The dilemma relating to data protection, published in the May issue of Therapy Today1 raises some complex issues concerning record keeping in private practice that many practitioners remain unclear about. I provide below a fuller response to the one I wrote for publication in Therapy Today, in order to further clarify some of the finer details the dilemma points to.


Matias, an accredited counsellor in private practice, keeps handwritten notes of the main issues discussed in client sessions. He anonymises them by filing them under the client’s initials and stores clients’ contact details in his smartphone. His notes also include a full case history, his hypothesis about clients’ psychopathology, if relevant, and his strategy for working with them. He also uses his notes to process his own countertransference responses, and finds this particularly helpful if he is experiencing a strong negative response to a client.

He has heard about the Data Protection Act, and is aware that some therapists in private practice register with the Information Commissioner’s Office. But, because he doesn’t keep identifiable client records electronically, he doesn’t think this is relevant to him.

Matias has been working with a client whom he experiences as critical of him and of therapy in general. The client also voices his anger towards work colleagues – who he thinks talk about him behind his back – and his difficulty trusting people.

Following a particularly challenging session, after which Matias has written about how hard he finds it to empathise with, or find anything to like about this client, the client asks him if he keeps notes of the sessions and, if so, whether he can see them.


Recording in private practice presents a number of distinct challenges to private practitioners. These can be experienced as being more difficult to manage than similar issues facing those colleagues working for counselling agencies, whether voluntary or statutory in nature. This can also be the case for the same practitioners if they run a private practice in addition to undertaking paid counselling employment. There are a number of different reasons for this. In private practice, records of counselling are probably primarily task related. In other words, the primary purpose of the records is to underpin the therapeutic work with clients, by acting as an aide-memoire for key issues. The records can also provide the administrative basis for running an efficient practice.

However, in an agency setting, recording usually plays a number of key additional roles. Records provide a paper trail of service provision and accountability for the organisation, above and beyond the contribution of any individual practitioner. Client records are increasingly less personalised within agency settings. They are often more standardised in tone, allowing easier communication between therapists, and can provide continuity of care, in case of staff absence or illness. This different approach is often clearly evident to private practitioners when working for EAPs. EAPs will expect compliance with their own in-house recording and assessment systems, and may require the electronic uploading of client notes for agency safekeeping.

Keeping electronic records

The other key aspect of recording in agencies is related to the seismic shift from manual (handwritten) client records to electronic record keeping. Electronic recording requires a much more rule-based approach to record keeping, as opposed to the more personalised records, which are set up, accessed and managed by a sole private practitioner. There are fewer things less forgiving, after all, than an inadvertently pressed ‘send’ or ‘delete’ key, when trying to compose a brief electronic client record.

Electronic record keeping also requires a different mindset, namely of compliance with data protection law. The sweep of data protection law is intentionally very broad. It embraces apparently innocuous activities, such as using a smartphone to store client numbers for phone, email, or text messages. It also includes the use of a tablet, laptop or PC to word-process client records. This applies even if the electronic file is deleted immediately after printing off and a hard copy added to the client’s paper-based file.

Data protection in private practice

A recent survey suggests that electronic record keeping is still an uncharted aspect of practice for many private practitioners. According to Patti Wallace, ‘…most respondents use a paper-based system to record client information and notes, although nearly a third (31%) were interested in moving to an online system’.2 There are now a number of bespoke electronic client recording systems available to private practitioners and small counselling agencies, such as Bacpac. These systems combine case management, a diary booking system and a facility for keeping client notes. However, more ominously, some private practitioners still appear to lack an accurate understanding of their obligations under data protection law: ‘…just 19 per cent were registered with the Information Commission and 58 per cent were not aware they should be registered’.2

Set in this wider context, Matias’s private practice has, unfortunately, serious failings, at a number of different levels. In legal terms, Matias may be in breach of the Data Protection Act (DPA) 1998, by failing to register with the Information Commissioner’s Office (ICO). This is because his smartphone holds identifiable client personal data in electronic form, ie the client’s landline or mobile number, for work or professional purposes. In professional and ethical terms, he may also be in breach of the BACP Ethical Framework, section 14 (f), which requires him to keep up to date with the law and regulations. In therapeutic terms, he may well feel the need to process his countertransference towards the client. However, it may be that the very detailed kind of narrative process records he appears to be keeping are ‘excessive’ in DPA terms. He could, for example, still process his own emotional responses to the client, without necessarily writing in such detail. At the very least, he could make brief ‘post-it’ notes, to be destroyed after use in supervision, rather than to be retained, potentially as part of the permanent client record.

Matias seems ill informed about his obligations under the DPA 1998. In all probability, his storing of personal client data, in electronic format on his phone, means that he should register with the ICO, whether or not he also keeps manual records of therapy and manual process notes. If he is in any doubt, there is a very simple checklist, available on the ICO website, which should quickly resolve any uncertainty on this issue.

Client access to process notes

Assuming that Matias does need to register with the ICO, the client has a general right of ‘data subject’ access to his own files. The Guide to Data Protection3 gives a straightforward example of a client having access to their counselling notes, without making any distinction as to whether this was in a statutory or private setting. This would, therefore, tend to confirm that private practitioners are not exempt from client (or data subject) access requests. The Guide states very clearly that: ‘The right of subject access is central to data protection law’. While, in practice, it is not an absolute right, there are only very limited restrictions on this broad, general principle.

There is another more technical issue here about whether the client can access Matias’s handwritten client and process notes. Process notes are effectively just the therapist’s opinions about the client. However, process notes are not exempt from access by, or disclosure to, the client simply because the therapist doesn’t want to disclose them. Research suggests that professional practice in counselling has shifted broadly to only record factual data about clients, and not keep process notes at all.4 Another practical option would be to keep only short-term process notes, as ‘post-it’ notes, to be shredded after use in supervision. (I provide an example of this kind of recording, using post-it notes for short-term recording of issues to take to supervision, in my book).5

Ultimately, client access to Matias’s handwritten process notes would depend on yet another technical issue, ie on whether these process notes are filed in a highly systematic way, consistent with what is defined as a ‘relevant filing system’ (see Private Practice, Winter 2012, for the criteria for such a system).6

By not keeping up to date with standard data protection requirements, Matias risks a fine from the ICO of several hundred pounds, a professional complaint by his client to BACP and the need to respond to the aggrieved client under the ‘duty of candour’, as required by the Ethical Framework.

Peter Jenkins is the author of Professional Practice in Counselling and Psychotherapy: ethics and the law (Sage, 2017).


1. Therapy Today. This month’s dilemma: must I show my clients what I’ve written in my notes? Therapy Today 2017; 28(4): 39–40.
2. Wallace P. Working in private practice. Therapy Today 2015; 26(7): 47.
3. Information Commissioner’s Office. Guide to data protection. Wilmslow: ICO; 2009.
4. Jenkins P, Potter S. No more personal notes?: data protection policy and practice in higher education counselling services in the UK. British Journal of Guidance and Counselling 2007; 35(1): 131–146.
5. Jenkins P. Professional practice in counselling and psychotherapy: ethics and the law. London: Sage; 2017.
6. Jenkins P. Data protection in private practice. Private Practice 2012; Winter: 22–25.