What should my privacy notice include to comply with GDPR when handling therapy notes?

To align with GDPR requirements, your privacy notice needs to clearly outline how you handle your clients' personal data, including therapy notes. It should be straightforward, written in plain English, and easy for clients to access and understand. Here’s what to cover: The type of data you collect : This could include session notes, contact information, and payment details. The purpose of data collection : For example, providing therapy services or meeting legal obligations. How you store and secure the data : Specify measures like encrypted digital systems or locked filing cabinets. Data retention periods : Explain how long you keep the data and the criteria for deciding retention timelines. Clients' rights under GDPR : Highlight their rights to access, correct, or request deletion of their data. Any data sharing : If applicable, mention who you might share the data with, such as supervisors or legal authorities. Your contact information : Provide details for clients to reach out with questions or concerns about their data. For therapists in the UK, platforms like Konfidens can be a practical solution for securely managing session notes. These tools ensure compliance with GDPR while helping you maintain the trust and confidence of your clients.

What should I do if a client requests access to their therapy notes under GDPR?

Under the GDPR, clients have the right to access their personal data, including therapy notes, by submitting a Subject Access Request (SAR) . Once you receive an SAR, you’re required to respond within one month . Here’s what to keep in mind when handling an SAR: Carefully review the therapy notes to ensure they are relevant to the client’s request. Remove any details that could identify third parties unless you have explicit consent to include them. Present the information in a way that is clear and easy to understand. If you're uncertain about the process, it’s wise to seek guidance from a legal or data protection expert. Using platforms like Konfidens can also make things easier by securely storing your therapy notes and ensuring they comply with GDPR requirements.

GDPR Rules for Therapy Notes Explained

GDPR protects all therapy notes you keep on clients, whether handwritten or digital. As a therapist in the UK, you're legally required to handle this data responsibly under the UK GDPR and Data Protection Act 2018. Here's what you need to know:

Therapy notes are sensitive data: They fall under "special category data" because they often include health information. This means stricter rules apply.
Legal requirements: You need a lawful basis (e.g., a contract or legitimate interests) and a condition for processing special category data (e.g., health or social care purposes).
Your role as a data controller: If you're in private practice, you're responsible for how client data is collected, stored, and used.
Retention and storage: Keep notes for around seven years (or until minors turn 25). Use secure methods like locked cabinets or encrypted systems.
Client rights: Clients can access, correct, or request deletion of their data. However, you can withhold information if sharing it may cause harm or breaches others' privacy.

To comply, register with the ICO, provide a privacy notice, and use GDPR-compliant tools for note-taking and storage. Transparency and secure practices build trust while meeting legal obligations.

Legal Bases for Processing Therapy Notes

When handling therapy notes under UK GDPR, two conditions must be met: an Article 6 lawful basis for processing personal data and an Article 9 condition for special category data under the Data Protection Act 2018. These legal requirements must be satisfied before collecting or storing client information.

Understanding these legal principles is crucial for maintaining a compliant practice. They shape how you document your work and what you communicate to clients about how their data is used and safeguarded. Let’s break down these legal bases and conditions.

Understanding Legal Bases for Data Processing

For most self-employed therapists in private practice, performance of a contract is the primary Article 6 lawful basis. When a client agrees to therapy - through a signed contract or verbal agreement - you need to maintain clinical records to deliver the service and ensure continuity of care.

Alternatively, you might rely on legitimate interests as your lawful basis. This applies when you have a valid business reason to process data, such as ensuring safe and effective practice, keeping proper clinical records, and adhering to professional standards. To use legitimate interests, you must demonstrate that your need to process data does not outweigh the client’s privacy rights. For therapy notes, this balance is reasonable since record-keeping supports ethical practice and client safety.

For special category data under Article 9, therapists generally rely on the provision of health or social care condition (Schedule 1, paragraph 2 of the Data Protection Act 2018). This allows health professionals to process sensitive health data to provide care. Your privacy notice should explain that clinical notes are essential for providing therapy, managing appointments and payments, and meeting professional standards set by organisations like BACP, UKCP, or BPC.

