Data Protection and the Law

As a therapist, you'll be used to handling sensitive information: personal details, psychological or physical conditions, treatment records and details of medication. You'll already understand the ethics of client confidentiality, and as part of that you will hopefully have thought about what data you collect and how you keep it safe. In private practice, ethics is not your only concern: you also have legal duties to comply with.

The UK’s most recent Data Protection Act was passed in 2018 and runs alongside the EU General Data Protection Regulation (GDPR), which came into effect in May 2018. You’ll no doubt have heard a lot about GDPR at the time.

The Data Protection Act and GDPR in a nutshell...

When you collect personal information about someone, they have certain rights, protected by law. These rights cover how their information is collected, stored, used and shared. As the person who decides what personal information is collected and how it is used, you are known as a ‘data controller’.

It is your responsibility to keep all personal information safe and secure (whether on paper or electronically), to collect it responsibly, to delete it when it is no longer needed, and to share it with others only when you have a lawful basis to do so, such as the client’s consent.

GDPR and the Data Protection Act fill many business owners with dread, but they are much needed in a world where personal information is regularly lost or passed to companies without permission. Being a responsible data controller and complying with the law can seem daunting, but don’t worry - if you spend some time reading the information we signpost you to, you’ll be up and running in no time.

Begin by taking fifteen minutes to make some notes about the following:

- What personal data do you collect?

- How do you collect it? Via the telephone, electronically, face to face?

- Where is it stored? Is it secure? What steps could you take to improve security?

- Do you collect information that is not actually needed or becomes redundant? 

- If someone asks you to delete their information, what steps will you take?

- Do you share information with others? Who, and how?

- Do you currently tell people what information you collect and what you do with it, in the form of a privacy policy?

Finished? Congratulations - you have made a great start and taken some practical steps to complying with your legal obligations. 

The Information Commissioner’s Office (ICO)

The ICO is the public body that upholds data protection law in the UK. Its website contains extensive information about the Data Protection Act and, in particular, GDPR.

One of your legal requirements as a data controller is to register with the ICO, get a registration number and pay a small annual data protection fee, unless you qualify for an exemption. You’ll find out more about this requirement, and can check whether you need to pay, on the ICO website.

You’ll also find a number of useful guides to GDPR and data protection in the business section of the ICO website.

We would highly recommend that you read these guides to get a general overview. However, not everything in those guides will apply to you and your business - make sure you read the articles below too, for a more balanced and relevant approach.

GDPR and how it applies to therapists

Bob Bond from Writeupp has written a number of fantastic articles explaining how GDPR applies to the world of private practice, and the steps you should take to ensure you comply.

Here are our favourites:

GDPR: An opportunity, not a threat

GDPR: A practical perspective

GDPR: Email encryption

More information on the Private Practice Hub 

On our website you can read more about:

Client confidentiality

Document management

Practice management software

Encryption software

You can also download a privacy policy tailored for therapists from our documents section if you become an Exclusive member.
