Originally published 1 May, 2018
In light of the information shared with me by the biggest directory of counsellors when I asked why their system of sending client contact information is not secure, is hackable and contains PII in the form of an IP/email address, I thought we could start a discussion about the fact that clients in distress visit this directory, open a counsellor’s profile page and send that counsellor detailed information via a contact form (because they are in distress, are dysregulated and are in need of help, sometimes urgently). This contact form then arrives at the email box of the counsellor and contains the client’s IP address, email contact and, more often than not, a telephone number.
All sounds okay so far? Well, I asked how this contact form was forwarded and what measures are in place to secure the transition of this information from the directory to the inbox. To keep it short, the answer is: it isn’t, if you don’t have an email system that is secure at your end.
When I challenged this and explained that many counsellors are not tech-savvy, nor do they have encrypted email systems, I was given some advice about best practice.
The directory has informed me that for GDPR compliance they will put a notice on the directory “not to send personal information to the counsellor”. However, they send the client’s IP/email address?
This is not good enough. Not when I feel as a psychotherapist that I have a duty of care to the potential client to offer them a safe space to connect.
When I challenged them on the ethics of ‘the onus is on the client and counsellor’ to set up a secure email system, and that an IP and email address is actually identifying information that they send, I was given the same response, including a line about using codes for client confidentiality. (After sending the contact form to me with identifying info?) Metaphors of horses and gates spring to mind.
The world of cybersecurity applies to the profession of counselling/psychotherapy and, currently, I am not seeing enough care and due diligence in this domain (see my previous blogs and videos on my Facebook page, cyber trauma and young people).
I’m aware the profession of counselling is not as tech-savvy as I am; however, surely there’s a body of advisors to this directory and others? When I used PlusGuidance, all messages were kept secure and I had to log in to read and reply. The system held the info. Why is it not possible for a directory that charges approximately £20 per month to thousands of counsellors to set up a system like this to keep client and counsellor safe and GDPR compliant?
Let me know your thoughts.