The new BACP ethical framework — answers to the questions therapists are actually asking
Jun 12
/
Joel Bild
The new BACP ethical framework — answers to the questions therapists are actually asking
Confident Therapist Hub · Practice management · 14 min read · The practical long read
If you would prefer the shorter take focused on the three decisions you will need to make this year, the brief piece is here.
Most articles about the draft framework walk through it section by section. This one starts somewhere else — with the questions therapists are actually asking.
Each section below is a question a real UK practitioner might have. Find the ones that apply to your situation; skip the ones that do not.
An important distinction
There are three different kinds of obligation in play here.
**Legal duties** apply to every UK therapist regardless of body membership — UK GDPR, the ICO data protection fee where applicable, HMRC tax obligations, safeguarding duties and the Equality Act.[^2]
**Professional body requirements** apply to members of that body specifically. For BACP members, the Ethical Framework is one of these.[^1]
**Ethical good practice** is what a thoughtful practitioner would do regardless of which categories apply to them.
Each question below makes clear which category is mainly at play.
The draft framework is already available, and BACP has said the final version is expected in Autumn 2026.[^1]
Do not rely on assumed go-live dates — check BACP’s latest implementation guidance as those dates approach. The work involved is not hard. It just needs to be done properly.
“I’m not a BACP member. Does any of this apply to me?”
Probably yes, and the reason involves untangling the three categories above.
Therapy is not a regulated profession in the UK. Anyone can call themselves a therapist or counsellor without joining a professional body. So strictly speaking, the BACP framework binds only its members.
But “I am not bound by the BACP framework” is a different statement from “none of this applies to me.”
A surprising amount of what the draft framework covers is not BACP-specific at all — it reflects legal duties that apply to every therapist holding client data.
In most private practice contexts, you are a data controller because you decide why and how client information is collected, stored and used.[^3]
Many private practitioners will also need to pay the ICO data protection fee unless exempt, so it is worth checking the ICO’s self-assessment rather than assuming either way.[^2]
HMRC tax obligations, including Making Tax Digital where your qualifying self-employment and/or property income is above the relevant threshold, are separate legal duties.[^6] None of these are about which professional body you have joined.
And then there is the question of what counts as ethical practice. The draft framework did not invent the clinical will, the privacy notice, or the idea that you should be able to evidence ethical reasoning. It codifies them.
A therapist outside the bodies who decides they need not bother with a clinical will because they are not technically required to have one is making a choice their clients have not agreed to — and a therapist who dies without one may leave their clients without records access or proper notification, regardless of which professional letters they hold.
The honest position is this: legal duties bind everyone, professional body commitments bind members of that body, and ethical good practice is broadly worth adopting regardless. The draft framework is useful reading whichever of those categories you sit in.
The rest of this article assumes you are not necessarily a BACP member. Where something is specifically a BACP requirement rather than a legal duty or good practice, it is flagged as such.
“I use AI to help with notes. What do I actually need to do?”
This is the question with the most immediate practical work attached to it, and the one most likely to require something you are not currently doing.
Section 2.1(e) of the draft framework asks members to assess any AI tool, digital tool or online platform before using it, and places clear emphasis on competence, understanding how data are handled, and being open with clients.[^1]
In terms of obligation, this sits primarily as a professional body requirement for BACP members, with real legal overlap. UK GDPR’s accountability principle means you should be able to evidence how you have assessed and managed risks when processing sensitive client data.[^3]
So any therapist using AI tools is on stronger legal ground if they have done this work — body membership or not.
What might that actually look like in practice?
In many cases, therapists will want to keep a short written assessment for each AI tool they use, on file. A page is usually enough. It might cover:
* what client-related data passes through the tool
* where it is stored
* who else processes it
* what the residual risks are
* what you have told clients about it.
The chain of sub-processors can be longer than it looks, so this is worth checking rather than assuming.
The honest-disclosure piece is the part most likely to need attention. Many therapists currently mention AI tools only as a line in a privacy notice, if at all. The draft framework wording suggests something more substantive: a real conversation about what the tool does with what the client tells you, what the trade-offs are, and what alternatives might exist.
And there is the deeper question worth holding for a moment.
Therapy works partly because nothing else is in the room. The attention, the held silence, the trust that what is said here is held here — these are conditions of the work.
A recorder during sessions is a third presence. An AI listener is a fourth. Even when the client agrees, the therapist who knows their device is listening may practise differently because they know something is listening.
