Should counsellors register with the ICO? How do the General Data Protection Regulations (GDPR) apply to counsellors? What is their duty under the Data Protection Act 2018?
The following information aims to help you decide whether you should pay the Data Protection Fee to the Information Commissioners Office (ICO)
Key Definitions for Counsellors
First, it is important to understand some of the key phrases when talking about GDPR and data protection.
These include the following.
This is information relating to a person where it is possible to identify them.
The means of identification may be a name. However, it could also be something like an identification number or an IP address.
The data controller is someone who decides what personal data is collected and how. If you’re a sole practitioner in your private practice, you are the data controller.
It is your responsibility to comply with data protection law and pay the fee if necessary.
If you are processing personal data for your business you have to comply with GDPR and data protection law.
The ICO say that processing data includes any of the following:
- obtaining it;
- recording it;
- storing it;
- updating it; and
- sharing it
They also have a longer definition:
- erasure or
That’s quite a comprehensive list. It is evident that counsellors and therapists will be:
- collecting personal data (e.g., email addresses)
- recording details and structuring them in a filing system
- retrieving those details to use them
- disclosing data (e.g., accounting, tax records, cloud computing)
- erasing data after a period of time
An important definition as if you are not processing data on a computer, you are exempt from the fee.
According to the ICO, the following counts as a computer:
- cloud computing
Special Category Data
This is personal data that is particularly sensitive and can include the following:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
It is likely that counsellors will be processing special category data and this is an important consideration when deciding whether to register with the ICO.
When Should Counsellors Register with the ICO?
Since the Data Protection Act 2018 was passed, it is not necessary to register with the ICO. However it is required for data controllers to pay a data protection fee.
The ICO state:
Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.
See: ICO information
So, the question is, are you exempt?
Not using a Computer
If you are processing personal information without a computer you do not need to pay the data protection fee.
NB see the definition of “computer” above.
It is unlikely that you are not using a computer at all to process the information. For example, if a client sends you an email – even if you are simply obtaining their personal details – that counts as processing on a computer.
It counts as processing even if you delete it from your device immediately.
Accounts and Records
If you are processing personal data purely for the purposes of accounts and records for business purposes, you are exempt.
This sounds promising.
However, the definition of accounts and records appears to be narrow and refer solely to records of payments. The ICO use the phrase “accounts and records i.e. invoices and payments”. It does not say “records, for example, invoices and payments”.
That implies that therapy notes cannot be included in this definition.
If you would like to see if you are exempt, you can click on the following link and do your own self-assessment test:
ICO Self Assessment Questionnaire
Special Category Data
In most circumstances, this is considered so sensitive that it requires explicit consent from an individual to process it. Under the Data Protection Act 2018, counsellors are exempt from the requirement to gain explicit consent.
However, in verbal guidance, the ICO have told me that counsellors should consider paying the Data Protection Fee because they are processing special category data.
This applies even if you are not processing data on a computer.
If you’re reading this and feeling overwhelmed, ask me for help. There’s GDPR training available in the Setting Up in Private Practice module of the Therapy Growth Group
Counsellors: Register with the ICO!
It is more likely than not that you should pay the Data Protection Fee.
The fact that you are reading this blog implies that you have access to electronic equipment that is classed as a computer. If you collect any client personal information via this device, you are not exempt.
The Data Protection Fee for small organisations is £40 per year, reduced to £35 if you pay by direct debit.
Consider how long you have taken to read this article and others relating to the Data Protection Fee.
Register with the ICO and pay the fee. That means you can then concentrate on getting paying clients. It’s a better use of your time.
Remember, you can offset the fee as a business expense. Just pay. It’s not worth your time not to.
(And think of the positive impression clients will gain if you have all your Data Protection systems in place. It says a lot about your professionalism and trustworthiness).
need more help with GDPR?
For more help, you may like to consult my previous blog on GDPR.
However, wading your way through the regulations and working out what they mean takes time. It also looks like a pretty daunting task.
I have prepared a short course for counsellors to help them understand data protection and what they need to do to be compliant. It’s in the Setting Up in Private Practice module in the Therapy Growth Group
Contact me for more information.
The information contained above is provided for information purposes only. The contents of this article are not intended to amount to advice and you should not rely on any of the contents of this article. Professional advice should be obtained before taking or refraining from taking any action as a result of the contents of this article. Josephine disclaims all liability and responsibility arising from any reliance placed on any of the contents of this article.