Reflexologists and GDPR: why the AoR approach is different
Reflexologists who are members of the Association of Reflexologists have different data protection obligations to counsellors and psychotherapists. Here is what you need to know.
Most GDPR guidance aimed at therapists is written with counsellors and psychotherapists in mind. If you are a reflexologist and a member of the Association of Reflexologists, some of that guidance does not apply to you in the same way — and some of it is actively wrong.
Here is what is different, and why it matters.
The lawful basis is different
Counsellors and psychotherapists typically process client data under a contractual basis — Article 6(1)(b) of UK GDPR. The therapy happens under a therapeutic contract, and the processing of data is necessary to fulfil that contract.
For reflexologists, this basis is less clearly applicable. Reflexology is a complementary therapy rather than a talking therapy, and the therapeutic contract model is less established. The Association of Reflexologists' guidance — and the approach taken by most GDPR advisors who work with AoR members — is to rely instead on Article 6(1)(f): legitimate interests.
Specifically, the legitimate interest is your interest as a practitioner in retaining the information you need to provide safe and effective treatment, and to comply with your professional insurance requirements.
The special category basis is the same
For health data — which includes the health history you collect from clients before and during reflexology sessions — the Article 9 basis is the same as for other therapists: Article 9(2)(h), processing necessary for the provision of health care treatment by a health professional subject to a professional obligation of confidentiality.
The professional obligation of confidentiality for AoR members comes from the AoR Code of Practice and Ethics. This is the document that establishes your confidentiality obligations and, importantly, provides the basis for your Schedule 1 condition under the Data Protection Act 2018.
The Appropriate Policy Document reflects the AoR
Your Appropriate Policy Document — the internal compliance document required by Schedule 1, Part 4 of the DPA 2018 — should reference the AoR Code of Practice and Ethics as the source of your professional obligation of confidentiality. A generic APD that references BACP's Ethical Framework is not appropriate for AoR members.
Retention periods
AoR guidance recommends retaining client records for seven years after the last treatment — one year longer than the BACP recommendation of six years. This reflects the different professional insurance requirements and the nature of the AoR's guidance.
For clients who were under 18 at the time of treatment, records should be retained until the client reaches the age of 25.
What your privacy policy should say
An AoR-compliant privacy policy should:
- State that your lawful basis is legitimate interests under Article 6(1)(f), not contract
- Explain what those legitimate interests are (providing safe treatment, meeting insurance requirements)
- Reference the AoR Code of Practice and Ethics as the basis for your confidentiality obligations
- State a seven-year retention period for adult clients
- Include a legitimate interests assessment or reference to one
A generic therapy privacy policy written for counsellors will not contain any of this. Using one as an AoR member means your policy does not accurately describe your processing — which is itself a compliance issue.
The BRA and other reflexology bodies
If you are a member of the British Reflexology Association rather than the AoR, the same broad approach applies — legitimate interests, seven-year retention, reference to the BRA's professional standards. The specific wording of your APD and privacy policy should reference your actual professional body.
Getting it right
PolicyDiary generates documents specifically tailored to AoR members, with the correct lawful basis, retention period, and professional body references throughout. If you have previously used a generic therapy template, it is worth reviewing whether it accurately reflects the AoR approach.