Processing Purpose	Typical Article 6 Basis	Special Category Condition (Article 9 / DPA 2018)	What to Document
Session notes and clinical records	Contract (therapy provision) or Legitimate interests (safe practice)	Health or social care provision (Schedule 1, para 2)	Privacy notice explaining notes are necessary for therapy and professional standards
Appointment scheduling and contact details	Contract or Legitimate interests	Not usually required (unless health details included)	Privacy notice covering how contact information is stored and used
Invoices and payment records	Contract	Not usually required (unless health details included)	Privacy notice explaining financial record-keeping and retention
Supervision discussions (anonymised)	Legitimate interests (professional development)	Health or social care (if identifiable)	Supervision agreement and privacy notice covering use of anonymised material
Safeguarding disclosures	Legal obligation, Vital interests, or Legitimate interests	Substantial public interest (Schedule 1, para 18)	Document decision-making process and specific basis for each disclosure

When drafting your privacy notice and therapy contract, make sure to separate sections. One should cover the agreement to enter therapy - covering fees, cancellations, and modality - while another explains how you handle client information, including the lawful bases you rely on. This clarity helps clients understand both their therapeutic relationship with you and their data rights.

It’s important to distinguish between consent to therapy and consent for data processing. Consent to therapy means the client agrees to work with you and understands the nature of the therapeutic relationship. This is an ethical requirement forming the foundation of your therapeutic contract. However, this does not automatically satisfy GDPR requirements for processing personal data.

Under GDPR, consent for data processing must be freely given, specific, informed, and unambiguous. Importantly, consent cannot be considered freely given if it is a precondition for receiving a service. For example, if clients are told they can only receive therapy if they consent to you keeping notes, this would not meet GDPR standards because they lack a genuine choice. This is why lawful bases like contract or legitimate interests are more appropriate for therapy notes - these notes are necessary for delivering the service, not an optional extra requiring separate consent.

Explicit consent is only required when sharing data beyond therapy purposes. For instance, if a client asks you to send a report to their GP or an insurance company, you would obtain explicit consent for that disclosure. Similarly, if you want to use anonymised case material for teaching or publication, you should seek the client’s consent even after anonymisation.

To explain this to clients, you could say: "I keep notes of our sessions because they’re necessary to provide therapy and meet my professional obligations. You don’t need to give separate consent for me to keep these records - they’re part of the service. However, if you ever want me to share information with someone else, such as your GP, I’ll always ask your permission first unless there’s a legal or safety reason requiring me to share it."

Confidentiality and Privacy Requirements

Your duty of confidentiality under GDPR requires you to protect client information. Professional bodies like BACP, UKCP, and BPC reinforce this obligation, requiring you to keep client information private, except in clearly defined circumstances. GDPR adds enforceable client rights - such as access, erasure, and restriction - and explicit requirements for transparency and record-keeping.

When selecting your lawful bases, ensure they align with your ethical codes. Notes should only be kept to the extent necessary for competent practice and safeguarded against unauthorised access. Your confidentiality policy, limits to confidentiality, and lawful bases should all be explained in a single, coherent statement, typically in your therapy agreement and privacy notice. This helps clients understand both your ethical commitment to confidentiality and the legal framework protecting their data.

Key limits to confidentiality include situations involving serious risk of harm to the client or others, safeguarding concerns involving children or vulnerable adults, substantial risk of serious crime, or legal obligations such as court orders. You should clearly explain these limits at the start of therapy and share information on a "minimum necessary" basis, ideally discussing any disclosure with the client if it is safe to do so.

Under GDPR, these disclosures are justified by lawful bases such as vital interests (risk to life or serious harm), legal obligation (court orders, statutory duties), or legitimate interests (preventing harm), alongside the usual health-care condition for special category data. You must document both the decision-making process and the specific lawful basis used when sharing information. Reflect these standard limits in your privacy notice and confidentiality statement so clients are aware of the circumstances in which their notes might be disclosed.

When discussing confidentiality, align your wording with UK GDPR by addressing typical limits like serious harm risks, safeguarding, court orders, and legal obligations relating to terrorism or money laundering. For supervision, explain that cases may be discussed with a clinical supervisor but are generally anonymised or shared with minimal identifiable information. The BPC advises that process notes containing identifiable details are part of the "record" and subject to UK GDPR, so these should be anonymised if kept separately from the formal clinical record.

