GDPR for Psychotherapists - Main ideas about implementation

Next >

< Previous

One in a series

This is one in a series of interconnected blogs about applying the GDPR(2016) law for psychotherapists in the UK. The blogs are somewhat independent, but it would be best to first read the Overview and Introduction blogs, to orient yourself to the wider context and give background.

Disclaimer: these are only my opinions. I am not a lawyer. This is not legal advice, but just sharing how I as one (technically informed but not legally trained) person subjectively interpret the GDPR that will become effective on 25 May 2018.

No affiliation

I do not get paid for, or get any other consideration, and don't have any affiliate arrangements with the organisations, companies or individuals I mention or their products or services. I do use many of the software applications I mention, but receive no discount or anything for mentioning them.

Main sources

The most fundamental source is the law itself. To give a taste, I include some salient quotes in the blog on legal matters. This is a good online version of the full text, with search capability and nicely organised in sections.

The second-most important source is the ICO. There website is pretty authoritative for the UK, and extensive. A slight disadvantage is that it uses links to the fullest extent, and is a bit sprawling. It also covers various stages of the transition of DPA to GDPR, and periods of consultation about the UK implementation. But it is possible to find answers to most questions there.

The ICO site itself is The best source about GDPR is the ICO itself, through its website. Some salient links to consult: Registration

General guide to GDPR


Lawful basis for processing


Contract as lawful basis

Right to be informed


The third range of sources is advice from our professional organisations, and from individuals, either therapists or lawyers, who specifically speak about GDPR for therapists. Despite the higher degree of relevance, all organisations in this category only express opinions, and cannot be taken as gospel truth. Let alone individuals, even lawyers, and including myself -- opinions!!

Some links: GDPR for Therapists Facebook group

BACP on GDPR general

BACP legal details

BACP Peter Jenkins article


Blog by Karen Emery

Status of sources

Different sources have a different standing. The GDPR is of course central. It is a model example of a well-written law that can be read, and made sense of. However, it is clearly a real law too, which means that even now, and certainly over time, parts of it will be interpreted, so that a simple reading and using words in a common-sense way may not be sufficient to get its meaning.

The ICO is the Supervisory Authority for the GDPR in Britain. So its words, while not law, carry a lot of weight, and can to a great deal be relied on.

Any other inputs, even from our professional organisations such as BACP, even from lawyers, or from our insurers, are only opinions. In the end they will not absolve us from our personal responsibility for our choices and actions in the face of the law.

Some of the things you need to do

Analyse what you have

Familiarise yourself with the legal requirements of the GDPR. You are responsible for what you do with the "personal data" (anything personal, starting with a person's name and address) and "special category data" (anything that's at all sensitive, or clinical. Session notes; notes of an intake interview; "diagnosis") of your clients. There are no easy cookbook solutions that you can copy from others. You must review your own unique individual situation, and implement the law for yourself.

Review the data you hold, where you hold them, who has access to them (incl IT providers and specialists), who you communicate with or send data to, and your communications with or about clients

Review the justification for holding and processing client personal data. This is central to the law; you have to take a position in the light of the options of the GDPR (Art ).

Review the paperwork you exchange with clients, and your contract or agreement.

Inventorise and review any privacy statements or notices you currently have.

Consider any procedures or policies you have in place now, especially any processes regarding the obtaining of consent.

Actions to take

  • Register with the ICO for about £40 per year. For the standard psychotherapist I describe, there is no doubt imo that you need to register.
  • Decide what the "lawful purpose" (Art 6) or lawful basis is for the data processing you do. And if you handle "special category" data (Art 9; used to be called "sensitive data" under the DPA), determine under which category of Art 9 you are allowed to process them. Document the choices you make and the reasons for making them. This is a central part of the process, and triggers a number of consequences.
  • Create a customised right-for-you privacy notice or privacy statement. Some will have two, one on the website, one to exchange with clients. Others will have one. Some will incorporate it in a contract with clients. You need to think it through.
  • Adjust and probably rewrite the contract or agreement you have with clients. Under the GDPR it is easier and safer to have written agreements or contracts with all your clients.
  • Redo any procedures and policies you have. And implement these. You need policies for the following:
    • How to handle a request for access to the data you hold
    • How to detect, report and investigate a data breach. Most data breaches need to be reported, initially to the ICO, and probably, in consultation with them, to your clients - unless it is clear that your protection was so good (e.g. through your encryption systems), that you and the ICO are convinced that despite your stole laptop or the hacking into your system, it is very unlikely that the attackers were able to access the actual personal data.
    • Data retention, i.e. how long you hold them, category by category
    • How you delete data in according with the data retention policy, or on request
    • The way in which you protect your computer hardware and mobile phone, and the software you use for communicating with clients (email; messaging; Skyping/ VoIP), for storing or processing client personal data, and your backup arrangements. Make appropriate changes, including introducing encryption. If you have any degree of encryption or serious security in place, you will need to use a password manager.
    • An encryption policy
    • A backup policy describing a realistic plan for backups
  • You do not need a Data Protection Officer. You need to identify and describe yourself as the Data Controller.

