If you work in private practice as a life coach, business coach, therapist, counsellor, or psychologist, you hold some of the most intimate personal data that exists. Your clients trust you with details of their mental health, relationships, trauma histories, and the parts of their lives they have never told anyone else. That trust creates both an ethical obligation and a legal one.
GDPR is not only a concern for large healthcare organisations. It applies to sole traders and micro-businesses too — including single-practitioner coaching and therapy practices. And because the data involved is so sensitive, the compliance stakes are higher than for most small businesses.
This guide covers what GDPR requires of coaches and therapists in private practice, from session notes to scheduling tools to what happens when you eventually close your practice.
Why Therapy and Coaching Data Is Some of the Most Sensitive Data That Exists
GDPR creates two tiers of personal data. Ordinary personal data — names, addresses, email addresses — requires a lawful basis to process. Special category data — including health data, data revealing mental health conditions, and data concerning sex life or sexual orientation — is subject to a higher level of protection under Article 9 of GDPR.
For therapists, counsellors, and psychologists, virtually all client data is special category health data. Session notes describing a client's depression, anxiety, trauma responses, or relationship difficulties are health data. A client's diagnosis, if disclosed, is health data. Even the fact that someone is attending therapy — without any details — arguably constitutes health information, because it implies they have a reason to seek professional mental health support.
For life coaches and business coaches, the position is more nuanced. Coaching is not a regulated health profession in the UK, and pure business coaching typically does not involve health data. However, many coaches work in areas that blur the line — burnout coaching, relationship coaching, grief coaching, and resilience coaching frequently involve discussions of mental health, bereavement, relationship breakdown, and personal trauma. If your coaching sessions involve a client disclosing mental health information, you may be processing special category data whether you intended to or not.
The practical implication: if there is any possibility your work touches on health, mental health, or deeply personal matters, treat your client data as special category data and apply the higher standard.
Lawful Basis for Processing Client Data
For Therapists: Explicit Consent and Article 9
Under GDPR, processing special category health data requires both a lawful basis under Article 6 and a condition under Article 9(2).
For therapists in private practice, the most appropriate Article 6 basis is typically Article 6(1)(b) — performance of a contract (the therapy agreement between you and the client). However, because health data is involved, you also need an Article 9 condition. The most commonly used conditions for therapists are:
- Article 9(2)(h): Processing necessary for the purposes of health or social care or the management of health care systems. This applies where you are providing a health-adjacent professional service.
- Article 9(2)(a): Explicit consent. The data subject has given explicit consent to the processing of their special category data for specific purposes.
In practice, most private practice therapists use explicit consent as their Article 9 condition, obtained through a clear client agreement signed before therapy begins. This is the cleanest approach in private practice where there is no NHS contract or professional regulatory structure mandating processing.
Important: explicit consent under Article 9 must be specific about what health data is being processed and why. A generic "I agree to the terms and conditions" is not sufficient. Your client agreement should state clearly that you will hold notes of your sessions, what those notes will contain, how long you will retain them, and who might see them.
For Coaches: Contract as Lawful Basis
For coaches whose work does not involve health data, Article 6(1)(b) (performance of a contract) is typically sufficient as the lawful basis for processing. You are processing a client's name, contact details, and session notes because it is necessary to deliver the coaching service they have contracted for.
If your coaching work does touch on health or mental health matters, you should treat your data as special category and obtain explicit Article 9 consent, as described above.
What Your Client Agreement and Privacy Notice Must Include
Your client agreement — sometimes called a contract, service agreement, or terms and conditions — is your primary compliance document. Under GDPR's transparency principle, clients have the right to know, at the time their data is collected, exactly what you will do with it.
Your client agreement or accompanying privacy notice must cover:
Identity and contact details: Your name (or your practice name), address, and contact details. If you have a data protection representative, their details too.
What data you collect: Be specific. Name, address, contact details, payment information, session notes, any assessments or questionnaires, referral information.
Why you collect it and your lawful basis: For each category of data, explain the purpose and your lawful basis (contract performance, legal obligation, explicit consent).
Article 9 disclosure for health data: If you are processing health data, state this explicitly. Name the Article 9 condition you rely on (typically explicit consent or Article 9(2)(h)).
Who you share data with: Supervisors (see below), referral practitioners, payment processors, your scheduling tool, any cloud storage providers.
How long you retain data: Your retention periods for session notes, payment records, and other data.
Client rights: The right to access their data, correct it, request deletion (with caveats if legal obligations require retention), and to withdraw consent.
How to make a complaint: Information about the right to complain to the Information Commissioner's Office (ICO) in the UK.
This information can be contained in the contract itself, in a separate privacy notice, or in both. The key is that the client receives it before or at the point of data collection — not after they have already shared sensitive information with you.
Session Notes: Storage, Access, and Security
Session notes are the core of your clinical or coaching record — and they are likely to be the most sensitive data you hold.
Storing session notes securely means:
No paper notes left unsecured: If you keep handwritten notes, they must be stored in a locked filing cabinet in a secure location. Paper notes left on a desk, in an unlocked drawer, or at a shared workspace are a data breach waiting to happen.
Encrypted digital storage: If you keep digital notes — in a Word document, Google Doc, clinical notes app, or practice management system — the storage must be encrypted. Use a dedicated practice management platform (Cliniko, Jane App, SimplePractice, WriteUpp) that is designed for clinical records, rather than consumer tools like Google Docs or a plain folder on your desktop.
No personal devices without encryption: Avoid keeping client notes on a personal phone or unencrypted laptop. If your laptop is stolen, unencrypted files are accessible to whoever has the device.
Cloud storage location: If you use cloud-based note-keeping, check where data is stored. Services that store data in the US without appropriate safeguards (Standard Contractual Clauses) create data transfer compliance issues under UK GDPR.
Supervision: Most therapists work under clinical supervision. Discussing a client in supervision involves disclosing personal data to a third party. Your privacy notice should inform clients that you receive clinical supervision and that anonymised or identified details may be discussed with your supervisor as part of your professional practice. Your supervisor should handle that information confidentially and in compliance with their own data protection obligations.
Online Session Platforms: Zoom, Teams, and Google Meet as Data Processors
If you deliver sessions online — which most coaches and therapists do, at least some of the time — the platform you use is a data processor under GDPR. The platform processes personal data (video, audio, potentially chat messages) on your behalf, according to your instructions.
This creates specific obligations:
Data Processing Agreements: You must have a Data Processing Agreement (DPA) in place with your video platform provider. Zoom, Microsoft Teams, and Google Meet all offer DPAs — but you typically need to locate and accept them rather than assuming they are in place.
Recording: If you record sessions, you need explicit consent from the client before recording. Recording without consent is both a GDPR issue and an ethical one. Be specific about what recordings will be used for, who can access them, and how long they are retained. In most cases, therapists should not record sessions unless there is a specific clinical or supervisory reason.
Platform security: Use a platform that supports end-to-end encryption where possible. Enable waiting rooms and password-protect sessions to prevent uninvited access.
Free tiers: Be cautious about free tiers of consumer video tools. Some free plans use data for product improvement or advertising purposes. Review the terms before using any free tool for client sessions.
Scheduling and Booking Tools: Calendly, Acuity, and Others
If clients book their own appointments through a scheduling tool, that tool also becomes a data processor. Calendly, Acuity Scheduling, and similar services collect names, email addresses, and potentially phone numbers and appointment details.
Points to consider:
- DPAs: Calendly and Acuity both offer DPAs. Ensure you have one in place.
- Data retention: Check how long the scheduling tool retains booking data. Client names and contact details in a scheduling system may persist long after the therapeutic relationship has ended.
- Minimisation: Only collect what you need for scheduling. A booking form asking for detailed medical history is unnecessary and creates risk.
- Privacy notice reference: Your booking page should link to your privacy notice so clients know their data is being processed before they enter it.
Payment Data and Financial Records
When clients pay for sessions — by card, bank transfer, or through a payment processor — you collect and retain financial data.
Payment processors: Services like Stripe, Square, or PayPal process payment card data on your behalf. They are data processors. You should have DPAs in place and should not store raw card data yourself — use the processor's hosted payment tools instead.
Invoices and receipts: Financial records must be retained for tax and accounting purposes. In the UK, HMRC requires business records to be kept for at least six years. This is a legal obligation (Article 6(1)(c)) that overrides a client's right to erasure for financial records — you can legitimately decline to delete an invoice, even if a client requests deletion under GDPR.
Confidentiality of financial records: A client's payment history reveals that they are your client. Protect financial records with the same care as clinical notes.
Client Referral Data and Confidentiality
Coaches and therapists regularly give and receive referrals — you might refer a client to a psychiatrist, a GP, or a specialist therapist, or receive referrals from other practitioners.
Outgoing referrals: When you refer a client, you are disclosing personal data — and typically health data — to another practitioner. You need a lawful basis for this disclosure. Your client agreement should inform clients that you may make referrals in their interest, and ideally should obtain explicit consent for referrals that involve sharing detailed clinical information.
Incoming referrals: When a colleague refers a client to you, the referring practitioner has disclosed the client's personal data. Ensure you understand what data was shared and why, and that it is handled in accordance with your privacy notice from the moment you receive it.
The minimum necessary principle: When making referrals, share only the information necessary for the referral purpose. A GP referral letter does not need to contain every detail of a client's history — only what is clinically relevant to the referral.
What Happens to Client Data If You Retire or Sell Your Practice
This is one of the most overlooked areas of data protection in private practice, and one of the most important.
Retirement or cessation of practice: When you stop practising, you have an obligation to ensure client records are not simply abandoned. You need a plan for:
- Notifying clients that you are closing your practice, and informing them of how their records will be handled.
- Transferring records to another practitioner (with client consent) or to a secure archive.
- Establishing who will handle data subject access requests after you cease practising.
- Ensuring records are eventually deleted once retention periods expire.
Professional bodies — BACP, UKCP, BPS, and others — have guidance on closing a practice responsibly. This guidance typically requires that records are held securely for the required retention period even after you stop seeing clients.
Selling your practice: If you sell your practice to another practitioner or a group, client records may be transferred as part of the sale. This is a significant data processing event. Clients should be notified of the transfer, told who will be holding their records, and given the option to request deletion or collection of their data before the transfer. A practice sale does not automatically transfer client consent — the new owner needs a fresh lawful basis to process ongoing relationships with those clients.
How Long to Keep Session Notes
Retention is one of the most confusing areas of compliance for therapists and coaches, because professional body requirements do not always align neatly with GDPR's storage limitation principle.
Professional Body Requirements
Different professional bodies have different guidance:
- BACP (British Association for Counselling and Psychotherapy): Recommends retaining adult client records for 7 years after the end of the therapeutic relationship. For records relating to children, recommends retaining until the child turns 25 (or 26 if they were 17 when therapy ended).
- UKCP (United Kingdom Council for Psychotherapy): Similar guidance — typically 7 years for adult records.
- BPS (British Psychological Society): Recommends 7 years for most clinical records, with longer periods in some circumstances.
- BACP and UKCP also note that longer retention may be appropriate where there is any possibility of future legal proceedings.
- ICF (International Coaching Federation): Coaching (non-clinical) records typically have shorter recommended retention periods — often 5 years — but check your professional body's current guidance.
The GDPR Position
GDPR requires you to delete personal data once it is no longer necessary for the purpose for which it was collected (the storage limitation principle). Professional body retention requirements give you a lawful basis to retain records for those specified periods — but you should delete records once the retention period expires, not keep them indefinitely.
In practice: Document your retention schedule. State it in your privacy notice. Implement a process for reviewing and securely deleting records once retention periods expire. Secure deletion means shredding paper records and using software deletion tools (not just moving files to the recycle bin) for digital records.
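As an added example that is not part of the original post, the following Python encodes the retention periods stated above (adult clinical records 7 years after therapy ends, child records until the 25th birthday or the 26th if the client was 17, coaching records 5 years) and produces a review list of records whose period has expired. The record fields, the `legal_hold` flag and the sample register are assumptions constructed for illustration, not any professional body's own tool.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ClientRecord:
    """One client file in a retention register (fields are assumed for this example)."""
    client_id: str
    date_of_birth: date
    therapy_ended: date       # end of the therapeutic or coaching relationship
    clinical: bool            # True for therapy records, False for coaching records
    legal_hold: bool = False  # set where future legal proceedings are possible


def add_years(d: date, years: int) -> date:
    """Add whole years, mapping a 29 February anniversary onto 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Completed years of age on the given date."""
    had_birthday = (on.month, on.day) >= (dob.month, dob.day)
    return on.year - dob.year - (0 if had_birthday else 1)


def retention_expiry(rec: ClientRecord) -> date:
    """Date on which the record falls due for secure deletion.

    Adult clinical records: 7 years after the end of therapy.
    Child clinical records: until the 25th birthday, or the 26th if 17 at the end.
    Non-clinical coaching records: 5 years (the ICF figure quoted above).
    """
    end = rec.therapy_ended
    if not rec.clinical:
        return add_years(end, 5)
    age = age_on(rec.date_of_birth, end)
    if age < 18:
        return add_years(rec.date_of_birth, 26 if age == 17 else 25)
    return add_years(end, 7)


def records_due_for_deletion(records, today: date) -> list[str]:
    """Client ids whose retention period has expired and that carry no legal hold.

    This is a review list for the practitioner, not an automatic delete: each
    record should be checked, then shredded or securely erased.
    """
    return sorted(
        rec.client_id
        for rec in records
        if not rec.legal_hold and retention_expiry(rec) <= today
    )


# Constructed sample register (not real clients).
SAMPLE_REGISTER = [
    ClientRecord("A-001", date(1980, 1, 1), date(2017, 6, 30), clinical=True),
    ClientRecord("C-002", date(2006, 3, 10), date(2022, 5, 1), clinical=True),
    ClientRecord("C-003", date(2005, 5, 20), date(2022, 6, 1), clinical=True),
    ClientRecord("K-004", date(1990, 7, 4), date(2018, 2, 1), clinical=False),
    ClientRecord("H-005", date(1975, 9, 9), date(2015, 1, 1), clinical=True, legal_hold=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_REGISTER:
        print(rec.client_id, retention_expiry(rec))
    print("due for review:", records_due_for_deletion(SAMPLE_REGISTER, date(2025, 1, 1)))
```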
Compliance Checklist for Coaches and Therapists
Use this checklist as a starting point for your GDPR compliance review:
Client Agreement and Privacy Notice
- [ ] Your client agreement or privacy notice clearly states what data you collect and why
- [ ] You have identified and documented your lawful basis (contract, explicit consent, legal obligation) for each type of data
- [ ] If you process health data, you have documented your Article 9(2) condition
- [ ] Your privacy notice states retention periods for session notes and payment records
- [ ] Your privacy notice lists third-party processors (scheduling tool, video platform, payment processor)
- [ ] Clients are informed of their rights (access, correction, deletion, complaint to ICO)
Session Notes and Records
- [ ] Session notes are stored on encrypted systems, not in unprotected documents or consumer cloud tools
- [ ] Paper notes (if any) are held in a locked, secure location
- [ ] You have a documented retention schedule aligned with your professional body's guidance
- [ ] You have a process for securely deleting records once retention periods expire
Online Sessions
- [ ] You have a DPA in place with your video platform (Zoom, Teams, Google Meet)
- [ ] You obtain explicit consent before recording any sessions
- [ ] Session links are password-protected and use waiting rooms
Scheduling Tools
- [ ] You have a DPA in place with your scheduling tool (Calendly, Acuity, etc.)
- [ ] Your booking page links to your privacy notice
- [ ] You have reviewed data retention settings in your scheduling tool
Payments
- [ ] You use a payment processor (Stripe, PayPal, Square) rather than storing card data yourself
- [ ] Financial records are retained for the required period (6 years for UK tax purposes)
Supervision and Referrals
- [ ] Your privacy notice informs clients that you receive clinical supervision
- [ ] Referrals are made on a minimum-necessary basis, with client awareness
- [ ] You obtain consent before sharing detailed clinical information with referral practitioners
Practice Continuity
- [ ] You have a plan for what happens to client records if you retire, become incapacitated, or close your practice
- [ ] If you are considering selling your practice, you understand the notification and consent requirements for data transfer
Check Your Practice Website
Your practice website is also a data processing activity. Contact forms, booking widgets, and analytics tools collect personal data — sometimes before a prospective client has even made contact with you.
Your website needs a compliant privacy policy, a cookie consent mechanism if you use analytics or tracking tools, and appropriate data handling for any forms that collect personal information.
Run a free scan of your practice website at app.custodia-privacy.com/scan to see exactly what data your site is collecting, which third-party scripts are active, and whether your consent setup meets GDPR requirements. It takes 60 seconds and requires no signup.
This post provides general information about GDPR compliance for coaches and therapists in private practice. It does not constitute legal advice. Regulatory requirements vary by jurisdiction, professional body, and the nature of your practice. Consult a qualified data protection solicitor or the Information Commissioner's Office for advice specific to your situation. Always check current guidance from your professional body, as requirements change.