General data protection regulation (GDPR) and CYP
BACP Children, Young People and Families, December 2018

Since GDPR has been in force for about six months, now is perhaps a good time to summarise its impact and to discuss some of the more common issues and misunderstandings that have come up over the last few months. In particular, Barbara Mitchels and David Membrey focus on some of the issues relevant to working with children and young people.

It’s important to emphasise that there are many elements of GDPR that are still unclear. Full clarity will only gradually appear over the next few years as more guidance is produced and case law defines the precise contours of the legislation. The bedrock underpinning GDPR is transparency, so that even if you are not 100 per cent clear about how you should interpret GDPR, it’s helpful to be absolutely transparent with clients (who are your data subjects) at all stages of the counselling relationship.

Personal data

GDPR only applies to personal data. Personal data are any information relating to an identified or identifiable living person. They could be text, images, video or audio and they can be stored in any manner (normally paper or electronically). Some personal data are more sensitive, and GDPR applies extra rules to their collection and use. This is Special Category Data (sometimes referred to as sensitive data), and the category includes: race; ethnic origin; politics; religion; trade union membership; genetics, biometrics; health; sex life or sexual orientation. Criminal convictions are dealt with separately under GDPR – see ico.org.uk.(accessed 9 October 2018).

Data controllers

It is essential to understand the concept of a data controller and a data processor. The Information Commissioner’s Office (ICO) explains that the data controller exercises ‘overall control over the purpose for which and the manner in which personal data are processed’. A processor on the other hand is ‘any person (other than an employee of the data controller) who processes the data on behalf of the data controller’. In practice, this means that the majority of counsellors and psychotherapists will be data controllers. Some practitioners may wear either of these hats in different situations – for example, in their own private practice and as an employee, they may be a data controller, and as a freelance contractor to an organisation, they may be a data processor. It’s important to examine any applicable contract to see what it says about data protection, and who holds responsibility for the counselling records. If you are personally a data controller, you will need to pay a fee to the Information Commissioner’s Office. You can do this online. If you are an employee of a data controller (such as a school, university or a counselling service), your employer should be registered, and your contract should set out the way in which you are expected to deal with the gathering, storage and protection of personal data in the counselling records.

Data breaches

Recognising data breaches and logging them into a data breach log is essential. Just like an accident book, the data breach log should record all breaches, however minor. That way, if there is a major breach and the ICO does an audit, they will be encouraged to see that we have taken our breach log seriously. The ICO states: ‘A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data are lost, destroyed, corrupted or disclosed; if someone accesses the data or passes them on without proper authorisation; or if the data are made unavailable, for example when they have been encrypted by ransomware, or accidentally lost or destroyed.’ So, for example, if a computer or paper client record is damaged by flood (or coffee!), that could be a significant data breach. The most common cause of breaches is poor email practice. For instance, putting email addresses into the cc field rather than bcc or leaving a long email trail with sensitive earlier email correspondence below the current message. Paper files are just as open to breaches. Leaving a printout in the printer tray for others to see, not adhering to a strict clean-desk policy and failing to lock the computer screen when someone else could see personal data, all can result in breaches that need to be logged.

However, minor breaches may not necessarily need to be reported to the ICO, provided that the controller has identified any possible risk to the client arising from the breach and that any potential risk has been dealt with appropriately so that there is no adverse impact on the client. The ICO states: ‘When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it. …This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors. …So, on becoming aware of a breach, you should try to contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen.’ For more information on this, see Personal data breaches (accessed 9 October 2018).

In the spirit of transparency and openness in our work, BACP’s Ethical Framework requires that we are open with our clients about any breach of confidentiality and that we do our best to minimise any risk to clients or others arising from our actions. The GDPR expects the same ethos of transparency, but the ICO does not want to be overwhelmed by reports of minor breaches which have been dealt with and where there is no risk to the client. If there is any risk to the client, then a report must be made, and you may also need to inform other parties, such as your insurance provider. Where there is any doubt about whether to report a breach, see the ICO website and seek legal or other appropriate advice, eg from the ICO helpline.

Data security

One of the principles of GDPR is that the data controller (and any processors) have an obligation to keep data safe. The level of data security required is directly related to the sensitivity and quantity of data.

We do not have space here to go into how you would implement data security but you should certainly be considering and getting advice on encryption of computers and other devices, password protection of email attachments, use of two-factor authentication,* regular updating of all software, use of high-quality anti-virus and computer security software, secure shredding or destruction of all paper containing personal data, locking filing cabinets etc. You can see the ICO’s guidance on data security and the Government cyber security portal (accessed 10 October 2018).

Subject access

The concept of the client’s right to have access to any data you hold about them has been enshrined in law since 1998. The main changes brought in by GDPR are that you are no longer allowed to charge people for responding to a subject access request (except in certain very specific situations) and the time within which you have to deliver the data is reduced to one calendar month (in reality you have till the next working day after the closest date to one calendar month). Besides having to find all data relating to the data subject, you will have to redact any references to other people and you will have to explain any technical jargon or codes – so this can be a time-consuming process. There are situations where you can limit some of the personal data you make available, see Right of access (accessed 10 October 2018).

Practice note: There are specific provisions in the GDPR as implemented by the Data Protection Act 2018 (DPA), creating protective limitations on disclosure of children’s personal data to a child client or to others (for example those with parental responsibility for a child who have asked to see the child’s counselling records). Disclosure of data may be refused or limited in situations where there may be any risk to the child or others from such a disclosure, or where a disclosure might jeopardise a social care or police investigation etc – for example, in child safeguarding or child protection situations.

There are also protective legal provisions preventing disclosure of past child abuse data in certain circumstances. For more detail on this, see GPiA 105; GPiA 014; GPiA 031; and watch for two new GPiAs 069 and 071 to be published soon on records and information sharing. If disclosure of personal data about a child client is requested, check these provisions first and seek appropriate legal or other expert advice. For general advice about children and data processing, see the ICO website at Children and Children and the GDPR (accessed 9 October 2018).

Retention

An important pillar of data protection law is that our client’s personal data should be held only for as long as necessary, and for the length of time agreed with the client.

You must consider retention periods for all the personal data you collect, and clients must be aware of the length of time notes will be retained, and how their data will be stored and accessed. This can be done with a ‘privacy notice’ setting out the detail, of which the client should be aware. For child clients, this would need to be in age-appropriate language. Once this period has ended, the notes should be destroyed securely unless they have been legally required, eg by a court order.

Data may be retained outside of GDPR control if it is completely anonymised. Anonymisation in GDPR means removing all possible means of linking the data to a specific individual, and once data are anonymised, GDPR no longer applies to them. Note: The usual system used by counsellors of keeping client contact data in one place and the records in another, linked by a reference number, or other similar data storage systems, are known in GDPR as ‘pseudonymisation’ of the data and are covered by GDPR. The ICO recommends the use of pseudonymisation as a means of reducing the severity of data breaches.

Lawful basis

The GDPR insists that we cannot hold or process anybody’s personal data unless there is a ‘lawful basis’ for doing so. In addition, if we process sensitive data we need an additional lawful basis for this.

1 Lawful basis for processing data

In the counselling professions, we are usually providing a service to clients on the basis of a contract with them, or (in the case of children who are not competent to make a contract) with those with parental responsibility for them. Counsellors working in the NHS healthcare services may be doing so in the context of that service. Other counsellors may work in the context of social care, adoption services, school counselling etc. Therefore, the lawful basis on which we work may vary with the circumstances in which the service is provided. There are six bases: consent; contract; legal obligation; vital interests; public task; and legitimate interest – and no basis is ‘better’ or more important than the others. We must determine our lawful basis before we begin processing.

It is important to get our bases right first time, as the ICO has made it clear that we should not swap to a different lawful basis at a later date ‘without good reason’, and, in particular, that if we choose consent, we cannot ‘usually’ swap to a different basis.

If our therapy working environment and/or professional practice ethics require us to keep appropriate records of our work (see BACP’s Ethical Framework), and records are therefore necessary for our service, then our lawful basis for processing data under GDPR is likely to be ‘necessary for the performance of a contract’. Another possible basis may be ‘legitimate interest’ when we are providing healthcare.

‘Consent’ has a special meaning under the GDPR in the case of lawful basis, different from the colloquial meaning, and so is not always the obvious choice for a basis – the ICO states: ‘If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for processing.’

So – the two possible bases for processing a client’s personal data which are available to a BACP member will usually be ‘contract’ or, in cases where there is no contract, ‘legitimate interest’.

2 Lawful basis for processing special category (sensitive) data

If we are processing special category data, we are further required to identify a special category condition for processing and to document this. The basis for processing special category data will usually be ‘for the provision of health or social care or treatment’ – though consent may in some instances be more appropriate here.

Practice note: If a client is giving explicit consent to the processing of their data, the basis on which data will be gathered, stored, disclosed and destroyed should be clearly set out in a privacy notice, separated from the other terms in the therapy contract (such as modality, session length, fees etc), and the privacy notice should be signed separately from the therapy contract.

Therapy notes

Notes of client sessions are likely to contain sensitive, special category data; for example, information relating to the physical or mental health of the client or information relating to the sexuality or sex life of the client. If these notes are completely anonymous, then GDPR does not apply and this is not special category data.

As explained earlier, GDPR applies to all personal data in our notes and records that are not completely anonymised. It therefore applies to all other systems and types of notes and records, including those records that are linked by a reference code etc to protect them to some extent from unauthorised access.