Asking a client whether you may record or process a session through an AI tool creates an interaction the therapy never previously had to have — and even if they agree, the asymmetry is now in the room.
None of this is a reason never to use AI tools. It is a reason to be sure the time saved is worth the relational cost, and to be able to defend the choice if questioned.
The draft framework is not requiring you to avoid AI. It is asking you to be able to defend your use of it.
Whether your answer is “yes, the trade-off works for my practice” or “no, the work is better protected with the device in my bag” — both can be defended. What is harder to defend is defaulting into a tool because it saves time, without being able to explain the ethical and data-protection reasoning behind that choice.
“Do I need a clinical will, and if I have one, is it good enough?”
The clinical will is the item that has probably moved the most.
In the 2018 framework it appeared at point 42, in non-mandatory language. In the draft framework it appears in section 4.5, and the wording suggests stronger and more explicit weight: members are asked to ensure they have executed a clinical will and appointed an executor who, bound by confidentiality, can communicate with clients if the therapist becomes too ill to do so or dies.[^1]
The main category here is professional body requirement for BACP members if adopted in this form. BABCP has already mandated clinical wills for accredited members.[^5]
It is not a UK legal duty. But of all the items in this article, it is one where “not legally required” is a particularly weak defence.
The harm of dying without a clinical will is to your clients, not to you.
A working clinical will typically needs four things:
* a named executor who has agreed in writing to the role, usually a trusted colleague or supervisor
* a confidentiality agreement with that person
* secure arrangements for accessing your client list and records
* clear instructions on how clients should be contacted.
If you do not have one, the work is usually a few hours. BACP, the BPC, and several supervision networks publish templates that will get you most of the way.
The most important practical step is the conversation with whoever you are asking to be your executor. They need to actually agree, understand what they are taking on, and know how to find the things they would need.
If you do have one, the audit questions are these:
* Does your executor know, right now, where your current client list is held?
* Can they actually access it if they needed to?
* Have you written down what they should say to clients — and what they should not?
* Have you reviewed the document in the last year?
A clinical will that has not been touched since you set it up five years ago is often a clinical will that no longer reflects your practice.
Many practitioners discover they need a clinical will only when a supervisor or a peer in their network raises it. The draft framework is, in effect, surfacing the question for everyone.
“Is my privacy notice doing what it needs to do — and what about the new complaints rules?”
This is important because it sits across all three categories of obligation and across two different regulatory updates.
Section 3.1(c) of the draft framework asks for a clear and accessible privacy notice outlining how personal data are collected, used, stored and protected. Section 3.1(d) adds that you should inform people of foreseeable limitations to confidentiality, including the use of digital storage systems, platforms or tools that may monitor or collect data.[^1]
This is primarily a legal duty under UK GDPR, which has expected clear privacy information since 2018.[^3] The draft framework simply makes the link more explicit for BACP members. So this applies to every UK therapist, body member or not.
There is also a separate, more time-pressing legal update here. The Data (Use and Access) Act 2025 introduces a new requirement for organisations to maintain a formal data protection complaints process, with the ICO confirming that the new complaints-process requirements come into force on 19 June 2026.[^4]
In practical terms, this means private practitioners need to be able to tell clients:
* how to raise a data protection concern
* how it will be acknowledged
* how it will be investigated
* how the outcome will be communicated.
The ICO has signalled a measured approach to enforcement during the transition, but the rule itself is statutory and applies to all data controllers — regardless of size, sector or body membership.[^4]
So there are really two practical tests for your current privacy notice.
First: does it clearly identify the main systems, platforms and providers involved in handling client data?
For example, does it identify your practice management software, video platform, any AI tools you use, your email provider, payment processor and backup system? If your privacy notice uses phrases like “industry-standard secure tools” or “trusted third-party providers” without saying who those tools and providers are, it may not be specific enough for either UK GDPR transparency or the draft framework.[^3]
Second: does it tell clients how to raise a data protection complaint with you directly, before going to the ICO? From 19 June 2026, this becomes a statutory expectation.[^4]
For a private practitioner this does not need to be elaborate, but it does need to be clear: a route for the client to raise the concern, an acknowledgement, an investigation, and an outcome communicated back to them.
Writing a more specific privacy notice and complaints process is not difficult. The structure is broadly:
* what data you collect
* what you do with it
* who else has access to it, including the main named providers
* how long you keep it
* what rights the client has
* how they can exercise those rights
* how they can raise a data protection concern.
