The GDPR replaces the 1998 Data Protection Act to ensure your personal and sensitive, confidential data is kept private and held securely, being processed in the way that you have agreed to. It is there to protect your rights as a consumer of a service or product that might involve your identifiable data, e.g. your name and address or whether you have a specific condition. It also covers any session records, text messages or emails we exchange.
If you are a parent/ adult your data is kept for 7 years after psychotherapy sessions have finished for insurance purposes. After 7 years your electronic data is permanently deleted and your paper-based data is shredded with a cross-cut shredding machine.
If you are a child your data is kept until the month after your 25th birthday, or your 26th birthday if you are aged 17 when psychotherapy sessions end. At this point your electronic data is permanently deleted and your paper-based data is shredded with a cross-cut shredding machine.
Everything you talk about during your sessions is strictly confidential. In accordance with the BACP Ethical Framework, All therapists consult a supervisor on a regular basis to ensure their practice is ethical and that they are working in the best interests of their clients. Supervisor's are not not told name or contact details and does not have direct access to written records of your electronic or hard-copy data. The supervisor also adheres to the GDPR.
Client records There is a duty to keep records appropriate to the service provided, and these may be protected by a degree of pseudonymisation, see Glossary and (GPiA 105). Appropriate records are adequate, relevant and limited to what is necessary. The decision about what is appropriate will take into account the ethical and legal requirements for processing (includes making, keeping, using and sharing) records. See Information Commissioner’s Office www.ico.org.uk for the latest information, and (BACP 2018 C2e)
Pseudonymised information is regarded as personal data, and subject to the data protection law. By contrast, completely anonymised information ceases to be ‘personal data’ with the associated legal requirements and protection when any means of identifying the person concerned has been genuinely and irreversibly removed. The GDPR is very clear: The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This regulation does not therefore concern the processing of anonymous information, including for statistical or research purposes. (GDPR (26)) Ethical Framework, Good Practice, points 55g, 78, 83a.
Therapists working with children and young people will need to have valid consent to enter into the therapeutic contract. The legal issues surrounding work with children and young people are complex because of the requirement to provide services for children in need and to protect children from abuse. Not all parents have the power to make decisions for their children. The ability of a parent, or anyone else, to make a decision for their child depends on whether they have ‘parental responsibility’, which is the legal basis for making decisions about a child, including consent for medical or therapeutic treatment.