
Data Protection for psychologists and executive coaches in private practice
South West Branch co-chair Anne-Marie Rowson reviews a training webinar organised by the BPS's private practitioner group, which offered key insights about data protection.
04 February 2025
On 17 December 2024, the BPS Special Group for Independent Practitioners (SGIP) hosted a training webinar covering data protection for psychologists working in private practice. The session was led by Clare Veal, a qualified solicitor specialising in supporting psychologists and coaches, from Aubergine Legal.
For psychologists, executive coaches, and other independent practitioners, ensuring compliance with UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018 is critical – not just from a legal standpoint but as an integral part of ethical professional practice.
While data protection laws are often associated with healthcare settings, the principles of privacy, confidentiality, and informed consent are equally relevant for psychologists engaging in executive coaching, leadership development, and consultancy work. Many executive coaches, business psychologists, and multidisciplinary practitioners handle sensitive client data, including performance assessments, personal reflections, health-related data and performance evaluations.
The webinar emphasised that all professionals collecting personal data must obtain informed consent, regardless of whether they work in health, business, or other sectors. This session was a fantastic refresher with regard to some areas of my coaching practice and enlightening in other areas. My key takeaways were:
1. Understanding my legal responsibilities, regardless of psychological discipline
- Psychologists as data controllers – Private practitioners are responsible for the lawful collection, processing, and storage of client data.
- The role of informed consent – Clients must understand what data is collected, how it is used, and their rights regarding its storage and sharing.
- Privacy policies – All practitioners should have a clear, written privacy notice that aligns with GDPR requirements.
2. The need for informed consent
The session highlighted that it is advisable for psychologists who work as executive coaches to secure informed consent, even when working outside traditional healthcare settings. This includes:
- Clarifying data use – Explaining how notes, assessments, and reports will be stored and shared.
- Client rights – Ensuring coachees understand their right to access their data or to withdraw consent regarding it.
- Third-party involvement – Managing confidentiality when working with organisations that may request coaching reports.
As a practising executive coach, I have updated my terms and conditions, contracting documentation, and privacy policy to reflect best practices. I now integrate informed consent into my practice documentation and conversations with clients to ensure transparency and ethical integrity.
3. Confidentiality vs. data protection
- Ethical confidentiality obligations must align with legal data protection laws.
- Coaches and psychologists must clarify what remains private vs. what may be shared (e.g. organisational coaching contracts).
- Practitioners should develop data breach response plans to ensure swift action if client data is compromised.
4. Practical steps for compliance
- Secure storage – Whether physical or digital, client data must be securely stored and password protected.
- Contracting and documentation updates – Practitioners should regularly update their terms and conditions to reflect the latest data protection laws.
- Cybersecurity awareness – Using encrypted communication methods and avoiding unsecured email exchanges for sensitive data.
- Data retention policies – Understanding how long to store records before legally and ethically disposing of them.
As psychologists and members of the BPS, we need to always abide by the BPS Code of Ethics, and this code provides a framework to ensure that data protection practices align with fundamental ethical principles:
- Respect: Informed consent and clear communication with clients.
- Competence: Staying informed about data protection responsibilities.
- Responsibility: Taking active steps to safeguard client data.
- Integrity: Handling client data with transparency and accountability.
Are you in private practice as a psychologist? If so, you might wish to consider the following:
- Review and update data protection policies to align with best practices.
- Ensure informed consent is built into client contracting and practice documentation.
- Stay current with legal and ethical obligations through ongoing training.
- Consult a legal expert for complex data protection concerns.
In this age of training overload, this 2-hour webinar was a fantastic use of my time and extremely well delivered, so a big thank you from me. I would strongly recommend it to colleagues if it pops up again on the SGIP's training offering. To find out about other resources to support you in independent practice, head to the BPS SGIP microsite.
About the author
Anne-Marie Rowson is a certified principal business psychologist, coaching psychologist and co-chair of BPS South West of England Branch.