used fairly, lawfully, and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant, and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage 
What data you are collecting – this may include name, contact information such as email address and/or phone number, as well as their medical or treatment history and details of psychological difficulties. It may be helpful to indicate whether this information is obtained from the client themselves or from a third party such as a GP, Psychiatrist or medical insurer on the client’s behalf.
Why you are collecting their data, including the "lawful basis" for doing so, e.g., to provide safe and professional mental health treatment such as psychological assessment and therapy; also to contact clients about future appointments or treatment fees, or to refer them to a third party for further support where needed.
How you collect their data, e.g., through online sign-up forms, or from communications via email, over the phone, or in writing, as well as in the notes you write about their treatment sessions.
How you store their data – if a physical copy of the information is kept, where it is stored, e.g., a locked filing cabinet or locker. If the information is kept digitally, where it is stored, e.g., on a password-protected device or on an encrypted cloud storage platform. This should also cover emails and text messages, which are records in their own right.
How you use their data, e.g., to arrange and book assessments or therapy sessions, to help plan treatment, to create and send invoices and keep payment records, and/or to pass on information to third parties if necessary.
Who has access to their data, e.g., you as the therapist and any practice managers who may access the information where relevant. This should also state whether it is shared with third parties, and the reasons why you may share it, for example if there are concerns about a client’s wellbeing or for onward referrals.
How long you will keep their data – it is a legal and professional requirement that health records are kept securely for 7 years after treatment ends, or, for a minor, 7 years after the client turns 18.
- The right to be informed about how their data is being used
- The rights to access, update, erase, or restrict the processing of their data
- The right to object to how their data is processed in certain circumstances
In the context of mental health treatment, this means that clients can request to see their therapist’s notes. You should indicate how they can make this request and how long you are likely to take to fulfil it, as you will need to remove any information about third parties before releasing the notes. Clients can also request that data be updated or erased in some circumstances, but therapists will need to judge which circumstances allow this and reflect with clients on the potential implications of doing so. Likewise, clients can make requests about how their information is processed, but therapists may need to consider how this affects their ability to offer their services. It may be helpful to mention some of these caveats in the notice itself.
References and additional links: