The General Data Protection Regulation (GDPR) is EU law on data protection and privacy; since the UK left the EU it applies in the UK as the "UK GDPR", alongside the Data Protection Act 2018. In short, if you or your organisation collect personal data about people in the UK, you are responsible for protecting those people's rights in line with the regulation.
When running a therapy business you will collect and store both ordinary personal data (client contact details, GP details and emergency contact details) and special category data about health (clinical notes, treatment plans, email correspondence about treatment) in relation to your clients. Special category data carries stricter conditions for processing and a higher duty of care.
Under the GDPR (in force since 25 May 2018), therapists in private practice are data controllers, because we decide the purposes and means of processing: what client data is collected, why, and how it is stored.
It is therefore important that we understand our obligations and shape our private practice counselling policies and procedures accordingly, so that client data stays confidential and our clients are treated fairly and transparently in line with this legislation.
What are our counselling clients' rights under GDPR?
The key rights of your clients over their data under GDPR, in a nutshell, are:
- The right to be informed
- The right of access
- The right to rectification of records
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
1. The Right to be Informed
At the start of therapy you need to tell clients what information you will collect, why you need it and how you will use it in your practice; how long you will keep it; and how they can access it, have it corrected, withdraw consent where consent is the basis for processing, and raise a complaint (including with the ICO) if they wish to.
Ideally this should be given in writing (a privacy notice) as well as explained verbally in session. It is good practice to obtain the client's signed or digital agreement at this point, alongside their agreement to your terms of business.
We've put together a client agreement template for you to help with this.
2. The Right of Access
You'll need to make sure your clients know they have the right to see the data you hold on them (contact details and session notes) and to ask for a copy; you normally have one month to respond to such a request. When setting up your counselling business and writing your policies and procedures, think through how you would handle a subject access request. The impact on the client of reading your clinical notes should be considered case by case, and it is good practice to offer to go through the notes together, but this is not a general discretion to withhold them: UK law only allows health records to be withheld where disclosure would be likely to cause serious harm, and that is a narrow exemption.
3. The Right to Rectification
Your counselling clients have the right to ask you to correct personal data that is inaccurate or incomplete. This does not oblige you to rewrite a professional opinion you believe is accurate, but if the client disputes it you should record their disagreement alongside the entry. Again, you need a policy in place for how you will handle such a request.
4. The Right to Erasure
Counselling clients can ask you to delete the data you hold on them at any time. You do not have to comply, however, if you need the data to keep providing the service the client is still receiving; you are required to keep it by law or a court order (for example a professional record retention period); or you need it to establish, exercise or defend legal claims. Whatever you decide, tell the client the outcome and the reason.
5. The Right to Restrict Processing
Restricting processing is not the same as withdrawing consent. The client can ask you to stop using their data while continuing to store it, for example while they dispute its accuracy or while an objection is being considered. Separately, where you rely on consent as your basis for processing, the client can withdraw that consent at any time, and you must make withdrawing it as easy as giving it.
6. The Right to Data Portability
This is the client's right to receive the personal data they have given you in a structured, commonly used, machine-readable format (for example a CSV or PDF export rather than a stack of handwritten notes), and to have it sent to another provider where that is technically feasible. In practice this means choosing record-keeping tools that can export a client's data cleanly.
7. The Right to Object
Your counselling clients need to know they have the right to object to their data being used in ways other than those agreed at the start of the counselling process; an objection to direct marketing must always be honoured. A related right is not to be subject to decisions made solely by automated means that significantly affect them. Requests for your client's clinical notes from third parties (health insurers, employers, the police or solicitors) are a disclosure question rather than an objection: unless you are compelled by a court order, sharing notes normally needs the client's explicit consent, and you should have a written policy for handling such requests.
GDPR compliance in your counselling business
You are responsible for protecting the rights of your clients and their data. You'll need to give your counselling clients a clear data protection policy and privacy notice, record that they have received and agreed to it, and store their data securely at all times.
If you keep paper records, they need to be stored in a locked filing cabinet, and personal contact details should be kept separately from your clinical notes, which should carry only a client code rather than a name. Strictly, notes that can still be linked back to a person through that code are pseudonymised rather than anonymised, and remain personal data under GDPR; the separation limits the damage if one set of records is lost or seen, but does not remove your duties over the notes.
If you use a practice management system, it should be GDPR compliant and you should communicate in clear terms to your clients all the necessary ways in which you collect and use their data.
Good practice management software holds all of your client data securely in one place, pseudonymises clinical notes and diary entries automatically on your behalf (storing them against a client code rather than a name), exports a client's records on request, and has a GDPR-compliant retention and archiving procedure in place.
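As an added illustration of the "contact details kept separately from clinical notes" principle above (this is example code written for this page, not Kiku's implementation), the Python below keeps identifying details and clinical notes in two separate stores linked only by a random client code, and shows how a subject access request, a correction and an erasure each act on both stores. The two dictionaries stand in for two separately protected stores; the client details are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class IdentityRecord:
    """Directly identifying details: lives in the identity store only."""
    name: str
    phone: str
    gp: str
    pseudonym: str  # random client code; the only link to the notes store


class PracticeStore:
    """Identities keyed by client_id, clinical notes keyed by pseudonym.

    Anyone who sees the notes store alone sees random codes, not names.
    The two dicts stand in for two separately protected stores (assumption).
    """

    def __init__(self) -> None:
        self._identities: dict[str, IdentityRecord] = {}
        self._notes: dict[str, list[str]] = {}

    def add_client(self, client_id: str, name: str, phone: str, gp: str) -> str:
        if client_id in self._identities:
            raise ValueError(f"client {client_id} already exists")
        # secrets.token_hex gives an unguessable code unrelated to the person,
        # unlike initials or a date of birth.
        pseudonym = secrets.token_hex(16)
        self._identities[client_id] = IdentityRecord(name, phone, gp, pseudonym)
        self._notes[pseudonym] = []
        return pseudonym

    def add_note(self, client_id: str, text: str) -> None:
        rec = self._identities[client_id]
        # Guard: a note that names or phones the client defeats the separation.
        for identifier in (rec.name, rec.phone):
            if identifier.lower() in text.lower():
                raise ValueError("clinical note must not contain direct identifiers")
        self._notes[rec.pseudonym].append(text)

    def subject_access(self, client_id: str) -> dict:
        """Right of access: gather everything held about one client."""
        rec = self._identities[client_id]
        return {
            "contact": {"name": rec.name, "phone": rec.phone, "gp": rec.gp},
            "notes": list(self._notes[rec.pseudonym]),
        }

    def rectify_contact(self, client_id: str, **changes: str) -> None:
        """Right to rectification, applied to the contact details."""
        rec = self._identities[client_id]
        for key, value in changes.items():
            if key not in ("name", "phone", "gp"):
                raise KeyError(key)
            setattr(rec, key, value)

    def erase(self, client_id: str) -> None:
        """Right to erasure: remove the identity AND the linked notes."""
        rec = self._identities.pop(client_id)
        self._notes.pop(rec.pseudonym, None)

    def has_client(self, client_id: str) -> bool:
        return client_id in self._identities

    def pseudonym_count(self) -> int:
        """Number of note files left; must not outlive their identities."""
        return len(self._notes)


if __name__ == "__main__":
    store = PracticeStore()
    # Constructed sample client for the demonstration.
    code = store.add_client("c1", "Jane Doe", "07700 900123", "Dr Smith")
    store.add_note("c1", "Session 1: discussed sleep and work stress.")
    print("client code:", code)
    print("subject access:", store.subject_access("c1"))
    store.erase("c1")
    print("notes left after erasure:", store.pseudonym_count())
```

The guard in `add_note` matters in practice: separating the stores only helps if the notes themselves do not repeat the client's name or number, and `erase` removes both halves so that orphaned notes do not survive an erasure request.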
Kiku was designed by counsellors who know your professional needs. Our practice management software for UK therapists is fully encrypted and both password and two-factor authentication protected to ensure that the client information we process and store is always safe and secure.
We've put together all of the GDPR document templates you'll need for your private practice counselling policies and procedures here.
Store your client data securely with Kiku
Try for free