GDPR for Speech and Language Therapists: Client Records, Children's Data, and Clinical Notes
Speech and language therapists (SLTs) work with some of the most sensitive personal data in healthcare. Clinical records covering communication disorders, swallowing difficulties, cognitive-linguistic impairments, and developmental delays are unambiguously special category health data under GDPR Article 9. Add to that the fact that a significant proportion of SLT caseloads involve children — many under the age of 16 — and the data protection obligations become substantial.
This guide covers everything speech and language therapists need to know about GDPR: from managing client records and children's data, to recording therapy sessions, sharing reports with schools and GPs, operating as a private practitioner versus an NHS clinician, and maintaining compliance with HCPC registration standards alongside your data protection duties.
Clinical Records as Special Category Health Data
Every piece of clinical information you hold about a client — assessment results, therapy notes, case history, communication aids data, dysphagia risk assessments, video fluoroscopy reports — constitutes health data. Under GDPR Article 9, processing this data requires both a lawful basis under Article 6 and a specific condition for special category data under Article 9(2).
For NHS SLTs, the relevant conditions are typically Article 9(2)(h) — processing necessary for the provision of health or social care — combined with the professional secrecy obligation, and Article 6(1)(c) — compliance with a legal obligation. For private SLTs, the most common approach is Article 9(2)(h) with Article 6(1)(b) — performance of a contract — or Article 9(2)(a) — explicit consent — where the therapeutic relationship does not clearly fall under the health care provision condition.
Your privacy notice must explain:
- What data you collect and why
- The lawful basis for processing health data
- Who you share it with (GPs, schools, local authority SEND teams, etc.)
- How long you retain it
- Clients' rights — including the right to access their records
Working with Children: Parental Consent and Gillick Competence
A large proportion of SLT caseloads are children, which creates a dual layer of data protection complexity: children's data requires heightened protection, and you must navigate who has the legal authority to consent on behalf of the child.
Parental consent is required for children under 13 in the UK for most data processing activities. For therapeutic purposes, consent from a person with parental responsibility is generally appropriate. However, this is not an unlimited right — parental consent does not override a child's developing right to autonomy.
Gillick competence is the legal standard used in healthcare to determine whether a child under 16 has sufficient maturity and understanding to consent to a particular decision without parental involvement. If an older child — perhaps a teenager with a stammer or a voice disorder — demonstrates Gillick competence, they may be able to consent to their own therapy records and to specific disclosures, without parental consent being required.
In practice:
- For young children (under 13), always obtain written consent from a parent or person with parental responsibility before commencing assessment or therapy
- For children aged 13–15, assess Gillick competence and document your assessment; in most routine SLT cases parental consent will still be sought
- Children aged 16–17 are generally treated as capable of consenting on their own behalf
- Never assume that because a parent has referred their child to you, they have consented to every subsequent data sharing activity
Document your consent assessment carefully. If you are ever challenged on why you disclosed or withheld information, your documented clinical reasoning will be critical.
Recording Therapy Sessions: Consent and Storage
Audio and video recordings of therapy sessions are extremely common in SLT — they may be used for assessment, for monitoring progress, for supervision, or for training purposes. Under GDPR, recordings constitute biometric data and health data simultaneously, making them among the most sensitive data types you can hold.
Before recording any session, you must:
- Obtain explicit written consent from the client (or from a parent/guardian where the child is not Gillick competent) specifying the purpose of the recording
- Explain who will have access to the recording — you, your supervisor, any trainees, your clinical management software
- State how long the recording will be retained and how it will be securely stored
- Confirm that the client may withdraw consent and request deletion at any time (subject to any clinical justification for retention)
Recordings made for supervision purposes should be subject to a specific consent that clearly states the supervisory purpose and confirms confidentiality within the supervision context.
For training recordings — for example, demonstrating therapy techniques at a conference or for student SLTs — you need separate consent that is explicit about the training use. You cannot repurpose a recording taken for clinical assessment for training without additional consent.
Storage must be secure. Recordings should never be stored on personal devices without encryption. Clinical management software that stores recordings must be operating under a valid Data Processing Agreement with you.
Sharing Reports with Schools, GPs, Paediatricians, and SEND Teams
Multi-disciplinary working is central to SLT practice. You will routinely share reports and clinical information with:
- GPs and paediatricians — as part of coordinated healthcare
- Schools and class teachers — to support classroom communication strategies
- Educational psychologists and SEND teams — as part of EHCP processes
- Occupational therapists and physiotherapists — in joint caseloads
Each sharing activity requires a lawful basis. For routine clinical sharing with other healthcare professionals, Article 9(2)(h) typically applies. For sharing with schools and local authority SEND teams, the basis may be the same health care condition or may be Article 9(2)(g) — substantial public interest — depending on the specific statutory function involved.
Practically:
- Obtain consent from the client (or parent/guardian) before sharing reports with schools or non-clinical professionals where sharing is not clearly mandated by statute
- Use secure transfer methods — encrypted email, NHS MESH, or secure file-sharing platforms — never unencrypted email for clinical reports containing health data
- Record what you shared, with whom, when, and on what basis
- Include a data sharing statement in your reports: what data is being shared and for what purpose
EHC Plan Assessments and Data Sharing with Local Authorities
Education, Health and Care (EHC) plan assessments are a specific context where GDPR meets statutory education law. When a local authority initiates an EHC needs assessment, it has a statutory duty to seek advice from relevant professionals, including SLTs.
From a GDPR perspective:
- The local authority is the data controller for the EHC plan data it holds; you are providing clinical information in your professional capacity
- Sharing clinical assessment data with a local authority for EHC purposes has a lawful basis under UK GDPR Article 9(2)(g) (substantial public interest) combined with the Children and Families Act 2014 statutory framework
- You should still inform parents and children (where age-appropriate) that you will be contributing to an EHC assessment
- Your clinical reports provided for EHC assessments will be held by the local authority for the duration of the child's EHCP — typically until age 25, or when the plan ceases, whichever is earlier
If you receive a Subject Access Request from a parent seeking all information held about their child, your SLT records may be disclosable, subject to the third-party information exemption (which may apply if your records contain information about other professionals).
Private vs NHS SLT: Different Obligations
Whether you work in the NHS or private practice significantly affects your GDPR obligations.
NHS SLTs operate within an established information governance framework: NHS England data security standards, the Data Security and Protection Toolkit, Caldicott Guardian oversight, NHS Data Processing Agreements with software suppliers, and established retention schedules under NHS guidance (generally 8 years for adult records from last treatment, 25 years for children's records or until age 25, whichever is later).
Private SLTs are individually registered as data controllers with the ICO. You are responsible for:
- Registering as a data controller with the ICO (the annual fee for most sole practitioners is £40)
- Drafting and publishing a compliant privacy notice
- Signing Data Processing Agreements with all software suppliers (clinical management software, telehealth platforms, email providers, cloud storage)
- Maintaining your own retention schedule aligned with HCPC record-keeping standards
- Handling DSARs yourself within the one-month statutory deadline
- Deciding whether to appoint a Data Protection Officer — unlikely to be required for a sole practitioner, but you should document your assessment
Private SLTs working in independent schools, via NHS contracts, or through local authority commissioned services may need to navigate multiple data controller relationships simultaneously.
HCPC Registration and Professional Record-Keeping Standards Alongside GDPR
All practising SLTs in the UK must be registered with the Health and Care Professions Council (HCPC). The HCPC sets professional standards for record-keeping that exist independently of GDPR but complement it.
HCPC standards require that your records are:
- Accurate, factual, and up to date
- Written contemporaneously or as close to the event as possible
- Secure and accessible only to those with a legitimate need
- Retained for an appropriate period after care ends
GDPR adds the following to these professional obligations:
- Records must only be retained for as long as necessary (the GDPR storage limitation principle)
- Clients have a right of access to their records via DSAR
- Inaccurate records must be corrected upon request
- Processing activities must be documented in a Record of Processing Activities (RoPA)
The HCPC and ICO expectations are generally aligned, but GDPR is more prescriptive about data subject rights. If an HCPC fitness-to-practise investigation arises that involves client data, your records may be disclosed under the HCPC's regulatory powers — a separate legal basis that overrides usual confidentiality expectations.
Data Retention: 8 Years for Adults, 25 Years for Children's Records
SLT record retention is a critical compliance area. The relevant benchmarks are:
- Adult clinical records: minimum 8 years from the date of last treatment (aligned with NHS guidance and the Limitation Act 1980 for potential negligence claims)
- Children's records: minimum until the child's 25th birthday, or 8 years from the date of last treatment if this is later — this reflects the 3-year limitation period running from when a child reaches adulthood at 18, plus a safety margin
- Children under 16 who die during treatment: records should be retained until what would have been their 25th birthday or for 8 years, whichever is longer
Private SLTs should document their retention policy in writing and build it into their clinical management software settings where possible.
After the retention period expires, records must be securely destroyed — not simply deleted from a cloud system but confirmed as permanently removed, with a destruction log.
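The benchmarks in this section can be encoded so that a clinical management system, or a simple audit script run over an export, applies them the same way every time and refuses to log a destruction inside the retention period. The following is an added Python example, not code from this article or from any named clinical management platform. It assumes, since the page does not say, that a "child" is a client under 18 on the date of last treatment and that the 8-year period for a child who dies during treatment runs from the date of last treatment; the sample caseload at the bottom is constructed.

```python
"""Retention-end calculator for SLT clinical records (added illustration).

Encodes the three benchmarks given in the retention section: adults 8 years
from last treatment; children until the 25th birthday or 8 years from last
treatment, whichever is later; children under 16 who die during treatment
until the would-be 25th birthday or 8 years, whichever is longer.
Assumptions not stated on the page: a "child" is under 18 on the date of
last treatment, and the 8-year period for a deceased child runs from the
date of last treatment.
"""
from dataclasses import dataclass
from datetime import date, timedelta

ADULT_AGE = 18          # assumed threshold between the adult and child rules
RETENTION_YEARS = 8     # minimum period from last treatment
CHILD_UNTIL_AGE = 25    # child records kept at least until this birthday


def add_years(d: date, years: int) -> date:
    """Move d forward by whole calendar years.

    A 29 February anniversary in a non-leap year rolls forward to 1 March,
    so rounding never shortens a retention period.
    """
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28) + timedelta(days=1)


def age_on(date_of_birth: date, on: date) -> int:
    """Whole years of age on a given date."""
    years = on.year - date_of_birth.year
    if (on.month, on.day) < (date_of_birth.month, date_of_birth.day):
        years -= 1
    return years


@dataclass(frozen=True)
class RetentionDecision:
    retain_until: date  # earliest date on which the record may be destroyed
    rule: str           # which benchmark applied, for the written policy and audit trail


def retention_end(date_of_birth: date, last_treatment: date,
                  deceased: bool = False) -> RetentionDecision:
    """Apply the retention benchmarks to one clinical record."""
    if last_treatment < date_of_birth:
        raise ValueError("last_treatment precedes date_of_birth")
    eight_years_on = add_years(last_treatment, RETENTION_YEARS)
    twenty_fifth_birthday = add_years(date_of_birth, CHILD_UNTIL_AGE)
    age = age_on(date_of_birth, last_treatment)

    if age >= ADULT_AGE:
        return RetentionDecision(eight_years_on, "adult: 8 years from last treatment")

    later = max(eight_years_on, twenty_fifth_birthday)
    if deceased and age < 16:
        return RetentionDecision(
            later, "child under 16 deceased during treatment: would-be 25th birthday or 8 years, whichever longer")
    return RetentionDecision(later, "child: 25th birthday or 8 years from last treatment, whichever later")


def may_destroy(decision: RetentionDecision, today: date) -> bool:
    """True once the minimum retention period has expired."""
    return today >= decision.retain_until


def destruction_log_entry(record_id: str, decision: RetentionDecision,
                          destroyed_on: date, method: str) -> dict:
    """Build the destruction-log record; refuses to log an early destruction."""
    if not may_destroy(decision, destroyed_on):
        raise ValueError(f"{record_id}: retention runs until {decision.retain_until.isoformat()}")
    return {
        "record_id": record_id,
        "retain_until": decision.retain_until.isoformat(),
        "rule": decision.rule,
        "destroyed_on": destroyed_on.isoformat(),
        "method": method,
    }


if __name__ == "__main__":
    # Constructed sample caseload, not real clients: (id, DOB, last treatment, deceased)
    sample = [
        ("R-001", date(1980, 5, 10), date(2020, 3, 15), False),   # adult
        ("R-002", date(2015, 6, 1), date(2021, 9, 30), False),    # young child, 25th birthday later
        ("R-003", date(2007, 1, 20), date(2024, 11, 5), False),   # 17-year-old, 8 years is later
        ("R-004", date(2012, 3, 3), date(2023, 7, 7), True),      # child under 16, deceased
    ]
    for rid, dob, last, died in sample:
        d = retention_end(dob, last, deceased=died)
        print(f"{rid}: retain until {d.retain_until} ({d.rule})")
```

The `rule` string travels with the decision so that the destruction log records not just when a record was destroyed but which policy line justified it, which is what you would want to show an ICO or HCPC reviewer.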
Clinical Management Software as Data Processors
Whether you use WriteUpp, TheraPlatform, SimplePractice, Cliniko, or another clinical management platform, that software provider is processing personal data on your behalf — making them a data processor under GDPR.
You are required to:
- Have a written Data Processing Agreement (DPA) in place with every processor before using their platform with client data
- Verify that the processor provides adequate security guarantees (encryption at rest and in transit, access controls, breach notification procedures)
- Ensure that if the software provider is based outside the UK/EEA, appropriate transfer safeguards are in place (UK International Data Transfer Agreements or adequacy decisions)
Most established clinical management platforms designed for healthcare have compliant DPAs readily available. If you cannot find a DPA in a platform's documentation or terms of service, ask for one before storing client data on the platform.
Teletherapy and Online Sessions: Data Flows and Consent
Online therapy sessions introduce additional data protection considerations beyond face-to-face practice.
Key areas to address:
- Video conferencing platforms: Zoom, Teams, Google Meet, and similar platforms are data processors when used for clinical purposes. Check that you have accepted appropriate terms of service or a DPA, and that your clients are informed that a third-party platform is involved
- Session recording: Many video platforms default to cloud recording. Ensure recording is only enabled with explicit prior consent, and that recordings are not retained in the platform's cloud beyond a short defined period before being downloaded and deleted
- Data flows: If your teletherapy platform, clinical notes system, and communication tool are different products, each creates a separate data processor relationship requiring a DPA
- Client consent for online delivery: Your intake consent process should specifically address online session delivery, including the platform being used and any limitations on confidentiality (for example, risks of family members being present in the client's home environment)
Custodia can help you audit the data flows and tracker activity on your SLT practice website — run a free scan at https://app.custodia-privacy.com/scan to see what your website is sharing with third parties.
Waiting List Data and Enquiry Management
Many SLTs — particularly in private practice — maintain substantial waiting lists, sometimes stretching to months. Waiting list data is personal data: names, contact details, presenting concerns, referral information, and often children's data from the referring parent.
Key obligations:
- Inform people on your waiting list (in writing, via a privacy notice) how their data is held, for how long, and what their rights are
- Do not retain waiting list data indefinitely — establish a clear retention period (for example, delete enquiry data if no appointment has been made within 12 months)
- Secure waiting list data appropriately — a spreadsheet on a personal laptop without encryption is not adequate for health-related waiting list information
- If someone withdraws from your waiting list, delete their data promptly
Referral data from GPs or other NHS professionals should be stored securely and processed in accordance with any information sharing agreement or referral pathway protocols that apply.
Marketing for Private SLT Services: PECR Rules
Private SLTs often market their services to parents, schools, and GP practices. Under the Privacy and Electronic Communications Regulations (PECR), direct marketing by electronic means — email and SMS — requires prior consent or the soft opt-in exception.
Key rules:
- Consent-based marketing: If someone signed up to your newsletter or expressed interest in your services, you can market to them if they explicitly opted in at the time
- Soft opt-in: If a parent made an enquiry or previously used your services, you may be able to send them marketing about similar services without fresh consent — but you must have provided a clear opt-out at the time of collection and in every subsequent communication
- Schools and GPs: Marketing to professional organisations at generic addresses (e.g., info@schoolname.co.uk) is governed by PECR rules for organisations, which are less strict, but marketing to named individuals at those organisations requires consent or legitimate interest with a balancing test
- Direct mail (physical post) is not covered by PECR but must still comply with GDPR legitimate interest requirements
Data Breach When Client Clinical Records Are Exposed
A data breach involving SLT clinical records — a lost USB drive, an email sent to the wrong recipient, a ransomware attack on your clinical management software — is a serious incident.
Under GDPR, you must:
- Assess the risk immediately — is there a likely risk to client rights and freedoms?
- Report to the ICO within 72 hours if there is a likely risk (breaches of health data will almost always meet this threshold)
- Notify affected clients if the breach is likely to result in high risk to them
- Document the breach in your breach log, even if you decide reporting to the ICO is not required
Common breach scenarios in SLT practice:
- Sending a clinical report to the wrong email address (for example, the wrong school or wrong parent)
- A clinical management platform being hacked or suffering a data loss
- A laptop or phone containing client session notes being stolen
- Using an unencrypted file sharing service to transfer video recordings
The 72-hour clock starts when you — or any member of your organisation — becomes aware of the incident, not when you have fully investigated it.
Getting Compliant: Your Next Steps
GDPR compliance for speech and language therapists is substantive but manageable. The core priorities are:
- Register as a data controller with the ICO if you are in private practice
- Publish a compliant privacy notice covering all your data processing activities
- Review your consent processes for clinical records, session recordings, and multi-disciplinary sharing
- Sign Data Processing Agreements with WriteUpp, TheraPlatform, SimplePractice, or whichever clinical management system you use
- Establish a documented retention schedule aligned with NHS/HCPC guidance
- Build a DSAR procedure with a named responsible person and a one-month response target
- Train yourself (and any admin staff) on data breach recognition and reporting
Custodia is built to help healthcare professionals and small practices get compliant efficiently. Our platform scans your website for privacy issues, identifies trackers and missing consent mechanisms, and generates compliant privacy policies tailored to your practice.
Ready to see how your SLT practice website measures up? Run a free scan at app.custodia-privacy.com/scan — no signup required, results in 60 seconds.