How to Take, Store, and Retain Therapy Notes

Once you've grasped the legal basis for processing therapy notes, the next step is putting those principles into action. This means deciding what details to record, where to store them, and how long to keep them. These decisions don’t just ensure compliance with GDPR - they also help build trust with clients and support safe, effective therapy. By focusing on these practices, you can integrate GDPR requirements into your daily record-keeping seamlessly.

The UK GDPR is guided by key principles that shape how therapy notes should be handled. One of the most important is data minimisation - only recording information that’s necessary for assessment, treatment, risk management, supervision, or legal obligations. The British Psychoanalytic Council advises therapists to keep notes "minimal but clinically useful" ^[2]. This means focusing only on clinically relevant facts, which not only respects client privacy but also supports effective therapy.

Professional guidelines often suggest dividing recorded information into two categories:

Category 1: Basic client details like name, address, contact information, confirmation of therapy, and appointment specifics.
Category 2: More sensitive information, such as the client’s personal history, family background, presenting issues, and session details. Care should be taken to avoid including identifying details about the client or third parties outside the formal clinical record.

Other key principles include:

Storage limitation: Only keep personal data for as long as necessary, securely deleting or anonymising it afterward.
Integrity and confidentiality: Protect records from unauthorised access or accidental loss.
Accuracy: Ensure records are up to date and correct errors promptly.
Accountability: Maintain documented policies to demonstrate compliance.

Secure Storage Options for Paper and Digital Notes

The way you store therapy notes depends on whether you use paper records, digital systems, or both. Each method comes with specific security measures.

Paper Notes:
Keep paper records in a locked filing cabinet with restricted access. Use an organised filing system to make it easy to locate, update, or remove records when needed. To add an extra layer of security, consider separating identity data from clinical notes by using codes or ID numbers. When records are no longer needed, dispose of them securely - using a cross-cut shredder or a professional confidential waste disposal service.

Digital Notes:
For digital records, robust security is essential. This includes full disk encryption, strong and unique passwords, and two-factor authentication. If you use cloud-based storage, ensure data is encrypted both in transit and at rest, restrict access to authorised personnel, and have clear data-processing agreements with third-party providers. Regularly back up your data using encrypted systems to safeguard against loss or corruption.

When choosing digital tools, look for platforms designed with security and GDPR compliance in mind. For example, Konfidens is a European-built practice management platform offering encrypted session notes, secure client messaging, file sharing, and video chat - all in one system.

Proper storage is just one part of the process - managing how long you keep therapy notes is equally important.

Retention Policies for Therapy Notes

GDPR requires that personal data not be kept longer than necessary. Many therapists follow professional guidelines, which typically recommend retaining session notes for around seven years after therapy ends. If the client was a minor during treatment, legal requirements may extend this period. For example, your privacy notice might state:

"We retain your session notes for seven years after the end of therapy, or until a client who was under 18 at the time of treatment reaches 25 years of age."

To stay compliant, create a clear retention policy outlining what data is kept, why, and for how long. At the end of the retention period, review the records and either securely destroy or anonymise them - unless there’s a valid reason to keep them longer. This ensures your records remain compliant throughout their lifecycle.

Client Rights and Access Requests

Your clients have rights under GDPR that you’re obligated to respect, particularly when it comes to their therapy notes. These rights apply during and after treatment. Knowing how to handle access requests and when to share information with third parties is vital for protecting your clients and safeguarding your practice.

Under UK GDPR, therapy clients hold several rights over their personal data, including session notes and related records. These rights include:

Access: Clients can request to see the data you hold about them.
Rectification: They can ask to correct inaccuracies.
Erasure: Known as the "right to be forgotten", clients can request data deletion.
Restriction of Processing: Clients can limit how their data is used.
Data Portability: They can request their data in a transferable format.
Objection: Clients may object to certain types of data processing.

However, these rights aren’t absolute. For instance, you may withhold or redact information if sharing it could seriously harm the client’s physical or mental health, or if it includes details about a third party who hasn’t given consent. Additionally, information protected by legal privilege can be withheld.

