a laptop for online counselling

Privacy and Confidentiality


Let’s summarise all the privacy challenges we need to keep in mind when using technology:

1. If the client’s or counsellor’s phone/laptop/tablet is lost or stolen, could they delete the data remotely?

This is to ensure nobody can easily hack their device if lost or stolen and impersonate the client or the therapist to obtain further information. However, I recommend to follow all the advice under the "Technical Advice" page: “Cyber-Security Steps to take before starting Online Counselling” to ensure that if any data is recovered by a hacker, it is minimal.

2. If clients change device and sell the old one, how do they ensure all the data is erased?

The therapist never sells old devices, the reason being is because even if you “erase with a software tool all the data in the hard drive” there are other software tools that can recover all the “erased data”, if a laptop can’t be fixed, the hard-drive is erased and rebooted to factory setting, then the hard drive is physically removed from the laptop and physically destroyed with a drill, this is all done before disposing appropriately of the rest of the laptop. Here is a guide on how to destroy a hard drive in a safe way, to ensure that nobody can access any data from it:

3. In the case of a broken tablet/phone, if it can’t be fixed:

The sim card and memory card are removed and the tablet/phone’s system rebooted to factory setting before it’s physically destroyed to ensure there is no data leaks. Here are some important tips from uscybersecurity.net about mobile cybersecurity before destroying you mobile:

As previously mentioned, the reason why all devices are physically destroyed if they no longer work, is because if software is used to erase data from the device, there is other software that can recover data, therefore the data is never really erased from the device unless it is physically destroyed, ensuring no data can be recovered from it.

For tips on the following challenges, please read the section “How to make the most of our time during the online sessions” presented below under “Professional Boundaries”

4. Can a client’s family member have access to the same computer?

If so, would they have access to their email account or video-calling/live-chat software? If not, where does the client keep the password safe away from other family members?

5. Can anyone hear your conversation within your house, or maybe a neighbour or someone outside your house?

6. Can anyone interrupt you in the middle of a session? Are you in a private closed room?

7. Can anyone see inside of your room from outside during a session?


Online Safety Guidelines for Therapist & Client

Ensure that Anti-Virus, Anti-Malware and Firewall software protection are in place, and the operating system and all the above are up-to-date at all times, the device you use and all your communication software is password protected (and this password wasn’t shared with anyone), the Wi-Fi connection is encrypted (with a unique secret password in place, not shared with anyone outside the household), ideally use VPN connection (Virtual Private Network) this ensures higher encryption when the data travels through the internet (therefore making it harder to be intercepted by hackers), the therapist uses the free of charge, open source and safe software ProtonVPN.

Important Note: VPN shouldn’t be used for videocall therapy because it slows down the connection a lot, making it really hard to carry on with the videocall. However, it is recommended when using email or live chat, since they require less internet bandwidth. ProtonVPN can be downloaded for both pc and mobile here.


Data Disclosure and Sharing

I will never sell any of your data to any third parties. The only times that a minimal part of your data will be shared with a third party, would be due to any of the legal limitations to confidentiality stated below.

As I aim to offer confidentiality regarding the content of our sessions, I would ask that you do the same by not sharing any of the content of our sessions with any third party.

If you have any questions regarding the content of this agreement, or would like further information, please contact me on: jtortosacounselling@protonmail.com

GDPR Compliance for Software Platforms Used during Therapy

Please click on the following links for full information:

Signal and the General Data Protection Regulation (GDPR ...

Signal and the General Data Protection Regulation (GDPR): Signal is committed to protecting your privacy and the security of your data. Signal cannot sell, rent, or monetize your data or content in any way - ever.

Signal Messenger Review: Secure Messaging

Signal is generally considered the most secure messaging app in existence. 100% open-source code. The code is available on GitHub. The Signal Messaging Protocol was independently audited in 2016. The service is fully GDPR compliant. Clients for Android, iOS, Mac OS, Windows, Linux.

Secure personal messenger · Wire

Wire Personal is a secure, privacy-friendly messenger for personal use. It combines useful and fun features, audited security, and a beautiful, distinct user interface. It does not require a phone number to register and chat. End-to-end encrypted chats, calls, and files. Crystal clear voice and video calling.

Wire is fully GDPR compliant and helps its customers to deal with the requirements of GDPR. By encrypting all communication, we ensure that no sensitive data is available to Wire as a 3rd party thus reducing the number of data processors a business needs to deal with.

