Welcome to the Business of Psychology podcast. Today we're joined by Clare Veal, a commercial lawyer from Aubergine Legal. Lots of you listening will already be familiar with Clare, as she is the legal eagle behind our legal templates, which are bringing peace of mind to hundreds of mental health professionals right this second. She also teaches in my Start and Grow course, giving our students a really solid understanding of what we need to do and why we need to do it, to protect ourselves and our clients in our independent work. But today we have Clare on this podcast because I think it's really important that everyone that's seeing clients independently has a good grasp of data protection and specifically how it applies to us. I find that once you understand that, then things like contracts and policies that we need to create, or that we've created for you in the legal pack if you have that, they just don't seem so scary anymore.
Full show notes and a transcript of this episode are available at The Business of Psychology
Links:
Data Protection Workshop: Sign up for the June 17th data protection workshop (recording available)
Clare:
Website: www.auberginelegal.co.uk
LinkedIn: Clare Veal
Facebook: Aubergine Legal
The legal pack of contracts and policies for psychologists and therapists
Try out WriteUpp (practice management software)
Clinical Psychologist Legal Services | Aubergine Legal
Checklist for launching a website (auberginelegal.co.uk)
Psychology Practice - Data Retention Period Guide | Aubergine Legal Limited
BizCoach + Legal Toolkit for Business Coaches
Rosie on Instagram:
Thank you so much for listening to the Business of Psychology podcast. I'd really appreciate it if you could take the time to subscribe, rate and review the show. It helps more mental health professionals just like you to find us, and it also means a lot to me personally when I read the reviews. Thank you in advance and we'll see you next week for another episode of practical strategy and inspiration to move your independent practice forward.
SPEAKERS
Rosie Gilderthorp, Clare Veal
Rosie Gilderthorp:Hello and welcome to the Business of Psychology podcast. Today we're joined by Clare Veal, a commercial lawyer from Aubergine Legal. Lots of you listening will already be familiar with Clare, as she is the legal eagle behind our legal templates, which are bringing peace of mind to hundreds of mental health professionals right this second. She also teaches in my Start and Grow course, giving our students a really solid understanding of what we need to do and why we need to do it, to protect ourselves and our clients in our independent work. But today we have Clare on this podcast because I think it's really important that everyone that's seeing clients independently has a good grasp of data protection and specifically how it applies to us. I find that once you understand that, then things like contracts and policies that we need to create, or that we've created for you in the legal pack if you have that, they just don't seem so scary anymore. So welcome to the podcast, Clare.
Clare Veal:Hi Rosie, thanks for having me. Delighted to be here today chatting with you.
Rosie Gilderthorp:I just can't believe we haven't done this before because we've known each other for a long time, and normally I mine all of my business connections and friendships for podcast materials.
Clare Veal:I know, I'm happy to be here at long last.
Rosie Gilderthorp:So I thought it would be sensible to start with a bit of an overview of what we need to think about as independent mental health professionals and then maybe we can talk about some of the common mistakes that people make if that's alright with you.
Clare Veal:Yeah, sure.
Rosie Gilderthorp:So what are the main areas of law that we need to consider when we start to work independently?
Clare Veal:Well, I suppose the first thing that people need to be thinking about is how you're going to be set up because that's right at the very beginning. So you need to think to yourself, will I be a sole trader? Will I be a limited company? Perhaps you might be going into business with another psychologist, so maybe you might be thinking partnership might be best for you. Now, obviously there are pros and cons for each of those different ways of being set up. So you have to sort of think to yourself about the amount of admin you're willing to take on.
For example, limited companies have quite a lot of filing requirements at Companies House. But then on the flip side of that, you need to think about how much risk and liability you want to be exposed to. So if you're set up as a limited company, you're obviously taking on less risk because your personal assets won't be on the line if something goes wrong. So that's the first thing.
Rosie Gilderthorp:So, sorry, just to clarify on that, because I always get really confused about the liability thing. So with a limited company, if I'm a director in a limited company and the company goes bust, no one can come for my house, is that right?
Clare Veal:So it acts as a shield. So if you set up a limited company, you can just sort of view it as a shield between you in your corporate life with your business and you in your personal life. The limited company is a separate, it's a separate entity, it's a separate being and so it won't affect anything to do with your home life even if you're a director of it. You obviously have director's duties, you know, as a director, you have to act in the best interest of the company, but you know, if something went wrong, so say if somebody sues you for some, you know, for negligence or something went wrong in your practice, and if you were set up as a limited company, they would only be able to come after the company and they wouldn't be able to see you as an individual, you know, your house, your savings, your car would all be separate and wouldn't be touched. It would only be the assets in your company that could be attacked. So once, you know, if there wasn't enough money in the company, then you would just have to make the company, you'd have to wind it up and make it insolvent.
Rosie Gilderthorp:Okay. All right. So, whereas if you're a sole trader, presumably they could, you know, access anything that you have.
Clare Veal:Yeah, they could. So in that scenario, they could, you know, if something really bad happened and you got sued for lots of money, then, you know, you might have to, you know, might have to sell your house or your car and you'd have to use your savings. It would all, would all have to go towards, you know, settling the claim. So, you know, it is worth thinking about becoming a limited company because it will protect you. You can hide behind it.
Rosie Gilderthorp:That's really interesting.
