Compliance with GDPR (General Data Protection Regulations) is important for every business but especially for those who handle particularly sensitive data, such as private psychology practitioners. As you’ll be dealing with highly personal information, and taking notes on client therapy sessions, you’ll need to ensure this data is kept confidential.There are strict rules around data consent for private psychology practices. You’ll need to register with the ICO (Information Commissioner’s Office) and pay the fee (unless you are exempt). To find out more about data consent see our guide - Psychology Private Practices - Do I Need To Get Data Consents?
Data retention, though, refers to the period of time you may keep client records, including personal data and any paperwork or notes (whether physical or digital).
NHS Psychologist Data Retention Periods
The NHS (National Health Service) has specific rules for how long they may keep patient data. Data collected in the course of treatment given under the Mental Health Act 1983 can be retained for 20 years, or else for 10 years after the client’s death.
Data Retention Periods For Private Practice Psychologists
Data retention periods for private psychology practices are less fixed. Not having regulations in place can make it challenging for private practice psychologists to decide what is a reasonable amount of time to hold client records and personal data. However, there are industry bodies and councils you may take guidance from.
The HCPC (Health and Care Professionals Council) for example, advises taking guidance from the Records Management Code Of Practice for Health and Social Care (2021) which sets the standards for data retention that the NHS is subject to. The BMA (British Medical Association) points to the same guidelines. These state that data may be retained for 20 years after treatment or 10 years after death. Although these standards are only enforceable for the NHS, many clinical psychologists adopt these guidelines for their data protection policy and data management procedures. However, the BPS (British Psychological Society) recommends that private practice psychologists keep records for a shorter period of 7 years.
Responsible Data Processes For Psychology Practitioners
When it comes to clinical care, there are regulations around how you collect data and data consent. As discussed, there is also guidance as to lengths of data retention, though no specific rules for private practitioners. What is also vital though, is knowing what is expected of you in the way you handle, process and store this data whilst it is in your care.
Your Privacy Policy should outline how you intend to protect personal data. It is a legal requirement to have a privacy policy that is available to clients and meets with data protection laws (currently GDPR). As a commercial solicitor specialising in psychology legal services, Aubergine Legal can create a bespoke privacy policy for you that ensures you are both compliant with UK law and following guidance set out by relevant governing bodies.
Again, the NHS guidelines provide a good framework for all mental health practitioners to follow concerning data protection procedures. They underline the importance of creating a policy that helps you devise a record management system. The HCPS also offer extensive advice on completing records within a fixed timeframe and using digital record-keeping tools, which you can find here.
In terms of legal compliance with data protection, you should be ensuring the following:
Records are secure - protected digitally or, if in paper form, stored in a secure place where they cannot be accessed by anyone else
Records should be accurate, detailed and up-to-date
Language used in notes and personal records should be clear and understandable
Data collection should adhere to the purposes stated when data consent was given.
As a clinical psychologist, you will no doubt already know the importance of confidentiality. So, make sure that you create procedures and leverage technology that can help you safeguard your clients and their information.
Data Retention Guidelines For Working With Children
In terms of data retention for clients under the age of 18, again there are no set regulations for private practice psychologists. However, the HCPC, the BMA and the BPS all urge referring to the NHS guidelines. These advise that children’s data be retained until their 25th birthday, or else their 26th if the patient was 17 when treatment ended.
Understanding Data Protection In Private Psychology Practice
If you require any more guidance regarding data retention for private clients at your clinic, please download my free Guide To Data Retention In Psychology. However, since there are no set rules, the overriding advice is to take the lead from other relevant laws (that around data protection and those around patient care) and use your professional judgement.
Most importantly, you must have processes and procedures in place and these must be written and available to your clients. These uphold your clients’ rights to know how their data will be collected, processed and stored (including how long for), as well protecting your business.
Aubergine Legal specialise in legal services for clinical psychologists and offer the following services:
Client Therapy Terms & Conditions
Client Privacy & Cookie Policies
Client Consents
Website Terms & Conditions
Associate Agreement
Supervision Agreement
Virtual Assistant Agreement
Clinical Wills
Sale of Online Content Terms & Conditions
Advice on Data Protection Compliance
Advice on setting up and how to structure your business
Advice on how to create and protect your brand
Drafting bespoke Service Agreements with other organisations/businessesÂ
Intellectual Property advice
Please get in touch if we can assist you with any of the above and we can get you booked for a free consultation.