Lecture 6 data protection and access to client records

Lecture 6 Data Protection and
Access to Client records
Module: Law for Counsellors
Kevin Standish

LEARNING OUTCOMES
1. Recording therapeutic work
2. Data Protection: Core idea
3. Definition of personal data
4. The eight principles
5. Format of therapy records
6. Handling data
7. Access to therapeutic records
8. Frequently asked questions regarding record keeping

1. RECORDING THERAPEUTIC
WORK
1. Professional aspects of
record keeping
2. Ethical aspects of
record keeping
3. BACP code of practice

1. Issues relating to data protection and access to
records clearly impact on the central concept of
therapeutic confidentiality
2. Both the therapist disclosing information and the client
or other party obtaining such access may infringe
confidentiality, but the processes involved are often
quite distinct.
3. Persons with a statutory right of access to personal
records include clients, solicitors (in certain situations)
and external agencies, such as the police and courts.
4. The legal process of disclosure can involve the
therapist in attending court, and being required to
answer the court’s questions in the witness box.
1.1.PROFESSIONAL ASPECTS OF
RECORD KEEPING

The principle of
confidentiality of client
material is NOT a valid
defence on its own against
legal demands for
disclosure on judicial
grounds, or under statute

Therapists are engaged in record-keeping for three sets of
reasons:
1. relating to service delivery: record-keeping is useful for the
purposes of management and administration, monitoring client
progress and measuring outcomes via audits
2. therapeutic practice: record-keeping may be essential to
orient the therapist towards the client’s key issues and
relationships, and can also play a role in identifying issues to
take to supervision.
3. professional development: records can be used for personal
reflection, or may be needed for accreditation purposes, and to
contribute towards research and publication
1.1.PROFESSIONAL ASPECTS OF
RECORD KEEPING

1. From an ethical perspective, record-keeping tends to
be framed in terms of professional responsibilities to
maintain confidentiality and to demonstrate respect for
the client.
2. ‘Good quality of care:
Practitioners are encouraged to keep appropriate records
of their work with clients unless there are adequate
reasons for not keeping any records. All records should
be accurate, respectful of clients and colleagues and
protected from unauthorised disclosure. Practitioners
should take into account their responsibilities and their
clients’ rights under data protection legislation and any
other legal requirements.’ (BACP, 2002: 6)
1.2. ETHICAL ASPECTS OF RECORD
KEEPING

Respecting privacy and confidentiality
Section 20. Respecting clients’ privacy and
confidentiality are fundamental requirements for
keeping trust and respecting client autonomy.
The professional management of confidentiality
concerns the protection of personally identifiable and
sensitive information from unauthorised disclosure.
Disclosure may be authorised by client consent or the
law. Any disclosures of client confidences should be
undertaken in ways that best protect the client’s trust
and respect client autonomy.
BACP CODE

1.3. BACP CODE OF PRACTICE
‘Confidentiality:
Psychologists shall maintain adequate records, but they shall take
all reasonable steps to preserve the confidentiality of information
acquired through their professional practice or research and to
protect the privacy of individuals or organisations about whom
information is collected or held.’
(BPS, 2000: 4)
BACP advises practitioners to ‘keep
appropriate records of their work with clients
unless there are good and sufficient reasons
for not keeping any records’ (BACP, 2010)

Why do we keep notes on clients?

1. Making and keeping notes of
client sessions fulfils a number of
therapeutic and functional
purposes for therapists and
counselling services.
2. When considering what to put in
notes there are two key issues;
what is the purpose of keeping
notes and to whom do the notes
belong?
3. The importance of notes will vary
with the context.
THE PURPOSE OF RECORDS AND
NOTES

Here are some of the purposes for making notes:
1. Tracking and liaison record
2. Notes for general assessment or screening
purposes
3. Session content notes
4. Notes for research
5. Notes as part of quality assurance processes
6. Medical or quasi-medical record
7. Notes and artefacts that are made by the client as
part of their treatment
8. Process notes
THE PURPOSE OF RECORDS AND
NOTES

2. DATA PROTECTION
1. Core Idea
2. Personal data
3. 8 principles

2.1. CORE IDEA
1. The ethical justification for record-keeping has
often been unclear. Based on a quasi-medical
model, influenced by agency practice and personal
preferences, therapeutic recordkeeping was quite
varied in its format and content and largely
protected from client access.
2. The Data Protection Act (DPA) 1998, derived from European
Directive 95/46/EC, has attempted to develop a culture of
openness and transparency with regard to personal records
kept on citizens.
3. It has had a profound impact on therapeutic
recording, by challenging the widespread
presumption held by therapists that record-
keeping is a private, professional task, to be
carried out beyond the scrutiny of clients, agency
management or the wider society.

