
Is Online Therapy Private? GDPR and Confidentiality in Irish Telehealth

Maura Davis
19 December 2025
Understand your data protection rights in online therapy. Learn about GDPR compliance, security measures, and how to ensure your privacy is protected in Irish telehealth.

The shift to online therapy raises understandable concerns about privacy. When you're discussing your deepest struggles through a screen, you want assurance that your conversations remain confidential and your data protected. For Irish clients, these concerns intersect with European data protection law—the General Data Protection Regulation (GDPR)—which provides some of the strongest privacy protections in the world.

Understanding how GDPR applies to online therapy helps you make informed choices about providers and gives you confidence that your personal information receives appropriate legal protection. This guide explains what GDPR means for online therapy in Ireland, what protections you have, and what questions to ask potential therapists about their data practices.

Understanding GDPR: What It Means for Therapy Clients

The General Data Protection Regulation became applicable across the European Union on 25 May 2018, replacing the previous data protection directive and the national laws built on it. For Irish therapy clients, GDPR establishes clear rights regarding how personal data, including highly sensitive mental health information, must be handled.

Lawful basis for processing is required for any data collection. Therapists must identify a legal basis for processing your information. For therapy, this is typically "consent" (you agree to treatment) or "contract" (you're receiving a service you've paid for), supplemented by "legal obligation" where professional records must be maintained. Because mental health information is special category data, a second condition must also be met: in practice either your explicit consent or the provision of health or social care by a professional bound by a duty of confidentiality. Legitimate interests rarely apply to therapy given the sensitive nature of the data.

Data minimisation means therapists should collect only what's necessary for providing care. Your therapist doesn't need your PPS number, banking details beyond payment processing, or unrelated personal information. If a registration form requests excessive data, this raises questions about their GDPR compliance.

Purpose limitation requires that data collected for therapy cannot be used for other purposes without additional consent. Your therapist cannot use your contact details for marketing, publish or sell case material drawn from your sessions (even with identifying details changed) without your explicit permission, or share information with third parties beyond what's necessary for care provision.

Storage limitation means data cannot be kept indefinitely. Professional bodies like IACP and PSI provide guidance on record retention—typically seven years for adults, longer for children. After this period, records should be securely destroyed, not archived indefinitely.

The Irish context involves the Data Protection Commission as the supervisory authority. Irish therapists are also bound by the Data Protection Act 2018, which supplements GDPR with national provisions. This dual framework provides robust protection for therapy clients.

What Data Do Online Therapists Collect?

Understanding what information flows through online therapy platforms helps you assess privacy risks appropriately.

Clinical information includes session notes, assessment materials, treatment plans, and any diagnoses. This is the most sensitive category, deserving highest protection. GDPR classifies health data as "special category data" requiring additional safeguards.

Contact and administrative data covers names, addresses, phone numbers, email addresses, and payment information. While less sensitive than clinical content, this data still identifies you as a therapy client and requires protection.

Technical data accumulates through online delivery: IP addresses, device information, session timestamps, and platform usage patterns. Many clients don't realise this metadata exists, but it can reveal when you attend therapy and from where.

Communication records include emails, text messages, platform messages, and voicemails exchanged between sessions. These often contain clinically relevant information and should be treated with the same protection as formal session notes.

Assessment and outcome measures completed online generate data that, while potentially anonymised for research, may be personally identifiable in raw form. Ask how these tools handle your responses.

Your Rights Under GDPR

GDPR grants specific rights that empower you to control your personal data. Understanding these helps you advocate for your privacy.

The right to be informed means therapists must provide clear privacy notices explaining what data they collect, why, how long they keep it, and who they share it with. Vague or missing privacy policies indicate poor GDPR compliance.

The right of access allows you to request copies of all personal data a therapist holds about you. This includes session notes, emails, and administrative records. Therapists must respond within one month, providing copies in accessible formats; that period can be extended by up to two further months for complex requests, but you must be told about the extension within the first month.

The right to rectification enables you to correct inaccurate information. If your records contain errors—wrong dates, misquoted statements, incorrect contact details—you can request corrections.