Clare Veal:Like I said though, there is a lot of filings you have to do, a lot of tax you have to pay, you have to, you probably need an accountant to help you. So there's a bit more admin cost on that side of things, but you do have that peace of mind.
Rosie Gilderthorp:Yeah, it's interesting because I think, most, well, all of us do have professional indemnity insurance, which goes some way towards those negligence type claims. But there are other types of claims as well that can be made against us.
Clare Veal:Yeah, sorry, I should have, should have mentioned, you know, if you've got insurance that will protect you to a certain extent, but don't forget that there is always a limit on insurance policies. So it depends what you, what you've set up. So if you only have like a limit of say half a million and the claim came in at a million, you know, God forbid, but if that did happen, then you are exposed to an extra half a million pounds.
Rosie Gilderthorp:So it's always about weighing up what types of risk you might be taking in your company and what your insurance policy does and does not cover, I think.
Clare Veal:Yes, exactly.
Rosie Gilderthorp:Because the example that was given to me once was, I'd be protected if somebody sued me as a psychologist by my professional indemnity insurance, because I think I've got about 10 million cover and no claim has ever been at that level, so she considered that risk to be safe. But I wouldn't be protected by that if somebody tripped over the doormat on the way into my practice.
Clare Veal:So you need a separate insurance policy, public liability insurance for that. So that's the other thing you might have some insurance in place, but you've got to make sure it covers, you know, everything that might go wrong in your practice. Some people though, some people in business just don't want to take any risks at all. And they will just, even though they have the insurance in place, they just want the peace of mind of being able to hide behind a limited company.
Rosie Gilderthorp:And there are organisations that insist on it as well. So there are organisations that I've done freelance work for who have insisted I have to be a limited company to do that.
Clare Veal:Yeah. And some organisations that people work for will insist on a certain amount of insurance cover as well. So yeah, you need to weigh all of that up, and then, you know, think to yourself, how do I want to be set up? Some people just want to be a sole trader because it's a lot easier. They just, there's not, you know, you don't have to file lots of things at Companies House. But yeah, it all depends as well on the individual as that, you know, are you a risk taker?
Rosie Gilderthorp:And actually one type of risk, which not many private practitioners will use much of, but is something to consider depending on your business model is financial risk. So if you're a limited company and the business takes out loans, does that mean that if you couldn't pay those back and the business went bankrupt, they couldn't come after your house, or can they still do that?
Clare Veal:Oh, I'm not quite sure on that point. That's more of a question for a corporate lawyer. I know the basics about corporate law, like what director's duties are, but I don't, I don't think they would come, I don't know the answer for sure, but I'm pretty sure that they wouldn't come after you as an individual, but yeah, I think probably needs to check that with a corporate lawyer.
Rosie Gilderthorp:Yeah. And, you know, hopefully nobody's getting into that situation anyway. But I think, you know, when you hear about all of these, you know, perhaps politicians or famous people in the public eye that have had multiple businesses go bankrupt, I think that's part of the way that they do it and the reason that they do it is that they can get themselves into, get the business into debt and still live their lives. But definitely worth checking if you're considering taking out any loans.
Clare Veal:Yeah, definitely. Yeah. Well, you know, your accountant as well would be able to tell you the sort of rules around that as well, yeah. But yeah, have a think and have a chat. So, you know, your accountant, maybe talk to a corporate lawyer if that's something you're thinking of doing, but, yeah. I mean, yeah, like I said, the best thing to do is to weigh it all up at the beginning, because that's one of the key things that you need to think about before you set up your practice. Because obviously you can't set your practice up without knowing what you're going to be. Going back to that, once you, once you've decided what you're going to be, whether you're going to be a sole trader or limited company, the next big thing to think about when you're setting up your practice is to consider whether or not you're going to have a website. Now, if you're going to have a website, before you hit that publish button and make your website accessible to everybody, you need to make sure there's a few things on there to protect you from a legal perspective. You'll need to have, you know, a set of website terms and conditions telling people, you know, that the content on your website is yours. You also need to comply with the cookie rules. We'll talk a bit more about that later on in this when we talk about data protection, but you do need, at the moment, you need to have a little cookie pop up notice, and you'll need the all important privacy policy. You will need to make sure you tell everybody what data you're collecting about them, because websites will collect data about people, even if they're not interacting with the website. You know, if they're not clicking on the ‘contact us’ form and actually submitting information to you, the website is still tracking which pages you're visiting. So you need to have that privacy policy on there. I do have like a little handy checklist of things you need to think about when you're setting up your website. 
I think Rosie's going to pop that into the show notes, but that's a good checklist to go through. And then I suppose the other two main things you need to think about when setting up your practice is, first of all, you need to make sure you've got all the right documents in place. You know, you need a robust set of therapy T&Cs with your clients, which will need to include your client consents. You'll need, you know, if you're working with associates, you'll need agreements with them and any other third parties. So yeah, you need to have your documents in place. And then obviously last but not least, you need to think about data protection and privacy laws, that's going to be cropping up a lot for you in your work as a psychologist, bearing in mind, you know, that you'll be collecting a lot of health data. So you need to get your head around GDPR as well.
