Privacy, confidentiality and data protection
We were all too familiar with the barrage of emails from companies requesting permission to use our personal data as part of their mailing lists when the EU's General Data Protection Regulation (GDPR) came into force on 25 May 2018. This was one of the most wide-reaching changes to data privacy regulation intended for the digital era, and it has implications for therapists working in the field of mental health. Under GDPR, all psychotherapists are probably Data Controllers: they process personal information about their patients, use that information in particular ways (such as preparing invoices or writing patient notes), carry out this processing as part of a treatment contract, exercise professional judgement when processing that data, have a direct relationship with the patients who are the subjects of that data, and have autonomy as to how they process it. Being a Data Controller comes with stringent data protection obligations.
The Information Commissioner's Office (ICO) is the UK's independent authority established to uphold information rights in the public interest, including transparency of public bodies and data privacy for individuals. Controllers shoulder the highest level of compliance responsibility, having to demonstrate compliance with all the data protection principles as well as other GDPR requirements. You are also responsible for the compliance of your processors, namely anyone appointed to process data on your behalf, such as an administrator, receptionist or accountant. Controllers in the UK must register with the ICO (www.ico.org.uk) and pay the data protection fee, unless they are exempt. If you are outside the UK, it is worth identifying whether you have to register with a similar type of agency. The ICO website contains useful information about how you need to keep patient information safe.
The GDPR legislation obligates us to:
a Maintain an internal record of all processing activity;
b Record the purpose of the processing;
c Keep a description of the technological or organisational measures taken to ensure a level of security.
We are required to have clear consent from our patients to process their personal data for the specific purposes we have set out, for example, to contact them if you have to change their appointment time or to write to their GP to advise that they have commenced treatment. Any concerns about the safety of your patient will override considerations of data security; however, it is still important to share only the absolute minimum amount of data necessary.
Patients have the right to be informed about the collection and use of their data. They should be notified of the purpose of the data collection, retention periods, the lawful basis for that processing and with whom the data will be shared. This can be done via a privacy notice, worded in clear and plain language (we have included an example in Appendix 5), which therapists can upload onto their practice websites. Patients can withdraw consent at any point. Again, the only exception to this consent is a safeguarding concern, where the legal obligation to keep the patient or someone else safe overrides data protection. Patients can request access to their data, and therapists are required to respond to those requests within 40 calendar days. This has a bearing on the type of clinical notes you keep. Increasingly, we need to think about writing notes that the patient could read. It is possible to redact certain information if you feel that reading it would be harmful to the patient. Consider also how you keep notes about your patients - are these typed or hand-written on a tablet or in a notebook? Paper notes need to be locked away securely, while electronic notes can be password protected.
The patient also has a right to be forgotten. This means that all records should be destroyed once you have completed working with a patient or in the event that they drop out of treatment. If a patient does not want you to have any contact with their GP, for example, you will need to consider the risks attached to this and whether you feel able to continue seeing the patient in your private practice without that support. Box 14.1 has a list of useful prompts for applying these principles to your clinical practice.
Box 14.1 Some aspects of GDPR to consider for your practice:
- Do you keep all patient information under password or lock?
- Do you have a locked filing cabinet?
- Is your computer, laptop, iPad or mobile phone password protected?
- If you transfer files to anyone, do you encrypt and password protect them, as well as sending the password by separate email?
- Do you have a privacy notice on your website or in your contract with patients? It is important to let your patients know how you will be using their personal data and the purpose of it.
- How long do you keep patient records for?
- Do you shred confidential information and dispose of it safely?
When working remotely with patients, we also have to consider that the confidentiality of the setting is now a shared responsibility, which both patient and therapist must ensure. The ability to discuss issues relating to confidentiality and data protection is another British Association for Counselling and Psychotherapy (2020, p. 11) competence for remote working and includes the following aspects:
- Helping patients maintain and protect their confidentiality and data security when using their own equipment;
- Negotiating to ensure that any therapeutic records are kept confidential;
- Discussing how patient data will be protected, for example through encryption;
- Discussing limits of confidentiality, for example, making patients aware if you will be discussing anonymised clinical material with a supervisor.
To this we would add regularly updating virus protection and software, using an encrypted platform that offers a secure way of carrying out therapy, encouraging patients to use headphones to allow a greater degree of confidentiality during sessions, and ensuring you have a reliable Internet service and a charger for your phone or laptop if needed. Just as with the revised hierarchy of needs, we cannot carry out this way of working unless we have WiFi and battery. Your WiFi can be improved by signing up for speedier broadband, by upgrading your router to a newer model and/or by using a WiFi extender where you are not plugging your computer directly into the router.