GDPR for Therapists in the UK: Notes, Consent, and AI Tools
Outline
It is 7:40pm. You have finished the last session of the day, and the progress note still needs writing. The same note may later leave your desk through a cloud practice system, an AI draft tool, a supervisor review, or a client access request. That is the real work of GDPR for therapists: not a policy poster on the wall, but the decisions you make about notes, software, and who can see what.
This guide turns UK GDPR into a practice workflow for mental-health clinicians. It covers therapy notes, privacy notices, client access and deletion, consent limits, processor contracts, and how to assess AI documentation tools. It is guidance for UK private practice and NHS-adjacent work, not legal advice. When a case is high risk or unclear, involve your data protection officer, solicitor, supervisor, or professional body.
Free PDF: UK GDPR Therapy Notes Checklist
A printable UK GDPR checklist for therapy notes, privacy notices, processor contracts, and AI documentation tools.
- Data inventory prompts for notes, intake, recordings, and AI drafts
- Article 6 lawful basis and Article 9 special-category checks
- Privacy notice, retention, access, and breach-response prompts
- Processor DPA and mini DPIA prompts for AI therapy-note tools
Free. We'll email the PDF link right away. We may also send the occasional therapist toolkit. Unsubscribe any time.
Where should we send the link?
We'll email the PDF link right away. You'll also get the occasional therapist toolkit. Unsubscribe any time.
✓ Check your inbox
We've sent you the PDF
The download link is on its way to your inbox, usually within a minute or two. The email will come from hello@emosapien.com; check your spam folder if you don't see it.
You're also on the weekly therapist toolkit list. Unsubscribe any time from the email footer.
Educational resource for licensed and registered mental-health clinicians practicing in the UK (and UK clinicians seeing EU clients by telehealth). UK GDPR, the Data Protection Act 2018, and ICO guidance change over time. Verify current requirements against official sources before you rely on any workflow.
What GDPR requires when you handle client data
In plain terms, GDPR for therapists means you can explain five things about every client record:
- Why you hold it (lawful basis under Article 6, plus an Article 9 condition for health data).
- What you tell the client (privacy notice).
- How little you keep (data minimization: clinically necessary, not a transcript of everything said).
- Who else processes it (staff, supervisors, software vendors with contracts).
- How long you keep it, and how a client exercises their rights (access, correction, erasure limits, complaints).
The Information Commissioner’s Office publishes the UK baseline on the data protection principles. Therapy work sits inside those principles, not outside them.
Who this applies to
If you are a private therapist, counseling psychologist, psychotherapist, CBT therapist, group practice lead, or telehealth clinician based in the UK, this page is for you. It also applies when a UK practice uses overseas software or sees EU clients by video.
Two roles matter in plain language:
- Controller: you decide why client data is processed and how. Most independent therapists and practice owners are controllers of the clinical record.
- Processor: a vendor processes data on your documented instructions (for example a notes platform or email host). Processors need a contract; they do not set the purpose of care.
HCPC standards still expect you to keep records that support safe practice and confidentiality, even when a software vendor holds the bits and bytes. Professional rules and data protection sit side by side.
Therapy notes under UK GDPR
Therapy notes are personal data. When they reveal mental or physical health, they are special-category data. That higher bar covers more than the formal progress note:
- Intake forms and referral letters
- Risk notes and safeguarding records
- Outcome measures and assessments
- Emails or portal messages about care
- Session recordings and transcripts
- AI-generated drafts and edited versions
- Between-session check-ins that describe symptoms or functioning
Write what another competent clinician needs for continuity and safety. Leave out gossip, unverified third-party detail, and private process reflections that do not belong in the shared clinical record. Good clinical documentation habits reduce both clinical risk and data-protection risk.
Consent is not the whole GDPR answer
Clients sign clinical consent forms every week. That does not automatically mean consent is your data-processing lawful basis for notes.
Separate four conversations:
- Consent to treatment (clinical and ethical).
- Consent to record a session (if you record audio or video).
- Transparency about AI or human scribes (who drafts, who signs, what is stored).
- Lawful basis and Article 9 condition for processing health data (documented for the practice, explained in the privacy notice).
For many therapy notes, a health or social care condition under Article 9 may fit better than forcing every processing activity onto explicit consent. Consent can still be right for optional features such as marketing, non-essential recordings, or research. When consent is the basis, the client must be able to refuse without losing essential care, and withdrawal must be workable.
For the full consent map (treatment, recording, AI transparency, and lawful basis), see GDPR consent for therapy. This page keeps consent short so it does not own that whole topic.
