Demystifying GDPR
Private Practice, March 2019

David Membrey and Barbara Mitchels outline the implications for therapists in private practice

Since the General Data Protection Regulation (GDPR) has been in force for nearly a year, now is a good time to summarise its impact and discuss some of the common issues and misunderstandings that have arisen and are relevant to private practice. Many elements of the GDPR are still unclear. Full clarity will only gradually appear over the next few years as more guidance is produced and case law defines the precise contours of the legislation.

Part of the bedrock underpinning BACP’s Ethical Framework¹ and the GDPR is openness and transparency, so that even if you are not 100 per cent clear about how you should interpret the GDPR, it is helpful to be absolutely transparent with clients (who are your data subjects) at all stages of the counselling relationship.

Personal data

The GDPR only applies to personal data, ie personal information relating to an identified or identifiable living person. It could be text, images, video or audio, and it can be stored in any manner (normally paper or electronically). Some personal data are more sensitive and the GDPR applies extra rules to their collection and use. These are Special Category Data (sometimes referred to as sensitive data) and include: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. Criminal convictions are dealt with separately under the GDPR.²

Data controllers

It is essential to understand the concepts of a data controller and a data processor. The Information Commissioner’s Office (ICO) explains that the data controller exercises ‘overall control over the purpose for which and the manner in which personal data are processed’.³ A data processor, on the other hand, is ‘any person (other than an employee of the data controller) who processes the data on behalf of the data controller’.³ In practice, this means that the majority of counsellors and psychotherapists in private practice are likely to be data controllers. A controller can be an individual or an organisation – this depends largely on the legal entity through which you practise. If you practise on your own and have not set up a company and are not employed by a formal legal structure, such as a company or partnership, you individually will be the controller. If, however, you have set up a company or work with a group of counsellors in a company or partnership, the controller will be the organisation. An organisation that is a legal entity must, under the GDPR, contractually bind its processors (including contractors, outsourced service providers, or volunteers) to participate in processing personal data in accordance with the GDPR and assisting in fulfilling the organisation’s role of controller. If a counsellor is an employee of a data controller (such as a school, university or a counselling service), they will also be a controller, with responsibilities that will be in proportion to their role and seniority in the organisation. The employer should be registered with the ICO, and the counsellor’s contract should set out the way in which they are expected to deal with the gathering, storage and protection of personal data in the counselling records.

From all this, it will be seen that some practitioners may wear a ‘controller’ or a ‘processor’ hat in different situations. For example, they may be a controller in their private practice and as an employee or as part of a partnership. If they operate as a freelance contractor, they will either be a joint controller or a processor, depending on their contract. If you work independently as a freelance contractor to an organisation, for example, those providing employee counselling services (EAPs), the distinction between being an independent contractor and being an employee is important, for tax and for GDPR reasons, so it is important to examine carefully any applicable contract to see what it says about employee status, data protection, and who holds responsibility for the counselling records. If uncertain, it is wise to seek legal advice, which may be available free from your professional insurer, and information is available on the UK Government website.⁴

If you are personally a data controller (and assuming you are using some electronic devices to manage your clients’ personal data), you will need to pay a fee to the ICO (if you have fewer than 11 staff or a turnover of less than £632k, at the moment, the fee is £35 if you pay by direct debit). You can do this online on the gov.uk website.

If you run a small company, it will be your responsibility to ensure that any staff you employ understand their responsibilities under GDPR. And, if you contract any other companies to provide services (for instance, if you operate out of a shared office building where reception is provided by the landlord), you will need a data processor agreement with any contractors that handle any client personal data. Find out more about the GDPR for small businesses.

Data breaches

Recognising data breaches and logging them into a data breach log is essential. Just like an accident book, the data breach log should record all breaches, however minor. That way, if there is a major breach and the ICO does an audit, it will be encouraged to see that you have taken your breach log seriously. The ICO states: ‘A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransom ware, or accidentally lost or destroyed.’⁵

So, for example, if a computer or paper client record is damaged by flood (or coffee!) that could be a significant data breach. The most common cause of breaches is poor email practice. For instance, putting email addresses into the cc field rather than bcc or leaving a long email trail with sensitive earlier email correspondence below the current message. Paper files are just as open to breaches. Leaving a printout in the printer tray for others to see, not adhering to a strict clean desk policy and failing to lock the computer screen when someone else could see personal data, all can result in breaches that need to be logged.