There is a small bonus to specificity. The clearer your privacy notice is about who handles client data, the easier the other framework conversations become. If a client asks about AI tools you use, your privacy notice has already disclosed it. If you ever need to evidence the risk-assessment work in section 2.1(e), your privacy notice supports the documentation chain.[^1][^3]
“I see clients across borders, or I work from abroad sometimes. What changes for me?”
The draft framework introduces clearer cross-border framing than the 2018 version had.
Section 3.2(b) asks for records to be stored securely and to comply with the data protection requirements of the country where the record is held. Section 3.3(b) notes that legal obligations may vary depending on the jurisdictions in which you provide services. Section 4.2(a)(ii) extends the insurance requirement to all jurisdictions of work.[^1]
In terms of obligation, the data sections reflect legal duty: UK GDPR and corresponding regulations in other jurisdictions apply regardless of body membership. The insurance section is a BACP requirement that mirrors what any sensible practitioner would do anyway.
If your work is entirely UK-based — UK clients, UK location, no travel — most of this will not apply to you directly, though you should still be able to articulate where your data is stored and which legal regime applies.
If you work with clients abroad, or you yourself work from outside the UK for periods of the year, the practical steps are these.
Know where your data is stored. Many cloud services are hosted outside the UK: US-hosted, EU-hosted, or both.
This is not inherently problematic — many operate lawfully under UK adequacy arrangements, standard contractual clauses or other transfer mechanisms — but you should be able to explain the arrangements if asked.
Confirm with your insurer that your policy covers the actual jurisdictions in which you and your clients are located. Keep the written confirmation on file.
Cross-border insurance is genuinely complicated. It involves governing law, practitioner location, client location, regulatory recognition, and individual insurer exclusions, and the draft framework does not resolve any of these questions.
What it does is make the obligation to think about them explicit. If you have even occasional cross-border clients, a written question to your insurer is worth the small effort.
"How do I actually evidence ethical reasoning when something difficult comes up?"
This is one of the strongest threads in the draft framework.
Section 1.4(d) asks members to be able to demonstrate ethical rationale and reasoning, including the steps taken to resolve dilemmas or challenges.[^1]
Importantly, the draft framework does not appear to require a formal written rationale for every ethical decision. The relevant text suggests rationale should be recorded “in a way that is consistent with good practice around record keeping” where required by others. The expectation is that your reasoning is articulable and, where appropriate, evidenced — particularly for significant or contested decisions.[^1]
The main category here is professional body requirement, but with real protective value beyond body membership. If a complaint, lawsuit, or regulatory inquiry arises, the ability to demonstrate considered ethical reasoning is one of the strongest defences any therapist has — body member or not.
Practically, three kinds of record do this work between them:
* case notes: the formal clinical record
* process notes or reflection notes: your own thinking about a session or a decision, kept separately from the clinical record
* supervision notes: the record of conversations with your supervisor about difficult moments.
Process notes — separate from the clinical record, kept for your own reflection and supervision preparation — can be particularly useful here. They are the place where the difficult thinking happens.
If you keep them, they should be separate, purposeful, proportionate and consistent with your privacy information and record-keeping policy. Whether particular notes are disclosable in response to a Subject Access Request is fact-specific, so it is safer not to assume they are automatically protected.[^3]
The draft framework is not asking you to write a 1,000-word rationale every time you make a decision. It is asking you to be able to point to some record — clinical, process, or supervision — that shows you thought about a difficult question.
“I mix personal and professional digital channels. Does that need to change?”
The 2018 framework asked members to take reasonable care to separate personal and professional social media.
The 2025 draft is more direct: members are asked to ensure there is a clear boundary between personal and professional social media, digital accounts and communications. That is section 1.3(d).[^1]
The main category here is professional body requirement and broadly good practice. It is not a specific legal duty, but mixing channels creates real risk of accidental disclosure, boundary confusion, and data-protection breaches — risks any thoughtful practitioner would prefer to avoid.
For solo practitioners with limited resources, the question is what counts as adequate separation.
The honest answer: a separate work phone number is not strictly required, but a dedicated work email and separate professional accounts on whichever social platforms you use is fairly minimal.
Using personal WhatsApp or personal email for client contact has been quietly accepted by many UK therapists for years; the draft framework wording suggests that this now needs more deliberate thought and clearer boundaries.
