Protecting your Privacy, the ACAT Promise
Who we are
“We” and “us” means Association for Cognitive Analytic Therapy (ACAT). We are a charity and a registered company. ACAT helps to protect the public by accrediting high-quality trainings and holding a public register of accredited members.
Your privacy matters
At ACAT, we are committed to keeping your personal data safe and secure.
This notice sets out in detail the purposes for which we process information about you, who we share it with, what rights you have in relation to that information and everything else we think it’s important for you to know.
If you have any questions about the processing of your personal information, or you would like to exercise any of your rights, please reach out to us with the details mentioned below:
Email us at admin@acat.org.uk
How we process your information
To understand how we process your personal information and to understand your rights, please visit the relevant appendix below:
Appendix 1: CAT Psychotherapist, Practitioner, or Trainees
Appendix 2: Human Resources (Job applicants, employees, volunteers)
Appendix 3: General Information (events, marketing, your rights, complaints)
Changes to this Privacy Notice
We aim to keep this privacy notice regularly updated. This privacy notice is kept under regular review. If we make any significant changes to the way in which we process your information, we will let you know by either reaching out to you or posting a banner on the website.
This was last updated in September 2025.
Appendix 1: CAT Psychotherapist, Practitioner, or Trainees
How and when do we collect information about you?
We collect your personal data in the following ways:
a. When you apply with us to be a registered CAT psychotherapist, practitioner or a trainee
b. When we gain references about your previous work, trainings from third parties
c. When we receive such information through other member bodies
d. When you are person from the public making a complaint against a registrant
The information we collect includes the following: your name, email address, address, details about your circumstances (including health information, and race, ethnicity, religion), information about your previous trainings, educational background, any safeguarding information or concern, financial information.
How is the information used?
We use your information for the following:
1. Inclusion in the Public Register: Your details are added to our official public register to confirm your status and ensure transparency.
2. Investigation of complaints: to fulfil our role as a voluntary regulator for our members for investigating any complaints.
3. Safeguarding and Risk Management: We use the information to identify and address any safeguarding concerns, ensuring the safety and well-being of all individuals involved.
4. Training and Development: Your information helps us tailor and deliver relevant training programs to applicants.
5. Support and Enquiry Handling: We use your details to respond to your enquiries efficiently and accurately.
6. Internal Evaluation and Monitoring: The data contributes to our internal evaluation and monitoring efforts.
What is our lawful basis for processing this information?
1. To fulfil your registration or membership with us or for participation in training courses, we rely on contractual obligation. If your registration is unsuccessful, we rely on legitimate interest to continue storing your information. We rely on additional lawful basis of Substantial Public Interest, read with Protecting the Public condition.
2. To undertake any investigations, we rely on legitimate interest, and substantial public interest read with Protecting the Public condition.
3. To undertake research and development activities, organise conferences, offer guidance on matters, we rely on legitimate interest.
4. Any information about any third parties or member bodies that is shared with us when you are a registrant is processed based on legitimate interest, read with substantial public interest read with Protecting the Public condition.
Who do we share your data with?
1. We may use legitimate interest to share your personal data with other member bodies.
2. To comply with our duty of care and safeguarding, we apply vital interest and legitimate interest as our lawful basis.
How we store your information and for how long?
We retain the personal data of all service users for a period of time in line with our retention periods. If you would like to know more about this, please contact us at the email address above.
Appendix 2: Human Resources
(Job applicants, employees, trustees, volunteers including steering committee members)
How and when do we collect information about you?
You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement. In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references.
What type of information is collected about you and who provides it?
We keep several categories of personal data to carry out effective and efficient processes. Specifically, depending on your type of engagement with us, we may process the following types of data:
a. personal details such as name, address, phone numbers, marital status
b. name and contact details of your next of kin
e. information of any disability or other medical information you have disclosed
f. right to work documentation, National Insurance number, bank account details
g. information gathered via the recruitment process such as that included in a CV, cover letter or application form, references, details on your education and employment history etc
i. information relating to your employment with us (e.g. job title, job description, salary, terms and conditions of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern and disciplinary, disciplinary and grievance proceedings)
We may also process special category of data which include health information, sexual orientation, race, ethnic origin. We may also process criminal records information if the role involves DBS check.