What belongs in a therapist privacy notice
Your privacy notice is the client-facing map of the practice. At minimum it should cover:
- What you collect (notes, contact details, measures, payments, technical logs if relevant)
- Why you collect it and the lawful basis / special-category condition
- Who sees it inside the practice
- Which processors you use (practice software, email, payment, AI tools)
- How long you keep records
- International transfers, if any
- Client rights (access, correction, erasure, restriction, complaint)
- How to contact you and how to complain to the Information Commissioner’s Office
Write it in plain language. Update it when you add a new AI tool or change storage.
Retention, access requests, and deletion
Keep notes for as long as clinical continuity, professional standards, and legal defense require, then delete or anonymize on schedule. A written retention schedule beats memory.
When a client asks for their records (a subject access request):
- Log the date and identity check
- Search every system that might hold their data, including AI drafts and exports
- Remove or redact third-party data where required
- Respond within the statutory timeframe unless a valid exemption applies
- Document any withholding decision (for example serious-harm or legal privilege concerns)
Erasure is not always available for clinical records that you still need for care, claims, or legal duties. Explain limits in the privacy notice before someone asks.
GDPR-compliant AI therapy notes
This is the section many UK clinicians search for under GDPR-compliant AI therapy notes and related queries such as “AI SOAP note GDPR.”
AI can draft notes. It does not replace your judgment, your signature, or your duties as controller. Before any session audio, transcript, or clinical detail enters a tool, walk this assessment:
- Data processing agreement (DPA). Is there a signed processor contract that matches UK GDPR requirements?
- Sub-processors. Who else touches the data, and where are they listed?
- Data residency and transfers. Is data stored in the UK, EEA, or another country with a valid transfer mechanism?
- Training on public models. Confirm the vendor does not use client content to train public models.
- Retention and deletion. Can you set retention, export records, and delete a client end-to-end?
- Security controls. Encryption in transit and at rest, role-based access, audit logs, and breach-notification timing.
- Human review. Clinician edits and signs before the note is final. No auto-filing of unreviewed drafts into the record of care.
- DPIA. Complete a data protection impact assessment when the AI workflow is new, large-scale, or higher risk for health data.
For product-side documentation patterns, see AI SOAP notes for therapy practices. Use that page for how structured notes are drafted; use this page for the UK compliance questions you should ask first. Platform security posture for encryption, access control, and audit logging is summarized on the security page. Product claims stay limited to published capabilities: human review before signing, no public-model training on session content, and encryption in transit and at rest.
If a vendor cannot answer the checklist in writing, do not put client data in the tool.
Vendor checklist for UK therapy software
Ask every notes, practice-management, or AI documentation vendor:
- Will you sign a UK GDPR-ready data processing agreement?
- Where is personal data stored, and which sub-processors are involved?
- How are international transfers documented?
- Is client content used to train public models? (Require a clear no.)
- What encryption, access control, and audit logging do you provide?
- How fast do you notify a controller of a personal-data breach?
- Can we export and delete a client’s data on request?
- What retention defaults apply to audio, transcripts, and drafts?
- Do you support a DPIA with architecture and risk documentation?
- How does the product keep final clinical sign-off with the therapist?
Save the answers with the contract. Re-check them when the vendor adds features.
Download the UK GDPR therapy notes checklist
The downloadable checklist puts data inventory, lawful basis, Article 9, privacy notice, retention, DSAR handling, processor contracts, and a mini DPIA prompt for AI tools on one printable sheet for supervision or practice setup.
How Emosapien fits this workflow
Emosapien is built for mental-health clinicians, not generic clinical scribing. The Scribe Agent drafts structured notes for clinician review; session content is not used to train public models; and security controls include encryption plus audit-oriented safeguards described on the product security pages. UK practices still complete their own lawful-basis documentation, privacy notice, DPA review, and DPIA where required. No software removes that controller work. If you want to test documentation support inside a review-first workflow, start a free trial.
US and Australian readers looking for HIPAA-framed product language should use the separate HIPAA compliant therapy notes page. That framework is not a substitute for UK GDPR.
A short closing checklist
- Special-category health data needs Article 6 and Article 9 thinking
- Privacy notice matches the tools you actually use
- Retention and access-request processes are written down
- Every processor has a contract you can find
- AI tools pass the DPA, residency, training, retention, and human-review tests
- Edge cases go to your DPO or solicitor, not a blog post
That is the practical bar for GDPR for therapists in day-to-day UK practice: defensible habits, clear contracts, and notes you can stand behind if a client, supervisor, or regulator asks.
References
- Information Commissioner’s Office. UK GDPR and data protection guidance hub (principles, special-category data, right of access, controller-processor contracts, and DPIAs).
- Information Commissioner’s Office. Make a complaint.
- UK legislation. Data Protection Act 2018.
- UK legislation. UK GDPR (retained Regulation (EU) 2016/679).
- Health and Care Professions Council. Standards of conduct, performance and ethics.