The practical move is to audit your current channels:
* Where do clients message you?
* What email do they use?
* What number do they text?
* Which social accounts do they see?
Then decide which need to be moved or duplicated to professional-only versions. For most practitioners, this is a few hours of setup work, not a major restructuring.
“What about my working agreement and intake materials?”
Section 1.2(b) of the draft asks members to provide people with a record of the working agreement.[^1]
Several other framework items end up being documented inside this agreement, or referenced from it:
* fees and payment terms
* how data are handled
* foreseeable limits to confidentiality
* the use of AI or digital tools
* access to safeguarding policy details
* the existence of a clinical will arrangement
* how to raise a data protection concern.
The main category here is mixed: partly legal duty, partly professional body requirement, and partly good practice.
The privacy notice and GDPR elements are legal duties. The formal working-agreement record is a professional body requirement for BACP members if adopted in this form. The broader point is good practice: any therapist offering paid services would prudently have clear written terms.
Whether all of this sits in a single working agreement or splits between a working agreement and a standalone privacy notice is a matter of preference. A short standalone privacy notice that the agreement references is a workable structure.
What matters is that the client has, in writing, a record of:
* what is agreed
* what is confidential
* what might break confidentiality
* what tools handle their information
* how to raise concerns about their data
* how the relationship ends if you become seriously ill or die.
If your existing working agreement was written before 2023, it is likely missing some of these items — particularly around AI use, the clinical will, the specificity of the privacy notice, and the new complaints-handling expectations.
A review of the document against the framework sections above and the DUAA changes is the practical task.[^1][^4]
“Are my fees, payment terms, and tax position OK?”
The draft framework adds a financial responsibility section that did not exist in 2018.
Section 3.4 asks members to be aware of and comply with tax obligations in the country where they provide services, and to provide clear and transparent information about fees, including when and how payments are to be made.[^1]
The tax obligation is a legal duty. It applies to every sole trader regardless of body membership. The written fees and payment terms requirement is professional body-specific and good practice combined.
For UK sole-trader therapists, the most consequential current piece of this is Making Tax Digital for Income Tax. It is being phased in from April 2026 for sole traders and landlords whose annual income from self-employment and property is over £50,000, with lower thresholds following.[^6]
If you have not yet prepared for MTD, this is the year.
You will need either a full accounting package, such as Xero, FreeAgent or QuickBooks, or HMRC-compatible bridging software that connects to a record-keeping system. Bridging software may be cheaper than full accounting software if your needs are simple, although what is suitable will depend on your practice and tax position.
The written fees and payment terms piece is straightforward: your working agreement should cover the session fee, when invoices are issued, acceptable payment methods, late payment terms, and the cancellation policy.
Most practitioners already do this informally. The draft framework suggests it should be in writing.
“I have a supervisor. How do I actually use them to walk through all this?”
Supervision is a strong thread through the draft framework.
Section 4.3 sets out the supervision requirement; section 1.4(c) asks members to consult regularly with a supervisor about ethical dilemmas or challenges.[^1]
Beyond the framework itself, supervision is the place where the rest of these questions get worked through in real practice.
The main category here is professional body requirement. Supervision is also required by most other professional bodies, though the details vary.
It is not a UK legal duty as such, but it is commonly expected by professional bodies and may be relevant to indemnity and defensibility. Any therapist offering paid clinical work would benefit from it regardless.
A practical use of supervision for the framework changes is to block out a single session in the second half of 2026 to walk through your current contracts, privacy notice, digital tool use, insurance arrangements and clinical will against the draft framework.
This is the kind of audit that is easier collaboratively than alone, and your supervisor’s perspective on what counts as adequate evidence is genuinely useful. Most supervisors will welcome this as a productive use of a session.
What to do this month
If the article above has flagged any specific concerns for your practice, the highest-leverage actions are these.
1. Check your privacy notice and complaints process.
- Does it identify the main tools and providers handling client data?
-Does it tell clients how to raise a data protection concern with you directly?
