How do we protect digital security and privacy? 

While absolute security in the digital world does not exist, practitioners are nevertheless directly responsible for protecting their end of the communications with clients, according to the BACP. But what does this mean in practice? Below we lay out the common security and privacy threats to digital practice, and the measures you can take to ensure you have necessary precautions in place. 


1. Make sure you are complying with GDPR 

Anyone working online for any aspect of their work needs to take account of the relevant law concerning data protection. - BACP, 2019

The General Data Protection Regulation and the Data Protection Act 2018 set out the law when it comes to processing personal data in the UK, and you are expected to comply with these requirements during lockdown. As a first step, you or the organisation you work for must be registered with the Information Commissioner’s Office.

The BACP also recommends that you carry out a Data Protection Impact Assessment before agreeing to move your practice with children and young people online, and provides the following (non-exhaustive) list of considerations: 

  • Whether the devices used to support young people remotely will be solely for work use. 
  • Whether you can use a secure platform for contacting young people and carrying out remote therapy. 
  • Whether the young person’s school or your organisation are subject to any guidance from the Department for Education regarding contact with students whilst they are at home. 
  • What the impact would be of providing or not providing therapy if the child or young person refuses to seek parental consent, and whether this would make them more vulnerable.
  • How you will explain and document the informed consent of the young person, if this is being sought.  

In addition, all practitioners who are new to remote therapy with children and young people are advised to seek guidance from experienced online CYP practitioners or supervisors and experts in the field of GDPR and therapy, via relevant guidelines, training and CPD.

When there has been a data breach

Data and security breaches are to be dealt with following the same guidelines outlined in BACP’s Ethical Framework for the Counselling Professions - you can find more information on the ICO’s Guidance on Data Breach Management.

What if we can’t meet our usual data standards? 

During a time of such fast-paced change and uncertainty, it’s understandable to be concerned about whether your data protection practices and procedures are meeting the required standards. In response, the Information Commissioner’s Office has said it will not take regulatory actions against these organisations: 

“We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.  

"We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic."  

It’s advisable to read the ICO guidance in full on their website, where you can also find more information relating to coronavirus and what it means for data regulation. 


2. Secure your internet connection and devices  

There are several steps you can take to keep your devices and internet connection as secure as possible while working from home and to ensure that others are not able to access confidential, sensitive personal data, or view and intercept your communications with young people. 

  • Make sure your computer and devices can’t be accessed by anyone else, are password protected and turned off while you’re not working. If you have a shared computer, make sure you’re using a separate user account with a strong password known only to you.
  • Likewise, make sure any digital platform you use is linked only to a professional email address, and that you don’t use an account linked to someone outside your organisation.
  • If you have to use your personal computer during the pandemic because your organisation is not able to purchase laptops for every member of staff, use password-encrypted USBs to store any personal data of young people, rather than storing on your personal drives. 
  • Ensure you’re using a secure, password-protected Wi-Fi connection.
  • Have good firewall and anti-virus / anti-malware and other necessary security protection installed, and regularly update these. Note that free services are often less secure than paid-for services.
  • Clear your cookies after every video call with young people.
  • Consider using a Virtual Private Network (VPN).
  • Do not save links to online sessions in an online calendar.
  • Before your sessions, turn off all devices and programmes that have a listening or voice recognition function, such as Siri, Alexa, OK Google or similar, including on your computer, phone, smart watches and other devices.

3. Secure your correspondence  

Email

The Association for Counselling and Therapy Online (ACTO) notes that general emails aren’t private, and says they are more like a postcard than a letter that has been sealed and tracked. You are recommended to take the following steps to ensure you’re taking reasonable security measures over email:

  • Use only organisational logins and contact details when contacting young people – and avoid handing out any personal details. 
  • If you are messaging more than one young person at a time, make sure to use the ‘Bcc’ function on your email, unless they have given you explicit consent to be Cc'd in group emails.
  • It is best practice to use programmes and software that are secure and encrypt your correspondence – for email this includes Protonmail, Hushmail, SecureMail or Frama. Full encryption of your correspondence would require what’s known as ‘shared encryption’, which is most easily achieved when the person you are communicating with uses the same secure email service as you.
  • Include confidential information in a password protected document that you attach to your email. 
  • It is best to limit your emails with young people to factual, practical information, and avoid therapeutic conversations. If your email correspondence drifts into therapeutic territory, acknowledge what the young person has said and say you’ll speak about it in your next session.
  • In your email signature, include a line that says you don’t provide crisis support and provide links to known and trusted organisations that do. 