However, minor breaches may not necessarily need to be reported to the ICO, provided that the controller has identified any possible risk to the client arising from the breach, and that any potential risk has been dealt with appropriately, so that there is no adverse impact on the client. The ICO states: ‘When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk, then you must notify the ICO; if it’s unlikely, then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it… This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case-by-case, looking at all relevant factors… So, on becoming aware of a breach, you should try to contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen.’⁵

In the spirit of transparency and openness in our work, BACP’s Ethical Framework¹ requires that we are open with our clients about any breach of confidentiality and that we do our best to minimise any risk to clients or others arising from our actions. The GDPR expects the same ethos of transparency, but the ICO may not necessarily want to be overwhelmed by reports of minor breaches that have been dealt with and where there is no risk to the client. If there is any risk to the client, a report must be made, and you may also need to inform other parties, such as your insurance provider. Where there is any doubt about whether to report a breach, see the ICO website and seek legal or other appropriate advice, eg from the ICO helpline.

Data security

One of the principles of the GDPR is that the data controller and any processors have an obligation to keep data safe. The level of data security required is directly related to the sensitivity and quantity of data. We do not have space here to explain in detail how to implement data security in your private practice (which is legally regarded as a business), so we would encourage you to get advice from a trusted local IT service. It would be helpful to put some or all of these basic measures in place, as appropriate to the service you provide:

Find out how to encrypt your computers, tablets and phones in order to protect client data, and safeguard your personal data too.
Password-protect email attachments. If you are sending any personal information by email, it is best to put it into a file and password-protect the file. If you use a version of Microsoft Office, you can find information on how to do this on the Office support website. Remember that, for best protection, if you have emailed over a password-protected document, you should then send the password by another means, such as by text, and not to the same email address.
Find out how to obtain and use two-factor authentication wherever possible. This is a service that is increasingly available for many online services, such as email and cloud hosting. It means that your password alone does not provide access to the service; they typically send a code to your mobile phone that you also need to enter. This is particularly important for your email account, but it would also apply to your Dropbox or other online file storage service.
Keep all your software updated. The operating system of your PC or phone should be updated as regularly as possible to ensure any faults or weaknesses that have been identified are patched (ie repaired).
Use a high-quality anti-virus and internet security package.
It is helpful to have a separate email account for your counselling work that is supplied by an email service that is secure and encrypted by default. A trusted IT advisor can help to identify these. Some of the most widely used services include Protonmail, Countermail and Hushmail.
Use a privacy screen on your smart phone so that people cannot easily see any information over your shoulder in shared or public spaces.

There are a number of security measures that apply to paper records, such as:

Secure shredding or destruction of all paper containing personal data.
Use of a robust, lockable filing cabinet.
Where personal data are printed out, retain them as part of the client record only for so long as is necessary for the therapy work and as agreed with the client in the therapy contract.
If you wish to keep a ‘back-up’ copy of client data, keep the copies in separate places, then, if one set of data is destroyed, the other may be safe. However, if you hold identical client data on computer and on paper, be aware of the protection required for both forms of data storage.
Protect documents from others’ view and maintain a strict ‘clean desk’ policy. If you work in shared premises or rooms, or from home, do not leave the computer, tablet, or phone on when leaving the room, allowing others to view any unencrypted client data, emails or files. See the ICO’s guidance on data security or the government cyber security portal.

Subject access

The concept of the client’s right to have access to any data we hold about them has been enshrined in law since 1998. The main changes brought in by the GDPR are that we are no longer allowed to charge people for responding to a subject access request (except in certain very specific situations), and the time within which we have to deliver the data is reduced to one calendar month (in reality, we have until the next working day after the closest date to one calendar month). Besides having to find all data relating to the data subject, we will have to redact any references to other people and also explain any technical jargon or codes – so this can be a time-consuming process.

Remember that our views and opinions expressed in the client record are also covered by subject access requests, so be wary of writing down any thoughts about clients or the work together that you would not want the client to see or that it would be difficult to justify or substantiate. Remember, too, that the courts may also request your records. There are situations where we can limit some of the personal data we make available. For further information, see Right-of-access.

For more detail on confidentiality and disclosures, see BACP’s Good Practice in Action (GPiA) resources GPiA 105;⁶ GPiA 014,⁷ GPiA 031;⁸ and look out for two new resources, GPiA 069⁹ and GPiA 071 to be published soon on records and information sharing.

Disclosures and risk

Schedule 3 of the Data Protection Act 2018¹⁰ lists exemptions to the general provisions of Article 15 of the GDPR regarding disclosures. Under these exemptions, data controllers may refuse disclosure of information about the data subject (eg including a disclosure to the data subject themselves, or to those with parental responsibility for a child who is a data subject), where the result of that disclosure could cause serious harm to the physical or mental health of the data subject or another individual (eg in child protection, medical, social work or educational situations). In this situation, it is best to seek appropriate legal advice and/or the assistance of a suitably qualified person. Part 5 of Schedule 3 of the Data Protection Act 201810 applies a separate additional exemption relating to maintaining the confidentiality of child abuse data. See the ICO website for general advice about children and data processing - children and children and the GDPR.

