What Therapists need to know about Storing Notes/Docs in Private Practice
We talk security, what to do if a client asks for their note. If a court orders your notes. How long should you keep notes for, getting consent to share information Download a note taking template
The question of whether to even keep notes of clients' sessions can be quite a complex and delicate matter that requires careful consideration. Some therapeutic models argue that note-keeping can potentially interfere with the therapeutic process.
The guidance and recommendations surrounding this issue may vary depending on the specific modality of your work. However, there is a general trend leaning towards an expectation that therapists will maintain session notes to capture the key points and insights.
Some therapists find it helpful to jot down brief notes during the session and expand on them later. Others prefer relying on their memory and writing a comprehensive note afterwards. The principle I’ve always maintained is that my notes guide the therapy I’m delivering, so I briefly outline what I’ve done in one session and what I want to consider or plan for the next session. The new data protection requirements mean that we should only take or hold information that we require for the service we deliver, so this seems to fit well. Once you have written notes or your client has completed an initial contact form, the question then arises: how should they be stored?
Many therapists opt for electronic note-keeping in today's digital age due to its convenience and efficiency. I highly recommend this option for its ease of use and enhanced security, although it may come with a cost. If you choose the digital route, ensure that you select a platform that is not only user-friendly but also prioritises data protection. I think these systems are more secure and, ultimately, save you time and money. Two popular clinical systems are writeupp that I use and power diary.
If you are a pen-and-paper therapist, make sure your physical notes are stored in a secure, locked location and you have a clear policy of how you will look after data in your private practice.
Regardless of the method you choose, security should always be a top priority.
Start with a clear policy for note storage and review it regularly to align with data protection legislation. It's advisable to consult your insurance company to confirm the duration for which you need to retain notes. Typically, it is seven years for adults, and if you work with children, you keep the notes until the child reaches 18 and then an additional seven years. However, it's always a good practice to check with your insurers in case these guidelines change. Safeguarding the privacy and confidentiality of your client's information is paramount, so taking proactive measures to ensure secure note-keeping is vital.
Clients should understand therapists may find it helpful to take notes during sessions. Explain these tend to be brief and designed to help them keep track of topics/themes covered in therapy. Highlight the fact notes in locked cabinets or password-protected documents on a secure platform or practitioner computers per the data protection act and GDPR.
Do you need a Data Processing Agreement?
If you have anybody else in your private practice that might see sensitive data then you need to have a GDPR Data Processing Agreement (DPA). An example would be if you work with an administrator and they are processing personal data on your behalf as a data processor.
An administrator may handle various administrative tasks related to your therapeutic practice, such as managing client appointments, organising client records, or handling billing and invoicing. Since administrators have access to personal data and perform tasks that involve data processing, it is essential to have a DPA in place.
The DPA outlines the responsibilities and obligations of both parties regarding data protection, ensuring compliance with the General Data Protection Regulation (GDPR) requirements. It helps protect the confidentiality, integrity, and security of personal data and establishes a clear framework for data processing activities carried out by the administrator on your behalf.
Registered with the ICO
As a therapist, registering with the Information Commissioner's Office (ICO) is essential for ensuring compliance with data protection regulations and upholding client confidentiality. The ICO is the UK's independent authority responsible for enforcing the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. By registering with the ICO, therapists demonstrate their commitment to protecting personal data and maintaining high standards of data security. Registering provides therapists with access to valuable resources and guidance on data protection requirements, helping them navigate complex legal obligations. It also serves as a means of transparency, assuring clients that their personal information is handled in accordance with established regulations. Registering with the ICO promotes accountability, professionalism, and trust, strengthening the therapist-client relationship and safeguarding the rights and privacy of individuals seeking therapy.
If you are holding sensitive data about others you need to register with the ICO. You’ll likely need to pay £40 for the privilege.
In this next section, for paid subscribers, we go more in-depth with guidelines for Storing paper notes and sensitive data, how long you should keep notes and data and why, how to deal with data breaches, and what to do if your client requests to see their notes if they want to have them altered or destroyed. We’ve covered enough that you should be able to pull together the information you need to create your own individualised Data Policy.
If you have any questions, just let us know in the comments section!