Rosie Gilderthorp:Yeah. And I think a lot of people get really scared about GDPR, and I'm not one of those people. I actually think that it's very sensible legislation and you have taken the fear out of it for me completely, Clare. But I do think it's really important because in the NHS or when I was employed by the prison service and kind of any public sector employment, you go through courses about, not GDPR, it wasn't at the time anyway, data protection, regularly, and it's easy to just kind of tick box it because in reality, all the structures are there for you. So you're using a system, which is already a secure system. So long as you don't do anything crazy, like, you know, save stuff onto the hard drive when it's meant to be in the cloud or whatever, then you don't have to worry that much about it because there are all these layers of security built in and there's, there's always a kind of data protection expert that you can access if you've got a question. In independent work, we don't have any of that. So you actually do need to understand it for yourself because there are quite a few judgement calls that come up, you know, strange situations where we'll talk about it in the community, and I might pop an email over to you because it's not straightforward. And if you don't understand those basic principles, then you're just going to feel really fearful every time something a bit unusual comes up.
Clare Veal:Yeah.
Rosie Gilderthorp:So thinking about that, then, could you just explain for us the basic principle behind GDPR?
Clare Veal:Yeah, of course. So, GDPR is basically the law for data protection. As most people know, it was originally a European directive, but obviously we're not part of the EU anymore. But since we left the EU, the GDPR directive has been adopted into UK law in the form of the UK Data Protection Act. It's often now referred to as UK GDPR, but basically the same rules as pre Brexit still apply here in the UK at the moment. So people in the UK are still looking at GDPR, and the main aim of that law was to promote greater transparency to individuals about what actually happens to their data. So I suppose the main thing is it's really important that you explain to your clients what data you're collecting about them, why you need that data, what you're going to be doing with it, and who you need to share it with. If you do all of that, then you're pretty much, you know, most of the way there to complying with GDPR. So it's really important, you know, that you explain to your clients what, what the data is you're collecting about them and why you need it. So you need to be transparent and have that privacy policy because the privacy policy will tick all of those boxes.
And so once you've got your privacy policy in place, that's pretty much the main thing you have to do. So you get your privacy policy in place, you get your consents, because health data requires, health data is known as special category data, which means that you have to get consent from people. And then you obviously just need to make sure that the processes that you have in place to run your business are GDPR compliant. So for example, if you're using WriteUpp, that's already GDPR compliant because WriteUpp have made sure that their system is safe. So like you were saying, you know, don't store things on your hard drive, stick it somewhere in the cloud. That's already GDPR compliant. So you just need to be aware of what you're doing with the data. And if you're not sure something's GDPR compliant, ask, you know, if you're not sure if WriteUpp is GDPR compliant, ask them, I'm sure they have like a massive privacy department where they'll answer all of your questions about data protection. And then I suppose the other thing you need to do is you need, definitely need to register with the ICO. Now the ICO is the Information Commissioner's Office and they are part of the government and they sort of look after all the data protection issues. They're like the watchdog. They will investigate any breaches and any organisation in the UK has to pay an annual fee to the ICO. I kind of like to think of it as a data protection tax. You pay that money so that the department can be run. They answer, you know, they can answer any questions you might have. So they're like a support resource centre as well. And then, sorry, going back to explaining the basic principle of GDPR, the other thing is, not only do you have to be transparent, but you mustn't be collecting excessive amounts of data about people. So, you only need, you only should be collecting what you actually need. So, you know, if you don't need to know who your client's GP is, then don't ask.
You know, if you don't need to know certain information, don't collect it. And the other big thing about GDPR, the other main principle is that you should only be keeping that data for as long as you need it. So don't, you know, don't keep it for any longer than you actually need it for. But there are, but on that point, there are some specific data retention periods that your regulators will need you to hold on to that data for, which we'll talk about later. But yeah, those are the key principles. So yeah, as long as you're being transparent, you're not collecting too much, you're not holding on for too long, you should be fine.
Rosie Gilderthorp:And I think, you know, just thinking about the privacy policies, people get really intimidated by this, and it's something we talk about a lot in the Start and Grow course, because it seems scary. But actually, I've always found writing and updating my privacy policy to be a very helpful process, because you don't want to be managing data ad hoc, it's a very stressful way of working. It means you won't know where things are. You might not have a good naming convention and all of that stuff just makes you feel chaotic, even if somehow you are keeping data safe, if you don't know explicitly exactly what you're doing, it's very stressful. So I always find it really helpful to write the privacy policy, mapping out exactly what I'm going to be doing with the information I collect from people, what I'm going to collect, being really thoughtful about what do I actually need, get all of that in the policy, and then make it true. So then make sure I build my systems and I have in my task manager, this is what I do every time a new inquiry comes in, for example, or when I'm onboarding a client, this is what I collect and when, and this is how I do it. So it's like the policy tells me how to run my practice. And I think that's a really valuable process. One question I do have for you though, Clare, and it comes up every time we talk about privacy and consent is, you know, how practically do people get that consent? Is it that we need people to physically sign? Can we use digital signatures? What do we have to do?
