Legislation, 21 March 2026

The document your therapy practice almost certainly doesn't have

Most UK therapists have a privacy policy. Far fewer have the document the Data Protection Act 2018 actually requires them to have. Here's what it is — and why it matters.

Most UK therapists have a privacy policy. A good number have a cookie policy. But there is a third document — one that the Data Protection Act 2018 explicitly requires if you process health data — that the vast majority of therapists in private practice have never heard of.

It is called an Appropriate Policy Document, or APD.

What is an Appropriate Policy Document?

Schedule 1 of the Data Protection Act 2018 sets out the conditions under which you can process special category data — which includes health and mental health information. Therapy notes, presenting issues, diagnoses, medication, trauma history: all of this is special category data under UK GDPR.

To process that data lawfully, you need to satisfy one of the Schedule 1 conditions. For most therapists, the relevant condition is Part 1, paragraph 2: health or social care. This applies to anyone providing health treatment who is subject to a professional obligation of confidentiality — which describes virtually every registered therapist in the UK.

Here is the critical part: Schedule 1, Part 4 requires that where you rely on a Schedule 1 condition to process special category data, you must maintain an Appropriate Policy Document. This document must:

  • Identify the Schedule 1 condition you rely on
  • Explain how you comply with the seven Article 5 principles of UK GDPR
  • Set out your data retention and deletion policy
  • Be made available to the ICO on request
  • Be retained until at least six months after your processing ceases

Why almost no therapists have one

The requirement exists in the legislation, but it receives almost no attention in the guidance aimed at therapists. BACP, NCPS, UKCP and other professional bodies do an excellent job of explaining privacy policies and data retention. The APD is rarely mentioned.

The result is that the majority of therapists in private practice are technically non-compliant not because they have done nothing, but because they have done most things — just not this one.

What happens if you don't have one?

The ICO can request an APD from any data controller who processes special category data under Schedule 1. Failure to produce one is a breach of the DPA 2018. In practice, the ICO is unlikely to target individual therapists in private practice — but the obligation is real, and a client complaint or subject access request is exactly the kind of scenario that can prompt scrutiny.

What should an APD contain?

A compliant APD for a therapy practice should include:

The Schedule 1 condition you rely on. For most therapists this is Part 1, paragraph 2 — health or social care. AoR reflexologists may rely on a slightly different basis under the AoR Code of Practice and Ethics.

How you comply with the Article 5 principles. These are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Your APD should address each in the context of your practice.

Your retention policy. How long you keep adult client records (six years for BACP and NCPS members; seven years for UKCP, BABCP and AoR members), how long you keep records for clients who were minors, and what happens at the end of the retention period.

Your safeguards. Encryption, locked filing cabinets, supervision arrangements, clinical executor, ICO registration.

A review date. The APD should be reviewed annually and updated when your processing changes.

The APD is not client-facing

Unlike your privacy policy, the APD is an internal compliance document. Your clients do not need to see it — but the ICO can ask for it. Think of it as the paperwork behind the paperwork.

PolicyDiary generates an APD automatically as part of your compliance documents, tailored to your professional body, retention obligations, and the tools you use. It sits in your dashboard as a private document — not published on your compliance page — ready to produce if you ever need it.

If you do not currently have one, now is the right time to sort it.