The right to erasure (sometimes called the right to be forgotten) allows you to request deletion of your data in certain circumstances. However, this right is limited for therapy records because therapists have legal and professional obligations to maintain records. You cannot demand destruction of clinical notes simply because you've ended therapy.

The right to restrict processing means you can request that data processing be limited in certain situations—for example, while disputing accuracy of records. This doesn't erase data but pauses certain uses.

The right to data portability allows you to receive data you provided in a structured, machine-readable format and to transfer it to another provider. It covers data processed on the basis of consent or contract by automated means, such as intake forms and questionnaires you completed online; it does not extend to a therapist's own notes and observations about you. For therapy, this might mean transferring your intake information to a new therapist, while the clinical record itself is handled through the right of access and any referral arrangements.

The right to object enables you to challenge processing based on legitimate interests or direct marketing. While less relevant to therapy itself, this right applies if a therapist wanted to use your data for research or training without consent.

Rights related to automated decision-making don't typically apply to therapy, but become relevant if platforms use AI for triage, risk assessment, or treatment recommendations.

Security Measures: What Should Online Therapists Have

Technical and organisational security measures are mandatory under GDPR. Here's what to expect from compliant online therapy providers.

Encryption should protect video sessions from interception, and it matters which kind. Practically every mainstream video platform encrypts the call in transit, so a third party on the network cannot listen in. End-to-end encryption goes further: only the participants' devices hold the keys, so the platform operator itself cannot decrypt the session. Zoom offers end-to-end encryption as an optional meeting setting, and dedicated healthcare and therapy platforms such as VSee advertise healthcare-appropriate configurations. A platform that encrypts only in transit leaves your session content readable by the provider, so ask your therapist which mode is in use rather than assuming "encrypted" means end-to-end.

Secure data storage means clinical records should be encrypted at rest (when stored) as well as in transit (when transmitted). Cloud storage, if used, must comply with GDPR requirements, which in practice means servers in the EU or EEA or, for a provider outside it, a lawful transfer mechanism and a written data processing agreement with the therapist.

Access controls limit who can view your data. Your therapist should have unique login credentials (no shared accounts), multi-factor authentication on every system that holds client records, and clear policies about who within their practice can access records and why.

Device security matters for both therapist and client. Therapists should use encrypted devices, automatic screen locks, and secure disposal procedures for old equipment. You should similarly protect your own devices when attending online sessions.

Breach notification procedures are required. If a personal data breach occurs, the therapist must notify the Data Protection Commission within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms. Where the breach is likely to result in a high risk to you, the therapist must also inform you directly without undue delay.

Regular security assessments demonstrate ongoing commitment to data protection. Ask therapists how often they review their security measures and whether they conduct data protection impact assessments for new technologies.

Red Flags: Privacy Practices to Avoid

Certain practices suggest inadequate attention to data protection. Consider these warning signs when choosing an online therapist.

Consumer-grade communication tools such as personal WhatsApp or Facebook Messenger accounts, or unencrypted email, used for clinical discussions indicate poor practice. Even where an app encrypts message content end to end, it typically syncs your contact details and call metadata to the platform operator, leaves clinical messages mixed into a personal phone's chat history and backups, and comes with no data processing agreement between the therapist and the provider. These platforms weren't designed for healthcare and may expose your data to third parties.

No privacy policy or vague documentation suggests the therapist hasn't engaged seriously with GDPR requirements. Every practitioner should have a clear, accessible privacy notice written in plain language.

Storing data on personal devices without professional encryption or backup systems risks data loss and unauthorised access. Clinical records should reside on professionally managed, secure systems.

Sharing information without clear protocols for supervision, emergencies, or referral situations indicates poor governance. Therapists should explain exactly when and why they might share your information.

No discussion of data protection during initial consultation suggests the therapist views privacy as an afterthought. GDPR compliance should be proactively addressed, not hidden in small print.

International data transfers without adequate safeguards raise concerns. If your therapist uses US-based platforms or cloud storage, they should be able to explain what lawful transfer mechanism protects your data: an adequacy decision (for US providers, certification under the EU-US Data Privacy Framework), Standard Contractual Clauses, or another safeguard recognised under GDPR.