The British Psychoanalytic Council (BPC) emphasises transparency in its Confidentiality and UK GDPR Guidance (March 2024). Clients should be informed from the start about what data is collected, how it’s used, the lawful basis for processing, and their rights. This information should be detailed in your privacy notice.

It’s important to remember that your professional duty of confidentiality complements GDPR. While GDPR allows clients access to their data, it doesn’t permit unauthorised disclosure to third parties. These principles ensure secure data management and guide how you handle access requests.

How to Handle Subject Access Requests

A Subject Access Request (SAR) is a formal request from a client to view all personal data you hold about them. Under UK GDPR, you must respond within one calendar month. If the request is particularly complex or involves a large volume of data, you can extend this by two months. However, you must notify the client of the delay within the first month and explain why more time is needed.

Processing a SAR is free of charge, and the information must be provided in a clear, accessible format, whether as a printed document or an electronic file. Here’s how to handle a SAR effectively:

Log the request: Record the date and method of the request.
Verify identity: Confirm the client’s identity to prevent unauthorised access.
Search all records: Include electronic files, paper notes, emails, and payment records.
Review the data: Check for sensitive information that may need to be withheld, such as details about third parties.

If you decide to withhold certain information, document your reasoning thoroughly. Clearly explain to the client what has been withheld and why, and inform them of their right to challenge your decision or file a complaint with the Information Commissioner’s Office (ICO).

Keeping therapy notes concise and clinically relevant can make the SAR process smoother and reduce potential complications.

Requests for therapy notes from third parties, such as solicitors, insurance companies, or courts, require careful consideration. In most cases, you should not share therapy notes without the client’s explicit consent. However, there are exceptions, such as legal obligations. For example, a court order or subpoena may require you to disclose records unless a legal exemption, like legal professional privilege, applies.

If a solicitor requests notes without a court order, ensure they provide written confirmation of the client’s consent, or ask them to obtain a court order before releasing any information. If disclosure could cause harm or breach confidentiality, seek legal advice before proceeding.

When sharing information with third parties, ensure there’s a clear legal basis, whether it’s the client’s consent, a statutory requirement, or another lawful reason under GDPR. Log each request, noting the date, requester, information shared, and your response. Where appropriate and legally allowed, inform the client about the disclosure.

For routine data sharing, such as with a client’s GP, use secure platforms like Konfidens. Designed to meet UK GDPR and EU privacy standards, Konfidens provides encrypted storage for session notes and secure messaging, helping you maintain confidentiality and compliance ^[1].

Meeting GDPR requirements doesn’t have to be overwhelming. By understanding your responsibilities and establishing straightforward routines, you can ensure client data remains protected. Here are the key steps to embed GDPR compliance into your practice.

Registering with the ICO and Paying the Fee

ICO

If you handle client information electronically - whether through emails, online booking systems, digital notes, or payment records - you’ll likely need to pay a data protection fee to the Information Commissioner’s Office (ICO). While the old requirement to "register" has been removed, paying this fee is still mandatory for most therapists who use electronic records.

To determine if this applies to your practice, use the ICO’s self-assessment tool, available on their website. This tool will guide you through the process and help you identify the appropriate fee tier. Many therapists fall into the lowest tier, which is currently around £40 per year (excluding VAT). Once you’ve completed the assessment, pay the fee online and set a reminder for the annual renewal. Make sure to store the ICO’s confirmation as part of your compliance records, as it may be required during inspections or in response to complaints.

Don’t assume that being a sole practitioner exempts you from this obligation. If your practice details change - such as a new address or name - update your records with the ICO. Even if you conclude that the fee doesn’t apply to you, keep a dated record of your assessment and reasoning.

A privacy notice is essential for informing clients about how their personal data is handled. This document must be shared with clients before or at the start of therapy and should cover key details, including:

What data you collect and why
The lawful basis for processing the data
How long you’ll retain the information
Who the data might be shared with
Clients’ rights regarding their data
How to file complaints, including contact details for the ICO

Include the privacy notice in your client intake pack and make it accessible on your website. To ensure compliance, keep a record showing that your clients received it - this could be a signed acknowledgement or an online tick-box confirmation. Regularly review and update the notice, especially if you change how you process data or introduce new tools. This step complements secure storage practices and demonstrates your commitment to transparency.