Sync Cloud Service: GDPR compliance update - Sync | Secure Cloud Storage

We are fully committed to providing better privacy protection in the cloud, including GDPR compliance. Privacy by default is the reason why we built Sync. Your data is always encrypted in the cloud, and in terms of your file data, only you have access (we don't). Protecting your security and privacy in the cloud is what we're all about.

DocuSign: Data Management and Privacy Practices for DocuSign ...

DocuSign operates in accordance with fundamental privacy principles that underlie the General Data Protection Regulation (GDPR) and other international privacy regimes, with respect to an individual's right to know what and how their personal data is collected and used.

Data Protection & Client’s Rights (GDPR Statement)

Under the General Data Protection Regulations 2018, you have certain rights. These are:

  • You are allowed to access your session notes and all of your data held by J Tortosa Counselling. This is facilitated within 30 days of your formal request to the counsellor via the following email: jtortosacounselling@protonmail.com
  • Records are kept for 3 years after termination of therapy and then destroyed. This is according to the complaints’ procedure of my ethical body NCS. Because GDPR laws don’t establish a maximum amount of time to keep personal details, however the amount of time needs to be justified.
  • Having your records amended (change of name, home address, email, phone number or GP details)

Erasure of Data/ “Right to be Forgotten” (exclusions)

Under GDPR you can request your data to be erased. However, there are exceptions to this in the counselling profession:

In the case of counselling records, insurance companies and ethical bodies ask for records to be available for the period of time as outlined above in case a complaint is raised within that time period. My insurance company is Hiscox.

Limits of Confidentiality and Legal Obligation

Counsellors have a duty to maintain client confidentiality by not discussing client material inappropriately, storing client data securely and according to the law, and to ensure clients are clear about the limits to confidentiality and when confidentiality may need to be broken.

There are boundaries and limits to confidentiality in certain cases, confidentiality will be broken without the client’s consent if:

1) The therapist is required to do so by subpoena (court order or instructions from a coroner).

2) The client infers involvement in or knowledge of an act of terrorism or of money laundering.

3) The client infers knowledge of or involvement in drugs trafficking under the Drug Trafficking Act 1994.

4) When the client poses an imminent danger to themselves or others, and breaking confidentiality is necessary to resolve the danger (there must be justifiable concerns from the therapist to do so). This information would be shared without your consent with the therapist’s supervisor firstly, and in urgent cases the emergency services and your GP.

5) The client infers knowledge of or involvement in any behaviours that may lead to harm or neglect to vulnerable adults (elder or dependent adult abuse) and to children, including Female Genital Mutilation (FGM), or sexual abuse which are criminal offences, then the appropriate authorities need to know. Additionally, if there is a serious safeguarding concern and somebody is at risk, then the therapist has a duty to share this information to keep people safe. This information would be shared without your consent with the therapist’s supervisor first of all, and when necessary, the NSPCC (in the case of children and young people up to 18yo) Hourglass (about elder people) and your GP (for vulnerable people of any age, including 18yo+)

Definition of Terrorism according to the Crown Prosecution Service in the UK:

Terrorism is the use or threat of action, both in and outside of the UK, designed to influence any international government organisation or to intimidate the public. It must also be for the purpose of advancing a political, religious, racial or ideological cause. (Terrorism Act 2006)

Examples include:

  • serious violence against a person or damage to property
  • endangering a person's life (other than that of the person committing the action)
  • creating a serious risk to the health or safety of the public or a section of the public
  • action designed to seriously interfere with or seriously to disrupt an electronic system

It is important to note that in order to be convicted of a terrorism offence a person doesn't actually have to commit what could be considered a terrorist attack. Planning, assisting and even collecting information on how to commit terrorist acts are all crimes under British terrorism legislation.

Definition of Money Laundering according to the Crown Prosecution Service in the UK:

Money Laundering is the process by which criminal proceeds are sanitised to disguise their illicit origins. Acquisitive criminals will attempt to distance themselves from their crimes by finding safe havens for their profits where they can avoid confiscation orders, and where those proceeds can be made to appear legitimate. (Sanctions and Anti-Money Laundering Act 2018)

What is a vulnerable person according to UK laws?

In general, a vulnerable person is either a minor or someone of any age who, for reasons like mental health issues, disability, age or illness, is unable to look after themselves or their finances or protect themselves from harm or exploitation.