Clare Veal:Yeah. So you can do either of them. What you have to do, is you have to get it because you know, like I said before, it's special category data. So most people pop a little consent box at the end of their T&C's because people will normally sign their T&C's. So what's the harm of sticking a box there, just making it clear that they are happy for you to collect that health data about them. You should bear in mind that there's a distinction between special category data and personal data. So if you were, say for example, you were not going to be collecting any health data, which would be rare for psychologists, but just say for the sake of argument you weren't, then you wouldn't need to get them to tick a box at all. You would just simply signpost people to your privacy policy. That's if you're just collecting name, email address, you know, telephone number. It's only because you're collecting health data, you're collecting data about people's, you know, potentially their mental health history, medication, possibly any sort of surgery possibly that they've had. All of that would come under special category data and for that, under the UK laws, you have to collect it via a consent. So yeah, a tick box at the end of the form would be ideal. Some practices will have adopted electronic signatures. You know, you might be using things like DocuSign or Dropbox. Again, that's easy, that's fine. You just get, you know, by them clicking on the box and adding their signature, that's getting consents. Yeah, but the key thing is it has to be explicit consent. So you can't pre tick the box. So they have to actually tick the box or actually add their signature. They need to take a positive action, but otherwise, you know, any way that you want to collect it is fine. Some people even, some I've seen some practices simply just collect the consent by getting people to reply to an email with certain wording that can be consent as well.
It depends on how you're running your practice what, you know, what third party bits of software you're using, if you're ever not sure, like say for example, if you decided to use Dropbox, for example, and you weren't sure if that was GDPR compliant, you again, you just ask them, there'll be FAQs on Dropbox's or DocuSign's website telling you how they are complying with the data protection laws.
Rosie Gilderthorp:That's really helpful because I think often people think that there's going to be a right way and a wrong way to do it, but actually it's about that principle of proactive consent. And I think if you remember that, that it just has to be that I'm demonstrating that they have actively chosen to say yes to this, rather than it being like a default, I think that is usually going to be okay.
Clare Veal:Yeah, it will be okay. And obviously just make sure you keep a record of it.
Rosie Gilderthorp:Yes. Yeah. And that's the other thing, you know, every time I've talked to the ICO, and I have had lots of chats with them about various situations, it's always very much like just document your best thinking and how you made that decision, and you know, maybe in some cases evidence that you spoke to more experienced colleagues or that you took this to a peer supervision situation. And that is good enough because there's not, you know, I've often spoken to them about situations where there actually isn't a clear cut yes or no answer. It just has to be that you have responsibly thought it through and sought as much advice as you could to make that decision. Which, nobody wants to hear that answer, everybody wants, everybody wants ‘tell me what to do’. But often in situations, maybe where we're considering how much of our notes to give to court, for example, that comes up a lot, and that's the last conversation I had with the ICO. There wasn't a clear cut right or wrong, like you should give this, you should not give that. I had to make a judgement, but evidencing that I'd made that judgement with as much information as I could possibly take on board and as thoughtfully as possible was enough.
Clare Veal:Yeah, exactly that. I mean, you will find that a lot with the ICO. They will, you know, often not give you an answer. It's not black and white. There are shades of grey throughout all of this, you know, if you said some, if you ask the ICO, you know, how long should I keep this piece of data for? They won't be able to tell you the answer. They would say to you, you should only keep it for as long as is necessary. And what that means is, it will depend on the circumstances and what's happening with you and your practice and the data. There's no one answer fits all, unfortunately.
Rosie Gilderthorp:Yeah, and actually we should probably talk about the data retention periods, because I know you've created a really helpful document around that, because this is something I get asked all the time, how long do I need to keep stuff for? And all the bodies have competing information, don't they?
Clare Veal:Oh, it's so frustrating. I felt like when I prepared this guide, I felt like I was going mad because you read one thing that says seven years, you read another thing, it says 20 years, like what am I supposed to be doing? So I suppose, well, have a read of my guide, it depends on who you're regulated by, and if you're regulated by a few, then I suppose I, if it was me, I would just take the one with the longest period of time, just to cover all my bases. If you ask the ICO, they'll say for as long as is necessary. If you ask, oh, I can't, is it, I think it's BMA and BPS both say 20 years. I think the NHS says something slightly different and then the HCPC say something slightly different. I can't remember all the different time frames. You'll have to like, download my free data retention guide. But basically, they do all say different things. It will depend on who you're regulated by. You would just need to like, make a decision, take a view based on what you're doing, what type of client you have, who you're being regulated by, you know, if you're doing NHS work, it will be different. If you're doing private work, it'd be different. And also, the other thing is, it will be different as to whether it's a child or an adult.
Rosie Gilderthorp:Yes, that's something I noticed.
Clare Veal:The retention periods for children are different. So you have to sort of keep it for, I can't remember how many years, but once they get to the 25th birthday, then there's so many years you have to keep it for, but yeah, it's all complicated, which is why I did this guide, because, you know, talking to you now, I should have printed the guide off and I could have told you all the actual dates. But this is, this makes the point even more real. I can't actually remember all of the time periods because it's so complicated.
Rosie Gilderthorp:Yeah, no one could. No one could.
Clare Veal:If you're, if you are a psychologist and you're running your own private practice, my advice would be download my free guide, stick it on your wall. It's one page. You can, you don't, you know, you can just stick it on your wall and then you can, you've always got it there in front of you. You don't need to check about five or six different websites, which is what I had to do. And finding the information on the websites is difficult. There's conflicting information. But I feel really happy that I have this guide now because if a client asks me what the retention periods are supposed to be, I have it at my fingertips now. And this is why I haven't memorised the years and the periods because I don't need to anymore because I have my amazing guide.
