The short answer is “yes”. Read on for a more detailed analysis!
If you are starting or running a psychology private practice then you have many responsibilities. Client care is going to be first and foremost. In treating clients you will be taking measures to ensure you are providing them with a safe space in which to receive treatment. It goes without saying that client privacy is extremely important in psychology practices, but this begins before therapy sessions even begin - it starts with the personal data you collect when the relationship is established.
As a private practice handling client information, you will need to know a little about data protection. You can find some quick answers to common data protection queries on my blog Data Privacy, GDPR and Data Protection Must Knows. In this article though, we’ll look more specifically at psychology practices, what kind of data you'll be handling and when you need to get consent for data collection and processing.
Data Protection Guidance For Psychology Private Practices
If you are going to collect, process and/or store anyone’s data then you need to be compliant with GDPR (General Data Protection Regulation). You must also register with the ICO (Information Commissioner’s Office) and pay the fee (unless you are exempt).
Data refers to any information whether it can or cannot be used to identify the individual, although identifying data will often be viewed as more personal and therefore more confidential.
Do You Need To Get Data Consent From Clients?
Consent refers to permission. In business, it is best practice and often a legal requirement to obtain permission to collect and/or keep certain data on people, although there are a few exceptions/alternatives to consent.
Consent may be given as part of a form or agreement, usually by ticking a box online or signing a document. This agreement may be part of a wider agreement, such as terms and conditions, or it can be a separate stand-alone document.
Anyone being asked to give data consent should be able to access information regarding:
Why the data is required
What it might be used for
Whether third parties may have access
How this data will be stored and for how long for
How their data will be protected and how it will be destroyed when required
Information regarding the above may be summarised or be provided in a separate document which is accessible to the prospective signatory (usually in the form of a privacy policy - which you can store on your practice’s website). It is important, when asking any person to sign any kind of legally-binding contract, that they are provided with all relevant information - usually best done by sign-posting your privacy policy, so people know where to go to find this information.
Under GDPR, every person also has the right to access their data and has the right for that data to be destroyed should they wish it to be.
Processing Special Category Data As A Private Psychology Practice
As a private psychology practice, you will likely be processing special category data. This refers to information that is considered more personal and therefore in need of further protection. This can include health data, political opinions, religious beliefs, sexual orientation and other more sensitive information. As a private psychology practice, the special category data you’ll likely need to collect and use will fall under health.
GDPR prohibits the collection of special category data, except in specific cases. Article 9 of GDPR lists these exception clauses as:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)
Psychology practitioners will usually be able to use 'health or social care' as their reason for being exempt from the ban on processing special category data.
What do I need to consider with the Health or Social Care Exemption?
Article 9(2)(h) permits you to process health data under certain conditions. These have been set out in UK law in the Data Protection Act 2018, in Schedule 1 condition 2. This condition covers the following purposes:
preventive or occupational medicine;
the assessment of an employee’s working capacity;
medical diagnosis;
the provision of health care or treatment;
the provision of social care (this is likely to include social work, personal care and social support services); or
the management of health care systems or services or social care systems or services.
Article 9(3) of the UK GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes:
(a) a health professional or a social work professional; or (b) another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
Section 204 of the Data Protection Act 2018 defines the terms “health professional” and “social work professional”. You should check the full details of section 204 where relevant, but as a guide this includes doctors and so you will be covered if you are a registered clinical psychologist.
This means, in theory, that you can collect health data about your clients (without getting an explicit consent) if you are a registered doctor (clinical psychologist) and you need that health data for the provision of health care and treatment (i.e. psychology therapy services).
….take note though, because here comes the “but”...
However, 'explicit consent' is always the best option if at all possible. ICO guidance states that in order to rely on many of the conditions under Article 9, you have to demonstrate that it would not be reasonable to obtain consent from individuals, implying a preference for reliance upon consent. Therefore if you have client on-boarding forms and you are already getting clients to tick a box agreeing to your terms, then you should also get them to tick a box for consent to collect and process their health data.
In addition to meeting one of the above clauses for being exempt from the prohibition of special category data processing, you’ll also need to be compliant with Article 6 of UK GDPR.
This means at least one of the following conditions needs to apply in order for you to legally process special category data:
(a) Consent - Specific consent has been given
(b) Contractual - Processing is necessary in order to meet the obligations of a contractual agreement between you and the data subject, or because they have asked you to take specific steps before entering into a contract
(c) Legal Obligation - The processing is necessary for you to comply with the law (not including contractual obligations)
(d) Vital Interests - Processing is necessary to protect someone’s life.
(e) Public task - Processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate Interests - Processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
Private psychology practices will most likely be able to fulfill at least the first and second conditions though others may be relevant in specific situations.
As advised, both by the ICO (Information Commissioner’s Office) and the BPS (British Psychology Society), wherever possible, getting explicit consent from the patient to process their data is by far the most secure and ethical option. This is usually possible for psychology practices to obtain when patients fill in their forms to become therapy clients. Simply include a consent box specifically for data processing. Please be mindful though that consent should be presented as an opt-in and not assumed. Therefore, do not use pre-ticked boxes or other forms of default consent.
The ICO acknowledges that the GDPR does not provide a clear distinction between consent and explicit consent. However, the ICO provides that the “extra requirements for consent to be ‘explicit’ are likely to be”: (i) a clear statement (oral or written); (ii) it must specify the nature of the special category data; and (iii) the consent should be separate from any other consent. So something like the following:
“By ticking this consent box, I agree for you to collect and process my health data, in accordance with your privacy policy, for the purpose of providing your therapy services to me.”
Privacy Policy
Don’t forget to ensure your privacy policy is up to date and covers your use of special category data.
You need to have a separate section in your privacy policy setting out the types of special category data you collect about clients (so maybe something like “information about your health, including information about your existing and previous medical conditions, medication/prescription details, psychiatric history and any other relevant health information to enable us to carry out our services to you”).
You also need to state how that health data is being stored by you, who you are sharing it with and how long you’ll be keeping it.
Protecting Special Category Data As A Private Therapy Practice
Not only is protecting data a legal obligation, but it is also essential for your reputation and ability to maintain trust with your clients. Therefore, you need to be aware of the risks of processing special category data.
You must be able to justify why processing of this specific data is ‘necessary’ - it must be a reasonable and proportionate way of achieving one of these purposes, and you must not have more data than you need.
All businesses handling personal data should carry out a data protection impact assessment (DPIA). This will help you to identify risks and put in place appropriate protections and procedures.
Legal Advice For Psychology Private Practices
If you’re starting or running a private psychology practice, then check out my Top Tips for Therapy Businesses for a quick run-down of essential legal considerations.
To make sure you’re legally compliant, protected and have all the right documents in place though, you may wish to consider working with me. As an independent commercial lawyer, I have worked with over 100 clinical psychologists, helping them to set up private practices that meet with legal requirements, and providing them with specific agreements and contracts as well as advice on data protection, business structure and much more.
I work with psychology private practices putting together bespoke agreements and offering legal advice. However, I have also created a package of contract templates suitable for clinical psychologists setting up in private practice. Find out more about my legal services for psychology private practices.
Commentaires