
Therapy exists in a sacred space. The "container" depends on trust, privacy, and boundaries.

But outside that room, the real world—and its laws—still applies. Private practice therapists often feel torn between their ethical bodies (BACP/UKCP) and the hard edges of legislation like GDPR and the Terrorism Act.

When a client demands to see your notes, or confesses a crime, or threatens to harm themselves, you need to know exactly where the line is drawn.

1. The Subject Access Request (SAR)

The Scenario: You have been seeing a client for a year. It ends badly. A week later, you receive an email: "Under GDPR, I request a copy of all data you hold on me, including all session notes."

You panic. Your notes include your personal reflections: "Client projecting anger," "Signs of narcissism." You don't want them to see that.

The Legal Reality: Under GDPR, clients have a right to access their data. This includes your clinical notes. They are "Special Category Data."

You generally cannot refuse a SAR.

The only major exemption is the "Serious Harm Test" (Data Protection Act 2018)—you can withhold data if disclosing it would cause "serious harm" to the physical/mental health of the data subject. This is a very high bar (e.g., likely to trigger suicide). It does not cover "hurt feelings."

The Fix:

  • Clean Notes: Write notes assuming the client will read them one day. Stick to facts and themes, not judgements.

  • GDPR Contract: Your contract should explain clearly how data is stored and their rights.

2. Breaking Confidentiality (The Mandatory Breaches)

The Scenario: A client confesses they stole £50,000 from their employer. Do you report it?

A client confesses they sexually abused a child 20 years ago. Do you report it?

A client mentions they are sending money to a "freedom fighter" group abroad. Do you report it?

The Legal Reality: Confidentiality is not absolute.

  • Terrorism Act 2000: Mandatory reporting.

  • Proceeds of Crime Act 2002 (Money Laundering): Mandatory reporting (though complex for health professionals).

  • Safeguarding (Children/Vulnerable Adults): Not always a strict statutory duty for private practitioners (unlike NHS), but a massive ethical and negligence duty. If you fail to act and someone is harmed, you are liable.

The Fix: Your Therapeutic Contract must list the Limits of Confidentiality.

"Everything is confidential EXCEPT: Risk of harm to self/others, Terrorism, Money Laundering, or Court Order."

If it’s in the contract, the client gave informed consent to the breach before they spoke.

3. The Clinical Will (Death in Service)

The Scenario: You are a sole practitioner. You are involved in a car accident and are in a coma. Your clients turn up to your office. It is locked. They call you. No answer. They feel abandoned and re-traumatized.

The Fix: A Clinical Will.

A trusted colleague ("Clinical Executor") holds a list of your clients (encrypted). If you die or are incapacitated, they contact the clients to cancel sessions and offer referrals. This is a requirement of most ethical bodies and a vital legal protection for your estate against negligence claims.

4. Duty of Care (Suicide Risk)

The Scenario: A client expresses suicidal ideation. You assess the risk as "Video". You let them leave. They take their own life. The family sues you for negligence.

The Legal Reality: Duty of Care requires you to take "reasonable steps."

The Fix: Documentation. You must document your Risk Assessment and your rationale for not breaking confidentiality/hospitalizing them (e.g., "Client agreed to Safety Plan"). If it isn't written down, it didn't happen.

Why Contract Review Matters for Healers

You focus on the emotions. Let the contract focus on the rules.

AI contract review ensures your "Confidentiality" clause is legally accurate (so you don't promise total secrecy you can't deliver). It checks your GDPR compliance. It creates the safe container you need to do your best work.

Disclaimer: The information in this article is for general guidance only and is not intended as professional legal, financial, tax, or medical advice.