Retention

Our clients’ personal data should be held only for as long as necessary, and for the length of time agreed with the client. Consider retention periods for all the personal data collected and make clients aware of the length of time notes will be retained, and how their data will be stored and accessed. This can be done with a ‘Privacy Notice’, setting out the detail, of which the client should be aware. Once this period has ended, the notes should be destroyed securely unless they have been legally required, eg by a court order.

Data may be retained outside GDPR control provided they are completely anonymised. Anonymisation in GDPR means removing all possible means of linking the data to a specific individual, and once data are anonymised, GDPR no longer applies to them.

Note: the usual systems used by counsellors of keeping client contact data in one place and the records in another, linked by a reference number, or other similar data storage systems, are known in the GDPR as ‘pseudonymisation’ of the data and are covered by the GDPR. The ICO recommends the use of pseudonymisation as a means of reducing the severity of data breaches.

Lawful basis

The GDPR insists that we cannot hold or process anybody’s personal data unless there is a ‘lawful basis’ for doing so. In addition, if we process sensitive data, we need an additional lawful basis for this.

1. Lawful basis for processing data

In the counselling professions, we are usually providing a service to clients on the basis of a contract with them or (in the case of children who are not competent to make a contract), with those with parental responsibility for them. Counsellors working in the NHS healthcare services may be doing so in the context of that service. Other counsellors may work in the context of social care, adoption services, schools counselling etc. Therefore, the lawful basis on which we work may vary with the circumstances in which the service is provided. There are six bases:

consent
contract
legal obligation
vital interests
public task
legitimate interest.

No basis is ‘better’ or more important than the others. We must determine our lawful basis before we begin processing. It is important to get our bases right first time as the ICO has made it clear that we should not swap to a different lawful basis at a later date ‘without good reason’, and, in particular, that if we choose consent, we cannot ‘usually’ swap to a different basis.

If our therapy working environment and/or professional practice ethics require us to keep appropriate records of our work (see BACP’s Ethical Framework¹), and records are therefore necessary for our service, our lawful basis for processing data under the GDPR is likely to be ‘necessary for the performance of a contract’. Another possible basis may be ‘legitimate interest’ when we are providing services without a personal direct client contract, for example in the context of providing NHS healthcare or social care services.

‘Consent’ has a special meaning under the GDPR in the case of lawful basis, which is different from the colloquial counselling meaning (eg where a client gives their consent for therapy), and so where the keeping of records is a condition of receiving therapy, ‘consent’ is not always the obvious choice for a lawful basis – the ICO states, ‘If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for processing.’¹¹

So, the two most likely bases for processing a client’s personal data that are available to a BACP member will usually be ‘contract’ or, in cases where there is no contract, ‘legitimate interest’. There may be other circumstances where ‘consent’ may be appropriate. If in any doubt, seek legal advice on this issue, or consult the ICO small business advisors, through the ICO website.

2. Lawful basis for processing special category (sensitive) data

If we are processing special category data, we are further required to identify a special category condition for processing and to document this. The basis for processing special category data will usually be ‘for the provision of health or social care or treatment’, though consent may in some instances be more appropriate here.

Note: If a client is giving explicit consent to the processing of their data, the basis on which data will be gathered, stored, disclosed and destroyed should be clearly set out in a Privacy Notice, separated from the other terms in the therapy contract (such as modality, session length, fees etc) and the privacy/confidentiality consent form should be signed separately from the therapy contract.

Therapy notes

Notes of client sessions are likely to contain sensitive special category data, for example information relating to the physical or mental health of the client or information relating to the sexuality or sex life of the client. If these notes are completely anonymous, then the GDPR does not apply and these are not special category data.

As explained earlier, the GDPR applies to all personal data in our notes and records that are not completely anonymised. It therefore applies to all other systems and types of notes and records, including those records that are linked by a reference code etc to protect them to some extent from unauthorised access.

Privacy notice

The privacy notice is an opportunity to demonstrate transparency to all those whose data we process – or may process in the future. This should be available to clients before – or as soon as possible after – they share any data with us. For those with a website, this is the obvious place to put it. Otherwise, we can produce a leaflet or letter or the information in another accessible format and give it to our clients when we first meet them or email it to them. If the privacy notice is on a website, it will be straightforward to link to it on email signatures and elsewhere. The section of the privacy notice that relates to clients and former clients can be included as an appendix to the therapy contract with clients.

BACP’s own privacy notice¹² also acts as a model for members. It is important to ensure that the privacy notice has sections that relate to all the different groups of people whose data may be processed in the current and future provision of the therapy service.

Children

Our clients may be parents, or carers of children, and may have parental responsibility for a child. Under the data protection law, the offer of ‘information society services’, meaning broadly in our context, ‘online services’ to a child under the age of 13, will require the consent of a person with parental responsibility for that child.

