One in a series
This is one in a series of interconnected blogs about applying the GDPR (2016) law for psychotherapists in the UK. The blogs are somewhat independent, but it would be best to first read the Overview blog, to orient yourself to the wider context and give you the background.
This blog series, long as it is, remains a partial product, essentially a list of opinions. What I write covers topics I believe I have some expertise in, have carefully considered, and draws on my life and work experience. There are many aspects of the law that I do not cover. I recommend everyone who reads this to do their own research, to consider joining a workshop or training (Tania Taylor; Stillpoint; many others provide it at the moment), and to read the sources directly: for the GDPR in general, the Information Commissioner's Office (ICO), who have a rich website which is pretty authoritative, and for counsellors and psychotherapists specifically, some of our organisations such as BACP, UKCP, NCH and others.
I take the law as given. I assume that the reader is interested in the law, tries to take the law and their own values and standards as guidance, and tries to do the "right thing". The law can be critiqued, as any law can; even the existence or applicability of laws can be challenged. But I won't do that here. I take the law as given.
I am not interested in what insurance companies have to say. Everyone has a different relationship with their insurer. Insurers are different. You only speak with a spokesperson, and rarely get a formal opinion in writing. Of course it is good to think about this angle. But I do not cover it. And whatever an insurer says will not impact the law.
Our professional organisations and our insurers can only impose extra conditions they would like to see. Nothing in what they say can invalidate or limit the applicability and reach of the law.
What I try to cover
I try to give some idea of what might work to satisfy the GDPR in one fairly "standard" situation of a psychotherapist in private practice in the UK. The law asks precisely that you carefully analyse your own unique individual situation, and act accordingly in a responsible way. I assume this psychotherapist to have a private practice (the only thing I write about), that they have a website, keep at least part of their information about clients on their computer (or other electronic device: mobile, iPad, tablet, etc.), at least some of the time, have some email exchanges with clients, and now and then may write a letter to authorities or other health professionals about a client, composed on the computer. Of course the less you use a computer, the less you are affected - though the law will always apply to you if you keep any information that is "personal data" in any form, even names and addresses on a piece of paper.
You may have dual or multiple roles or capacities. If you work for the NHS, you are covered by NHS rules and procedures, and the NHS will take care (and instruct you) how to satisfy the GDPR in that context. In that case you are only a "data processor", not the "data controller". If you work for a charity, or a practice group combining a group of therapists with their own procedures, and central handling of data on a separate computer system, that organisation will need to comply with the GDPR and do what's required. That's independent of what happens with the clients you see in your private practice.
If you work in two capacities (e.g. psychotherapist and lawyer; psychotherapist and nurse; psychotherapist and web developer), you will typically have two different systems anyway - two websites, two organisations that you belong to, two sets of qualifications and diplomas; two distinct groups of clients; possibly even two names or identities under which you operate. For each of these capacities or roles or jobs or functions you'll need to completely think through everything in the GDPR, and you need to separately comply with the law. This note only deals with the situation of psychotherapists in private practice.
I do not cover the important topic of the personal data of children. The GDPR has made some important extensions here to support the protection of children. There is a good introduction in the ICO section on children.