Insights: Compliance
11 April 2026

What to do if a client asks to see their records

Subject access requests are one of the most common data protection issues therapists face. The DUAA 2025 has changed the rules. Here is a practical guide.

A client emails you. They have ended therapy — perhaps recently, perhaps some years ago — and they want to see the notes you made about them. What do you do?

This scenario is more common than many therapists expect, and it is one of the areas where data protection obligations and therapeutic practice intersect most directly.

The right to subject access

Under Article 15 of UK GDPR, every individual has the right to request a copy of the personal data you hold about them. This is called a Subject Access Request, or SAR. The right applies to former clients as well as current ones.

You are required to respond to a SAR within one calendar month. If the request is complex, you can extend this to three months — but you must tell the person within the first month that you are extending, and why.

There is no fee for a SAR (unless it is manifestly unfounded or excessive).

What the DUAA 2025 changed

The Data (Use and Access) Act 2025 introduced a significant qualification to the SAR obligation. Under the updated rules, you are only required to conduct a "reasonable and proportionate" search in response to a SAR. This replaces the previous expectation that you would search exhaustively for all data.

What this means in practice: if a client asks for all data you hold about them, you are not required to search every email archive, every paper notebook, and every backup drive. You are required to conduct a reasonable search of the places where you would normally keep client records — your therapy notes, your intake forms, your appointment records, any correspondence.

This is a significant and practical change. It does not reduce the right to access — it reduces the burden on the data controller to conduct exhaustive searches.

What to include in your response

When responding to a SAR, you should provide:

A copy of all therapy notes. This includes session notes, intake forms, risk assessments, and any other notes made about the client in the course of their therapy.

Contact information. Any emails, letters, or messages between you and the client.

Appointment records. Dates of sessions, cancellations, and DNA (did not attend) records.

Any information shared with third parties. If you have written to a GP, made a safeguarding referral, or corresponded with an insurer about the client, this should be disclosed.

What you can withhold

There are circumstances in which you can withhold information:

Third-party information. If your notes contain information about a third party — a partner, family member, or colleague mentioned by the client — you may need to redact that information before disclosing.

Information that could cause serious harm. In limited circumstances, you can withhold information if disclosing it would be likely to cause serious physical or mental harm to the client or another person. This is a high threshold and should not be used lightly.

Legal professional privilege. If you have taken legal advice in connection with a complaint by the client, the legal advice is privileged and does not need to be disclosed.

The therapeutic dimension

SAR requests often arise in the context of a difficult ending, a complaint, or a period of reflection by a client about their experience of therapy. They can feel confrontational, even when the client's motivation is simply curiosity or a desire for closure.

It is worth remembering that responding thoughtfully and promptly to a SAR — providing what you are required to provide, explaining what you have withheld and why — is itself an act of respect for the client. How you handle a SAR says something about how you handle client relationships.

Having a process

The best time to think about how you would handle a SAR is before you receive one. A simple process — a template acknowledgement, a checklist of what to include, a note of the one-month deadline — means you can respond calmly and confidently if the moment comes.

Your privacy policy and GDPR statement should explain the right to subject access and how to exercise it. Your compliance page should make it easy for clients and former clients to make a request.