When selecting tools for tasks like scheduling, note-taking, video sessions, and payments, it’s crucial to ensure they meet UK GDPR requirements. These tools should provide secure storage, encryption, and clear data processing agreements. Relying on multiple systems - such as spreadsheets, personal email accounts, or generic cloud storage - can increase risks and make compliance more challenging.

Instead, opt for platforms designed with GDPR in mind. Look for features like encrypted storage, secure messaging, automatic saving, and audit trails that log access details. For example, Konfidens offers an all-in-one solution with scheduling, secure note-taking, video calls, and payment processing - all built to meet GDPR standards. Tools like this simplify compliance while ensuring data security.

In addition to choosing the right tools, establish clear procedures for handling data breaches and subject access requests. For breaches, act quickly: revoke access, update passwords, assess the potential risk to clients, and document every action taken. For subject access requests, verify the requester’s identity, log the request, locate all relevant data, and respond within one month. Using templates for responses and maintaining a simple log (with dates, issues, and decisions) can make these processes more manageable.

Conclusion

Adhering to GDPR is a must for ensuring therapy in the UK remains both safe and ethical. Therapy notes fall under special category data, making it your responsibility as a data controller to safeguard client privacy and comply with legal obligations.

The main steps are simple: establish a lawful reason for processing client data, secure both paper and digital records, set clear retention policies, and respect your clients' rights to access and manage their information. Paying the annual ICO fee (around £40), updating your privacy notice, and using tools that align with GDPR requirements are key starting points for compliance.

These measures create a solid foundation for accountability. Accountability matters. Keep detailed records of your decisions, document your processes, and periodically review your practices to ensure they stay relevant as your work evolves. Tools like Konfidens, which are built with GDPR in mind and provide encrypted storage, secure messaging, and audit trails, can help you avoid hefty fines. More importantly, they show your clients that their trust is well-placed and that their sensitive information is handled with the utmost care.

FAQs

To keep your therapy notes in line with GDPR regulations, it’s crucial to use a secure, encrypted platform that meets these standards. Any digital tool you select should store data within the EU and have strong security measures to safeguard client confidentiality.

For therapists in the UK, Konfidens stands out as a reliable choice. It ensures your session notes are encrypted and securely stored, giving you confidence that your practice complies with GDPR. Plus, it streamlines compliance with features like secure storage, AI-assisted note-taking, and workflows designed with GDPR in mind.

To align with GDPR requirements, your privacy notice needs to clearly outline how you handle your clients' personal data, including therapy notes. It should be straightforward, written in plain English, and easy for clients to access and understand.

Here’s what to cover:

The type of data you collect: This could include session notes, contact information, and payment details.
The purpose of data collection: For example, providing therapy services or meeting legal obligations.
How you store and secure the data: Specify measures like encrypted digital systems or locked filing cabinets.
Data retention periods: Explain how long you keep the data and the criteria for deciding retention timelines.
Clients' rights under GDPR: Highlight their rights to access, correct, or request deletion of their data.
Any data sharing: If applicable, mention who you might share the data with, such as supervisors or legal authorities.
Your contact information: Provide details for clients to reach out with questions or concerns about their data.

For therapists in the UK, platforms like Konfidens can be a practical solution for securely managing session notes. These tools ensure compliance with GDPR while helping you maintain the trust and confidence of your clients.

Under the GDPR, clients have the right to access their personal data, including therapy notes, by submitting a Subject Access Request (SAR). Once you receive an SAR, you’re required to respond within one month.

Here’s what to keep in mind when handling an SAR:

Carefully review the therapy notes to ensure they are relevant to the client’s request.
Remove any details that could identify third parties unless you have explicit consent to include them.
Present the information in a way that is clear and easy to understand.

If you're uncertain about the process, it’s wise to seek guidance from a legal or data protection expert. Using platforms like Konfidens can also make things easier by securely storing your therapy notes and ensuring they comply with GDPR requirements.

GDPR Rules for Therapy Notes Explained

Legal Bases for Processing Therapy Notes