The 19 June 2026 commencement date for the DUAA complaints rules is the most time-pressing item in this article, so this is the place to start.[^4]
2. If you use AI tools that touch client material, draft a short written risk assessment for each one.
Even a single page. Cover what data passes through, where it is stored, who else processes it, what risks remain, and what you have told clients. This is the item most likely to be missing for current users.[^1][^3]
3. Check your clinical will.
If you do not have one, put one in place — the work is a few hours and templates exist. If you do have one, audit it: does your executor know where your client list is right now, and could they actually access it?[^1][^5]
The remaining items in this article are worth attending to but less urgent. They can wait until later in 2026, when the final framework version is due and the accompanying Good Practice in Action resources are clearer.[^1]
If this has helped you spot gaps in your own documents, start with the privacy notice, AI position and clinical will. Those are the three areas most likely to need action before the final framework becomes mandatory.
Where to find the framework, and what else to read
The draft is available on the BACP website on the Developing the new Ethical Framework page.[^1]
The framework itself is short and well worth reading directly.
The Confident Therapist Hub publishes regular pieces on the practical side of UK private practice. Future articles will go deeper into AI note-taking ethics, working agreements that meet the new framework, and clinical wills in practice.
If you would find it useful to think through these themes with other UK practitioners, the CTH email list will let you know when each is published.
Endnotes
[^1]: BACP, Ethical Framework for the Counselling Professions 2025 draft PDF: https://www.bacp.co.uk/media/23628/ethical-framework-for-the-counselling-professions-2025.pdf; BACP, Developing the new Ethical Framework: https://www.bacp.co.uk/developingethicalframework
[^2]: ICO, Exemptions: https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee/exemptions/; ICO, Data protection fee self-assessment: https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment/
[^3]: ICO, What privacy information should we provide?: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/what-privacy-information-should-we-provide/; ICO, Transparency: https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/accountability/transparency/
[^4]: ICO, How to deal with data protection complaints: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/; ICO, One month to go: what businesses need to know to meet new data law: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/one-month-to-go-what-businesses-need-to-know-to-meet-new-data-law/; GOV.UK, Data (Use and Access) Act 2025: data protection and privacy changes: https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes; GOV.UK, Data (Use and Access) Act 2025: plans for commencement: https://www.gov.uk/guidance/data-use-and-access-act-2025-plans-for-commencement
[^5]: BABCP, Clinical Wills Policy: https://babcp.com/about/who-are-babcp/our-policies/clinical-wills-policy/
[^6]: GOV.UK, Making Tax Digital for Income Tax: https://www.gov.uk/government/collections/making-tax-digital-for-income-tax; GOV.UK, Find out if and when you need to use Making Tax Digital for Income Tax: https://www.gov.uk/guidance/find-out-if-and-when-you-need-to-use-making-tax-digital-for-income-tax
This article does not constitute legal or compliance advice. Consult your supervisor, your professional body, your indemnity insurer, and a qualified data protection adviser for guidance specific to your practice.
Based on the draft Ethical Framework for the Counselling Professions 2025. BACP has said the final version is expected in Autumn 2026 and may include changes.
Confident Therapist Hub · Practice management · 14 min read · The practical long read
If you would prefer the shorter take focused on the three decisions you will need to make this year, the brief piece is here.
Most articles about the draft framework walk through it section by section. This one starts somewhere else — with the questions therapists are actually asking.
Each section below is a question a real UK practitioner might have. Find the ones that apply to your situation; skip the ones that do not.
An important distinction
There are three different kinds of obligation in play here.
**Legal duties** apply to every UK therapist regardless of body membership — UK GDPR, the ICO data protection fee where applicable, HMRC tax obligations, safeguarding duties and the Equality Act.[^2]
**Professional body requirements** apply to members of that body specifically. For BACP members, the Ethical Framework is one of these.[^1]
**Ethical good practice** is what a thoughtful practitioner would do regardless of which categories apply to them.
Each question below makes clear which category is mainly at play.
The draft framework is already available, and BACP has said the final version is expected in Autumn 2026.[^1]
Do not rely on assumed go-live dates — check BACP’s latest implementation guidance as those dates approach. The work involved is not hard. It just needs to be done properly.
“I’m not a BACP member. Does any of this apply to me?”
Probably yes, and the reason involves untangling the three categories above.
Therapy is not a regulated profession in the UK. Anyone can call themselves a therapist or counsellor without joining a professional body. So strictly speaking, the BACP framework binds only its members.
But “I am not bound by the BACP framework” is a different statement from “none of this applies to me.”
A surprising amount of what the draft framework covers is not BACP-specific at all — it reflects legal duties that apply to every therapist holding client data.
