GDPR-compliant client notes for private practice therapists

Session notes stored in Word documents, notebooks, or personal email accounts are a compliance risk — and most therapists know it.

Published: March 2026

The compliance risk most therapists are sitting on

A notebook on your desk. A folder of Word documents on your laptop. Notes emailed to yourself after a late session. These are all common — and all carry real risk under UK GDPR and the BACP Ethical Framework.

The problem isn’t that therapists are careless. It’s that the default tools most people reach for — Microsoft Word, Google Docs, email — weren’t designed for clinical records. They don’t encrypt at rest, they don’t restrict access, and they don’t provide audit trails. If a device is lost or a file is accidentally shared, there’s no technical safeguard standing between that event and a data breach.

What GDPR actually requires for session notes

Under UK GDPR, session notes are personal data — and in most cases, special category data, given their clinical nature. That means:

  • They must be stored securely, with appropriate technical measures (encryption is the standard expectation)
  • Access must be restricted to those who need it
  • You must be able to demonstrate compliance if asked
  • Retention periods must be defined and enforced — BACP guidance recommends a minimum of seven years after the end of the therapeutic relationship

The ICO doesn’t prescribe specific software, but “appropriate technical measures” in the context of sensitive clinical data means encryption at rest and in transit is effectively a baseline expectation.

What compliant note storage looks like in practice

Compliant session notes should be:

  • Encrypted at rest — so the files cannot be read if the storage is ever accessed without authorisation
  • Encrypted in transit — so data cannot be intercepted between your device and the server
  • Access-controlled — so only you (and authorised supervisors, where relevant) can read them
  • Backed up — so records aren’t lost to hardware failure
  • Subject to a clear retention and deletion policy

Word documents stored on a local hard drive meet none of these. Google Docs meets some, but stores data on US servers under US law, which raises data residency questions for UK practitioners.

How Counselling Buddy handles this

Session notes in Counselling Buddy are encrypted from the moment you save them. They’re stored on UK-based, ISO 27001-certified infrastructure with no identifying plain-text link between a note and its client. Daily automated backups run to redundant UK storage.

When you finish working with a client and delete their profile, their notes are deleted permanently — with an audit log confirming the deletion. You remain the data controller throughout; Counselling Buddy acts as your data processor under a formal Data Processing Agreement available from your account settings.

You can also export any note as a PDF at any time — useful for supervision, handover, or keeping your own offline archive before deleting a client record.
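Three of the properties described above (encryption at rest, no plain-text link between a stored note and its client, and deletion only once the retention period has run from the end of the therapeutic relationship) are the kind of thing a note-storage backend has to implement rather than promise. The Go program below is an added illustration written for this article; it is not Counselling Buddy's code and says nothing about how that product is built. It assumes AES-256-GCM for the note body, HMAC-SHA256 under a separate secret for the client pseudonym, keys supplied from a secrets store (generated at startup here purely for the demo), and the seven-year BACP figure for retention. Encryption in transit (TLS) and access control sit in the transport and login layers and are deliberately out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// RetentionYears is the minimum retention period the article cites from BACP
// guidance: seven years after the end of the therapeutic relationship.
const RetentionYears = 7

// StoredNote is the record that reaches disk: ciphertext plus a pseudonymous
// client token, so the stored row carries no plain-text link to the client.
type StoredNote struct {
	ClientToken string // HMAC-SHA256 of the client ID under a secret index key
	Nonce       []byte // fresh random GCM nonce per note
	Ciphertext  []byte // AES-256-GCM output (authentication tag included)
}

// clientToken derives a stable pseudonym for a client ID. Without the index
// key the token cannot be turned back into the client ID.
func clientToken(indexKey []byte, clientID string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(clientID))
	return hex.EncodeToString(mac.Sum(nil))
}

// EncryptNote seals a session note with AES-256-GCM (encryption at rest).
// The client token is bound in as additional authenticated data, so a
// ciphertext cannot be silently re-filed under a different client.
func EncryptNote(noteKey, indexKey []byte, clientID, plaintext string) (StoredNote, error) {
	block, err := aes.NewCipher(noteKey) // noteKey must be 32 bytes for AES-256
	if err != nil {
		return StoredNote{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredNote{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredNote{}, err
	}
	token := clientToken(indexKey, clientID)
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(token))
	return StoredNote{ClientToken: token, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptNote reverses EncryptNote. It fails closed: a wrong key, a modified
// ciphertext or a changed client token all produce an error, never garbage.
func DecryptNote(noteKey []byte, n StoredNote) (string, error) {
	block, err := aes.NewCipher(noteKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, n.Nonce, n.Ciphertext, []byte(n.ClientToken))
	if err != nil {
		return "", errors.New("note rejected: wrong key or tampered record")
	}
	return string(pt), nil
}

// EligibleForDeletion enforces the retention rule: the clock starts when the
// therapeutic relationship ended, not when each individual note was written.
func EligibleForDeletion(relationshipEnded, now time.Time) bool {
	return !now.Before(relationshipEnded.AddDate(RetentionYears, 0, 0))
}

func main() {
	// Constructed demo keys; a real service loads these from a secrets store.
	noteKey := make([]byte, 32)
	indexKey := make([]byte, 32)
	rand.Read(noteKey)
	rand.Read(indexKey)

	rec, err := EncryptNote(noteKey, indexKey, "client-0042", "Session 3: reviewed coping plan.")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored token: %s... (no client ID on disk)\n", rec.ClientToken[:16])
	fmt.Printf("ciphertext bytes: %d\n", len(rec.Ciphertext))

	pt, err := DecryptNote(noteKey, rec)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)

	ended := time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("deletable on 2025-03-01:", EligibleForDeletion(ended, time.Date(2025, 3, 1, 0, 0, 0, 0, time.UTC)))
}
```

Two design points are worth noting. The note key and the index key are separate secrets, so a compromise of the lookup index alone does not expose note contents, and vice versa. And the retention check takes the relationship end date as its input rather than the note date, because counting seven years from each note would let early notes become deletable while the client is still in therapy.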

Handle this automatically with Counselling Buddy

Built for UK therapists in private practice. Set it up once, and it runs itself.