According to the Act, personal data is widely
defined to cover almost every kind of
information related to an identifiable living
person, including information recorded
electronically. The Act includes within its
remit manual or handwritten records, as well
as material held on computer, thus capturing
for the first time the bulk of therapeutic
records.
2.1. CORE IDEA

The Act makes a distinction between personal
data, and categories of information, such as a
person’s mental, physical and sexual health,
which are termed ‘sensitive personal data’
and accordingly require higher levels of
security, such as the client’s explicit consent
for any processing.
2.2. DEFINITION OF PERSONAL
DATA

2.3. THE EIGHT PRINCIPLES
1. Processed fairly and lawfully.
2. Processing personal data for specified purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept any longer than necessary.
6. Processed in accordance with the “data subject’s” (the
individual’s) rights.
7. Securely kept.
8. Not transferred to any other country without adequate
protection in situ.

In practice, it means that you must:
1. have legitimate grounds for collecting and using the
personal data;
2. not use the data in ways that have unjustified adverse
effects on the individuals concerned;
3. be transparent about how you intend to use the data,
and give individuals appropriate privacy notices when
collecting their personal data;
4. handle people’s personal data only in ways they would
reasonably expect; and
5. make sure you do not do anything unlawful with the
data.
PRINCIPLE 1: PROCESSED FAIRLY AND
LAWFULLY.

In practice, the second data protection principle means
that you must:
1. be clear from the outset about why you are collecting
personal data and what you intend to do with it;
2. comply with the Act’s fair processing requirements –
including the duty to give privacy notices to
individuals when collecting their personal data;
3. comply with what the Act says about notifying the
Information Commissioner; and
4. ensure that if you wish to use or disclose the personal
data for any purpose that is additional to or different
from the originally specified purpose, the new use or
disclosure is fair.
PRINCIPLE 2: PROCESSING PERSONAL
DATA FOR SPECIFIED PURPOSES .

In practice, it means you should ensure that:
1. you hold personal data about an individual
that is sufficient for the purpose you are
holding it for in relation to that individual; and
2. you do not hold more information than you
need for that purpose.
3. So you should identify the minimum amount of
personal data you need to properly fulfil your
purpose. You should hold that much
information, but no more. This is part of the
practice known as “data minimisation”.
PRINCIPLE 3: ADEQUATE, RELEVANT
AND NOT EXCESSIVE

To comply with these provisions you should:
1. take reasonable steps to ensure the accuracy of
any personal data you obtain;
2. ensure that the source of any personal data is
clear;
3. carefully consider any challenges to the accuracy
of information; and
4. consider whether it is necessary to update the
information.
PRINCIPLE 4: ACCURATE AND UP TO
DATE

In practice, it means that you will need to:
1. review the length of time you keep personal data;
2. consider the purpose or purposes you hold the
information for in deciding whether (and for how
long) to retain it;
3. securely delete information that is no longer
needed for this purpose or these purposes; and
4. update, archive or securely delete information if it
goes out of date.
PRINCIPLE 5: NOT KEPT ANY
LONGER THAN NECESSARY

the rights of individuals that it refers to are:
1. a right of access to a copy of the information
comprised in their personal data;
2. a right to object to processing that is likely to cause or
is causing damage or distress;
3. a right to prevent processing for direct marketing;
4. a right to object to decisions being taken by automated
means;
5. a right in certain circumstances to have inaccurate
personal data rectified, blocked, erased or destroyed;
and
6. a right to claim compensation for damages caused by
a breach of the Act.
PRINCIPLE 6: PROCESSED IN ACCORDANCE WITH THE
“DATA SUBJECT’S” (THE INDIVIDUAL’S) RIGHTS

In practice, it means you must have appropriate security to
prevent the personal data you hold being accidentally or
deliberately compromised. In particular, you will need to:
1. design and organise your security to fit the nature of the
personal data you hold and the harm that may result from a
security breach;
2. be clear about who in your organisation is responsible for
ensuring information security;
3. make sure you have the right physical and technical
security, backed up by robust policies and procedures and
reliable, well-trained staff; and
4. be ready to respond to any breach of security swiftly and
effectively.
PRINCIPLE 7: SECURELY KEPT

Personal data shall not be transferred to a
country or territory outside the EU unless that
country or territory ensures an adequate level of
protection for the rights and freedoms of data
subjects in relation to the processing of personal
data.
PRINCIPLE 8: NOT TRANSFERRED TO ANY OTHER COUNTRY
WITHOUT ADEQUATE PROTECTION IN SITU.