Rosie Gilderthorp:Yeah, no, I think that's really useful. And it's, it's in the show notes to this episode, so you can just go along, click the link and download it from Clare's website. It's a very, very good thing to do, I think. But also it's worth just setting aside one day every year where you go back through and see if you've got anything that's coming up for deletion, because if you're in the first few years of your practice, you obviously won't, but once you get, for me past the seven year point, now I'm starting to find things that I need to delete from the first year of my practice, because for some of my data, not all of it, but for some of it, it's a seven year period. So it is, and that's because of the bodies I'm regulated by. So do go check, don't just take seven years. Do go and check.
Clare Veal:Yeah, you definitely should do that one day a year rule or set yourself up a calendar reminder because if you are holding on to data for longer than you're supposed to be, then that's in breach of the rules. So yeah, you definitely need to be actively deleting on a regular basis once you've hit that initial seven year mark in your, in your business, your practice, because if you're not, then, you know, why are you not? The ICO will ask, you know, why are you holding on to this data? And if you don't have an actual reason for holding on to it, then you could be in a little bit of trouble.
Rosie Gilderthorp:And if you're at the beginning of your practice, then making sure that you set up in a way that makes that easy for you. So if you're using something like WriteUpp, it's really easy because you can look, oh I'll go back to my 2016 clients, easy. If you're saving something in your own system, like maybe you're using OneDrive, Google Drive, Dropbox, then just make sure that the year is in your naming convention. Probably as the first part of your name in the naming convention, because otherwise trying to find the right data that needs to go is going to be a real headache for you, especially if you run a big practice or an associate practice where you're responsible for a lot of data. So this is another reason why I geekishly enjoy doing all the policies because it saves you nightmares further down the road. It's a bit like when I first went digital with tax receipts. I was like, this is amazing. If I get audited, I'm not going to have to go through filing cabinets of paper. Yeah, it just, that's the kind of thing that floats my boat.
Clare Veal:Yeah. Your naming convention idea is one that I use. So for example, if I was doing some work for you, I would store your folder would be Gilderthorp, Rosie, and then it would be 2024. I always do that. So then when I'm scrolling through, I literally don't have to open the folders. I just say, Oh, that folder was 2016, I'm going to delete that one. So yeah, that is a brilliant tip. I probably should tell people that more often.
Rosie Gilderthorp:Well, the thing is that I think you only find these things out by making the mistake. And because I'm somebody that has a naturally chaotic brain, I found lots of ways to kind of harness the chaos and rein it in a little bit so that I don't end up in such horrible pickles that I got in in my first couple of years.
Clare Veal:Yeah, because you don't want to get to that year seven mark and then have to go through every single folder and try and work out what year you did that piece of work.
Rosie Gilderthorp:Yeah, absolute nightmare. So anything that makes life easy, I am all about it. Absolutely. So one thing I wanted to ask you is, you know, how does this stuff differ when we're dealing with an organisation? So maybe we're providing training for a business or a charity, rather than dealing with an individual client who's paying us themselves.
Clare Veal:So, well, putting data protection to one side for a minute, on that basis, there's the key difference is, is that when you're providing services to an organisation, and you're going to be, say, for example, you're, you're like engaged with a client, and then you're going to be doing therapy with their employees, there's two different things going on there. First of all, the organisation, the corporate, the charity, whatever it is, will be paying you. So you'll need to have an agreement in place with them to say I'm going to provide these services for X amount of money and you need to sort of set out your liabilities, disclaimers, and you'll need to get some consents from the organisation that they've actually got permission from their employees to share their employees' data with you. That's the first thing. But then when you turn up and provide your therapy sessions to the individual employees, that's something different because they're not part of that contract. So you'll need to have a separate document for them, like a sort of, like a little policy document, which will basically tell them, you know, what you're actually going to be doing, who you are, what your professional information is, who you're regulated by, how they can make appointments with you, sort of more of the consumer type of information that you would have to give people, and also you'd need to collect a consent as well, because even though the employer has given you their name and email address, you will be collecting different data from them. The employer won't be collecting the health data, you will be. Also on that point, you might need to reassure the employee that you won't be sharing all of this health data with their employer. So you'll need to have a nice confidentiality clause which kind of sets the scene, reassures them. Obviously, they might be talking to you about sensitive issues that they might not want their employer to know about.
Rosie Gilderthorp:This is a big deal, actually, because if you're, and I've talked about this before on the podcast, if you're providing those clinical type services to individuals within an organisation, so maybe you're providing therapy or coaching is more common, through an organisation, you have to agree with whatever stakeholders you're contracting with, how much information they do expect you to give.
Clare Veal:Yeah, they might need to know certain things, they might need to know, for example, how many sessions you've had with that employee. But they don't necessarily need to know the details of the conversations that you've had during those sessions. But they will need to know certain, there'll be a certain level of information that you will probably have to tell them. And you can pop that in your policy and tell the employee, you know, we will be updating your employer with how many sessions you've had and how many more we think you might need. But you can reassure them to say, but we won't be sharing any of the specifics about the, you know, the health data that you're sharing with us.
Rosie Gilderthorp:Yeah. That's really helpful. And I think just making everything very explicit because it can feel like a bit of a strange triangular relationship where, you know, maybe you do have HR, for example, asking you questions that feel uncomfortable and having it written on paper, like, no, this is what I've agreed, I said I wasn't going to disclose the content of sessions and I will not be doing that. You know, having all of that up front is extremely useful. If you're doing something that is more directly aligned to job performance, so for example, there are types of coaching which fall under that, then it's thinking about, you know, what agreement can I have in place about information sharing from the beginning? Because in those situations, employers do tend to want much more information about what's happening in the sessions, which again, it's about being really explicit, but also thinking about the category of the data, because I'm guessing in that situation where it's more career focused and, you know, talking about job specific situations that might not come under health data, but it's possibly still personal.
