Updated 25/03/20 : Now applicable to all practitioners using Zoom -read below!

DATA PROTECTION AND SPECIAL CONSIDERATIONS- post webinar notes from the lecture 16 March 2020

Currently there are no hard and fast answers here, many of the membership bodies for counselling and psychotherapy and organisations are still learning. We will need to look back with scrutiny on our practice/procedures after the event. Are we in a fit state to do that now? Can we afford to wait or should this be a pick it up as we go along process?

For now, provision of services to all must be a priority, whilst also taking as many steps to adhere to DPA 2018/GDPR and taking cybersecurity seriously. It is very likely you will need training in this as you move through this period.

Begin where you are and take the learning as something to add and increase your potency, professionalism and to protect both you and the client, but do add to your learning, it is necessary.


and the Privacy4 Interview Series episodes :

NEW: ~Zoom-

After delivering a webinar on how to work with Children and Young people online on Monday 16th March 2020 I am making the post webinar notes here available to all. The video is now available here, the meantime please see these notes here for a summary


The pragmatics of “how to do play/creative therapy online, and what does that look like?” are not shared here as the information below is the critical aspect.

What the ICO says about processing data of those under 13 years of age. Bearing in mind this document is written for anyone who is creating a service for children. Where possible DPIA (data protection impact assessments) are carried out to assess the suitability of a service for processing the data of a child. This is slightly more complicated for Private practice and for services with no contingency plan as right now you are probably feeling the pressure to provide/continue a service and do not know enough about how to carry these assessments out, nor may you feel you have the skills, time or designated data protection officer who can do this.

The ICO has on their website: For children under this age (13) you need to get consent from whoever holds parental responsibility for the child — unless the online service you offer is a preventive or counselling service.

If this service is one that is set up by an organisation then a child can access that service without consent from a parent. Services such as the NSPCC Childline and Off the Record, fall under this remit as they have taken all necessary operational and technical measures to protect that data and have dedicated DPO’s & DPIA’s in place already.

As you are more than likely asking about moving to online work (as part of your private practice) or your placement has asked you to (so that services are continued/provided to those who will be socially isolating), there are a few things you need to consider in terms of GDPR and processing electronic data as you are unlikely to have the above in place before now.


Data includes: email addresses or phone number of the child or parent/carer. Who owns the contract for the phone? Who has the contract for the ISP?

Under 18’s will not have the legal contract for phones/ISP, therefore where possible you will need to gain consent with the parent/carer/adult to use this medium to provide this service. Though this is mentioned above, perhaps it is best practice to do this for your own records as a private practitioner. It also helps when you need to do your audit. (which you are required to carry out as a Data processor). You now need to ensure you are registered with the ICO as a data processor/controller. (which you ought to have been before now as you have been very likely taking supervision/case notes at a bare minimum which is data). BACP guidelines say accurate and appropriate note taking is part of your ethical processes so just to make this very clear for those who are confused; register with the ICO because now you will be in contact with your clients using electronic forms of data and lawfully you must be registered. We will come onto the need for suitable ways to process electronic data in our training, as the content for this is far too long of r a blog and this is becoming a daily updated blog as it is. (there are also laws about processing electronic data separate to this document here…)

To gain parental consent I have a 3 or 4 way contract with a parent/carer/adult/ and responsible adult (school/service provider etc) who holds responsibility for the child/payment and the child themselves, should we need to conduct our therapy in person or online. Either way from the outset I work with the context around the4 child. Personally I don’t deliver any therapy to children without parental/carer consent for a number of ethical and safeguarding reasons, so not to collude with psychological or familial games. Children do not come context free and therefore I do not practice in this way. (this is my personal approach, underpinned by research and evidence based practice, you can make your own choices as a practitioner).

My 2019 version of a contract (child and adult) is provided in the Privacy4 Standard for FREE under month 1 when you sign up which is currently FREE

As you are now in a position where more than likely you need to change/adapt your contract the following should be taken into consideration:

You may be asking a child in therapy if it is okay to move to online work, if this is the case, how will you evidence this in terms of your contract and for the purposes of changing the current contract you have? Do you see the child without the parent? Do you see the child in a service where they are brought by an adult? Do you see them in private practice where an adult brings them? Or do they bring themselves? You need to consider if you are working with Gillick/Fraser competencies for children aged 13 upwards and what considerations you will need to take to process this data. Under this age you need to give special considerations to why/how/where/when and for how long you will process that data for. It is wise to evidence this process.

If you are seeing a child in school will you be able to do this if you are operating a service where parental consent is not required? How can you do this? It is likely that you would have to cease therapy services for children accessing services in school without parental consent. If this is the case for you, consider if this would be a safeguarding issue to cease sessions. Also take into consideration the information you would be asking the child for and whether this contravenes the school/counselling service DPA policy. Your school/organisations should have a contingency plan and assist you in this. You must ask them and if they cannot answer you, take it to supervision or your membership body.

