Professional bodies | 2 April 2026

What your BACP membership actually requires from you on data protection

BACP's Ethical Framework sets clear expectations about how members handle client data. Here is a plain-English guide to what those expectations are — and how to meet them.

BACP is the largest professional body for counsellors and psychotherapists in the UK, with over 70,000 members. Its Ethical Framework for the Counselling Professions sets out the standards that members are expected to meet — including on data protection.

For many BACP members, the intersection of their ethical obligations and the legal requirements of UK GDPR is unclear. This guide sets out what your BACP membership actually requires.

The Ethical Framework and data protection

BACP's Ethical Framework does not contain a detailed data protection policy. What it does contain is a clear commitment to respecting client confidentiality and to good record-keeping practice. Section 50 of the framework states that practitioners should "store records securely and in ways that protect confidentiality."

BACP has also published separate guidance on record-keeping that is considerably more specific. Key requirements include:

Retention of records for six years after the end of the therapeutic relationship for adult clients. BACP guidance aligns with the ICO recommendation of six years, though some therapists retain for longer based on insurance requirements.

Retention until age 25 for clients who were under 18 at the time of therapy. If a client was 16 when you worked with them, their records should be retained until they are 25 — not for six years from the end of therapy.

Secure storage. Electronic records should be encrypted and password-protected. Paper records should be kept in a locked filing cabinet. Access should be restricted to the therapist and, where applicable, a clinical executor.

Supervision arrangements. BACP members are required to attend regular clinical supervision. When discussing client work in supervision, records and identifying information about the client should not be shared. Supervisors should use anonymised material.

The lawful basis for processing

Under UK GDPR, you need a lawful basis to process client data. For BACP members providing therapy, the appropriate basis is Article 6(1)(b) — contract. Processing is necessary for the performance of the therapeutic contract between you and your client.

For health data specifically — which includes therapy notes, presenting issues, mental health diagnoses, and relevant medical history — you need an additional basis under Article 9. The appropriate basis for BACP members is Article 9(2)(h): processing necessary for the provision of health or social care treatment by a health professional subject to a professional obligation of confidentiality.

You also need a Schedule 1 condition under the Data Protection Act 2018. For BACP members, this is Part 1, paragraph 2: health or social care.

What documents you need

A BACP member in private practice needs:

A privacy policy that reflects your specific practice — your tools, your retention periods, your lawful basis, your supervision arrangements.

A cookie policy if your website uses cookies. Under the Data (Use and Access) Act 2025, statistical cookies like Google Analytics no longer require prior consent, but they must be disclosed.

A data retention policy that sets out your six-year retention period, your extended retention for minor clients, and your secure deletion process.

A GDPR statement — a client-facing document explaining how and why you process data.

An Appropriate Policy Document (APD) — an internal document required by Schedule 1 of the DPA 2018. Most BACP members do not have one. It is not client-facing, but the ICO can request it.

The DUAA 2025 and complaints

From 19 June 2026, the Data (Use and Access) Act 2025 requires all data controllers — including individual BACP members — to have a formal complaints procedure. Complaints must be acknowledged within 30 days and resolved within three months. Records of complaints must be kept for six years.

Staying up to date

Data protection law changes. The DUAA 2025 is the most significant change since GDPR came into force in 2018. BACP members should ensure their compliance documents are reviewed annually and updated when the law or their practice changes.

PolicyDiary generates all five required documents tailored specifically to BACP members, with the correct six-year retention period, BACP-specific lawful basis language, and full DUAA 2025 compliance.