Text / WhatsApp messaging

This is a tricky one, and lack of clarity over the use of mobile messaging has been frequently raised by Youth Access members since the lockdown. The BACP says text, WhatsApp and other messaging apps are useful for organising session times and sharing fact-based information, but that texting between mobiles is not secure and is inappropriate for therapeutic work.

According to ACTO, while text is relatively secure, it is not safe practice to send details of sessions and links via text (or unencrypted email). It further argues that texting is not advised as messages are too easily sent to the wrong client.  

On the other hand, NHSX says it’s "absolutely fine to use mobile messaging to communicate with colleagues and patients/service users as needed", and that the same goes for commercial apps including WhatsApp and Telegram "where there is no practical alternative and the benefits outweigh the risk."

What exactly is allowed? One of the leading principles of YIACS is to meet young people where they’re at and respond to their specific needs. This is as important during lockdown, if not more so, and yet our ways of staying in touch have become limited more than at any time in recent years. If a young person’s sole or preferred means of staying in touch with you is messaging via text, WhatsApp or social media (as opposed to video or phone call), then a ban on such communication is neither practical nor desirable. Again, we think it’s important here to find a balance between safety and accessibility. We recommend:

  • Like any form of online service, supporting young people’s mental health and wellbeing via text is possible with the right risk assessment in place and the right practitioner training. 
  • Supporting people via text message is a completely different skill, which practitioners need to learn how to do safely. The Mix and Shout offer their crisis volunteers training on how to do this, including how to risk assess via text, how to frame questions and how to acknowledge the individual’s response.
  • When sending a message, make expectations clear - making sure you clarify if you need a response, don’t expect one or are just checking in. 

WhatsApp carries some additional considerations that need to be taken into account, including recently raised questions about its security. But it’s important to note that for some individuals who have access to the internet via Wi-Fi but no credit or text messages, WhatsApp may be their only lifeline.

  • Again, this is where the assessment and management of digital/remote risk for each young person is crucial - asking questions including how old they are, whether they have parental consent to communicate this way, and whether there are alternative platforms they can use. 
  • Young people cannot be contacted on WhatsApp if they are under the age of 16, and should only be contacted this way if they have given consent to do so.  
  • WhatsApp allows you to send messages to groups of people, with all members of that group able to view each other’s contact details (as well as names and photos, if available). You should not send group messages to young people via WhatsApp unless they have given consent for you to do so – you can use the broadcast function to send messages to a large group of people quickly. 
  • It is important to note that messages can be deleted by both parties on WhatsApp. This highlights another concern when using WhatsApp and the importance of using session notes to summarise your conversations with young people, as well as any causes for concern. You may also want to use these session notes to quote from WhatsApp messages or save the dialogue on the client database you use to record your clinical notes. 

4. Protect client identity 

It is good practice to refer to clients using a system of abbreviation that doesn’t reveal their name or sensitive details – also known as pseudonymisation.


5. Prevent people from joining your call uninvited

  • If you are using a video platform, create a new joining link for every session – whether one-to-one or group – and share this only with the individuals due to attend. On Zoom, for example, you can edit the specific settings for the meeting you are planning and share a registration form with participants. Once they have registered, each individual is sent a unique join link, allowing you to verify who has signed up in advance of the session, and cancel any sign-ups whose name or email you don’t recognise. If possible, give your meeting its own password.
  • Set up your call to have a virtual ‘waiting room’, if possible, allowing you to control who is allowed into the call and let guests in when you are ready to start. You can customise the waiting room so that guests know they have logged in to the right meeting.  
  • Keep a register of young people who have signed up to a call, to make sure the right people are online.  
  • When all participants have joined the call, ‘lock’ your meeting if your video platform offers this. Bear in mind that, while the meeting is locked, people who lose connection will be prevented from re-joining the call, so make it clear what you will do, or what they need to do, if this happens.
  • Make sure your video platform allows you to remove people from the call who aren’t supposed to be there, or who behave disruptively, and prevent them from re-joining.
