The Best Way to Keep Counselling Notes for GDPR

What is the best way to keep counselling notes for GDPR?  Do you know what counts as notes?  How should counsellors and therapists store electronic and paper notes?

Keep counselling notes

Photo by XPS on Unsplash

What are counselling notes?

The GDPR actually refers to “records” rather than notes. This is an important definition.

So include the following when thinking about your notes:

  • Notes recording the session
  • Notes about the counsellors thoughts 
  • Contracts
  • Permission to keep records
  • Text messages
  • Emails
  • Calendars
  • Diaries
  • Artwork

For GDPR, records include:

  • anything that directly identifies a client
  • anything that can identify a client when combined with other information

GDPR Principles for counselling notes

Keep in mind the rights that your client has under GDPR.

Right to Be Informed

This means you have to tell your client about what information you collect. You have to tell them how long you will keep it.  For more information on your privacy notice for clients, see the blog on GDPR for Counsellors in Private Practice

Right of Access

Let clients know how they can access their records. Have procedures in place so you know what to do when they ask.

Right to Erasure

You can keep records in order to protect yourself against claims – even if clients ask you to delete them.  See the blog on GDPR for Counsellors in Private Practice and read about your legal basis for processing.

Data Portability

People can ask for their data to be moved to a different electronic platform.  For example they can ask banks to  transfer their account data. This means banks can transfer data in a machine readable form.  Most commercial software applications do have a way to export information.  It seems unlikely that clients will ask you to transfer data. 

If you’re reading this and feeling overwhelmed, ask me for help.  I’m running a short course for counsellors to help them understand what to do.

Safe Storage of Counselling Notes

Counsellors have both a legal (GDPR) and ethical (confidentiality) duty to store notes safely.

Data Protection legislation applies to information on computers or in a filing system.

A paper based filing system where information is stored in a logical way – so that it can be retrieved – falls under this definition.

This includes situations where notes are separated from the client’s personal information.

Even if information is only kept on paper, you should comply with GDPR.

Paper Based Storage

Records should be stored in a lockable cabinet.  Consider fire, flood and theft.

To make it easy for someone to take over should the counsellor fall ill or die, many counsellors keep the client’s contact information separate to the notes of a session.

The notes should still be protected even if they only contain a code.  This is because when combined with the contact information, it is possible to identify the individual.

It is not mandatory to keep contact information separate but counsellors should consider where the information is being stored:

  • in a shared office it is not safe to store everything together due to increased risk of unauthorised access
  • moving around between locations increases the risk of loss or theft so do not keep everything together

Computerised Storage

Remember, under the GDPR, “automated means of storage” includes phones, tablets and even CCTV.  See the blog on Register with the ICO for the definition of computer.

Therefore, think about:

  • Password protecting phones, laptops, PCs and tablets
  • Two factor authentication, for example, gaining a code on your phone in order to access something on your laptop
  • Back ups.  Remember, electronic equipment can fail and you may be storing information for several years. Electronic equipment is at high risk for theft. For this reason, cloud based storage is often recommended
  • Password protecting documents, especially if they are going to be transferred via cloud computing, may not be sufficient.  Consider encryption instead
  • “Encryption at rest” means only someone with the key can access the data.  This is the gold standard.
  • How will you store and remember passwords?
  • Virus protection
  • If transferring data to the cloud, what will the service do about disaster recovery?  Free services often only offer “best effort” recovery, they may not guarantee full recovery
  • If using commercial record keeping software, consider what you will do if the service ceases trading or you wish to transfer data to a different supplier.  Will you be tied in and how can you transfer data?

You can read more about information security in this guide by the Information Commissioners Office

need more help with GDPR?

Wading your way through the regulations and working out what they mean takes time.  There’s also a lot of conflicting guidance about.

It is a pretty daunting task.


I have prepared a short course for counsellors to help them understand data protection and what they need to do to be compliant.

Contact me for more information.

The information contained above is provided for information purposes only. The contents of this article are not intended to amount to advice and you should not rely on any of the contents of this article. Professional advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.  Josephine  disclaims all liability and responsibility arising from any reliance placed on any of the contents of this article.