The costs of all this are minor, and tax-deductible. The time you need to spend on it is likely to be considerable.

The lawful basis for processing (Art 6 and 9)

TL;DR I believe "contract" is the most natural basis for private psychotherapists.

It may be good to start with this. The basis of the GDPR is that no people have the right to arbitrarily gather, collect, keep and 'process' personal data on other people without a good reason or excuse, a "purpose". Unless you have a well-defined and lawful purpose for collecting and processing personal data, you are not allowed to do so.

Now given that a client comes to see a counsellor for 'something', that the counsellor provides some sort of service to the client, that there (usually) are regular meetings involved, and that the client pays the counsellor a financial consideration, it is legally straightforward and in a way obvious to construe this as a "contract". (I am well aware that on the psychotherapeutic side the merits of this can be and are debated; but this is not the place for that discussion)

If it is a contract, it is easy to incorporate the processing of data into the contract, and that is then the "lawful purpose" under the GDPR.

If for whatever reason client and therapist don't want to have a contract between them, the GDPR suggests as another option that the therapist would need to obtain the client's for all the data gathering and processing that will take place - a second available "lawful purpose" under the GDPR Art 6.

Only if you believe you have to avoid these two options does it become possible to try to draw in other purposes. In my opinion "vital interests", "legal obligation" or "public interest" simply cannot cover a private psychotherapist. Even "vital interests" would only sometimes apply. That leaves only "legitimate interests" as a third option.

From the general ICO guidance about the "lawful basis for processing".

"Your privacy notice should include your lawful basis for processing as well as the purposes of the processing."

"If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data." Psychotherapy data in general fall into the 'special category' of health data (Art 9(h)).

ICO - Lawful basis for processing

The privacy statement

The privacy statement is central to the whole GDPR. There may be a shortened version on your website, but the full privacy statement is one of the main items you use to communicate with your clients. If you chose Contract as your main lawful basis for processing, the privacy statement will be fully integrated as part of the contract with your clients.

The GDPR requires centrally that whatever is done with the personal data of persons, they will be fully informed. Art 12 (1) states that this information will be provided to the data subject "in a concise, transparent, intelligible and easily accessible form, using clear and plain language"

Art. 13 lists the many individual aspects of their personal data and the processing of such data that must be made available - in the form of a Privacy statement, which may be incorporated into the agreement between client and therapist.

The Privacy statement can usefully be divided into several main headings, e.g. using the following:

  • How we collect the information about you
  • What we do with it, where and how we hold it
  • Who has access to the information
  • What are the rights you have concerning the information

Article 13 specifies a number of elements that need to be incorporated into the Privacy statement (mostly copied from the text of the law, but slightly shortened):

  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or [...].
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority [the ICO];
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Technology, encryption and general technical aspects of security

There are three levels at which you can operate, whether thinking about data stored or data in transit:

  • No attempt at encryption - leaving data unencrypted
  • The data are encrypted, but others (typically a big company provider) control the passwords or keys. Many well-known systems provide this. Gmail to gmail communication. MS hotmail and Live Outlook. Mimecast. Dropbox. Stayprivate. Virtru. Egress. Trend Micro.
  • The data are encrypted on a "private encryption" aka "zero-knowledge" basis: only you can by using the password or keys decrypt the information.

It is not said that the GDPR or the ICO will consider the middle option unacceptable. You need to determine for yourself whether you think it is sufficient, or if you prefer to take the small extra effort of having private encryption.

To give a concrete example, if a 12-year old schoolboy, whether Russian or English, happens to hack one evening into your email (which is technically very easy) they might be able to establish the names of (some of) your clients. And they might try to do something with that (eg bragging to friends or parents; try to blackmail the person in question or yourself; or go to the press). In any such case, if this all comes out and gets investigated, you could be fined for not having sufficiently protected their personal information, even in the case of non-clinical information but still personal information such as their address details, and the sheer fact of them being in psychotherapy.

