The Data Protection Act 1998 was implemented to give individuals a right of access to ‘personal data’. This personal data relates to any information held by a company or a professional that is needed in order to perform their business activities. Much of the information that counsellors and psychotherapists collect would be classified in this way, and, in addition, as ‘sensitive information’. As such, care needs to be taken to ensure that this information is handled and stored carefully. The Data Protection Act has served as a benchmark for this.
In May 2018, the Act was superseded by the General Data Protection Regulation (GDPR) which maintains some of the Act’s core principles while introducing some significant changes. These changes have an impact for counsellors and psychotherapists, including trainees who are in private practice. As under the DPA, the GDPR requires that if you keep any client records other than paper records, such as tape recordings, computer records, or data on smart-phones, you will need to register with the overseeing body: the Information Commissioner’s Office (ICO). If you only keep paper records, you are not legally required to register with the ICO, although it makes sense to do so. You can register at https://ico.org.uk for an annual fee of £40.
The GDPR consists of eight key principles that must be adhered to. The ones most relevant to counsellors and practitioners are:
- That Information must be processed fairly and lawfully. This means that all personal data must be stored with the consent of the client. There is a duty to be transparent with the client about why you are collecting it and what will happen to it. Most practitioners cover this in the signed contract they agree with a client.
- That information must be kept securely. Most practitioners are already aware of the need to keep client notes in a locked filing cabinet and to keep them separately from identifying data. The GDPR also requires practitioners who use devices such as smart phones, recording devices or computers, to ensure that they use strong passwords, encryption and up-to-date virus protection. If there is a breach in your security (for example, you lose your recording device), you have a duty to report it within 72 hours of the breach occurring.
- That Information must not be held for longer than is necessary. There is currently no consensus within the profession as to how long this should be, but a timescale of seven years is usually suggested, as this just exceeds the time limit for bringing actions against breach of contract, and many private insurance policies stipulate this time frame.
- That Information must be processed in accordance with the individual’s rights. This means that clients have a right to be informed that you keep notes about them, a right to view that information if they request to do so, and a right to demand that you correct, block, erase or destroy information about them. (Please see the section on taking and storing client notes and recordings below.) For more information, see the ICO’s website.