How will you send and receive these documents safely- As you need to send a contract before carrying out the work online?


People are frightened as and such need services that are easy to use and understand. I have recommend Frama Rmail in my video (link to free webinar below) with lots of information about why I and *Gary Hibberd (Professor of communicating cyber) use this software. The simple fact is: people need ‘easy to use’ right now not lots of passwords, portals and clicks. Keep it easy, use something that a panicked person can understand. You will find this service I mention invaluable at keeping data secure in transit (a very important factor). Its also tracked and can handle e-sign and large documents- perfect for this fear driven situation!

Once you feel you can move online it is also worth noting:

(see short course below from Kate Anthony)

  1. Are you covered by your insurance company to work online?

2. Do you have “cyber insurance?”

Practicalities: Who owns the contract for the device you provide therapy on? If the child is under 18 then it is very likely that the service will be delivered on a device that belongs to someone else and therefore you will be processing their data too, perhaps without their knowledge. How will you evidence/justify this if you do not have their consent?

This is why parental consent can be an ally here.

It is worth taking the approach that to lawfully process this data that unless a serious safeguarding issue exists; get the parental consent to process the data for your own paper trail and justification purposes. This way you can ensure that your practice is lawful and follows all technical and operational measures, this also shows that you have assessed the impact of your actions as best as you can at this time.

Conversely, where you need to provide a service online without parental consent you can show your “working out” as to why you processed data in this way.

Service provision

You must also ensure that any third party app that you decide to use meets the criteria for the service provision, is secure to the best of your knowledge and you have done all of the check that you know how to do in order to be able to say you have taken necessary operational and technical measures to protect that data.

You are responsible for any software, apps or platforms you decide to use and this means that when you provide a service on these platforms that you are aware of this and are asking your client to use the software, app, platform with you. Rightly so the client will trust that you are a safe practitioner, have taken all measures to protect them and can be guided by you in this time of uncertainty. We are a client’s safe base and refuge and we will need to maintain this where possible in the provision of online therapy.

These platforms may struggle with the bandwidth and traffic thats likely to suddenly appear in the next few weeks, so please equate yourself with them before using them for therapy. These platforms are not GDPR “complaint” nor fully secure, (nothing is in the world of cyber), however they may have to be used to ensure continuation of services. I am keeping up to date with the recommendations for these platforms and they are being added to below as the weeks progress and it may look like I am going back on my word about Skype (Where I have previously said do not use), however this is the caveat that may need to shift during these times. I am aware of this and will update accordingly. *My view about Skype has never been about the end to end encryption, it has always been about the T&C’s and data ownership which Gary alludes to from the InfoSec & cybersecurity community in the video so please watch to learn more.

I will be updating this section of the blog as more information comes in from reputable services/sources:

To Date 25 March 2020…for those who visit for the updates you will notice a big change here. Platforms that can be used for therapy: Facetime and one more to be communicated next week.

This is not a lawful list- do not use this as your justification check the T&C’s and DPA/Security Terms yourself:


Please read this blog

and wait for the next blog that will explain more about this issue. I spoke with Rowena today, whom I also interviewed in 2018 on GDPR on my podcast as she had contributed to this article and has given me much more information than I can share here. It has already changed this blog entry.

Be aware of update scams, links to use them and send your clients the link securely using an email service such as Frama Rmail- click here for FREE webinar Friday March 20th am (GMT)

Wednesday 25 March am (GMT)

(also just note how quickly you felt you could/not trust my links or word!)

Who knows maybe even Messenger will be added soon? Though this is another ‘ do your own research’ based statement not an endorsement!

To learn about GDPR/Privacy, and Cybersecurity risks see

To book tickets for FULL DAY TRAINING WITH PRIVACY4 on MAY 03 2020 ONLINE. (which was due to be delivered in person at the end of March which we cancelled last week. if you haven’t received our cancellation email and change of location please get in contact with us!) See:


  1. A summary blog for therapists can be found here:
  2. For suitable advice about Online therapy and training see
  3. For a short course training on how to deliver online therapy (ACTO approved and a genuinely great course for this crisis) see
  4. BACP guidelines
  5. UKCP guidelines
  6. NCS guidelines
  7. Support/Free webinars and more- see

And as always to learn more about Catherine see where you can get training in in-depth uses of technology in/for therapy, cybertrauma and a whole day of DPA/Cybersecurity training.

Online Harms Consultant, Cybertrauma Clinician, PhD’er, Author, Theorist, Polymath, Functional Health, Epigenetic Trauma Psychotherapist (Child/Adult)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store