This is just a variation on the pre-internet theme of being in a public place such as theatre or train station and encountering a somewhat well-known client. The ethics have always been that therapists are discreet, and do not ostentatiously take the initiative of greeting them in public.

Exchanging emails is almost the same as talking with someone in public, as it can so easily be discovered. Hence the need for careful consideration of handling emails, and also how and where you keep your emails stored.

The ICO has made clear over the years, already under the Data Protection Act, and even more under the GDPR, that the “scheduling matters and non-clinical content” of any such emails with clients constitutes “personal information” under the meaning of the acts, hence needs to be protected. Reason is that they can make it likely or certain that that person is your client.

And that can already become disclosed by the “Subject” of the email, which technically is “metadata”. (This is important as many encryption systems only encrypt the “content”, and don’t encrypt the headings / metadata). E.g. when the heading is “invoice” and you are a therapist, that makes it very likely that the recipient is your client.

Conclusion: The principle of treating this personal information reasonably confidentially is no different whether your client is newsworthy and famous or not. And the only remedy seems (to me) that not only do you have the email content (reasonably) encrypted, but also that you take special care and avoid saying anything that discloses a professional relationship (such as “Invoice”) in the (usually unencrypted) Subject line.

Encrypting communication in the form of emails is all the more essential, when that includes correspondence with third parties such as solicitors, the DWP, doctors, etc.

The international position, and Dropbox

This is dealt with in Articles 44 to 49 of the GDPR. The ICO have already stated that the countries that were "cleared" under the DPA will have the same status. In future the status of non-European countries will remain under review, but the starting position is clear.

There are two laws. The old Data Protection Act (DPA), and the new GDPR which will become effective on 25 May. Under the DPA in the UK there never was a general ban on keeping data abroad. The DPA and the ICO's guidance were clear, that data could be kept anywhere in an EEA country (this excludes the USA and Switzerland, but includes Iceland, Liechtenstein and Norway), but also in other countries with "adequate" data protection. For reasons of workability the ICO had published a list of "adequate" countries, which was: Andorra Argentina Guernsey Isle of Man Israel Jersey New Zealand Switzerland Uruguay. Keeping data with commercial companies in Canada was also allowed. In addition, for the USA after a lot of legal wrangling and court cases, there was a special "Privacy shield" status under which data can be kept in the USA. This is uncontroversial, has been the case for years, and there was never any doubt that under the DPA it was as permissible to keep data in the USA, Switzerland, Norway or New Zealand as it was to keep them in Germany or in the UK itself.

The ICO has decided that any countries that were adequate under earlier legislation (i.e. the DPA) will still be adequate on 26 May and beyond, as before. Of course the adequacy is reviewed regularly by the ICO. If the ICO changes a country's status, then it will be necessary to follow such a ruling, if you don't want to break the law. Unless there are major changes happening politically (which is of course ), it seems a bit unlikely that the USA and the UK would in future go to a kind of cyberwar where they would mutually not allow free traffic of personal data between servers. The consequences for big business in particular would be very hard to deal with.

Dropbox gives us two things. Firstly written assurance that its data are kept on servers either in the USA or in the EU (Germany in particular). They also guarantee in writing that they will make sure that their customers who keep data with them will comply with the GDPR. If they would break that promise, it would expose them to fantastic levels of liability, specifically under the GDPR. It seems very unlikely that they would take that risk.

In short, there is no issue about keeping data with Dropbox in terms of its location, under the GDPR.

The final question is whether one believes that it will be permissible to keep personal data on servers, wherever that is, without encryption. For instance on Dropbox servers, the data are encrypted, but encrypted by Dropbox with keys that Dropbox possesses. So there will be personnel inside Dropbox who could and can read those data. That is a difficult question.

So the encryption issue can be an issue with Dropbox. There are a number of suppliers with products that are less widespread than Dropbox, but with virtually the same functionally, and that allow you to have data encrypted with your own password. SpiderOak One, in the USA, and Tresorit in Switzerland, are big, and come to mind immediately. They keep your data encrypted with a key which you control yourself. They would certainly protect your data better than Dropbox does. The third much-used possibility is to keep data on Dropbox, but encrypt them yourself. For that the highest market-share product is called Boxcryptor.

Some links as background, if you want to read it for yourself. All well readable.

ICO - International

ICO - USA and the Privacy Shield

ICO - International transfers of personal data Dropbox on the GDPR