Clare Veal:Yeah, it will still be personal data. I think what you just need to do is in that document with your employees, just, you know, with the employees, not yours, just make it clear what data you will be sharing, which you will obviously have to agree up front with the business before you get to that point. But yeah, you just have to agree it and just, you know, there will be some personal, there'll be some special category. I think there's not really a distinction between the two in that respect, it's just what you've agreed with the organisation. But if you are collecting the health data, then you just need to get the consent. Like I said earlier, if you're not collecting any health data, if it is just sort of coaching, you're not talking about any sort of health issues, then you probably don't even need to, well you don't, you won't need to get the employees to consent.
Rosie Gilderthorp:Right, that's really helpful.
Clare Veal:I have got like another pack actually in my shop for business coaches. So coaches, which you could tailor for psychologists as well, where they are going into organisations. And I've actually got a pack where I've got the agreement with the corporate, the policy with the employee, and I think there's a privacy policy in there as well, which has all been geared up for this triangular relationship.
Rosie Gilderthorp:Oh, that's really helpful. I'll put a link to that in the show notes as well. That's very useful. Because one thing I was wondering about there, was often if I go into an organisation to deliver training, I probably won't collect any data at all about the participants. If the session is recorded, that'll be done by the organisation and held by them. So in that circumstance, is there anything different that I need to do? Do I still need to get any kind of consent?
Clare Veal:No. So my pack also covers this point. There's a lot of business coaches will just do training and they won't do any one to one sessions with employees. You just need to make sure that the employer is on the hook for that. You have to put some wording in to say that they've already got all the permissions from the attendees of the workshop and the training to like be there, that they're aware that it might be recorded if it's going to be, you know, you just need to put the onus on the employer because you don't have the relationship with all of the individuals. You're not going to stand there at the beginning as they file in and get them all to sign a waiver. So put the onus on the employer.
Rosie Gilderthorp:Brilliant. It's just making sure that that's in your kind of B2B contract with the organisation.
Clare Veal:Yes. And then if something goes wrong, they're, you know, it's their fault. They were, that was their job to get the consents.
Rosie Gilderthorp:Brilliant, that's really helpful. So, you know, coming on to the negative, really, because you've been working with a lot of psychologists and therapists over the past few years, could you just give us some examples of common mistakes that people make?
Clare Veal:Yes, so there are a few. I suppose the main one is when somebody comes to me, a psychologist comes to me, and they've been using the wrong type of, you know, templates, that their agreements aren't geared up for what they're actually doing. So yeah, avoid the temptation for picking up cheap or free templates on the internet and trying to adapt them yourself, because there are a lot of issues that need to be covered. Not every single psychologist is running their practice the same way. Every, you know, I've seen so many different types of psychology practices, you know, some are just doing one to ones, some are doing a combination of that with some training, some people sell things online, there's like a whole, you know, some people just do it to businesses, there's like a whole range of ways in which you can run your practice. So don't just pick up any old template and think it will work. It probably won't. You need to, at the bare minimum, if you are picking up something yourself, you need to read it from end to end and make sure it's ticking all the boxes and covering all of the different compliance issues. Although you don't need to do that because we have our amazing pack, which is really good value and has been drafted specifically for psychologists. But you know, you need to make sure that you've got those consents in there. You need to make sure that you're mentioning the specifics of your industry, you know, like the safeguarding issues, the fact that supervision is going on. You know, just don't, that's the biggest risk, just using something that's not appropriate. Talking about consents, I've also seen some psychology practices not getting the right consents. You know, having those pre ticked boxes, it's a big no no, so make sure you're getting your consents in the right way. Another hot topic is IP, that's a big one where errors are typically made. 
I've seen a few agreements where the psychologist has done some work for another third party and they've given away all of their IP rights, meaning that they're not able to reuse that work or, you know, that they've created for themselves or with anyone else.
Rosie Gilderthorp:People often just can't believe how bad that is. It's not common sense, is it? Because you, you wouldn't think it was possible that an organisation could own something that you thought of and you created and maybe delivered once for them in a workshop. But it does mean you can't then deliver that workshop anywhere else. It's so bad. And what hurts me the most about that is that it's usually accidental on the part of the organisation. They just have that in their contracts. Nobody's thinking about it. So if you challenge it, there's very rarely any pushback at all, it's just being left there.
Clare Veal:Yeah, you’ve found a clause that they've forgotten to change. Yeah. So read that clause properly. Make sure that you get to own it because, you know, although sometimes people do work for an organisation and the organisation will own it and that's on purpose.
Rosie Gilderthorp:Yeah, the NHS does that. The NHS and a lot of universities. So watch out for that guys.
Clare Veal:Yeah. But if that, if that is the case and you're, and you don't mind, that's fine.
Just make sure you charge a bit more because you won't be able to reuse it. So it's a one off.
Rosie Gilderthorp:Absolutely. And there are circumstances where you'll happily do that. You might do something that's really bespoke for a particular company. It wouldn't make any sense outside that company. And so of course you're happy to do that for them, but you want to charge a lot for that kind of work.
