Avoiding The Cone of Silence While Protecting Your Client’s Privacy
Note: keep an eye on our website for workshops showing you how to effectively use online video for therapy. Better yet, subscribe here on our website and receive occasional updates about our training events.
While most of us communicate every day, often about sensitive matters, using telephones, email, post, and social media, there is often very heated discussion about whether the use of Skype or FaceTime is “secure” enough for online therapy and consultations.
The Information Commissioner’s Office has already issued the following statement:
“The ICO’s official position on this is that the Data Protection Act 1998 (DPA) would not prevent the use of Skype for online Counselling. The DPA requires the data controller to consider the security implications with such use and then implement measures to ensure the information is appropriately secure.”
“In addition to this we would expect you to ensure that the individuals who could potentially use this service is made fully aware of how you will use the service i.e. what is likely to be discussed, what if anything will be held as a result of use along with any security implications. If the individual consents to the use of Skype for the purpose of online counselling after being given the relevant fair processing you would be able to go ahead with such use.”
This statement was issued within the past couple of years, but is essentially the same response we received, in writing, from the ICO more than ten years ago.
So, who’s using Skype and other platforms for therapy?
The NHS has launched medical and therapy plans across the country using Skype. Relate is using Skype as a platform. Do I really need to say any more?
It helps to understand a little bit about data, security, and responsibility in formulating your own approach to this.
The most common form of data breach is the loss of a USB stick, tablet, computer, or phone. This is exacerbated by the fact that most people handling sensitive information are not using disk encryption, appropriate passwords, or best practice. Other forms of breach are sessions overheard through walls and doors, covert recording by the client or therapist, records left on a kitchen table, emails sent to the wrong address, and so on.
Data can take many forms, some of which are easily identifiable and traced to the data subject. Others, like video streams, are transmitted in encrypted streams from point-to-point and are difficult if not impossible to compromise, even if someone was strongly motivated to do so. The content of therapeutic sessions is not Top Secret, Secret, or even Confidential. It is private information and our decisions about how to handle it have to be considered in light of the damage a possible breach may cause.
Many discussions online about this topic quickly come to focus on whether the US National Security Agency can tap into the conversation a therapist is having with his or her client.
Applying the principles of the Data Protection Act makes our responsibility clear and easy enough to formulate. Skype, FaceTime, Zoom, and others actually provide a high level of security, certainly beyond that of mobile phones, emails, and even Royal Mail. While many fret about security intrusions by US intelligence services, it is actually the UK that requires service providers to maintain detailed records of telephone calls and web searches. However, a recording of an encrypted stream of video is not likely to be decoded by even the most determined hacker or government official. Spying by authorities is not a reasonable concern for transmitted therapy sessions.
A frequently raised topic is that the data stream goes through servers in other countries, like the US, and that this constitutes “processing” outside of the EU. In fact, no processing is going on and this does not violate the principles of the DPA.
How do we ensure we comply with the intention of the Data Protection Act? The point-to-point connection is the most secure part of the process. We need to ensure our client knows that nothing is 100% secure, including Skype. Other steps we can recommend are:
- do not record the session
- ensure sessions take place in private locations or without people in earshot
- ensure that you are talking to the actual client
- be sure you understand Skype’s recommendations for security and privacy
- we recommend that your own user ID is not personally identifiable
- consider using a service like Zoom which does not require your client to identify themselves with a user ID
A quick word about HIPAA, a US law regarding a broad range of health insurance matters in the US. It is not, as is frequently put forward in online forums, a regulation about online therapy. For UK therapists it is irrelevant as it does not apply to the UK. It is not even a good example for policies in the UK. HIPAA does not apply to everyone, only “entities” that work in a particular way. Specifically, practitioners who submit claims for payment electronically to insurance companies, which not only excludes UK practitioners, but many US practitioners as well. Contrary to internet lore, there is no such thing as “HIPAA compliant” products and services such as video services, although the claim is widely circulated on the internet. Only entities can be compliant and, in that sense, is very similar to the UK DPA, where the data manager is responsible for how it is handled.
I hope this has helped shed some light on the requirements and encourages you to keep up with progress.