How is the information used?
We are required to use your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/ trustee agreement, without which we would be unable to employ you or engage with you. Holding your personal data enables us to meet various administrative tasks, legal obligation or contractual/agreement obligation. We process information in relation to the DBS for our safe recruitment practices.
What is our lawful basis for processing this information?
We mainly use ‘contractual obligation’ as a lawful basis for processing personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees.
Some special categories of personal data, such as information about health or medical conditions is processed in order to carry out employment law obligations and for health and social care obligations. We may also process information about ethnic origin, sexual orientation, health or religion or belief based on substantial public interest for the purposes of equal opportunities monitoring. For administering any grievance or disciplinary processes, we rely on legitimate interest.
When processing criminal records (for example, in order to perform a DBS check), the organisation relies on the lawful basis of legitimate interest and additional conditions of the UK GDPR and DPA 2018.
Who do we share your data with?
Personal Data in relation to your salary is shared with HMRC as part of our legal obligation. When sharing information with third parties, we have data sharing agreements, data processing agreements or contracts in place to ensure data is not compromised. These third parties implement appropriate technical and organisational measures to ensure the security of your data.
How long do we keep your data?
We only keep your data for as long as we need it for, which will be at least for the duration of your employment/engagement with us though in some cases, we will keep your data for a period of 7 years after your employment/engagement has ended. If you’ve applied for a vacancy but your application hasn’t been successful, we will keep your data only for 12 months. Some data retention periods are set by the law. Retention periods can vary depending on why we need your data. Please get in touch by contacting us using the details above if you want to know more about retention period.
Data is destroyed or deleted in a secure manner as soon as the retention date has passed.
Appendix 3: Events, Marketing and General Information
Events
We host many events in a year, and your personal information is collected when you register for an event with us. We may collect basic personal information, such as your name, email, phone number. We rely on legitimate interest to administer your registration for the event. When we collect other information such as dietary information, we rely on your explicit consent.
If you have attended an event with us previously, we may reach out to you to invite you for our future events. We rely on consent (to send you emails) and legitimate interest (to call you on your registered number with us).
Marketing
We may also send you marketing communications if you have signed up for marketing emails. We use texts, email, and calls for marketing.
We rely on your consent to send you email communications (except where this is a business email address, whereby we rely on legitimate interest).
If you would like to change your marketing preferences, please reach out to us on the email address provided in the first section of this privacy notice, or you can simply unsubscribe with the option on the bottom of the emails.
We may also use post as a mode of sending you marketing communications, relying on legitimate interest. If you would like us to not send such communications, please do reach out to us.
Your rights as a Data Subject
You have the following rights:
• ‘Right to be informed’, which means we will be completely clear and transparent about how we plan to use your personal information.
• ‘Right of access’, which means you can request details of the personal information we hold about you and how we use it. We will provide this within one month.
• ‘Right to rectification’, which means you can ask us to update or amend the personal information we hold about you, if it is incorrect.
• ‘Right to restrict processing’, which means you can ask us to change, restrict or stop the way we are using your personal information.
• ‘Right to erasure’ (or ‘right to be forgotten’), which means you can ask us to remove your personal information from our records.
• ‘Right to object’, which means you can object to us using your personal information for marketing purposes.
• ‘Right to data portability’, which means you can obtain the personal information we hold about you and reuse it for your own purposes.
• ‘Right not to be subject to automated decision making’, which means if we use systems to make a decision about you, you have the right to ask for a person to intervene, which may change the outcome.
• Right to lodge a complaint with a supervisory authority, such as the Fundraising Regulator or the Information Commissioner’s Office (ICO), if you are not satisfied with our response to a request you make to us, or you feel we are not using your information correctly.
International Data Transfers
Where personal data is stored outside of the UK and the EEA, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).
Complaints procedure
If you are unhappy with the way we process your data, please get in touch using the contact details mentioned above.
You can also make a complaint to the Information Commissioner’s Office (ICO), which regulates the use of information in the UK. They can be contacted at 0303 123 1113 or you can write to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
September 2025