2.2 GDPR, contracting and insurance

GDPR compliance with online working

Counsellors and counselling organisations in the UK must already comply with the General Data Protection Regulation and the Data Protection Act 2018 (GDPR) – further information about this can be found in the further resources [Tip: hold Ctrl and click a link to open it in a new tab. (Hide tip)]   section.

One of the requirements of GDPR is that anyone who processes personal data needs to take sufficient steps to protect it from a physical or electronic data breach, as you explored in Activity 4. Another requirement is that clients explicitly consent to the counsellor keeping counselling-related data: this may have implications for counsellors who are moving to working online with clients for the first time.

Consider this further in Activity 5.

Activity 5: Data when working online

Timing: Allow approximately 10 minutes

Answer the following questions in the space below:

  1. What data do you normally collect about the clients that you work with face-to-face?
  2. Is there any data that you might need to collect from your clients in order to work online that you do not normally hold, such as an email address or additional phone numbers?
  3. Are you storing data about clients in a differently way compared to how you would usually? Perhaps you are you storing data electronically rather than on paper, or using your own PC rather than one in the counselling centre?
  4. Is your online therapy creating data that is different or new for your practice, such as text-based counselling content?
To use this interactive functionality a free OU account is required. Sign in or register.
Interactive feature not available in single page view (see it in standard view).


If your answer to any of these questions suggests that you might be collecting or storing new or different data, you may need to amend your counselling consent form and data privacy information to reflect this. You may also need to think about taking additional steps to ensure the security of client data: for example, do you have a child who sometimes uses the computer you now use for online counselling?

Do you need to recontract/change how you contract?

As suggested above, you may need to amend existing contracts in order to meet requirements related to GDPR for online counselling. You will also need to discuss with clients exactly how you will engage in online counselling. This includes not only how you will work together (for example, which platform?) but also:

  • ground rules and boundaries for communication (for example, is email contact only for communicating about appointment attendance, and how quickly are counsellors expected to respond to client communication?)
  • agreeing on a ‘plan B’ if the agreed means of communication fails (such as talking on the phone rather than a video call)
  • discussing confidentiality of online counselling, including what the client needs to do to maintain their data security, and how the counsellor manages security and issues related to GDPR
  • how to keep a formal record of consent given by clients to the terms and conditions of the online therapy.

It could be useful to create a written document to send to clients that includes this kind of information, possibly as additional clauses to your existing contract.

Are you covered to work online?

It is also important to check that your professional liability insurance covers you for online work, as well as any limitations to such cover – for example, for clients who do not live in the UK. Organisations that are moving to online working should also check their own insurance.

2.1 Security and confidentiality

2.3 Assessing counsellors’ competence for online working