Privacy notice

The privacy notice is an opportunity to demonstrate transparency to all those whose data we process – or may process in the future. This should be available to clients before – or as soon as possible after – they share any data with us. For those with a website, this is the obvious place to put it. Otherwise, we can produce a leaflet or letter, or put the information in another accessible format, and give it to our clients when we first meet them, or email it to them. If the privacy notice is on a website, it will be straightforward to link to it on email signatures and elsewhere. The section of the privacy notice that relates to clients and former clients can be included as an appendix to the therapy contract with clients.

BACP will shortly be publishing separate guidance on the content and structure of privacy notices, and BACP’s own privacy notice also acts as a model that members may make use of. It is important to ensure that the privacy notice has sections that relate to all the different groups of people whose data may be processed in the current and future provision of the therapy service.

Children

For legal issues in relation to counselling in schools in England, Wales and Northern Ireland, please see GPiA 002. Contracts also need to make clear the status and storage of the counselling records; for example, they should clarify whether these are regarded as part of the school record or are separately maintained and owned by the counsellor, state where the counselling records will be stored, and describe the security and access arrangements for the counselling records in accordance with the current data protection law. It is vital that, at the outset, the counsellor has clarified with the school the status of client records, because confidentiality law and data protection legislation may permit and/or require client access to the school records and/or counselling records, subject to certain legal safeguards – see below.

Under the GDPR, Article 8, as applied by the 2018 DPA, the offer of ‘information society services’ to a child, meaning broadly, in our context, ‘online services’, will require the consent of a person with parental responsibility for all children under the age of 13 years. Note: there is a specific exception for counselling services.

In addition, there is a general provision in the GDPR, applicable to protection of data in all forms of services to children:

‘Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.

The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.’ (GDPR (38)).

This concept is reinforced by the ICO in its guidance on children accessed 10 October 2018).

In therapy, we are not only contracting about data processing, we are also contracting for the provision of therapy with a child. For children who have the capacity to give consent to a therapeutic alliance, therefore, it is assumed that the Gillick criteria will continue to apply and the consent of those with parental responsibility is not required (see GPiA 105, Part 11.1). However, for those children under the age of 16 who do not have the capacity to consent to a therapeutic alliance, it is assumed that the normal legal principles of consent for children will apply (see GPiA 105 Part 11.1).

Under data protection law, a child with capacity to make their own decisions has a right to see their own records. If the child does not have the capacity to make his or her own decisions, then those with parental responsibility for the child will have the right to make decisions relevant to therapy, and under data protection law will also have the right to see the child’s therapy records. (Note that there are certain legal exceptions allowing the therapist and school to maintain secrecy to safeguard the health or safety of the child or others, or to safeguard a police or other investigation in the context of child protection.)

Note also that if a counselling record is regarded as part of the school record, then, under data protection legislation, those with parental responsibility may usually have a right of access to their child’s records if the child is not competent to make his or her own decisions (in the context of the Gillick case), or if a competent child has not expressed his or her wish to have their confidentiality protected, but the counsellor needs to be aware of certain specific legal safeguards for information relating to child protection issues and other information that may, if disclosed, cause a risk to the child or others.

Practice note: Situations where client information may have special protection from disclosure, including response to requests from the data subject:

Under Schedule 3 of the Data Protection Act 2018, there are listed exemptions to the general provisions of Article 15 of the GDPR regarding disclosures. Under these exemptions, data controllers may refuse disclosure of information about the data subject (eg including a disclosure to the data subject themselves, or to those with parental responsibility for a child who is a data subject), where the result of that disclosure could cause serious harm to the physical or mental health of the data subject or another individual (eg in child protection, medical, social work or educational situations). In this situation, it is best to seek appropriate legal advice and/or the assistance of a suitably qualified person. Part 5 of Schedule 3 of the Data Protection Act 2018 applies a separate additional exemption relating to maintaining the confidentiality of child abuse data.

*Two-factor authentification is a service that is increasingly available for many online services such as email, cloud hosting etc. It means that your password alone does not provide access to the service. The service typically sends a code to your mobile phone that you also need to enter.

David Membrey is a consultant with the firm Adapta Consulting and has been supporting BACP through the process of GDPR compliance. David specialises in all aspects of information systems improvement within membership and other not-for-profit organisations. For more information, see www.adaptaconsulting.co.uk

Barbara Mitchels BACP Registered (Snr Accred) is a Fellow of BACP and the Director of Watershed Counselling Services in Devon. Barbara is also a retired solicitor, providing online consultancy, resources and workshops around the UK for therapists on a variety of therapy-based topics and on the relationship of law, therapy and the courts. See www.therapylaw.co.uk