The Practical Reality: Balancing Privacy and Care

Perfect privacy is impossible—therapy inherently involves sharing personal information with another human. The goal is reasonable, proportionate protection that doesn't compromise therapeutic effectiveness.

Therapy requires some data sharing for legitimate purposes. Your therapist discusses your case in clinical supervision—this is professionally required and benefits your care. They may need to breach confidentiality in genuine emergencies. These aren't GDPR violations but necessary professional practices.

Anonymity has limits in therapeutic relationships. While you can use pseudonyms on some platforms, payment records, insurance claims, and professional registration requirements typically require real names. Complete anonymity is difficult to achieve while receiving legitimate professional services.

Platform choice involves trade-offs. Dedicated therapy platforms offer better security but may have usability issues. Mainstream video tools are more familiar but may harvest data for advertising. Neither choice is inherently wrong, but you should understand the implications.

Your own device security matters as much as the therapist's. Using public WiFi, sharing devices with family members, or attending sessions in shared spaces creates privacy risks regardless of the therapist's GDPR compliance.

Data protection isn't the only consideration. The most secure platform with the most robust GDPR compliance is worthless if the therapist lacks clinical skill. Privacy protections support effective therapy but don't replace therapeutic competence.

Questions to Ask Prospective Therapists

Before committing to online therapy, these questions help assess privacy practices:

"What platform do you use for sessions, and what security measures does it have?" Look for end-to-end encryption, GDPR compliance, and healthcare-appropriate features.

"Where are your clinical records stored, and how are they protected?" Expect answers about encrypted storage, access controls, and backup procedures.

"Do you have a privacy notice I can review?" This should be readily available and written in accessible language, not legal jargon.

"Under what circumstances would you share my information with third parties?" Therapists should clearly explain supervision, emergency protocols, and any other sharing arrangements.

"How long do you keep records, and how are they destroyed when no longer needed?" Professional standards require retention periods, but secure destruction should follow.

"Have you had any data breaches, and how would you notify me if one occurred?" Past breaches don't necessarily indicate poor practice, but transparency about incident response matters.

"Do you transfer data internationally, and if so, what safeguards are in place?" This is particularly relevant if the therapist uses US-based platforms or cloud storage.

"What are my rights regarding my personal data, and how do I exercise them?" The therapist should clearly explain access, correction, and complaint procedures.

Therapists who cannot or will not answer these questions may not take data protection seriously enough for clinical work.

Making Your Decision: Informed Consent for Online Therapy

GDPR ultimately serves the principle of informed consent—you should understand and agree to how your data will be used before engaging in therapy.

Read privacy policies before booking, not after. If the policy is unclear or concerning, seek clarification or choose another therapist. You cannot meaningfully consent to practices you don't understand.

Consider your specific privacy needs. If you're a public figure, work in a sensitive profession, or have particular confidentiality concerns, discuss these explicitly with prospective therapists. Standard practices may need adjustment for your situation.

Document your consent. Save copies of privacy notices, consent forms, and any correspondence about data protection. These records protect you if disputes arise later.

Remember you can withdraw consent, though this may limit the therapy that can be provided. If you become uncomfortable with data practices, you have the right to end the therapeutic relationship.

Complaints mechanisms exist. If you believe a therapist has violated GDPR, you can complain to the Data Protection Commission. Professional bodies like IACP and PSI also handle data protection complaints as ethical matters.

Online therapy offers remarkable access to mental health support, but this convenience shouldn't compromise your right to privacy. GDPR provides robust protections for Irish therapy clients—understanding these rights helps you access online therapy with confidence that your personal information remains appropriately protected.

Related Guides:

This article is part of The Ultimate Guide to Online Therapy in Ireland — our comprehensive hub covering everything you need to know about virtual mental health support.

  • **IACP vs. PSI: Choosing an Accredited Online Therapist** — Understanding accreditation
  • **How Much Does Online Therapy Cost?** — Understanding pricing
  • **Choosing Between Online and In-Person Therapy** — Finding your best format