3. FORMAT OF THERAPY
RECORDS
1. Relevant filing system
2. Process notes
3. Handling Data

• the Data Protection Act has presented challenges to therapists
in subjecting to public scrutiny what had previously been a
private professional activity (Jenkins, 2002).
• Therapists tend to define record-keeping in terms of the
purpose of the record. Therapist tend to distinguish between
objective official agency record of client contact and more
personal, subjective records, known as process notes :
• Data protection law however, defines records on a completely
different basis.
• Records are defined firstly in terms of context, so that records
kept in health, education and social work settings have
separate provisions, deriving from the reforms initiated by the
Gaskin case
• Records are further defined by format, rather than by purpose.
Thus records are categorised as electronic or manual.
• Manual, or handwritten, records are further subdivided into
those which are part of ‘a relevant filing system’ and those
which are ‘unstructured’. These distinctions are crucial for
determining issues of client access
3. FORMAT OF THERAPY RECORDS

1. For therapy records more generally, it seems
that the Act has been instrumental in changing
practitioners’ recording practice.
2. It is increasingly based on the presumption of
client access and has become more factual
and less subjective in nature (Jenkins and
Potter, 2007).
3. FORMAT OF THERAPY RECORDS

3.1. RELEVANT FILING SYSTEM
it is intended to cover non-automated records that are
structured in a way which allows ready access to information
about individuals.
As a broad rule, a relevant filing system exists where records
relating to individuals (such as personnel records) are held in
a sufficiently systematic, structured way as to allow ready
access to specific information about those individuals.
"Accessible record" means: a health record that consists of
information about the physical or mental health or condition
of an individual, made by or on behalf of a health professional
(another term defined in the Act) in connection with the care
of that individual

WOULD PRIVATE PRACTISE FALL UNDER
RELEVANT FILING SYSTEM?

FREEDOM OF INFORMATION ACT 2000
However the Freedom of information act
amended the Data Protection Act 1998 to
provide for the right of data subject to have
access to ‘unstructured personal data’ held by
public authorities.

• These were defined as including Local Authorities, the
NHS, maintained schools and other educational
institutions, the police and a long list of public bodies,
ranging from the Advisory Committee on NHS Drugs to
the Zoo Forum.
• Agencies not classed as a ‘public authority’, or
practitioners in private practice, whose records are not
held in relevant filing systems, may be exempt from
provisions for client access.
• However, from an ethical and professional perspective,
denying client access on legal grounds alone might be
seen to be contrary to the move within the profession
towards adopting more open and accessible forms of
recording, even where these are not formally required
by the law.
PUBLIC BODIES DEFINED

Session content notes usually
form part of a counselling service
record.
1. These notes are made by
therapists to indicate that a
session has taken place and
to give a general overview of
what was covered in a
session and/or any other
matters which the therapist
considers necessary as an
aide mémoire for the therapy,
or made in compliance with
agency policy or legislation.
2. What is important is that
content notes are accurate
and an authentic, usually
brief, summary of what was
discussed
Process notes: there is a long tradition of
keeping process notes in therapy. They may
be optional, handwritten notes, or they may be
held on computer.
Process notes are usually made by therapists
to bring to supervision or to engage in
personal reflection on the therapeutic
relationship.
If process notes identify the client directly by
name, or contain data that could identify the
client (personally identifiable information),
then they are part of the client record, and
subject to the law and duty of confidentiality.
They should be retained with the client
records.
Process notes that are completely anonymous
(i.e. contain no personally identifiable
information and so do not identify the client in
any way) may be treated as separate from the
client records and destroyed when no longer
required.
See Bond, T. and Mitchels, B. (2008: 68–71).
3. 2. SESSION NOTES: CONTENT VS
PROCESS NOTES

3.3. HANDLING DATA
It is equally important NOT to:
a) access personal data that you do not need
for your work
b) use the data for any purpose it was not
explicitly obtained for
c) keep data that would embarrass or damage
you or the client if disclosed
d) transfer personal data outside of the
European Economic Area unless you are certain
you are entitled to or consent from the individual
concerned has been obtained
e) store/process/handle sensitive personal data
not relevant to the purpose.

