Counsellors who use Zoom: what your client doesn't realise about online sessions

When a client books a Zoom or Teams session with you, they assume the conversation is private in the same way it would be in your consulting room. That assumption is reasonable. It is also incomplete.

Online sessions don't change your duty of confidentiality, but they do introduce a layer between you and the client — the platform — and that platform processes data in ways that are not always obvious.

This isn't an argument against online therapy. Most UK therapists now do at least some sessions remotely, and there are good reasons for that. The point is that online therapy comes with data protection responsibilities that an in-person session simply does not have, and many therapists haven't worked through them.

What the platform actually does with the session

The first thing to know is that the platform is a data processor, not a passive conduit. The audio and video flow through the provider's infrastructure. Some metadata is logged. Recordings, if you make them, sit somewhere. Transcripts, if generated, sit somewhere too.

It is worth taking ten minutes to read the privacy and security pages of whatever platform you use. The relevant questions are usually:

Is the session encrypted in transit, and is it end-to-end encrypted?
Where is data stored, and for how long?
Is the data used to train AI features, and can that be turned off?
What is the controller-processor relationship between you and the provider?

Each platform answers these differently, and the answers change. Zoom's terms have been updated several times in the past two years. Microsoft Teams' approach to AI features is evolving. Meet's data handling sits inside Google's broader privacy framework, which is its own large document.

The recording question

If you record sessions — even with the client's clear consent — you are now storing sensitive personal data. That data has to be protected, retained for a defined period, and securely deleted when the retention period ends. Recording locally to your laptop is not, on its own, a compliant arrangement. Recording to the cloud means choosing where and under whose terms.

A surprising number of therapists have a recording in a downloads folder from a session three years ago and have never thought about it again. The Data Protection Act doesn't care that you forgot — it expects you to have a documented retention policy and to follow it.

The AI features changing the landscape

Several major platforms now offer automatic transcription, AI summaries, or assistant features that listen during a meeting. These are sometimes turned on by default for paid accounts. Some of them send the audio to a third-party AI provider for processing.

For most professional uses this is convenient. For a therapy session, it almost certainly isn't appropriate. If your platform has any AI feature enabled, check that it is turned off. Then check again after each platform update — features that were opt-in last quarter sometimes become opt-out the next.

What to check before your next online session

A short list:

Confirm what platform you use is genuinely fit for confidential sessions and that you have read its current privacy terms
Disable any auto-recording, auto-transcription, and AI assistant features
If you record sessions, document why, get explicit consent, and write down your retention period
Make sure the platform is named in your privacy notice as a data processor
Use a paid or business-tier account where possible, because the terms tend to be clearer about what the provider does and does not do with the data

None of this is dramatic. It is small, careful housekeeping. But the alternative — discovering after the fact that your platform has been generating transcripts you didn't know about, or that recordings you thought were local were actually synced to a cloud — is the kind of thing that becomes a serious problem very quickly.

The convenience of online therapy is real. So is the additional thinking it requires.