How Therapists Handle Payment Data Under GDPR

UK guidance for therapists on lawfully collecting, storing and retaining payment data under GDPR — security, processor checks, retention and breach steps.

Managing payment data is a legal responsibility for therapists in the UK. Under UK GDPR and the Data Protection Act 2018, payment information like invoices, transaction records, and client names must be handled securely to protect privacy and comply with the law. Mishandling this data can lead to fines, reputational damage, or client complaints. Here's what therapists need to know:

  • Lawful bases for processing payment data: Typically "Contract" (for therapy services) or "Legal obligation" (for tax records). Special category data (e.g., therapy-related invoices) may require additional conditions.
  • Privacy notices and contracts: These documents must explain why payment data is collected, how it’s used, and clients’ rights.
  • Data storage and security: Use encryption, strong passwords, two-factor authentication, and secure platforms. Avoid storing unnecessary details like full card numbers.
  • Retention periods: Keep financial records for at least six years (or until a child client turns 25).
  • Working with third-party processors: Ensure payment platforms are GDPR-compliant, with clear data processing agreements.
  • Handling breaches: Act quickly to contain issues, notify the ICO within 72 hours if required, and inform affected clients if risks are high.

Therapists must balance legal compliance with protecting client trust. Using GDPR-compliant tools and clear documentation simplifies this process while safeguarding sensitive information.

Lawful Bases for Processing Payment Data

Whenever you handle payment data - whether it's recording transfers, issuing invoices, or storing card details - you need a valid lawful basis under UK GDPR. The appropriate basis depends on the reason behind the processing. For therapists in private practice, the most relevant bases are often Contract and Legal obligation.

When managing payments for therapy sessions, Contract is typically the most fitting lawful basis. Processing payment details is essential for fulfilling the therapy agreement with your client. Without this, providing your service wouldn’t be possible. This includes activities like accepting BACS transfers, processing card payments, issuing invoices, and keeping transaction records [1].

On the other hand, Legal obligation applies when keeping financial and tax records. UK accounting regulations and HMRC require you to retain certain payment records - usually for at least six years for tax purposes. Even after therapy ends, you’re legally required to maintain invoices, fee records, and bank statements that document your business income and expenses [2].

It’s important to note that different purposes for the same data may require different lawful bases. For example, recording a client’s payment to manage ongoing therapy sessions falls under Contract, while retaining the same record for tax compliance is justified by Legal obligation. These distinctions must be clearly documented in your records and privacy notice.

Consent isn’t suitable for routine payment processing. Since payment is a precondition for therapy, clients can’t freely refuse to provide payment details without affecting their access to the service. Guidance for UK counsellors recommends using Contract for client data required to deliver therapy [1][3]. However, consent might be relevant for optional matters, like sending marketing emails or sharing detailed invoices with a family member paying on the client’s behalf.

For tasks such as debt recovery or fraud prevention, Legitimate interests is the appropriate basis. When using this, you must document an assessment to ensure your interests don’t override the client’s rights.

Therapists should also be aware that payment data can sometimes reveal special category information. While basic details like card numbers or transaction amounts aren’t automatically considered special category data, certain information - such as a merchant description on a bank statement that includes your practice name with terms like "therapy" - might indirectly indicate mental health services. In these cases, you’ll need both an Article 6 basis (e.g., Contract or Legal obligation) and an Article 9 condition, such as the health or social care condition, to process the data lawfully.

The ICO defines health data as any personal information about an individual’s physical or mental health, including healthcare services provided, that reveals their health status. For example, a receipt or invoice showing therapy sessions may fall into this category. Even when processing payment data primarily for financial purposes, you must apply extra care if it reveals health-related details.

The table below summarises key purposes, lawful bases, and conditions for UK therapists:

  • Charging and collecting session fees (card, bank transfer, cash records)
      - Typical lawful basis (Article 6 UK GDPR): Contract
      - Special category condition (Article 9) needed? Only if the record reveals health/therapy information; then use the health/social care condition
      - Notes for UK therapists: Core administrative function; consent is not appropriate.
  • Issuing and retaining invoices/receipts that may show "therapy session"
      - Typical lawful basis (Article 6 UK GDPR): Legal obligation (for tax and accounting requirements)
      - Special category condition (Article 9) needed? Often yes; invoices can reveal that psychotherapy was provided, so rely on the healthcare provision condition
      - Notes for UK therapists: Retain records for tax and professional retention periods (often six years or more).
  • Keeping financial records for HMRC and accounting requirements
      - Typical lawful basis (Article 6 UK GDPR): Legal obligation
      - Special category condition (Article 9) needed? If records reveal therapy attendance or mental health treatment, the health/social care condition applies
      - Notes for UK therapists: Must be retained for at least six tax years; for clients seen as children, until age 25.
  • Debt recovery or fraud prevention
      - Typical lawful basis (Article 6 UK GDPR): Legitimate interests
      - Special category condition (Article 9) needed? Depends on whether the data reveals health information
      - Notes for UK therapists: Requires documentation of a legitimate interest assessment.

Ensure these lawful bases are clearly outlined in your privacy notice and therapy contract to maintain transparency and compliance with data protection rules.

Including Payment Data in Privacy Notices and Contracts

Documenting how you handle payment data in your privacy notice and therapy contract is vital for GDPR compliance and building client trust. These documents should outline your practices clearly and in plain English.

Your privacy notice should explain in detail how payment data is processed. This document should be easily accessible, whether on your website or as a handout/PDF. Key points to include are:

  • What payment data you collect – such as names, contact details, payment methods (direct or via third parties), transaction records, invoice details, and any payment arrangement notes.
  • Why you process payment data – for example, taking payments, managing bookings, maintaining accounts, complying with tax laws, or handling unpaid fees and fraud prevention.
  • The lawful basis for each purpose – e.g., "We process your payment information to manage your therapy sessions (Contract)" or "We retain invoices for tax compliance (Legal obligation)". If the data reveals health information, include the healthcare condition for special category data.
  • Who you share payment data with – this might include banks, card processors, HMRC, accountants, or practice management platforms. Note that third-party processors act under data processing agreements.
  • How long you retain the data – for example, "Invoices and payment records are kept for six years after the tax year they relate to, in line with HMRC requirements."
  • Clients’ rights – explain how clients can access, correct, or request deletion of their data (subject to legal retention rules).

Your therapy contract should focus on payment terms and methods - whether BACS transfer, card, cash, or online - and clarify that payment details are processed as part of delivering the agreed service. The contract should also refer clients to your privacy notice for more details on data processing, lawful bases, and retention policies.

Collecting, Storing, and Retaining Payment Data

Handling payment data responsibly is a cornerstone of GDPR compliance. At the heart of this is data minimisation - only collect and keep the information you truly need for financial and legal purposes. This approach not only safeguards sensitive data but also limits unnecessary exposure.

When gathering payment details, stick to the basics. You generally need enough information to issue invoices, reconcile payments, and meet tax requirements. This typically includes the client’s name, the amount paid, the date, and a transaction reference or method (e.g., "bank transfer" or "card payment"). Avoid storing full card numbers - only keep the last four digits - and there’s no need to duplicate bank transfer details that already appear on your bank statement.
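The minimisation rule above, as an added example written for this article (not code from the page or from any platform it mentions): a Luhn-checked scan of free-text fields for full card numbers, and a function that reduces a raw payment event to just the fields the paragraph lists. The raw event and its field names are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Runs of 13-19 digits, optionally separated by spaces or hyphens, that are not
# part of a longer digit run. Candidates are then Luhn-checked to cut false hits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if a digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return full card numbers (digits only) that appear in free text, e.g. a notes field.

    A random 13-19 digit run (a sort code plus account number, a long reference)
    passes the Luhn check about one time in ten, so anything flagged still needs
    a human look before it is treated as a card number.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass(frozen=True)
class PaymentRecord:
    """The stored record: only what is needed to invoice, reconcile and satisfy HMRC."""
    client_name: str
    amount_pence: int                 # integer pence avoids floating-point rounding
    paid_on: date
    method: str                       # "bank transfer", "card" or "cash"
    card_last4: Optional[str] = None  # the only part of a card number that is kept
    note: str = ""


def minimise(raw: dict) -> PaymentRecord:
    """Turn a raw payment event (field names constructed for this example) into the
    minimised record. Full PAN, expiry and CVV are simply not copied; only the last
    four digits survive, and a full card number pasted into the note is rejected
    rather than persisted."""
    method = raw["method"]
    if method not in {"bank transfer", "card", "cash"}:
        raise ValueError(f"unknown payment method: {method!r}")
    note = raw.get("note", "")
    if find_card_numbers(note):
        raise ValueError("note contains what looks like a full card number; remove it before saving")
    last4 = None
    if method == "card" and raw.get("card_number"):
        last4 = re.sub(r"\D", "", raw["card_number"])[-4:]
    return PaymentRecord(
        client_name=raw["client_name"],
        amount_pence=int(raw["amount_pence"]),
        paid_on=date.fromisoformat(raw["paid_on"]),
        method=method,
        card_last4=last4,
        note=note,
    )


if __name__ == "__main__":
    # Constructed sample event, as a card terminal export might report it.
    event = {"client_name": "A. Client", "amount_pence": 6500, "paid_on": "2025-04-15",
             "method": "card", "card_number": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123"}
    print(minimise(event))
```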

Separating payment records from clinical notes is both practical and essential for compliance. Financial data - such as invoices, receipts, and payment logs - should be stored in systems dedicated to financial management, entirely separate from therapy notes or case files. This reduces risks when sharing financial records with accountants and ensures different retention periods are easier to apply.

For in-person payments, consider card machines that don’t store card details locally, accept cash with a receipt, or, if using cheques, log the payment without photocopying the cheque unless absolutely necessary. For remote payments, bank transfers are a common method in UK private practices. Clients transfer funds directly to your business account, and you log the transaction using your bank statement. Online payment links can further streamline the process, allowing clients to pay securely without you handling their card details.

Security Measures for Payment Data

Protecting payment data requires robust technical and physical safeguards. For digital records - like PDFs of invoices or accounting software databases - encryption and access controls are non-negotiable.

Encrypt devices where payment data is stored. This ensures that even if a device is lost or stolen, the data remains secure. Use cloud storage and accounting software that operate over secure, encrypted connections (look for "https" in the URL) and enable two-factor authentication whenever possible. Use strong, unique passwords for each system, ideally managed through a password manager, and avoid sharing credentials or leaving devices unattended.

Implement access controls to limit who can view or modify payment data. If you’re a sole practitioner, you’ll have sole access. In group practices, administrative staff handling billing should only access financial systems, while clinicians don’t need to see payment details. Regularly review permissions, especially when staff leave or change roles.

For paper records - such as printed invoices or bank statements - physical security is crucial. Store them in locked cabinets or cupboards in secure premises, with keys held only by authorised personnel. When sharing paper records (for example, with a bookkeeper), use sealed envelopes or lockable bags, avoid leaving documents in vehicles, and keep a log of what’s been taken off-site. When the retention period ends, cross-cut shred paper records rather than putting them in ordinary recycling.

Digital record-keeping offers clear advantages for GDPR compliance. It’s easier to encrypt, back up, control access to, and securely delete digital files. Using a GDPR-compliant practice management platform can centralise payment tracking, invoicing, and record-keeping with built-in security features, reducing the manual workload.

Retention Periods for Payment Data

Deciding how long to keep payment data is a balancing act between legal requirements and the GDPR principle of not retaining personal data longer than necessary. Under UK tax laws, financial records such as invoices, receipts, and payment logs must be kept for at least six years after the relevant accounting period to address potential HMRC queries or audits.

In contrast, therapy clinical records are typically retained for six years after the end of therapy for adults, or until a child client’s 25th birthday, as recommended by professional bodies like BACP. It’s crucial to establish a clear retention schedule that separates financial data from clinical records. Documenting this schedule shows both the ICO and your clients that you’ve carefully considered your data protection responsibilities.

Secure Deletion of Payment Data

Once payment data has reached the end of its retention period, GDPR requires secure deletion or anonymisation under its storage limitation principle. Secure deletion goes beyond simply moving files to the recycle bin or tossing paper documents - it ensures the data cannot be recovered.

For digital records, use specialised deletion tools or anonymise the data. For paper records, opt for cross-cut shredding or certified waste disposal services. If using cloud storage, confirm that your provider deletes data from both active storage and backups as outlined in your contract. Some accounting software and practice management platforms allow automated retention rules or archiving, making compliance easier.

Keeping a simple log of major deletion events - like “Invoices for FY 2017/18 shredded on 15/04/2025” - can provide evidence of compliance if questioned by the ICO or insurers.
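An added example, not from the page or from Konfidens, that applies the retention rules set out in the section above (six years after the end of the tax year a payment falls in; for clients seen as children, until their 25th birthday) and writes a deletion-log line in the form just suggested. It assumes the UK tax year runs from 6 April to 5 April and that the six years count from the 5 April that closes the payment's tax year; a 29 February birthday is rounded forward to 1 March, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

DateLike = Union[date, str]


def as_date(v: DateLike) -> date:
    """Accept a date or an ISO string such as "2017-11-10"."""
    return v if isinstance(v, date) else date.fromisoformat(v)


def uk_tax_year_start(d: date) -> int:
    """Calendar year in which the UK tax year containing d began (6 April to 5 April)."""
    return d.year if (d.month, d.day) >= (4, 6) else d.year - 1


def tax_year_label(paid_on: DateLike) -> str:
    """Label such as "FY 2017/18" for the tax year a payment falls in."""
    s = uk_tax_year_start(as_date(paid_on))
    return f"FY {s}/{(s + 1) % 100:02d}"


def hmrc_keep_until(paid_on: DateLike, years: int = 6) -> date:
    """Last day of retention: six years after the 5 April closing the payment's tax year."""
    return date(uk_tax_year_start(as_date(paid_on)) + 1 + years, 4, 5)


def twenty_fifth_birthday(dob: date) -> date:
    try:
        return dob.replace(year=dob.year + 25)
    except ValueError:
        # Born on 29 February and the target year is not a leap year: round forward
        # to 1 March (assumption made here; the later date means longer retention).
        return date(dob.year + 25, 3, 1)


def age_on(dob: date, when: date) -> int:
    """Whole years of age on a given date."""
    return when.year - dob.year - ((when.month, when.day) < (dob.month, dob.day))


@dataclass(frozen=True)
class RetentionDecision:
    keep_until: date   # last day the record must be kept
    reason: str


def retention_for(paid_on: DateLike, client_dob: Optional[DateLike] = None) -> RetentionDecision:
    """Apply both rules and keep the record for whichever runs longer."""
    paid = as_date(paid_on)
    hmrc = hmrc_keep_until(paid)
    if client_dob is not None:
        dob = as_date(client_dob)
        if age_on(dob, paid) < 18:            # client was a child when seen
            b25 = twenty_fifth_birthday(dob)
            if b25 > hmrc:
                return RetentionDecision(b25, "client seen as a child: keep until 25th birthday")
    return RetentionDecision(hmrc, f"HMRC: six years after the end of {tax_year_label(paid)}")


def due_for_deletion(records: list, today: DateLike) -> list:
    """Refs of records whose retention period ended before today.

    Each record is a dict with "ref", "paid_on" and optionally "client_dob"
    (constructed input for this example)."""
    t = as_date(today)
    return [r["ref"] for r in records
            if retention_for(r["paid_on"], r.get("client_dob")).keep_until < t]


def deletion_log_line(what: str, label: str, action: str, when: DateLike) -> str:
    """Log entry in the form the text suggests, e.g. "Invoices for FY 2017/18 shredded on 15/04/2025"."""
    return f"{what} for {label} {action} on {as_date(when):%d/%m/%Y}"


if __name__ == "__main__":
    # Constructed sample records: an adult client's invoice from FY 2017/18, a child
    # client's invoice from the same year, and a more recent one.
    sample = [
        {"ref": "INV-001", "paid_on": "2017-11-10", "client_dob": "1990-01-01"},
        {"ref": "INV-002", "paid_on": "2017-12-01", "client_dob": "2005-07-20"},
        {"ref": "INV-003", "paid_on": "2019-05-01"},
    ]
    for r in sample:
        print(r["ref"], retention_for(r["paid_on"], r.get("client_dob")))
    print(due_for_deletion(sample, "2025-04-15"))
    print(deletion_log_line("Invoices", "FY 2017/18", "shredded", "2025-04-15"))
```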

Anonymisation is another option if you want to retain financial data for analysis but without personal identifiers. For example, you could replace client names with random codes or summarise transaction totals without linking them to individuals. However, be cautious: if there’s any way to re-identify individuals, the data still counts as personal under GDPR.

Using a GDPR-compliant practice management platform like Konfidens can simplify secure deletion and retention management. These platforms are designed to handle client data, including payments, with built-in security measures, automated retention settings, and clear deletion processes, helping therapists stay compliant without the need for manual oversight.

Working with Third-Party Payment Processors and Practice Management Platforms

In the UK, many therapists rely on third-party tools for handling payments. This could be anything from card terminals and online payment gateways to comprehensive practice management platforms. Under UK GDPR, it’s vital to understand your responsibilities when using these services.

As a therapist, you’re the data controller for your clients’ payment information. This means you determine what data to collect, why you need it, and how long to keep it. The payment processor, on the other hand, acts only on your instructions. Choosing processors that follow secure storage and retention practices is how you ensure that the third-party tools you use meet GDPR requirements.

Verifying GDPR Compliance with Payment Processors

When choosing a payment processor or practice management platform, you need to confirm that they meet GDPR standards to safeguard your clients' data.

Start by checking if the provider offers a Data Processing Agreement (DPA) or Data Protection Addendum. This contract should clearly identify you as the controller and them as the processor. It must also include the terms required under Article 28 of UK GDPR. The DPA should specify that the processor acts only on your instructions, maintains strong security measures, promptly notifies you of data breaches, and assists with client data requests.

Another key factor is data location. Ensure the provider stores data within the UK or EEA. If data is transferred abroad, they must use approved safeguards like the ICO’s International Data Transfer Agreement or Standard Contractual Clauses. Many therapists prefer platforms that avoid international transfers to simplify compliance and mitigate risks.

Look for providers that document robust security measures, such as encryption for data in transit and at rest, strict access controls, and incident response procedures. For payment processors, PCI DSS compliance is crucial for securely handling card details. Reputable providers often publish their security certifications and policies online.

The DPA should also outline terms for sub-processors and provide audit logs. Additionally, assess whether the provider can support your GDPR obligations. For example, can they help you retrieve payment records for a client’s access request? Can they delete data when you ask? These capabilities are essential for demonstrating compliance.

Using GDPR-Compliant Practice Management Platforms

Many therapists in the UK are turning to integrated practice management platforms. These tools combine scheduling, session notes, video calls, and payment processing, making it easier to manage your practice while staying compliant.

Take Konfidens, for example, a platform built specifically for UK therapists. Konfidens highlights its focus on compliance, stating:

"Rest assured, your client data is secure with Konfidens. Our platform is meticulously designed to comply with the most stringent privacy, health data, and cybersecurity standards in the EU, UK, and Norway." [4]

When evaluating a platform for payment handling, prioritise features that support data minimisation and security. Opt for platforms that separate billing data from clinical records, reducing retention risks. Role-based access controls are also important, especially in group practices. For instance, administrative staff can access payment records without seeing clinical notes, while therapists may not need access to payment details. Platforms like Konfidens allow you to assign roles and control access, ensuring everyone only sees the information they need.

Choose platforms that securely manage card payments through PCI-compliant methods, eliminating the need to store sensitive data locally. Konfidens, for instance, offers a “Collect payment” feature, allowing clients to pay directly from their phones while the platform handles security and automation.

Automation can also help reduce manual errors. Features like automated invoicing, payment tracking, reminders, and data retention rules simplify compliance. However, as the controller, you remain responsible for configuring settings, reviewing permissions, and ensuring the platform aligns with your privacy policies.

Recording Third-Party Processor Use

While sole practitioners in the UK aren’t typically required to maintain a full Record of Processing Activities (ROPA) under Article 30 of UK GDPR, it’s considered good practice by the ICO and professional bodies. Keeping a simple record of your data processing activities, including the third-party processors you use, demonstrates accountability and simplifies compliance.

Maintain a straightforward record that includes details like processor names, data categories, and storage locations. For instance, note the payment gateway or platform name, the data processed (e.g., client name, email, billing details), and where it’s stored (e.g., UK, EEA, or under approved safeguards). Update this record whenever you switch providers or add new ones, and ensure your privacy notice reflects these changes.

Your privacy notice should also inform clients about the third-party processors you use. For example: “We use [Platform Name] to manage appointments and securely collect payments. [Platform Name] acts as a data processor on our behalf and stores data within the UK/EEA in accordance with GDPR.” This transparency builds trust and meets your legal obligation to inform clients about data sharing.

When onboarding a new processor, review and sign the DPA before transferring any client data. Configure security settings like two-factor authentication and strong passwords, apply role-based access controls, and ensure data retention settings align with your policies. Update your internal records, privacy notice, and client-facing contracts as needed.

Professional bodies like BACP and UKCP stress that using a GDPR-compliant platform doesn’t absolve you of responsibility as the data controller. You’re still accountable for ensuring confidentiality, security, and lawful processing. However, choosing a processor with strong security measures, clear contracts, and transparent practices can make compliance easier, allowing you to focus on what truly matters: supporting your clients.

Client Rights, Transparency, and Data Breach Management

It's crucial to ensure clients understand how their payment data is managed and how they can exercise their rights under UK GDPR. This requires clear communication, efficient handling of data requests, and solid procedures in case of any issues.

Informing Clients About Payment Data

Your privacy notice and therapy contract are the cornerstones of transparency. These documents should clearly explain what payment data you collect, why you collect it, and how you protect it - before clients commit to your services.

Typically, the payment data you collect includes the client's name, billing address, the last four digits of their card, transaction IDs, and bank transfer details. Make it clear that full card details are securely processed by your payment provider and are never stored locally.

Explain why this data is necessary: invoicing for sessions, collecting fees, managing refunds, and meeting tax and accounting requirements. UK GDPR and the Data Protection Act 2018 mandate that you disclose what data you collect, the purpose behind it, and how long you’ll keep it. Be upfront about your legal basis for processing: it’s required to fulfil your contract (providing therapy services and receiving payment) and to meet legal obligations related to accounting.

Be transparent about who receives this data. Mention your card processors, online payment platforms, accountants, or practice management systems, ensuring they are GDPR-compliant. For example, if you use Konfidens, you might state: “We use Konfidens, a GDPR-compliant platform, to manage appointments and securely collect payments. Data is stored within the UK/EEA using encryption and strict access controls.”

Let clients know how long you retain payment data, aligning with HMRC guidelines, and explain their rights. This includes the right to access, correct, erase (where legally possible), restrict processing, object, and transfer their data. Provide your contact information as the data controller and let clients know how to raise concerns with the ICO if needed.

Clarify what data is essential and what is optional. Payment data is required to provide therapy services, as sessions can’t proceed without a payment method. However, clients often have options for how they pay - bank transfer, card, or cash. Optional features, like saving card details or receiving automated reminders, should be clearly identified as choices.

Once clients are informed, it’s equally important to handle any data requests they make with efficiency and care.

Responding to Client Data Requests

Under UK GDPR, clients have the same rights over their payment data as they do over their clinical records. Having a clear process for managing these requests builds trust and accountability.

Clients may request access to their payment data, such as copies of invoices or transaction records. To handle this, maintain a Subject Access Request (SAR) procedure that covers both clinical and payment data. When a request is received, verify the client’s identity, gather the relevant data from all systems (e.g., Konfidens), and provide the information within one month. While this is typically free, a reasonable fee may apply if the request is excessive or repetitive.

Clients also have the right to correct inaccuracies. For instance, if a client reports an incorrect billing address, update your records promptly and notify any third-party processors of the correction.

Requests to delete payment data can be more complex. Clients may ask for deletion if the data is no longer needed, consent is withdrawn, or they object to processing. In some cases, such as outdated saved card tokens or duplicate records, deletion is straightforward. However, you can refuse or restrict deletion if the data must be retained to meet legal obligations or defend against claims. In such situations, explain what data will be deleted, what must be retained (and why), and inform the client of their right to lodge a complaint with the ICO.

To stay organised, keep a log of all data rights requests. Include the date of the request, the details of what was asked, the systems checked, the outcome, and the response date. This helps ensure compliance with the one-month timeframe.

Equally important is having a solid plan to handle data breaches.

Payment Data Breach Procedures

A payment data breach involves any loss, unauthorised access, alteration, or disclosure of payment-related personal data. Examples include sending an invoice to the wrong client, losing documents with sensitive payment details, or unauthorised access to payment systems.

If a breach occurs, act immediately to contain it. This might involve revoking access to compromised accounts, changing passwords, enabling multi-factor authentication, or temporarily disabling affected systems. Then, assess the situation: identify the data involved, the number of affected clients, whether the data was exposed, its encryption status, and the potential risks.

Under UK GDPR, if the breach could harm individuals' rights and freedoms, report it to the ICO within 72 hours. Your report should detail what happened, the type of data involved, the potential impact (e.g., unauthorised card use), and the steps taken to mitigate the issue.

If there’s a high risk to individuals - such as exposed payment details that could be misused - inform affected clients promptly. Your notification should explain what occurred, what data was involved, the actions taken to address the breach, and advice for clients, such as monitoring bank statements or contacting their card issuer.

Maintain a breach log to document the incident. Include details about how it happened, the data affected, the number of individuals involved, your risk assessment, and the actions taken. This demonstrates accountability and helps identify any recurring issues.

After resolving the breach, review your security measures to prevent future incidents. This could mean strengthening passwords, enabling multi-factor authentication, updating encryption protocols, or providing additional staff training. If a third-party processor was involved, assess their security practices and review your contract with them. A thorough breach response plan - covering detection, containment, assessment, and communication - is key to protecting your clients and maintaining their trust in your services.

Conclusion

Managing payment data under UK GDPR requires therapists to navigate legal responsibilities, maintain client trust, and implement effective security measures. The key principles are simple: handle payment information lawfully and transparently, limit data collection to what’s necessary, ensure its security, and retain it only for the required period - typically six years for HMRC purposes or until a minor turns 25.

To achieve this, your privacy notice and therapy contract should clearly outline your data practices. Clients must be informed about their rights to access, correct, or request deletion of their data, and you should be ready to respond to such requests within one month.

Security is non-negotiable. Use encrypted devices, strong passwords, and multi-factor authentication. Full card details should only be processed within PCI-DSS compliant systems. If you work with third-party payment processors, confirm their GDPR compliance and have a data processing agreement in place. Maintain a detailed record of all processors, including the services they provide, their location, and their compliance status.

Being prepared for potential breaches is equally important. If a breach occurs, act quickly: contain the issue, assess the risks, and report to the ICO within 72 hours if necessary. Inform affected clients promptly and document every step you take to show accountability. Regularly reviewing and updating your security measures can help prevent future incidents.

Professional organisations like BACP, UKCP, and BPC continue to provide detailed GDPR guidance and checklists. These resources highlight the importance of having documented policies, clear data retention schedules, and robust breach procedures. Failing to comply doesn’t just risk ICO enforcement - it can also damage client trust and your professional reputation.

Take a moment to review your privacy notices and retention policies. Are your security measures up to standard? For a streamlined approach, consider using a GDPR-compliant platform like Konfidens. Designed in Europe to meet strict privacy and cybersecurity standards across the EU, UK, and Norway, Konfidens integrates scheduling, secure session notes, video calls, and payment collection into one secure system. It automates payment processes, allowing clients to pay conveniently from their phones, while ensuring data is encrypted and access is tightly controlled. As Jonas S., a Clinical Psychologist, shared:

"It gives me great peace to use Konfidens."

Managing payment data responsibly under GDPR doesn’t just fulfil legal requirements - it builds client trust and reinforces the professional integrity that is vital in therapy.

FAQs

How can therapists ensure they handle payment data in compliance with GDPR?

Therapists need to follow specific steps to handle payment data in line with GDPR requirements. To start, it's essential to use secure systems built to meet GDPR standards. This means ensuring payment data is encrypted, stored safely, and accessible only to authorised individuals.

It's also crucial to provide clients with clear privacy policies. These policies should explain how their payment information is used and stored. Regular updates to these policies, along with periodic audits of data handling practices, can help maintain compliance and foster client trust.

Opting for a GDPR-compliant platform can make this process more manageable. Such platforms combine secure payment collection with practice management tools, ensuring data security and compliance are prioritised throughout.

How should therapists explain their payment data processing to clients?

Therapists need to be upfront about how they manage payment data to ease any concerns clients may have about privacy and compliance with GDPR. One way to achieve this is by explaining the measures taken to safeguard sensitive information - such as using secure, GDPR-compliant platforms for processing payments.

It's also important to provide clients with a clear and concise privacy notice. This document should outline how payment data is collected, stored, and used. By being transparent, therapists can build trust and help clients feel assured about the security of their personal information.

What steps should therapists take if there's a payment data breach under GDPR?

If you face a payment data breach, taking swift action is crucial to limit the damage and comply with GDPR regulations. Start by evaluating the breach to understand the type of data involved and the potential risks. If the breach is likely to cause harm, you must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Your report should explain what happened, the possible consequences, and the steps you're taking to address the situation.

If the breach significantly threatens individuals' rights or privacy, you'll also need to notify affected clients. Be open about what occurred, provide advice on how they can protect themselves, and share the measures you're putting in place to prevent similar issues in the future. Lastly, take this as an opportunity to review and strengthen your data protection practices. Using GDPR-compliant tools, such as Konfidens, can help you manage payment data securely and reduce risks going forward.

Last edited:
December 7, 2025
Healthcare Innovation manager & Marketing Expert
