procedure documented; response template maintained; Director tracks deadlines | Low | Medium
International transfer safeguards change | Annual review of processor transfer mechanisms; IDTA monitoring | Low | Medium
Child’s Gillick competence not assessed before sharing | Gillick assessment documented; therapist training; consent form addresses this | Low | High
Data breach not detected or reported | Breach response plan; incident reporting training; Kiku audit logs; Google Workspace audit | Low | High

17. Record Keeping

  • Record of Processing Activities (ROPA): Maintained by the Data Protection Lead, documenting all processing activities, lawful bases, recipients, transfers, and retention periods.
  • Consent Records: Signed consent forms stored securely in Google Workspace.
  • DSAR Log: All data subject access requests recorded and tracked.
  • Breach Register: All personal data breaches logged, regardless of whether ICO notification was required.
  • Data Processor Register: Register of all third-party processors with DPA status and review dates.

All records are stored securely within Google Workspace with access restricted to the Director.

18. Training Requirements

  • Director / Data Protection Lead: UK GDPR compliance, DSAR handling, breach response, children’s data, ICO guidance updates. Reviewed annually.
  • Subcontracted Therapists and Facilitators: Data protection awareness, confidentiality boundaries, safeguarding interface, secure record keeping. Covered at induction and reviewed annually.

Training completion is recorded in the KST Training Log.

19. Monitoring and Audit

  • Annual data protection audit: Review of all processing activities, lawful bases, retention compliance, processor agreements, and security measures.
  • ROPA review: Record of Processing Activities updated at least annually.
  • Processor review: Annual review of all data processor agreements and international transfer mechanisms.
  • ICO guidance monitoring: Data Protection Lead monitors ICO publications, enforcement actions, and guidance updates.

20. How to Contact Us or the ICO

If you have any questions or concerns about how KST handles your personal data, please contact:

KST Data Protection Lead
Name: Sam McManus
Address: Kensington Square Therapy Ltd, 23 Kensington Square, London W8 5HN

If you are dissatisfied with how your data has been handled, you have the right to lodge a complaint with the Information Commissioner’s Office:

Information Commissioner’s Office
Helpline: 0303 123 1113

KST recommends raising any concern with the Data Protection Lead in the first instance, as many issues can be resolved directly and promptly.

21. Review Cycle

This policy will be reviewed annually or sooner if:

  • UK GDPR, DPA 2018, or ICO guidance changes.
  • A data breach, DSAR, or complaint identifies a need for revision.
  • KST introduces new processing activities, systems, or service settings.
  • A data processor changes its terms or transfer mechanisms.
  • The annual data protection audit identifies weaknesses.

22. Related Policies

  • KST Data Protection Policy (v1.0-2025)
  • KST Cookie Policy (v1.0-2026)
  • KST Terms of Use (v1.0-2026)
  • KST Safeguarding Policy
  • KST Confidentiality Policy
  • KST Consent Form (v1.0-2026)
  • KST Data Breach Response Plan (v1.0-2026)
  • KST DSAR Procedure (v1.0-2026)
  • KST Complaints Procedure (v1.0-2026)

23. Governance Maturity Assessment

Governance Maturity
Current Maturity Level: Level 4 – Audit Ready
Target Maturity Level: Level 5 – Board-Level Best Practice
Actions to Reach Target: Complete ROPA; implement automated retention enforcement; conduct tabletop DSAR exercise; integrate privacy impact assessments into service design
12-Month Target: Achieve Level 5 through documented ROPA, evidenced annual audit, tabletop exercises, and privacy-by-design integration

24. Version Control

Version | Author | Approved By | Date Issued | Review Date | Summary of Changes
1.0 | Sam McManus | Sam McManus | October 2025 | October 2026 | Initial release
2.0 | Sam McManus | Sam McManus | February 2026 | February 2027 | Major revision: restructured to 24-section governance format; lawful basis table added; retention schedule table added; international transfers section added; children’s data and Gillick competence addressed; risk register added; DPIA position stated; governance maturity assessment added

© Kensington Square Therapy Ltd – All rights reserved.