All counsellors in private practice should address GDPR – the General Data Protection Regulations. GDPR came into law in the UK under the Data Protection Act 2018. Even though it originates from the EU, it will still exist after Brexit. It is mandatory for anyone processing data for business purposes.
In your private practice you are the Data Controller.
That means you have to take responsibility for complying with GDPR.
However, don’t be scared by it. Counsellors know how to protect their clients’ data. It is, after all, what you do day in and day out.
This guide will help you comply with the law. For simplicity, it is divided into five steps.
1. Work Out What Data You Need
The first step is to work out the following:
- What data you collect on your clients (everything from email addresses to medical history)
- Whether anything is unnecessary and doesn’t need to be collected (when I completed this exercise, I realised I did not need to collect data about a client’s children)
- What you are doing to keep the data safe
- How long you need to keep your data
- Whether you share your data with any third parties – such as accountants or online services such as Google or Dropbox
Identify “special category data”
As part of this process, work out if you are collecting “special category data.” This is data such as:
- gender identity
- medical history
- membership of trade unions or political parties.
Counsellors are likely to be collecting some of this special category data in their assessments or notes. As a result, they should have a written GDPR policy.
2. Decide Your Lawful Basis for Processing
You have to have a legal reason to process data and should pick from the six reasons stated in the GDPR.
For counsellors in private practice, the easiest ones to use are:
- Contract: you cannot offer your services without holding data such as an email address or telephone number
- Legal obligation: you need to hold data for legal purposes such as providing tax records
- Legitimate interest: you need to hold and store data for the purposes of running your practice and protecting your interests
Surprisingly, consent as a lawful base is not recommended for private practice. Because counsellors are accustomed to gaining consent for storing notes and records it is easy to think this is the lawful basis for processing under GDPR. In fact other lawful bases may be better – such as contract – as consent can be withdrawn.
3. Write a GDPR Data Inventory
- Your name if sole trader, or company name, and contact details
- Where personal data is obtained (e.g., direct from client)
- The types of data being processed (e.g., email address/date of birth/medication)
- Whether this includes special category data
- The purpose for processing (e.g., to contact client, to keep counselling records)
- The legal basis for processing (e.g., contract)
- How much data you process (e.g., less than 1,000 clients)
- The retention period (e.g., five years)
- Any third party to whom data is transferred and the country of origin
- How data is protected when transferred
4. Register with the ICO
The ICO is the Information Commissioners Office – the body responsible for overseeing data protection in the UK. (If you are reading this blog from outside the UK, you need to identify the regulatory organization in your own country).
There is always a lot of debate as to whether registering with the ICO is necessary for counsellors in private practice. A further blog will explain the reasons why most counsellors should register.
You can access a questionnaire to test whether you should register by clicking: here
And if you want to pay the fee immediately, click here
If you’re reading this and feeling overwhelmed, ask me for help. I’m running a short course for counsellors to help them understand what to do.
You can use the information from your data inventory together with the principles of GDPR. These are standards such as fairness, transparency and accuracy.
You can read about GDPR principles by clicking on the link: here
- How you collect data
- How you store data
- How long you keep client records
- How you will delete data when it is no longer necessary
- How you will deal with “subject access requests”: when a client wants to know what data you are storing about them
- How clients can correct data
- How you will ensure data is up to date
- What you will do if data is lost, stolen or accidentally deleted
GDPR Privacy Notice
The Privacy Notice is the information you provide to clients about how you handle their information.
You can refer to your privacy notice in your emails, publish it on your website, and include it when contracting with clients.
It should include:
- Your identity and contact details
- The purposes of processing, e.g, to provide services and fulfil legal obligations
- The legal basis for processing, e.g., the performance of a contract
- Third party recipients of data, e.g., accountants, HMRC, IT professionals, Supervisor – if you do not use pseudonymisation
- International transfers (e.g., if you are using Cloud storage such as Dropbox or Google)
- The period for which personal data is retained
- The right to subject access requests – how people can request access and correction or deletion of their data
- The right to lodge a complaint with a supervisory authority (i.e., the ICO)
You can view a sample privacy notice for counsellors by clicking on the link: here
need more help with GDPR?
Wading your way through the regulations and working out what they mean takes time. It also looks like a pretty daunting task.
I have prepared a short course for counsellors to help them understand data protection and what they need to do to be compliant.
Contact me for more information.
The information contained above is provided for information purposes only. The contents of this article are not intended to amount to advice and you should not rely on any of the contents of this article. Professional advice should be obtained before taking or refraining from taking any action as a result of the contents of this article. Josephine disclaims all liability and responsibility arising from any reliance placed on any of the contents of this article.