Therapists & Counsellors
Session content is the most sensitive personal data that exists. Your professional obligations and the law both apply — and neither excuses you from the other.
The only compliance guide that addresses BACP, BPS, and COSCA obligations alongside UK GDPR — in parallel. Covers RIPA 2000 for AI transcription, three consent forms specific to therapy practice, and the rule that where your professional body and the law conflict, you apply the more protective standard.
Everything a client discloses in a therapy session — their mental health, trauma, relationships, and personal history — is almost certainly Special Category Data under Article 9 UK GDPR. This is the strictest data protection category in UK law. It applies regardless of whether you consider yourself a clinician, regardless of your modality, and regardless of whether your professional body has issued specific AI guidance yet.
Using AI to draft session notes or transcribe sessions without explicit written consent and a business account with a DPA in place is a serious breach of both data protection law and your professional body's ethical standards — simultaneously.
Two risks in this guide carry potential criminal liability — not just regulatory consequences
Recording a session without telling the client — even for AI-assisted note-taking — may be a criminal offence under RIPA 2000 Section 3. Maximum sentence: two years' imprisonment. Verbal agreement at the start of a call is not sufficient. Written consent, obtained before the session begins, is the required standard.
Failure to register with the ICO as a data controller when required is a criminal offence. Almost all therapists operating commercially must register. The annual fee is typically £40. It takes approximately 15 minutes.
TWO FRAMEWORKS — BOTH MANDATORY
UK GDPR & the Data Protection Act 2018
→ Session content is Special Category Data under Article 9 — requiring explicit written consent for every processing activity
→ Every AI tool used with client data requires a business account and a written Data Processing Agreement
→ Clients must receive a Privacy Notice before their first session naming every AI tool used in practice
→ 7-year retention period for adult records; until the client's 25th birthday for minors
Professional Body Ethical Standards
→ BACP's Ethical Framework requires AI use to be consistent with the practitioner's duty of care and the primacy of the therapeutic relationship
→ BPS Code of Ethics requires transparency with clients about AI use and the application of professional judgment to all AI outputs
→ COSCA's Statement of Ethics emphasises protection of client information — AI use that could compromise confidentiality requires careful documentation of reasoning
→ AI guidance from all three bodies is actively developing — check your body's current published position directly
Where your professional body and the law conflict — apply the more protective standard.
Three Consent Forms
General Client Data Consent
Covers storage and processing of contact details, session notes, clinical records, and invoicing data. Includes lawful basis under Article 6 and Article 9(2)(a). Required before the first session. Covers AI tools used for administration — Calendly, Zoom, scheduling platforms — separately from session content.
AI-Assisted Session Notes Consent
Separate explicit Article 9 consent required only if you use AI to draft or structure session notes. Names the specific AI tool, confirms it is a business account with a DPA, states data will not leave the approved platform, and confirms client understanding that session content will be processed by AI. Cannot be bundled with Form 5.1.
Session Recording Consent
Required before any session is recorded or transcribed — by any means, including AI transcription tools active on your video platform. Obtained in writing before the session begins. Covers purpose, storage, access, retention, and the client's right to withdraw consent for future recordings. Verbal agreement at session start does not satisfy this requirement.
What’s Included
Dual-framework compliance guide — UK GDPR and BACP, BPS, COSCA obligations addressed side by side
Three consent forms — general data consent, AI-assisted session notes consent, and session recording consent — each as a standalone document
Privacy Notice template — drafted for therapy practice, including the limits of confidentiality and AI tool disclosures
Safe vs unsafe AI prompt guide — what crosses the line, what the risk is, and the compliant alternative for each
Retention schedule — adult records, minor records, supervision notes, recordings, and financials — with the legal or professional basis for each period
Client Record & Consent Log — track every client's consent status, retention end date, and scheduled deletion
AI Tool Register — log every platform used in practice, its account type, DPA status, and whether it may process session content
72-hour breach response plan — with a specific note on professional body breach notification requirements alongside ICO reporting
Completed worked example — Dr. Maya Patel (BACP Accredited, Clarity Therapy Practice) shows a completed AI Tool Register, Privacy Notice, and safe AI use approach for administrative tools only
AI Safe Starter Pack — the foundational seven documents, included free with this guide
Therapist Action Guide — £47
The profession-specific guide with BACP and BPS alignment, completed examples, separated consent forms, and a week-one action plan built around the highest-risk gaps in therapeutic practice.
Recommended pathways
Complete Compliance Bundle — £119
Everything in Tier 1 plus the Legal Pack and Companion Guide — strongly recommended for therapists, given that AI-influenced decisions in a therapeutic context may face professional body scrutiny and require documented evidence.
Full Suite Bundle - £189
Everything in the Complete Compliance Bundle, plus the Website Compliance Pack and DPAs 1 & 2. This suite is recommended for therapists who want complete cover, especially if they have a website or use booking platforms.