• The law refers to a number of different types of records.
Client access varies according to the nature of the
record, rather than its content
Records may be of several types including:
1. Accessible records: i.e. health, education and social
work records and records held by public Authorities
2. Computerised records, i.e. records held in electronic
form
3. Computerised records held in combination with
manual or handwritten records
4. Manual or handwritten records as the sole form of
recording by an individual or organisation
5. Audio and video recordings, on tape, digital or created
and stored with any other form of technology
3.3. DIFFERENT TYPES OF RECORDS
DETERMINE ACCESS

4. FREQUENTLY ASKED QUESTIONS
REGARDING RECORD KEEPING
1. Therapist obliged to
keep notes?
2. Who owns the notes?
3. Time limits for keeping
records

• Therapeutic notes and records may include handwritten
or computer-based notes, audio tape and video tape or
digital recordings, and may include written, visual or
audio material for example drawings, poems, songs and
other artefacts created by the client or created in
connection with the therapeutic work.
• Therapists are not specifically required by law to keep
therapeutic records, although this may be an obligation
imposed by their contract with an agency or employer.
HOWEVER:
• BACP’s Ethical Framework states that :“Practitioners are
encouraged to keep appropriate records of their work
with clients unless there are adequate reasons for not
keeping any records. All records should be accurate,
respectful of clients and colleagues and protected from
unauthorised disclosure, (BACP, 2007: 5.5).
4.1. THERAPIST OBLIGED TO KEEP
NOTES?

1. The client contract should make the ownership of
the records clear.
2. Notes on clients made by a therapist employed by
an organisation or agency in the course of that
work are, generally speaking, the property of the
employing organisation.
3. Notes kept by a therapist in private practice
belong to that therapist.
4. Records kept by a self-employed therapist
providing a service for a referring agency, such as
an Employee Assistance Programme, may be
designated as agency property under the terms of
the contract existing between the agency and
therapist.
4.2. WHO OWNS THE NOTES?

5. In law, unless otherwise agreed with the
client, tape and video recordings are
usually deemed to belong to the owner of
the tape or video,
6. photographs belong to the owner of the
negatives or in the case of digital images,
the owner of the camera.
7. However, ‘ownership’ of records is not a
deciding factor regarding issues of
disclosure or client access
4.2. WHO OWNS THE NOTES?

1. Personal data should not be held any longer than
necessary for its purpose.
2. Certain types of record, e.g. NHS records, are
classed as ‘public records’, with specified periods
for retention. For example, records of patients
defined as ‘mentally disordered’ are kept for 20
years after their last treatment, or 8 years after the
patient’s death.
3. Where there is no set time limit which applies to
therapeutic records, therapists and their
organisations need to decide an appropriate time
limit for keeping records before destruction.
4.3. TIME LIMITS FOR KEEPING
RECORDS

4. These might be set to accord with the relevant
time limits for responding to a complaint
against a therapist or agency under the BACP
or other Professional Conduct Procedures or
to comply with the time limits for legal actions.
5. The normal time limit for legal action by the
client for personal injury is three years from
the incident or three years from the date when
the individual could have reasonably known
the problem had arisen. The time limit on legal
action for breach of contract is six years.
4.3. TIME LIMITS FOR KEEPING
RECORDS

Essential reading
• Jenkins (2007) 6 - Data Protection and Access to Client
Records..
• Mitchels, B. & Bond, T (2008):
1. chapter 6 recordkeeping – basic responsibilities
2. chapter 7 how long to keep records?
3. Chapter 9 sharing information between professionals
4. chapter 12 recording confidences practical guidelines
• Bond, T. (2010) chapter 13 record keeping
• Jenkins (2002) Chapter 5 - Transparent Recording:
Therapists and the Data Protection Act 1998
CORE READINGS

Essential reading:
• BACP G1 information sheet: Access to records of counselling and
psychotherapy by Tim Bond & Peter Jenkins (2009)
• P12 Information sheet: Making notes and records of counselling
and psychotherapy sessions by Liz Coldridge (2010)
• Please see What is personal data? – A quick reference guide
Data Protection Act 1998 on ICO website:
http://ico.org.uk/for_organisations/data_protection/the_guide/~/media/do
cuments/library/Data_Protection/Detailed_specialist_guides/determining
_what_is_personal_data_quick_reference_guide.ashx
Advanced reading
1. Tribe, R. & Morrissey, J (editors) (2005) chapter 6 client
confidentiality and data protection by Peter Jenkins
2. chapter 9 the ethics and responsibilities of recordkeeping and note
taking by David Purves
3. Jenkins (2002) Appendix 2: Therapy Notes and the Law
READINGS

Lecture 6 data protection and access to client records

More Related Content

Viewers also liked (20)

Similar to Lecture 6 data protection and access to client records (20)

More from Newham College University Centre Stratford Newham (8)

Recently uploaded (20)

Lecture 6 data protection and access to client records