When offering therapeutic services you will need to collect both personal data (client contact details, GP details and Emergency Contact details) and sensitive data (clinical notes, treatment plans, email correspondence) about your clients.
Under current UK data protection laws (GDPR, 2018) therapists in private practice are therefore classed as data controllers because we determine how client data is collected and stored while providing our service.
It's therefore really important that we understand our obligations under GDPR to ensure that all data remains private and that we are treating our clients fairly in line with this legislation.
Client rights under GDPR
Clients have the following rights over their personal and sensitive data.
1. Right of Access
Clients have the right to view the data that you hold in relation to them at any time by making a Subject Access Request (SAR).
Unless the request is deemed unreasonable, you are not allowed to charge for this provision.
2. Right of Rectification
They can request that you amend any of the data that you hold upon them.
This applies to factual data and does not apply to the opinions that you express in your session notes.
3. Right to be Forgotten
Clients can request that you delete all of the data that you hold upon them at any time.
You do not have to comply with this request if:
- You need to retain this data to continue providing your service
- The data is required by a Court of Law
- You require the data to establish, exercise or defend legal claims
Transparency and consent
GDPR emphasises the importance of transparency with regard to the data that you hold, how you store it and how you use it.
As many of us don't read terms or business or privacy notices, it is good practice to verbally outline the key information so clients are fully aware of the data being held and their rights under GDPR.
Ideally consent should be obtained prior to, or within the first session (unless you feel that it would be insensitive or unethical to do so).
Clients have the right to withdraw their consent at any time and they should be made aware of this when completing the consent form.
As therapists we all understand the importance of client confidentiality and that we need to take care to avoid any data protection breaches. To this end it's good practice to:
- Anonymise all written notes and store in a locked filing cabinet. Kiku automatically anonymises and password protects your electronic client notes.
- If you keep paper records of client contact details or GDPR consent these should be stored separately from your anonymised session notes.
- Your work email address should have two step verification in place to minimise the risk of hacking.
- All diary entries should be anonymised using only the client’s first name.
- Laptops, tablets or phones used to access your work account should be password protected and encrypted to prevent hacking, and have anti-virus software installed and kept up to date.
- Any paper containing client information should be kept out of sight of others and disposed of confidentially.
Any breaches of data protection (mislaid notes, emails sent to the wrong address etc.) need to be reported to ICO within 72 hours.
Data retention rules
GDPR states that we should only hold data that is necessary for our service and only for as long as is deemed reasonable.
This is obviously open to interpretation but as long as you can justify your rule then you will be OK. If you're unsure it's best to stick to the industry standard of 7 years, as “in line with professional standards” is an acceptable rationale.
It is good practice to keep an audit of the data you hold, how long you have decided to retain these records for and your justification for this, to help you to both reflect on your processes and provide evidence of good data protection processes.
Subject Access Requests
At any time a previous client or associate organisation may request to view the data that you hold on them. This may include contact details, attendance history, clinical notes and email correspondence.
Unless the request is deemed “excessive” no fee should be charged for compiling and supplying this information.
Under GDPR guidelines you should respond to the request within 30 days.
Personal data “Contact details, emergency contact, GP details etc.” can be shared immediately.
More thought should be given before sharing the sensitive data held in clinical notes however and it will be important to determine how best to handle the request based on what you know of the client.
We'd recommend that you discuss the request with your supervisor and / or the client before determining how to proceed.
At any time a previous client or associate organisation may request that you delete the data that you hold on them. This may include contact details, attendance history, clinical notes and written correspondence.
Requests can be made verbally or in writing. If made verbally the client should be asked to complete an erasure request form that you'll keep for your records.
You must respond to a requests within 1 calendar month, writing to the client to confirm your decision and any action that you've taken.
When complying with an erasure request, you'll need to ensure that any written records are destroyed confidentially e.g. via a shredding service or incineration.