Clare Veal:Yeah, definitely. But yeah, just, so I think the key takeaway there is make sure you do read that IP clause and make sure that you, you know, the rights are in the correct place. Now you're not giving away something that you need to hang on to, because that's a big error. The other error that I see quite a bit is where some practices haven't put proper agreements in place with their associates. So there's two things here. First, you need to make it really clear that they, those associates are not employees of yours. You don't want to be paying their PAYE National Insurance. So you need to make sure there's proper wording in the agreement to make it clear. But also in real life as well, you need to, even if the agreement says that they are not an employee, you need to make sure that in real life they're not acting like an employee as well. So don't, sort of make them out to be an employee. And the other thing is you need to make sure that that associate is clinically liable for the work that they carry out for you. And you obviously need to make sure that they've got proper insurance in place, because if the client sues you as the practice owner for something that the associate has done wrong, you need your associate agreement to be robust enough for you to go after the associate to recover your losses. So yeah, those are the biggest things that people come to me with, their gripes. And I sit here shaking my head, wishing I could go back in time and help them at the beginning.
Rosie Gilderthorp:I know. And I think, you know, that's what motivated us to start working together, wasn't it? All those years ago. Because so many of these things are entirely preventable, but to be honest, you know, I know it seems like common sense to you, but it's a bit like I always say to psychologists and therapists, we think everything we do is common sense. You think what you do is common sense, but actually this is, you know, decades of your expertise, and it's an absolute minefield for us. We don't understand it at all. Nothing in our training equips us to understand this. So I'm just really glad that we've got you on board helping us, you know, work our way through this so that hopefully less people will get caught out.
Clare Veal:Yeah. I think using the legal pack that we put together, like, gets rid of most of the risks. And then if there's anything that's, you know, if anything sort of bespoke comes along in your practice, like if, you know, you've got your pack in place, you've got your agreements in place, but maybe something, some opportunity’s arisen and it's not really covered by what you're doing, then just come and talk to, you know, talk to a commercial lawyer, have a chat and just check to make sure there are no risks that need to be covered off at the beginning. It's when people just don't talk. They think, oh, I don't want to go and talk to a lawyer. That's going to cost money. I don't want to spend money on this because this new project hasn't even started making any revenue yet. That's a big mistake because you need to cover off the risks at the beginning.
Rosie Gilderthorp:And it helps you take yourself more seriously as well. I always think from a psychological point of view, if you're not willing to spend enough money to protect yourself at the beginning of an opportunity, is that because you don't really think it's going to go anywhere? Because that's the signal that you're sending is that, you know, I don't really believe in this, I don't really back myself to do this properly.
Clare Veal:It’s just professional as well. It's professional. If you're going to be doing something new, check to make sure you're complying with all the laws. You know, there's lots of new, you know, areas of law that are rising all the time. There's the growth of AI for example. If you start to use AI in your practice, just check that there's nothing you should be doing, you know, to make sure that you're on the right side of the law. There aren't any laws at the moment for AI, but it will be regulated at some point. The government's talking about it a lot. And so that's like a new area. So if you, you know, there will always be new areas and new things to think about. Yeah, I think the best thing is just to talk to people, talk to a lawyer, make sure there's nothing you should be doing that you're not.
Rosie Gilderthorp:Yeah, absolutely. I think that's really important.
Clare Veal:Burying your head in the sand, that's probably the biggest risk.
Rosie Gilderthorp:Yes. Very, very true. So coming to that, we are doing a new workshop, aren't we, on the 17th of June. And that's because there are some changes coming to the data protection laws. What sort of changes are we expecting to see?
Clare Veal:Okay, I think you're, so you're referring here to the new Data Protection and Digital Information Bill. It's a bit of a mouthful. Otherwise known as DPDI.
Rosie Gilderthorp:Oh, catchy.
Clare Veal:Or maybe not that catchy. You could get the letters around the wrong way. But anyway, it's a, it's a new piece of law, which is still trawling through Parliament at the moment. We're currently waiting for a, I think it's the second or third reading at the House of Lords. It's expected to become actual law, maybe towards the end of this year, maybe the beginning of next year, it's dragging on and on. Anyway, the main aim of this piece of legislation is to update our data protection laws post Brexit, and to get rid of some of the red tape that GDPR has wrapped us all up in. So it's a good, it's good news. The new law will relax things slightly for business owners. So I think it would be a case of less requirements than more. So I think the key message is don't worry too much about this new piece of legislation. If anything, it just means you're going to have to do slightly less things than you are at the moment. It's hard to say exactly what's going to happen with this new piece of legislation until it's gone through Parliament and is actual law because they could change parts of it. But there are sort of seven key proposed changes that I think are most relevant to psychologists. The first one is that there's going to be a reduction in compliance costs because the bill is seeking to lower the amount of paperwork that organisations need to demonstrate to show compliance with data protection laws. So there'll be less of a need to carry out data protection impact assessments. So just less paperwork is the first one. The second one is that they're looking to clarify international data transfers. So at the moment, the whole law around if you're transferring data out of the UK, to say, for example, you're storing some data on a server in the US, there's a whole bunch of laws that you have to comply with. They're looking to make things easier by approving what they're calling data bridges to some other countries.
So that should make all of the whole rigmarole a bit easier. The third one, they are looking for a new ground for legitimate interests. So if you have a ground for legitimate interest for processing data, it means you don't need to collect consent. And the new ground that they're looking at is if there is a purpose to safeguard vulnerable individuals, then you won't need to get consent, that might make things a bit easier for psychologists.
