Guidance for therapists on GDPR in online therapy: protecting mental health data, securing platforms and documenting clear informed consent.

Handling client data in online therapy requires strict compliance with GDPR and the Data Protection Act 2018. This includes safeguarding sensitive mental health information, ensuring transparency, and meeting legal standards for informed consent. Therapists must balance ethical responsibilities with legal obligations to protect client privacy while navigating the complexities of digital tools and platforms.
Therapists should clearly communicate risks, implement robust security measures, and regularly review their consent and data handling processes to remain compliant and protect client trust.
7 Core GDPR Principles for Online Therapy Compliance
In the UK, data protection is governed by the UK GDPR (the post-Brexit version of the EU GDPR) and the Data Protection Act 2018. Together, these laws set the rules for how therapists collect, store, and use personal data - especially sensitive information like mental health records [9]. As a therapist, you are considered a "data controller", meaning you decide why and how client data is processed. This responsibility applies whether you work alone or within a larger practice [9].
To comply with GDPR, you must identify a lawful basis for processing data under Article 6 of the UK GDPR (often tied to fulfilling a contract, such as therapy services) and a separate condition under Article 9 for handling health data (commonly linked to providing health or social care) [9]. Beyond these legal grounds, you need to ensure transparency, data security, and accountability by maintaining clear and documented policies and procedures [9]. These obligations form the foundation for the core principles discussed below.
Under Article 5 of the UK GDPR, several key principles guide how therapists should handle client data [9].
These principles are not just theoretical - they directly shape the everyday practices you adopt in online therapy.
Even with clear principles in place, online therapy comes with specific risks. Data transmitted digitally is more vulnerable to interception. For example, unencrypted video calls or messages can be intercepted, email accounts could be accessed without permission, and data might leak over unsecured Wi-Fi networks [3]. To address GDPR’s integrity and confidentiality requirements, you should use secure, end-to-end encrypted communication tools, avoid public Wi-Fi, and protect your devices with strong authentication methods [9]. Sending sensitive information through unsecured messaging apps can also breach GDPR if safer options are available [3]. Choosing secure, GDPR-compliant tools is essential.
Another challenge is inadequate platform security, which can lead to data breaches [9]. Any platform you use should offer strong security features like encryption (both during transmission and when stored), robust access controls, regular updates, and clear data-processing agreements. If your platform acts as a processor, you’ll need a written agreement under Article 28 to confirm their compliance with GDPR standards [9]. Additionally, if the platform stores data outside the UK or transfers it to other countries, you must ensure proper safeguards - such as standard contractual clauses or adequacy decisions - are in place to protect client data [9].
Taking therapy into the digital realm adds layers of complexity not typically encountered in face-to-face sessions. Clients need to grasp technology risks, platform security, cross-border data transfers, and how their digital data is processed [4][10]. For therapists and clients alike, this can feel daunting, especially with GDPR requiring consent to be freely given, specific, informed, and unambiguous [5][7]. In practice, this means breaking down technical concepts into simple, understandable terms while ensuring clients fully comprehend what they’re agreeing to. Explaining encryption, cloud storage, and data routing in a clear way is no small feat. Let’s explore these challenges and practical ways to address them.
One major challenge is explaining technology risks in a way that’s easy to understand. Clients need to know how video platforms function, what encryption does, and the potential risks, such as hacking, unauthorised access, or data being stored on servers outside the UK [5][7][10]. For instance, using public devices or unsecured Wi-Fi can put sensitive information at risk.
The tricky part is avoiding legal or technical jargon that might confuse clients. It’s equally important to outline the limits of confidentiality online - no system is completely secure. Clients should know what happens if there’s a data breach and how they’ll be informed [4]. The Human Givens Institute’s guidelines for online therapy advise therapists to educate clients on safe technology use and warn against storing confidential data on public platforms like Facebook [2]. Analogies can help simplify these concepts. For example, you might compare a video call to having a private conversation in a busy room where others could overhear. Including clear safety tips in consent forms and privacy policies can also help safeguard client data while maintaining trust.
Once technology risks are explained, the next step is to ensure that consent is properly documented within your digital systems.
Documenting consent digitally comes with its own set of challenges. GDPR explicitly states that silence, pre-ticked boxes, or inactivity do not count as consent. Clients must take a clear, affirmative action - like ticking a box or selecting specific settings - to indicate agreement [5][7]. This means that online forms and booking systems need to be carefully designed, with unticked checkboxes for each distinct purpose, such as therapy delivery, reminders, or marketing communications.
To ensure compliance, use secure, GDPR-compliant tools to record and store consent. These records should be tamper-proof, timestamped, and easy to retrieve for audits. GDPR specialist Sarah D Rees highlights the importance of stating in contracts and privacy policies how long data, including consent records, will be kept - typically six years for legal reasons - and how it will be securely deleted afterwards [11]. Additionally, clients must be able to withdraw consent just as easily as they give it [5][7]. For example, provide a simple link in emails or a setting in the client portal to revoke optional consents, such as for marketing, without affecting access to therapy. This approach ensures accountability and protects sensitive data throughout the client-therapist relationship.
It’s also important to clarify the distinction between consent and contractual requirements.
A common area of confusion is understanding the difference between "consent" and "contractual necessity" as lawful bases for data processing under GDPR. In therapy, most data is processed under contractual necessity, not consent. Clients need to understand which data processing is essential for therapy and which is optional. For example, basic information like name, contact details, and clinical history is necessary for therapy to proceed. Refusing to provide this information could halt therapy altogether. For sensitive health data, therapists usually rely on Article 9(2)(h) - processing necessary for health or social care - alongside safeguards provided by a recognised professional body, rather than relying solely on consent [6].
This distinction is crucial because consent can be withdrawn at any time, whereas contractual processing cannot [5][7]. According to Sarah D Rees, a GDPR-compliant therapy agreement ensures the client’s signature confirms they understand how their data will be used and stored, while explicit consent is reserved for specific activities like recording sessions or sharing data with third parties [11]. Clients should clearly know what they must agree to for therapy to proceed and what is optional, such as newsletters, testimonials, or non-essential analytics. Using consent only for optional activities where clients have a genuine choice helps maintain transparency and accountability, aligning with GDPR requirements and fostering trust in the therapeutic process.
Creating a clear and accessible consent process is crucial for ensuring legal compliance and earning client trust in secure online therapy. This process tackles the challenges of explaining technological risks, documenting consent, and adapting as technology and regulations change. By maintaining GDPR-compliant documentation, you can help clients fully understand what they’re agreeing to, while clear communication ensures nothing is misunderstood. Regular reviews will keep your procedures aligned with both technological advancements and legal updates.
A GDPR-compliant consent form for online therapy must address several essential areas. Begin by identifying yourself as the data controller, including your name, practice details, and contact information. Clearly outline the data you collect, its purpose, the legal basis for processing, and how it will be stored, accessed, retained, and eventually disposed of. For most therapy sessions, data processing is justified by its necessity for healthcare provision. However, explicit consent is needed for optional activities like sending marketing emails or recording sessions.
You should also detail the limits of confidentiality. This might include safeguarding concerns, risks of harm, court orders, serious crimes, or situations requiring input from other professionals. Additionally, list all client rights under UK GDPR, such as the rights to access, rectification, erasure, restriction, data portability, and the right to lodge a complaint with the Information Commissioner's Office.
Explain the security measures in place, such as end-to-end encryption for sessions, while being transparent that no system is entirely risk-free. Optional consents - like receiving SMS reminders, joining a mailing list, or allowing session recordings - should be presented with unticked checkboxes so clients can decline without affecting their access to core therapy services. Use plain English, clear headings, and short, easy-to-read paragraphs to ensure accessibility.
Sharing consent information securely and clearly requires careful planning. Send an initial email with essential details, such as session dates and a link to your secure portal, but do not attach sensitive documents, as email attachments risk data exposure. Instead, upload consent forms to the secure portal, where clients can view them safely.
Use GDPR-compliant platforms for document sharing and electronic signatures. Tools like Konfidens cater specifically to UK therapists, offering features like secure session notes, video calls, and payment processing. By integrating online forms, consent checkboxes, and automated logs into one system, you minimise administrative risks and maintain consistency. During the first video session, go over the key points verbally - especially those related to technology risks, confidentiality, and client rights - and document this discussion in your clinical notes. For clients with limited digital skills, screen-sharing the document can be particularly helpful.
Make sure clients can download or print documents for their records and provide clear ways for them to ask questions before signing. This could be through secure messaging, a quick phone call, or a dedicated Q&A section in your portal. This approach transforms consent from a simple formality into a meaningful dialogue.
Once you’ve shared consent information securely, it’s essential to keep it updated. Regular reviews ensure your consent processes stay compliant and relevant. Review your forms and privacy notices at least annually, or whenever you update platforms, introduce new services, or face legal changes. For example, if you switch to a new video platform, start using AI-assisted note-taking, or alter your data storage arrangements, your documentation must reflect these changes. Keep a version history of all forms and link each client to the specific version they agreed to, which is crucial for demonstrating compliance during audits.
If any significant changes affect existing clients - such as adopting a new platform or adding a data processor - inform them through a clear email or portal notification, and collect updated consent as needed. In group practices or clinics, ensure all clinicians are trained to use the latest consent templates and workflows. Regular reviews also allow you to incorporate updated guidance from the ICO or professional organisations, ensuring your practice remains aligned with the latest standards in data protection and online therapy.
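The consent-record requirements described above (an affirmative action per purpose, tamper-proof timestamped records, withdrawal as easy as granting, and each client tied to the exact form version they agreed to) can be sketched as a small hash-chained ledger. This is an added illustration, not code from Konfidens or any platform named on the page; the purpose names, client ids and form versions are constructed assumptions.

```python
"""Tamper-evident consent ledger (added illustration, not any platform's code).
Assumes an append-only in-memory list; client ids and form versions used by
callers are constructed sample values."""
import hashlib
import json
from datetime import datetime, timezone

# Optional purposes that rest on consent. Core therapy data (contact details,
# clinical notes) is processed under contractual necessity / Art. 9(2)(h) and
# is deliberately NOT a consent purpose here, mirroring the distinction above.
OPTIONAL_PURPOSES = {"marketing", "sms_reminders", "session_recording"}


class ConsentLedger:
    def __init__(self):
        self.records = []          # append-only, each record hash-chained to the last
        self.form_versions = {}    # version id -> sha256 of the form wording

    def register_form(self, version, form_text):
        """Fingerprint each consent-form version so a client can later be tied
        to the exact wording they agreed to (version history for audits)."""
        self.form_versions[version] = hashlib.sha256(form_text.encode()).hexdigest()

    def _append(self, client, purpose, action, form_version):
        if purpose not in OPTIONAL_PURPOSES:
            raise ValueError(f"{purpose!r} is not a consent-based purpose")
        if form_version not in self.form_versions:
            raise ValueError("unknown form version")
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        rec = {
            "client": client, "purpose": purpose, "action": action,
            "form_version": form_version,
            "form_hash": self.form_versions[form_version],
            "ts": datetime.now(timezone.utc).isoformat(),  # timestamped
            "prev": prev,                                   # chain link
        }
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self.records.append(rec)
        return rec

    def grant(self, client, purpose, form_version):
        """Record an affirmative action (box ticked). No record means no consent;
        there is no 'pre-ticked' default anywhere in this ledger."""
        return self._append(client, purpose, "granted", form_version)

    def withdraw(self, client, purpose, form_version):
        """Withdrawal is a first-class record, as simple to make as a grant."""
        return self._append(client, purpose, "withdrawn", form_version)

    def is_consented(self, client, purpose):
        """Latest record for (client, purpose) wins; absence means not consented."""
        state = False
        for r in self.records:
            if r["client"] == client and r["purpose"] == purpose:
                state = r["action"] == "granted"
        return state

    def verify_chain(self):
        """Recompute every hash; an edited, reordered or deleted record breaks it."""
        prev = "0" * 64
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != r["hash"]:
                return False
            prev = r["hash"]
        return True
```

In a real deployment the ledger would be persisted in an encrypted, access-controlled store and the chain head anchored or signed, but the check-on-read logic stays the same.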
Once you’ve established consent processes, the next priority is safeguarding client data with robust technical and organisational measures. Under UK GDPR, therapists act as data controllers and are required to implement "appropriate technical and organisational measures" to mitigate risks. This includes ensuring encryption, confidentiality, integrity, availability, and resilience of systems [9]. Mental health information falls under special category data, which demands stricter protection than standard personal data [6][9]. By incorporating practical, testable safeguards into your daily operations, you can maintain data integrity throughout every step of your practice.
Choosing the right platform is a critical decision when it comes to data security. Therapists must evaluate several factors: Is the data hosted within the UK, EEA, or under equivalent protections? Is data encrypted both in transit and at rest? What access controls are available - such as role-based permissions, two-factor authentication, and audit logs? Will the vendor sign a data processing agreement? How long is data retained, and how is it ultimately deleted? [3][9]. A compliant platform ensures transparency and aligns seamlessly with your consent processes.
Platforms like Konfidens, tailored for UK private practice, offer GDPR-compliant infrastructure for tasks such as scheduling, secure notes, video calls, online bookings, payment collection, and directory services - all within a single system [3]. This eliminates the hassle of juggling multiple tools and negotiating separate data agreements. Konfidens adheres to stringent privacy, health data, and cybersecurity regulations across the EU, UK, and Norway. It features end-to-end encrypted video and messaging, automatic session note saving, and clear access controls, making it a reliable choice for therapists [1].
Beyond encryption and access controls, maintaining robust protocols for device and account security is essential. Any device storing client data should employ full-disk encryption, strong authentication, automatic screen locks, and multi-factor authentication. Clinical records must be stored in encrypted systems with access controls and audit logs to track who accessed what and when [9].
For solo practitioners, the focus should be on ensuring only you can access client files, using unique logins and two-factor authentication [3][9]. In group practices or clinics, role-based access controls are vital. These ensure that staff only access information relevant to their roles - for example, receptionists might see appointment details but not clinical notes [3][9]. Konfidens supports these needs with configurable user permissions and centralised access management, reducing the risk of unauthorised internal access [3]. Additionally, it’s crucial to maintain regular, secure backups of records. These backups should be encrypted, stored separately, and tested periodically to ensure data can be restored in case of device failure or ransomware attacks [9].
Proper data disposal is just as important as secure storage. When client data reaches the end of its retention period, it must be securely deleted. For paper records, use cross-cut shredding; for digital files, employ secure deletion tools. When retiring devices, follow recognised standards to wipe or physically destroy drives [9]. Check how your software or cloud provider handles data deletion, including backups, and document destruction dates. Ensure any processors you work with are contractually obligated to follow GDPR-compliant disposal practices [3][7][9].
Create a retention schedule that balances clinical needs, professional guidelines, and UK legal requirements. For instance, adult therapy notes might be retained for a specific number of years after the last session, with longer retention periods for children’s records when necessary [3][9]. Your privacy notice and consent forms should clearly explain how long data will be stored and the secure methods used for its destruction. Contracts with cloud or platform providers should also clarify what happens to your data when accounts are closed, including timelines and deletion methods for both active systems and backups [9].
This article has explored GDPR obligations, consent challenges, and data security measures within the context of online therapy. Complying with GDPR isn't just about meeting legal requirements - it’s about aligning ethical practices with the protection of sensitive mental health information. As a data controller, you carry the responsibility to safeguard client data, provide clear and transparent privacy notices, and uphold their rights to access, correct, or delete their personal information [3].
Beyond these legal requirements, your professional role calls for ongoing, open communication about digital risks. This means clearly explaining potential technology-related vulnerabilities and treating consent as an evolving process rather than a one-time formality [2].
Strong consent practices and robust data protection protocols are essential for building trust. By clearly outlining how data is handled and ensuring clients have control, you demonstrate both accountability and professionalism. Tools like well-crafted privacy notices, secure digital platforms, and transparent workflows not only strengthen the therapeutic relationship but also distinguish your practice as trustworthy and forward-thinking.
To maintain compliance and adapt to changing circumstances, regular reviews of data handling and consent procedures are critical. As technology advances and client needs shift, these reviews help ensure your practices remain aligned with GDPR standards [8].
Platforms like Konfidens can support your efforts by streamlining scheduling, securely storing notes, encrypting sessions, and handling payment processing within a GDPR-compliant framework. Such tools not only simplify compliance but also enhance your professional credibility [3].
Protecting client data is more than a regulatory requirement - it’s a fundamental aspect of ethical therapy. By embedding GDPR principles and informed consent into the core of your online practice, you not only safeguard clients but also create a service that is both trustworthy and modern.
Under GDPR, consent and contractual necessity are two separate legal grounds for processing personal data, particularly relevant in online therapy settings.
Consent involves obtaining a client’s clear, informed, and freely-given permission for specific activities, such as storing session notes or recording video calls. Importantly, clients must always have the ability to withdraw their consent whenever they choose.
On the other hand, contractual necessity comes into play when processing data is essential to deliver the agreed services. For instance, storing a client’s contact details to schedule appointments or managing payments typically falls under this category.
Determining the correct legal basis for each type of data processing in your practice is crucial. Platforms like Konfidens can simplify this process by helping you manage data in compliance with GDPR regulations.
Therapists can help clients understand the risks linked to online therapy by offering clear, no-nonsense information about potential concerns, such as data breaches, unauthorised access, or technical glitches. This should be part of the informed consent process, giving clients the chance to ask questions and fully grasp how their personal data will be managed.
To meet GDPR requirements and establish trust, therapists should rely on secure, GDPR-compliant platforms for tasks like video calls, record-keeping, and communication. For instance, platforms like Konfidens are specifically designed to prioritise privacy and security while streamlining practice management. Therapists can further reassure clients by detailing the measures in place to protect their data, such as encryption, secure storage systems, and routine software updates.
A GDPR-compliant consent form for online therapy needs to clearly communicate several key pieces of information to clients:
By addressing these points, the form ensures clarity and gives clients greater control over their personal information, aligning with GDPR's transparency requirements.