Note: there is a specific exception for counselling services, with the GDPR stating: ‘The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.’¹³ This concept is reinforced by the ICO in its guidance on children.¹⁴

For children who have the capacity to give consent to a therapeutic alliance, therefore, it is assumed that the Gillick criteria will continue to apply and the consent of those with parental responsibility is not required.⁶ However, for those children under the age of 16 who do not have the capacity to consent to a therapeutic alliance, it is assumed that the normal legal principles of consent for children will apply, subject to current safeguarding principles and practice.⁶ For legal issues in relation to counselling in schools in England, Wales and Northern Ireland, please see GPiA 002.¹⁵ For issues of consent and capacity, see GPiA 014,⁷ 069,⁹ and 029.¹⁶ For safeguarding children, see GPiA 031⁸ and 030.¹⁷

David Membrey MPhil, Dip Lib, DChA, is a consultant with Adapta Consulting and has been supporting BACP through the process of GDPR compliance. He specialises in all aspects of information systems improvement within membership and other not-for-profit organisations. adaptaconsulting.co.uk.

Dr Barbara Mitchels PhD, LLB, MBACP (Snr Accred), is a Fellow of BACP and the Director of Watershed Counselling Services in Devon. She is also a retired solicitor, providing online consultancy, resources and workshops around the UK for therapists on a variety of therapy-based topics and on the relationship of law, therapy and the courts.

References

1 British Association for Counselling and Psychotherapy. Ethical framework for the counselling professions. Lutterworth: BACP; 2018.
2 Information Commissioner’s Office. Criminal offence data. [Online.] ICO; 2018. https://ico.org.uk/fororganisations/ guide-to-the-general-data-protectionregulation-gdpr/ lawful-basis-for-processing/criminal-offence-data/ (accessed 20 November 2018).
3 Information Commissioner’s Office. Data controllers and data processors: what the difference is and what the governance implications are. [Online.] ICO; 2014. https://ico. org.uk/media/for-organisations/ documents/1546/ data-controllers-and-dataprocessors-dp-guidance.pdf (accessed 20 November 2018).
4 UK Government. Employment status [Online.] Crown Copyright; nd. https://www.gov.uk/employmentstatus/ selfemployed-contractor (accessed 20 November 2018).
5 Information Commissioner’s Office. Personal data breaches. [Online.] ICO; 2018. https://ico.org.uk/fororganisations/guide-to-the-general-dataprotectionregulation-gdpr/personal-data-breaches/ (accessed 20 November 2018).
6 BACP. GPiA 105 Legal resource: The General Data Protection Regulation (GDPR) legal principles and practice notes for the counselling professions. (Content editor Mitchels B). Lutterworth: British Association for Counselling and Psychotherapy; 2018.
7 BACP. GPiA 014 Legal resource: Managing confidentiality within the counselling professions. (Content editors Mitchels B, Bond T). Lutterworth: British Association for Counselling and Psychotherapy; 2018.
8 BACP. GPiA 031 Legal resource: Safeguarding children and young people. (Content editor Mitchels B). Lutterworth: British Association for Counselling and Psychotherapy; 2016.
9 BACP. GPiA 069 Legal resource: Sharing records. (Content editor Mitchels B). Lutterworth: British Association for Counselling and Psychotherapy; 2018.
10 UK Government. Data Protection Act 2018. [Online.] Crown Copyright; 2018. https://www.legislation.gov.uk/ ukpga/2018/12/schedule/3 (accessed 20 November 2018).
11 Information Commissioner’s Office. When is consent appropriate? [Online.] Crown Copyright; 2018. https://ico. org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/when-is-consent-appropriate/ (accessed 20 November 2018).
12 BACP. Privacy notice. [Online.] BACP; 2018. https://www. bacp.co.uk/privacy-notice/ (accessed 20 November 2018).
13 European Parliament and Council. EU general data protection regulation (Article 38). [Online.] EUR-Lex; 2016. https://eur-lex.europa.eu/legal content/EN/TXT/PDF/?uri= CELEX:32016R0679&from=EN (accessed 20 November 2018).
14 Information Commissioner’s Office. Children and the GDPR. [Online.] ICO; 2018. https://ico.org.uk/media/ for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-thegdpr-1-0.pdf (accessed 20 November 2018).
15 BACP. GPiA 002 Legal resource: Counselling children and young people in England, Northern Ireland and Wales in school contexts. (Content editor Mitchels B). Lutterworth: British Association for Counselling and Psychotherapy; 2017.
16 BACP. GPiA 029 Legal resource: Mental health in England and Wales. (Content editor Mitchels B). Lutterworth: British Association for Counselling and Psychotherapy; 2018
17 BACP. GPiA 030 Legal resource: Safeguarding vulnerable adults. (Content editor Mitchels B). Lutterworth: British Association for Counselling and Psychotherapy; 2018