Rosie Gilderthorp:Excellent. Yes. That could be extremely helpful. That would be for that nightmare situation where you come across somebody who is in a crisis situation, they haven't given you consent, they haven't filled out your privacy policy, they haven't signed up with you or anything, but you feel that you have to act immediately, which would involve, you know, storing some data yourself and contacting an agency that might need to support them. Doesn't come up often, obviously, but it's the kind of thing that scares us.
Clare Veal:Yeah, well that will make life easier for psychologists. There's also going to be a new data preservation process. So in cases of child suicide, social media companies will now be required to preserve the personal data that they had on their social media account, which could be used for investigations or inquests.
So I don't know if that might impact psychologists slightly, you might be able to get access to their social media accounts if you were part of an investigation.
Rosie Gilderthorp:Yeah, and I can see that becoming part of expert witness work down the track.
Clare Veal:Yes, definitely. There's that. Then the other good sort of change will be the change to cookies. So there might be some changes to the currently quite strict cookie laws that we have. There is the potential that they might remove the need to have cookie consent. So there's, there might be a cut down on the amount of pop ups and banners and consents we need, but that, we have to wait and see really exactly what changes will be made, but there’s thought that they might make some changes to the privacy regulations in that regard. So that's a good one. Then, they're going to make some changes to data protection officer requirements. So some businesses won't need one of them anymore, instead they'll just need a senior responsible person. But, there's a big but here, if your business collects special category data, so like health data, then you might still need to have a DPO. So I think for psychology practices, I think it might be a case of carrying on as before. But not any worse than what it is at the moment. And then they're also going to be implementing a new framework for digital verification service providers. I don't think that will really impact psychology practices much, but it's just one of the, that's probably like the biggest change that this piece of law is going to have. So I think once, you know, once that bill actually becomes law, I'm going to do a checklist for what businesses need to do. Like I said, I don't think there'll be many changes for psychologists. So I think, you know, just carry on as you are and don't stress about the new law.
Rosie Gilderthorp:I like that. Do not stress anybody. And particularly if you are one of the, you know, many people that has the legal pack from us, you get all the updates that Clare makes to our documents. So if there's ever a change, Clare updates documents straight away, and you'll get a notification that lets you know that the documents have been updated. So don't worry if you've got your pack and anything does change that's relevant to it, it will be updated. So you will have all of that. So thinking about our workshop on the 17th of June, what are the main points that we're going to be covering? And who would it be useful for?
Clare Veal:It's going to be a data protection extravaganza! How exciting. I've got to try and make it sound exciting. Basically it's going to be for anybody running their own practice, any clinical psychologists or any type of psychologists running their own practice, and it's going to be all the data protection things you need to think about. So what I'll do is I'll run through what should go in your privacy policy. I'll talk about health data and how you should be dealing with that and the consents you need to get. I'll talk about the cookie law, because it still applies, and you never know, it might not change, but at this point in time you still need to comply with it, so I'll talk about that. And I will also give you a little bit of insight on how you can actually work out what cookies are being used on your website because some people get the cookie policy and think, right, I need to fill this in, but I have no idea what cookies are being used on my website. So I'll talk about how you can work that out. Then I'll run through what you need to think about when you're sharing data. So when you're sharing data with associates or other third parties like your VA. So I'll be touching on data processing clauses a little bit, but not the nitty gritty, just the fact that you need them and how you can pop them in. And then I will do a little overview on what you need to think about with respect to marketing, just in case anybody wants to start an email newsletter list. And then I will touch on the data retention periods. I'll actually print my guide out and have the specific years, you know, and I'll talk through the different rules for the different regulatory bodies. So I'll help unravel all of that nonsense. And then finally, I'll mention the DPDI and I might go into a little bit more detail about what it might mean for psychology practitioners. So, yeah. So yeah, come along. It will be fun.
Rosie Gilderthorp:Amazing. I'm really looking forward to it. And the sign up page for the workshop is now available, and it's in the show notes for this episode. And if you're a member of Start and Grow or our alumni membership, you will get free access to the workshop, so watch your inboxes for details of that. If you aren't a student or a member, you can buy a ticket to join us on the 17th. And everyone who signs up will get access to the recording for three months. Thanks so much for joining us today, Clare. I know that you've generously made your downloadable list of data retention periods available for people to download for free. So I'm going to make sure the link to that is in the show notes because I think people listening to this will definitely want it, but where is the best place for people to find out more about your work and connect with you?
Clare Veal:Yeah, so people can visit my website, which is auberginelegal.co.uk. There's a ton of resources on there for psychologists, including some specific blogs for psychologists running their own practice. There's also some other free checklists. And also some resources in my shop, including a clinical will with a guidance resource. And then, apart from my website, people can find me on LinkedIn. I post quite regularly there. This month I'm running a whole series on the legal things to think about if you have a website. And then people can also sign up to my newsletter. I send out a newsletter at the end of every month, which includes links to my new blogs and changes to the laws. And then finally, people can just reach out via email or pick up the phone. I'd be happy to help anyone.
Rosie Gilderthorp:That's amazing. Thank you so much, Clare. I think this has been a really informative interview.
Clare Veal:No, thanks for having me today. It's been lovely to chat to you about these legal things.