Notes and Record Keeping of Sessions

My policy is to keep minimum notes and records. The information I do store includes:

You can request in writing to see the information held on you. If you have any concerns about my policy on confidentiality and note-keeping, you're welcome to discuss it fully with myself as your counsellor.

Important Note: I use a “Split Note System”, which gives every client a unique identifying number together with the initials of their full name in one spreadsheet document, and on a separate spreadsheet document the rest of the identifiable information from the client, and then a third document with the ID number containing the session notes for that specific client, the three documents, as well as the signed contracts are then password protected and then stored in an encrypted folder on the pc and also backed up in the end-to-end encrypted cloud service Sync.

What is a Professional/ Clinical Will?

Although professional wills are not legal documents, they do offer practical and safe procedures in the event that a therapist is unable to practice or dies.

By making a professional will and appointing an executor to implement the wishes of the therapist, there is peace of mind that clients are offered the best possible service.

If implementing a professional will, it is necessary to get express client permission in writing. Specific details from the clinical will only be shared with clients in the event of the therapist’s serious illness or death.

A professional/clinical will helps with the following:

Professional Boundaries

It is normal that sometimes during sessions, clients can be triggered by certain topics, visuals, tone of voice or specific words which can make you feel uncomfortable or overwhelmed by emotions, or you may feel like a boundary has been crossed by the therapist, it is extremely important that you tell your therapist about these feelings as soon as you feel able to, so it can be discussed within that or a future session. You can talk about how it made you feel, so we can explore together how this situation came to be and how you would like me to change it as your therapist.

Dual Relationships

When a client and therapist are engaged in another relationship or interaction outside of the role of therapist and client, this is known as a dual relationship. Dual relationships can manifest in a number of ways:

  • A family/friend connection
  • A business relationship
  • Online interaction, e.g., social media
  • A collegial relationship
  • Neighbours
  • Same religious congregation, shared group, hobby or club

The BACP ethical framework states: “…any dual or multiple relationships will be avoided where the risks of harm to the client outweigh any benefits to the client.” (BACP, 2018).

This guidance asks that we use sound ethical decision-making in any situation where dual relationships might present themselves, and that we proceed with caution, avoiding dual relationships wherever possible.

Social Media Policy

In the modern world, it is important that we consider how our personal and professional online presence might impact on the therapeutic relationship and ensure we are maintaining online boundaries in a way that protects the integrity of the therapeutic relationship and promotes trust.

The 2018 BACP ethical framework addresses the issue of social media use: “reasonable care is taken to separate and maintain a distinction between our personal and professional presence on social media where this could result in harmful dual relationships with clients” (BACP, 2018).

Consequently, any private messages or public enquiries through posts between client/therapist through any type of social media is strictly forbidden in order to maintain safe therapeutic boundaries. The initial contact from the client with the therapist should be done through ProtonMail or Counselling Directory enquiry form, the reason for the use of this email platform from the very beginning of the therapeutic relationship is to ensure maximum confidentiality and safety when interacting online so there are no data leaks when sending sensitive information.


Sometimes clients may wish to offer their therapist a gift at the end of therapy or on a special occasion. Some therapists may choose not to accept gifts from their clients, and in order to avoid an upsetting rejection, it is a good idea to make such a policy clear from the outset of therapy.

“Good Therapy.Org” states: Although gifts may seem appropriate between a person in therapy and their therapist, receiving and giving gifts can be a source of stress for the therapeutic relationship. It can hurt therapeutic progress, and it can have serious consequences. Professional ethics codes typically caution therapists from giving or receiving gifts within a therapy relationship.

How to make the most of our time during the online sessions:

Please note that these guidelines are also followed by the therapist.

Contact out of session time or between sessions

In the case of the therapist having an emergency/urgent situation, you will be contacted as soon as possible, to reschedule an imminent appointment. How (email/ phone call through Signal or Wire/ message via Signal or Wire messenger/ standard text message), and when would you prefer, I contact you in this unlikely event?

Should you not attend a session on time, would you like me to contact you? If so, how and when?

Should you miss a session, would you like me to contact you? If so, how and when?

Contacting the therapist

Contact between sessions will be limited to the below condition: Should you need to notify me to cancel or reschedule an appointment 48 hours or more in advance, please send me an email to: jtortosacounselling@protonmail.com

Find me at

facebook icon linking to jtortosa online counselling facebook page instagram logo to link back to JTortosaCounselling's Instagram account


Counselling Accreditation Logo counselling directory logo trauma informed counsellor badge