The issues of data security, personal privacy and the overarching role of the internet are rarely out of the news. Google is in trouble for seeking access to NHS data.1 Firms such as TalkTalk have been fined for data breaches,2 prompting its boss to describe cybercrime as ‘the crime of our generation’.3 The reported epidemic of trolling, cyberbullying and web abuse has provoked even the normally sanguine leader writers of The Guardian to lament that ‘the internet can be a vile place...’4
This changing view of the web, as a dark and troubled landscape, has led to increasing calls for the internet to be monitored and policed, in order to protect personal data and privacy. The Crown Prosecution Service is now seeking stiffer penalties for abuse on Twitter, Facebook and other social media.5 There is a proposal for an ‘internet ombudsman’ to police the internet.6 The normally reticent Information Commissioner’s Office (ICO) has lately become more forceful in taking action. Now, the Government proposes fines of up to £17m, or four per cent of global turnover, for organisations that fail to prevent cyberattacks causing major disruption to transport, health or electricity supplies.7 Strictly, that proposal implements a separate EU directive on network and information security, but it arrives alongside the General Data Protection Regulation (GDPR), which applies from 25 May 2018 and is expected to have major implications for counsellors and counselling organisations.
Counselling and data security breaches
Counsellors and counselling agencies might be thought to be at less risk of censure for data protection problems, given our strong professional and ethical commitment to protecting client confidentiality. However, respect for client confidentiality is no guarantee of understanding the fine detail of data protection, either in the past or in the future under the GDPR. There are examples of counselling agencies losing sensitive client records: one bereavement agency lost records through the theft of unencrypted memory sticks.8 The BPAS was subject to an eye-watering fine of £200,000 for systematic failures in its website security, after an attacker extracted call-back details that the organisation did not realise its website was storing.9 The advice agency Anxiety UK also gave the ICO a formal undertaking to improve its practice, following similar concerns about the level of data security on its website.10 While much writing on the ICO and data protection tends to emphasise its rather scary role as an enforcer, it is clear that, major abuses aside, the ICO sees its role as a ‘light-touch’ educator rather than a heavy-handed regulator. The broad-brush basics of data security are not that complex to learn or to put into practice (see figure 1).
Changes due to GDPR
The changes introduced by the General Data Protection Regulation represent a shift in orientation towards the processing of personal data, which is, necessarily, a core activity for counsellors and counselling organisations. In broad terms, the changes operate firstly at the level of organisational policy and then at the level of practice. At the policy level, organisations need to establish appropriate policies, for example by nominating a data protection lead with overall responsibility for data protection. Agencies need to develop sufficient awareness among staff of good data security. Organisations currently need to notify the ICO of their data processing activities, or to ‘register’ with it, in everyday language; under the GDPR, notification as such is replaced by a requirement to pay an annual data protection fee to the ICO, so the practical obligation to be on the ICO’s books remains. Where data processing is outsourced, e.g. by being held in a computing ‘cloud’, care needs to be taken that the level of protection is compliant with the high standards already required within the European Union, particularly where the provider stores data outside it. The Government has said that the GDPR will be implemented regardless of the outcome of the Brexit negotiations, and an updated Data Protection Act is due to follow on and become law in 2018.
General Data Protection Regulation: main changes from the Data Protection Act 1998
- New requirements on data processors (those carrying out data processing activities on behalf of a data controller), i.e. to maintain records of their work, with greater direct legal liability for data breaches;
- New, broader definition of personal data, e.g. to include online identifiers such as IP addresses; the term ‘sensitive personal data’ replaced by ‘special categories of personal data’, which now include genetic and biometric data used to identify a person;
- New ‘accountability principle’, whereby organisations need to be able to show how they comply with the data protection principles, e.g. by recording their processing activities and, where required, appointing a data protection officer;
- Enhanced protection of the rights of children with regard to data processing, e.g. the right to have material removed from social media; no requirement for parental consent for data processing related to counselling services offered directly to a child;
- Information about data processing (a ‘data subject access request’) to be provided free of charge in most cases, rather than for the £10 fee permitted under the 1998 Act;
- Duty to report data breaches, e.g. loss of client confidentiality, to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned;
- GDPR to provide a ‘floor’ of EU standards for data processing, with additional UK-specific areas, such as law enforcement and national security, to be covered by the proposed Data Protection Act 2018.
Despite the publicity surrounding the GDPR, there is still a nagging suspicion that there is actually rather less here than meets the eye, at least in terms of a radical overhaul of data protection. With the GDPR, however, it does seem that the devil will be in the detail. According to the ICO, ‘many data security breaches are accidental and result from insider actions,’ rather than from external hacking.11 Counsellors will already have a keen awareness of the importance of maintaining confidentiality, but can sometimes be hazy on the fine detail of data protection practice, particularly at the more ‘high tech’ end of things. In terms of the practical application of the GDPR, organisations need to be clearer about how they protect client privacy, i.e. clarifying what client information is kept, how it is processed, how long it is kept for and for what purposes (see below: draft privacy and consent form for counselling clients).
Under the GDPR, there is a greater emphasis on client rights, such as the right to ask for their records under ‘data subject access requests’. The knotty, and still largely unresolved, question of how long client records should be kept needs to be tackled by agencies and practitioners, by setting clear timescales for retaining, and then securely destroying, client notes. Generally, staff, including students on placement and volunteers, need to be well briefed and ‘on board’ with the fine detail of data security. This applies at the most basic level, in the form of ‘clear desks and clear screens’ practices (e.g. locking the screen whenever a computer is left unattended, with the Windows key plus L, or Ctrl-Alt-Delete followed by ‘Lock’). Counsellors will need to comply with minimal good practice in data security: adopting strong, ‘hard to guess’ passwords that are not reused between services (current NCSC guidance is to change a password when compromise is suspected, rather than on a fixed schedule, since forced regular changes tend to produce weaker, more predictable passwords), and minimising their use of personal smartphones, laptops and tablets for work purposes. Basic data security will involve encrypting any sensitive client material sent as an email attachment, and sending the password or passphrase to the recipient by a separate channel, such as a phone call, rather than in the same email. There will also be a greater emphasis on obtaining and recording explicit client consent for the data processing needed for counselling activities (although the ICO has acknowledged that consent is not necessarily the ‘silver bullet’ of good practice).12
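The passage above advises encrypting client material before it is sent as an email attachment. As an added example, not taken from the original article or from any ICO material, the following shell functions do that with the openssl command-line tool that ships with most Linux and macOS systems. They assume OpenSSL 1.1.1 or later (needed for the -pbkdf2 option), and that the passphrase is supplied through an environment variable, here named NOTES_PASSPHRASE, so that it does not appear in the process list or shell history; the file name and sample note are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): encrypt a file of client
# notes with a passphrase before attaching it to an email, and decrypt it at
# the other end. Assumes OpenSSL 1.1.1+ and a passphrase in $NOTES_PASSPHRASE.

# encrypt_notes INPUT OUTPUT -> writes OUTPUT, the file that gets attached.
# AES-256 in CBC mode; the key is derived from the passphrase with PBKDF2
# (200,000 iterations) and a random salt that openssl stores in the output.
encrypt_notes() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass env:NOTES_PASSPHRASE -in "$1" -out "$2"
}

# decrypt_notes INPUT OUTPUT -> the recipient runs this with the same
# passphrase, received by a different channel (e.g. a phone call).
decrypt_notes() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:NOTES_PASSPHRASE -in "$1" -out "$2"
}

# roundtrip_demo DIR -> returns 0 if the correct passphrase reproduces the
# original file exactly and a wrong passphrase does not yield the plaintext.
roundtrip_demo() {
    dir="$1"
    # constructed sample note, standing in for real client material
    printf 'Session 3 (constructed sample): client reports improved sleep.\n' \
        > "$dir/notes.txt"

    NOTES_PASSPHRASE='correct horse battery staple'
    export NOTES_PASSPHRASE
    encrypt_notes "$dir/notes.txt" "$dir/notes.txt.enc" || return 1
    decrypt_notes "$dir/notes.txt.enc" "$dir/notes.out" || return 1
    cmp -s "$dir/notes.txt" "$dir/notes.out" || return 1

    # a wrong passphrase must fail (bad padding) or, rarely, produce garbage;
    # either way it must not reproduce the plaintext
    NOTES_PASSPHRASE='wrong passphrase'
    export NOTES_PASSPHRASE
    if decrypt_notes "$dir/notes.txt.enc" "$dir/notes.bad" 2>/dev/null; then
        cmp -s "$dir/notes.txt" "$dir/notes.bad" && return 1
    fi
    return 0
}
```

Two caveats a practitioner should know. First, this form of `openssl enc` provides confidentiality only: a tampered ciphertext is not detected, so for anything beyond a one-off exchange an authenticated tool such as `gpg --symmetric`, or encryption to the recipient’s own public key, is preferable. Second, the strength of the whole scheme rests on the passphrase: a long, unique phrase sent by a separate channel, never in the same email as the attachment.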
Data protection and time limits for keeping records
One of the issues raised at every workshop on record keeping is: how long should we keep records? Unhelpfully, there are several different answers to the question, depending on the context of counselling practice. Some records, e.g. in the NHS, may have statutory time limits set. Professional indemnity insurance policies may need checking before setting time limits for keeping counselling records, as these often stipulate that records are kept for substantial periods, as defensive material in the case of a professional complaint or litigation. Access to client records by the police, Crown Prosecution Service, solicitors and courts, for use in legal cases involving clients, seems to be increasing, according to anecdotal evidence, although this need not directly influence the time limit set for retaining records as such. Research into data protection in higher and further education found that many counselling services in this sector applied a time limit of around six years, but often with no clear rationale for deciding on this limit. (Six years is the time limit under the Limitation Act 1980 for bringing legal action for breach of contract, which may be one, if not necessarily the sole, deciding factor here.)13 However, there is a clear principle under data protection law to keep records ‘no longer than is necessary’. This countervailing principle can actually empower agencies and practitioners to set lower time limits for keeping client counselling records, according to their own context, agreed priorities and ‘standard industry practice’.14
Impact of the GDPR
The impact of the GDPR will probably vary, according to the work or practice context of counsellors and counselling agencies. The three main contexts are those, firstly, of working in private practice, secondly, in small voluntary, or third sector, counselling organisations, and, finally, in larger public sector organisations.
Data protection in private practice
Patti Wallace, formerly BACP’s professional lead for private practice, carried out an email questionnaire survey of BACP members working in this sector (n = 2,544). She found that ‘most respondents use a paper-based system to record client information and notes, although nearly a third (31 per cent) were interested in moving to an online system. However, just 19 per cent were registered with the ICO, and 58 per cent were not aware that they should be registered.’15 This suggests that there could be a strategic awareness, training and compliance gap regarding data protection in this sector. Some private practitioners work in a range of settings, so may already have wider exposure to training and updating in data security, which they could easily transfer to their private work. Private practitioners engaged by employee assistance providers (EAPs), for example, may be more likely to use bespoke electronic recording systems and to be required, via contract, to follow EAP data security policy and practices. Despite the seeming complexity of data protection law, the test for whether a private practitioner must register with the ICO is fairly straightforward: it applies if a smartphone, laptop, tablet or PC is used to process any client personal data, and the same test governs the data protection fee that replaces registration under the GDPR (see figure 3).
Data protection in small third sector organisations
This perception of problematic data protection compliance is also found in smaller, third sector organisations. The ICO has carried out its own small-scale research into policy and practice among victim support services (n = 27)16 and charitable organisations (n = 32).14 These agencies are generally characterised by large numbers of volunteers, and consequently high staff turnover, while handling large volumes of sensitive client data, sometimes of a therapeutic nature. The surveys found good physical and building security and high levels of staff commitment to data protection. However, in practice there were significant weaknesses, in the form of missing policies for data security when staff worked from home or used personal electronic devices. This also applied to basic IT security, such as using strong passwords, encryption and up-to-date virus protection. Where agency work was subcontracted to third parties, contracts often failed to specify data protection roles and responsibilities, such as who was the data controller. Across the board, agencies failed to set out clear data retention and security policies, bearing out anecdotal tales of some manual client records being archived in employees’ lofts. Regular staff and volunteer training would thus appear to be critical in overhauling the data security culture in this field.
Data protection in larger public sector organisations
Larger public sector organisations, such as schools, universities, the police and the NHS, will presumably already have data protection officers and policies in place. They may also have less of an immediate problem with the provision of staff training, although it would be good to make less frequent use here of the ‘fear factor’ as a prime motivator. Much online staff training in data protection in this sector seems incomplete without frequent references to sacked admin staff, or disgraced marketing managers, brought low by lazy email etiquette or by poor data security. Large public sector organisations are perhaps at higher risk, in terms of the sheer volume of sensitive data they need to handle (e.g. about mental health or disability), which frequently leads to heavy ICO fines when files are lost, inappropriate information is emailed or systems are hacked. In terms of protecting counselling confidentiality within larger organisations, it has been very useful in the past to have sector-specific codes of practice, such as the unfortunately now-defunct JISC Code of Practice for further and higher education.17 This could often prove useful for protecting counselling client confidentiality and in warding off the enquiring efforts of over-zealous data protection officers.
Privacy as a data protection issue
What is perhaps most striking is the emerging focus on privacy as a key data protection issue. As counsellors, we may well pride ourselves on being alert to the need to protect client confidentiality, i.e. the content of client-counsellor interactions. Privacy, as distinct from confidentiality, ‘refers to information about the client attending counselling’, such as their identity or other key personal characteristics.18 Privacy issues are clearly central to counselling as a professional activity. Examples of potential challenges to privacy include the particularly sensitive issues for trans people concerning their medical records, which may refer to a previous gender.19 The increasing use of CCTV in hospitals and in schools raises real concerns about threats to privacy, especially when used in counselling suites.20 Agencies with a counselling remit may also come unstuck in trying to adapt to new technology. This apparently happened in the case of the Samaritans’ Twitter ‘Radar’ app, designed to alert Samaritans volunteers when service users appeared to be ‘struggling to cope’; it was suspended following privacy concerns.21
Privacy issues can be particularly acute for specific client groups, such as children and young people. The campaign group iRights has highlighted the case for young people to have embarrassing and irrelevant material deleted from social media, via ‘take down notices’.22 In Northern Ireland, for example, a girl aged 14 is currently suing Facebook in order to have a ‘revenge’ naked photo removed from its web pages.23 There has also been the recent successful challenge, again on privacy grounds, to the information-sharing arrangements required by the Scottish Government’s Getting It Right For Every Child (GIRFEC) policy.24
Privacy issues are thus being taken more and more seriously within the law generally; witness the recent, perhaps surprising, judgment protecting employees’ right of privacy regarding personal emails at work.25 The law on privacy is a fast-developing field, in which the GDPR and the new DPA 2018 are likely to make an increasingly significant contribution. This is a major legal shift since even the Naomi Campbell privacy case, decided by the House of Lords in 2004. There, the Data Protection Act 1998 was seen to be of little relevance in resolving the case, compared with the more influential Human Rights Act 1998 (Campbell v MGN Limited [2004] UKHL 22).
Conclusion
If the GDPR, ICO, DPA and other agency initials are there to protect client privacy, the real difficulty lies in the growing commercial value now placed on exploiting personal data, whether we choose to call this the new ‘data capitalism’ or not.26 In this global marketplace, ‘personal data is the “gold” of a new category of companies... that sell this information...’27 This presents a real tension around the position of counsellors, as custodians of their clients’ personal data, given the growing pressures to exploit health data, amidst the mediating role of regulatory bodies such as the ICO. But maybe we need to look well beyond this, and try also to understand the web at much more of a symbolic and relational level. On these lines, the Guardian journalist Charles Arthur28 has described the internet with a striking image drawn from Jeremy Bentham’s design for an ideal prison. In what he tellingly calls ‘the panopticon of the web’, everything is revealed and nothing is ever forgotten, rather like the unconscious, in fact. The real challenge for therapists perhaps lies in helping to decode some of the more symbolic meanings of the web, while protecting the privacy of client secrets shared in therapy, and by continuing to explore the implications for our own practice.
Peter Jenkins is a counsellor, trainer, researcher and supervisor. He is the author of Professional Practice in Counselling and Psychotherapy: Ethics and the Law, published by Sage.
References
1 Quinn B. Google offshoot given access to health data of 1.6m NHS patients. The Guardian 2014; 4 May.
2 Press Association. TalkTalk fined £100,000 for customer data breaches. The Guardian 2017; 11 August.
3 Khomami N. TalkTalk boss: cyber attacks are the crime of our generation. The Guardian 2015; 16 December.
4 Leader. The net needs to be policed but the task is neither easy nor simple. The Guardian 2017; 22 August.
5 Dodd V. Crackdown on social media hate crimes. The Guardian 2017; 21 August.
6 Bowcott O, Gibbs S. Internet ombudsman to curb hate crime. The Guardian 2017; 22 August.
7 Asthana A. Fines for digital security failures. The Guardian 2017; 8 August.
8 Crook A. Families’ tragic files stolen. Manchester Evening News 2007; 6 June.
9 Information Commissioner’s Office. Monetary Penalty Notice. 28 February 2014. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2014/03/british-pregnancy-advice-service-fined-200-000/
10 Information Commissioner’s Office. Data Protection Act 1998: undertaking follow-up. Anxiety UK. ICO Reference: COM0570983. 2014. https://ico.org.uk/media/action-weve.../anxiety-uk-undertaking-follow-up-20160323.pd.
11 Information Commissioner’s Office. ICO’s top tips for improving data protection. 2012. Posted 14 September 2012. https://ico.org.uk/for-organisations/charity/
12 Information Commissioner’s Office. Consent is not the silver bullet for GDPR compliance. 2017. https://iconewsblog.org.uk/2017/08/16/consent-is-not-the-silver-bullet-for-gdpr-compliance/
13 Jenkins P, Potter S. Record keeping and the law. AUCC 2007; December: 27-29.
14 Information Commissioner’s Office. Findings from ICO advisory visits to 32 charitable organisations. 2013. https://ico.org.uk/for-organisations/resources-and-support/advisory-visits/
15 Wallace P. Working in private practice. Therapy Today 2015, 26(7): 47.
16 Information Commissioner’s Office. Findings from ICO advisory visits and contact with victims’ services alliance organisations. 2015. https://ico.org.uk/for-organisations/resources-and-support/advisory-visits/
17 Joint Information Systems Committee (JISC). Code of practice for the further and higher education sectors on the data protection act 1998. JISC Legal; 2008. www.jisclegal.ac.uk
18 Jenkins P. Professional practice in counselling and psychotherapy: ethics and the law. London: Sage; 2017.
19 Lancashire Care NHS Foundation Trust. Respecting the privacy rights of trans people. Preston: Lancashire Care NHS Foundation Trust. 2009.
20 Weaver M. Use of CCTV ‘puts patient privacy at risk’. The Guardian 2017; 19 January.
21 Orme J. Samaritans suspends app over privacy worries. The Guardian 2014; 8 November.
22 Khomami N. Let children delete social media posts, says report. The Guardian 2015; 29 September.
23 McDonald H, Jackson J. Facebook loses legal attempt to stop girl suing over naked picture. The Guardian 2016; 13 September.
24 Brooks L. Child support scheme is judged risk to privacy. The Guardian 2016; 29 July.
25 Bowcott O, Rawlinson K. Judges endorse right to privacy in work emails. The Guardian 2017; 6 September.
26 Garside J. ‘Data octopus’ Google alarms EU chiefs. The Guardian 2014; 13 September.
27 Nissenbaum H. Privacy as contextual integrity. Washington Law Review 2004; 79(1): 119–158.
28 Arthur C. The end of privacy? The Guardian 2012; 29 February.