
Therapists in Ireland must store names, contact details, intake forms, session notes, mental health history, and payment records in encrypted, access-controlled systems based within the EEA, with records retained for at least eight years from last contact.

Category: GDPR
Written by Danny McCabe
11 February 2026
Therapists in Ireland are data controllers under the General Data Protection Regulation (GDPR) and the Data Protection Acts 1988 to 2018. This means you are legally responsible for the personal data you collect, store, and process about your clients. The rules are specific and the consequences of non-compliance are real: the Data Protection Commission can issue fines and conduct audits. More importantly, the data you hold is highly sensitive, and your clients trust you to protect it.
This post covers what counts as personal data, how long you must keep it, what secure storage means in practice, and what a compliant setup actually looks like.
Personal data is any information that identifies or could identify a living individual. For therapists, this covers a wide range of information you routinely collect.
Basic identifying information: full name, address, phone number, email address, and date of birth. This is collected at intake and held throughout the therapeutic relationship.
Intake forms: the information clients provide when they first contact you or at the start of therapy, including presenting concerns, relevant history, GP details, emergency contact details, and any risk indicators.
Session notes: records of what was discussed in session, clinical observations, treatment planning, and progress notes. These are perhaps the most sensitive documents a therapist holds.
Mental health history: details of previous therapy, psychiatric history, medication, diagnoses, and any information the client discloses about historical or current mental health conditions. Under GDPR, mental health data falls into the special category of sensitive personal data, which is subject to additional protection requirements.
Payment records: invoices, receipts, and records of fees paid or outstanding. These are also personal data and must be stored securely.
All of this data requires appropriate technical and organisational measures to protect it, under Article 25 and Article 32 of GDPR.
Retention periods for therapy records in Ireland are not set by a single piece of legislation. The guidance comes from a combination of professional body requirements and general principles.
The HSE's standard is that health records should be retained for a minimum of eight years from the date of last contact with the patient. This is the benchmark most professional bodies in Ireland, including the IACP (Irish Association for Counselling and Psychotherapy), work from.
If a client was under 18 at the time of therapy, records should typically be retained until the client's 26th birthday, or for eight years after last contact, whichever is longer.
After the retention period expires, records should be securely destroyed. For digital records, this means deletion using a method that makes recovery impossible, not simply moving files to the bin. For paper records, secure shredding is required.
You should document your retention and destruction policy, even informally, as evidence that you have considered these obligations.
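The retention rule above can be turned into a periodic check that lists which records have passed their retention date. This is an added example, not code from the original post; the record fields and references are constructed, and it assumes "under 18 at the time of therapy" is judged at first contact and that a 29 February date rolls forward to 1 March in non-leap years.

```python
from datetime import date

RETENTION_YEARS = 8         # years from date of last contact, as stated in the post
MINOR_KEEP_UNTIL_AGE = 26   # clients under 18 at the time of therapy


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years. 29 Feb maps to 1 Mar in a non-leap
    year, so the retention period is never cut short by a day."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def age_on(dob: date, when: date) -> int:
    """Age in completed years on a given date."""
    return when.year - dob.year - ((when.month, when.day) < (dob.month, dob.day))


def retain_until(dob: date, first_contact: date, last_contact: date) -> date:
    """Earliest date on which the record may be securely destroyed."""
    keep = add_years(last_contact, RETENTION_YEARS)
    # Assumption: minor status is judged at first contact.
    if age_on(dob, first_contact) < 18:
        keep = max(keep, add_years(dob, MINOR_KEEP_UNTIL_AGE))  # whichever is longer
    return keep


def due_for_destruction(records, today: date):
    """References of records whose retention period has expired."""
    return sorted(r["ref"] for r in records
                  if retain_until(r["dob"], r["first"], r["last"]) <= today)


# Constructed sample records (hypothetical field names, no real client data).
RECORDS = [
    {"ref": "A-001", "dob": date(1980, 5, 14), "first": date(2015, 1, 10), "last": date(2016, 3, 2)},
    {"ref": "B-002", "dob": date(2004, 2, 29), "first": date(2019, 9, 1), "last": date(2020, 6, 15)},
    {"ref": "C-003", "dob": date(2001, 7, 20), "first": date(2018, 2, 1), "last": date(2020, 2, 29)},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(r["ref"], retain_until(r["dob"], r["first"], r["last"]))
    print("Due today:", due_for_destruction(RECORDS, date.today()))
```

Store only a client reference and the three dates in whatever runs this check, so the schedule itself does not become another copy of the clinical record.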
Secure storage under GDPR requires technical measures to protect personal data against unauthorised access, loss, or destruction. For a solo therapist, this translates into several practical requirements.
Encryption: any device holding client data should have full disk encryption enabled. On a Mac, this is FileVault. On a Windows machine, it is BitLocker. These are built-in features that should be switched on.
Access control: data should only be accessible to you and to any authorised processor (such as a practice management software provider). Files stored in a shared consumer account, or on a device without a password, do not meet this standard.
EEA-based storage: personal data processed under GDPR must generally be stored within the European Economic Area, or transferred outside the EEA only under specific safeguards. This matters when choosing cloud storage and software tools.
Data processor agreements: if you use a third party to process personal data, such as a practice management software provider, a cloud storage provider, or an online booking tool, you must have a Data Processing Agreement (DPA) in place with that provider. Most reputable tools provide these.
A standard consumer Google account (Gmail, Google Drive with a personal account) does not meet the requirements for storing sensitive therapy records.
The issue is not that Google is inherently insecure. The issue is that the standard consumer terms of service do not provide the Data Processing Agreement required under GDPR. Google's consumer terms are governed by US law and do not include the contractual commitments required when processing special category data in an EU context.
Additionally, a shared Google Drive folder, one where multiple people have access or where the sharing settings are not tightly controlled, creates a risk of unauthorised access that is difficult to audit or control.
There is also a question of what Google does with data processed through consumer accounts. The terms for consumer Google products reserve rights to use content to improve Google's services. This is incompatible with the confidentiality obligations of a therapy practice.
A compliant setup does not need to be expensive or complicated. Several approaches work well for solo therapists in Ireland.
Google Workspace (formerly G Suite) with a business account is compliant, provided you have signed Google's Data Processing Amendment and configured sharing settings appropriately. Google Workspace provides a DPA, stores data in the EEA by default, and gives you administrative control over access. This is a significant upgrade from a consumer Gmail account and costs approximately €6 per user per month.
Dedicated practice management software such as WriteUpp, Cliniko, or Hectic (formerly Practice Better) is designed specifically for health practitioners. These tools provide DPAs, keep data within the EEA, include session note templates, and are built around clinical workflow. Costs range from approximately €25 to €60 per month.
For session notes specifically, a password-protected Word document or encrypted notes app stored on an encrypted device is a valid low-cost approach, provided you have a clear protocol for backup, retention, and eventual secure deletion.
Whatever system you choose, you should be able to answer these questions: where is the data stored, who can access it, what encryption is in place, and what agreement governs how the provider handles the data? If you cannot answer these questions, the setup is probably not compliant.
If you are setting up a private therapy practice and want your digital infrastructure, including your website, booking system, and GDPR documentation, to be built correctly from the start, the Karv Web Studio therapist package covers all of this as part of a complete practice setup.