In most private practice contexts, you are a data controller because you decide why and how client information is collected, stored and used.[^3]
Many private practitioners will also need to pay the ICO data protection fee unless exempt, so it is worth checking the ICO’s self-assessment rather than assuming either way.[^2]
HMRC tax obligations, including Making Tax Digital where your qualifying self-employment and/or property income is above the relevant threshold, are separate legal duties.[^6] None of these are about which professional body you have joined.
And then there is the question of what counts as ethical practice. The draft framework did not invent the clinical will, the privacy notice, or the idea that you should be able to evidence ethical reasoning. It codifies them.
A therapist outside the bodies who decides they need not bother with a clinical will because they are not technically required to have one is making a choice their clients have not agreed to — and a therapist who dies without one may leave their clients without records access or proper notification, regardless of which professional letters they hold.
The honest position is this: legal duties bind everyone, professional body commitments bind members of that body, and ethical good practice is broadly worth adopting regardless. The draft framework is useful reading whichever of those categories you sit in.
The rest of this article assumes you are not necessarily a BACP member. Where something is specifically a BACP requirement rather than a legal duty or good practice, it is flagged as such.
“I use AI to help with notes. What do I actually need to do?”
This is the question with the most immediate practical work attached to it, and the one most likely to require something you are not currently doing.
Section 2.1(e) of the draft framework asks members to assess any AI tool, digital tool or online platform before using it, and places clear emphasis on competence, understanding how data are handled, and being open with clients.[^1]
In terms of obligation, this sits primarily as a professional body requirement for BACP members, with real legal overlap. UK GDPR’s accountability principle means you should be able to evidence how you have assessed and managed risks when processing sensitive client data.[^3]
So any therapist using AI tools is on stronger legal ground if they have done this work — body membership or not.
What might that actually look like in practice?
In many cases, therapists will want to keep a short written assessment for each AI tool they use, on file. A page is usually enough. It might cover:
* what client-related data passes through the tool
* where it is stored
* who else processes it
* what the residual risks are
* what you have told clients about it.
The chain of sub-processors can be longer than it looks, so this is worth checking rather than assuming.
The honest-disclosure piece is the part most likely to need attention. Many therapists currently mention AI tools only as a line in a privacy notice, if at all. The draft framework wording suggests something more substantive: a real conversation about what the tool does with what the client tells you, what the trade-offs are, and what alternatives might exist.
And there is the deeper question worth holding for a moment.
Therapy works partly because nothing else is in the room. The attention, the held silence, the trust that what is said here is held here — these are conditions of the work.
A recorder during sessions is a third presence. An AI listener is a fourth. Even when the client agrees, the therapist who knows their device is listening may practise differently because they know something is listening.
Asking a client whether you may record or process a session through an AI tool creates an interaction the therapy never previously had to have — and even if they agree, the asymmetry is now in the room.
None of this is a reason never to use AI tools. It is a reason to be sure the time saved is worth the relational cost, and to be able to defend the choice if questioned.
The draft framework is not requiring you to avoid AI. It is asking you to be able to defend your use of it.
Whether your answer is “yes, the trade-off works for my practice” or “no, the work is better protected with the device in my bag” — both can be defended. What is harder to defend is defaulting into a tool because it saves time, without being able to explain the ethical and data-protection reasoning behind that choice.
“Do I need a clinical will, and if I have one, is it good enough?”
The clinical will is the item that has probably moved the most.
In the 2018 framework it appeared at point 42, in non-mandatory language. In the draft framework it appears in section 4.5, and the wording suggests stronger and more explicit weight: members are asked to ensure they have executed a clinical will and appointed an executor who, bound by confidentiality, can communicate with clients if the therapist becomes too ill to do so or dies.[^1]
The main category here is professional body requirement for BACP members if adopted in this form. BABCP has already mandated clinical wills for accredited members.[^5]
It is not a UK legal duty. But of all the items in this article, it is one where “not legally required” is a particularly weak defence.
The harm of dying without a clinical will is to your clients, not to you.
A working clinical will typically needs four things:
* a named executor who has agreed in writing to the role, usually a trusted colleague or supervisor
* a confidentiality agreement with that person
* secure arrangements for accessing your client list and records
* clear instructions on how clients should be contacted.
If you do not have one, the work is usually a few hours. BACP, the BPC, and several supervision networks publish templates that will get you most of the way.
The most important practical step is the conversation with whoever you are asking to be your executor. They need to actually agree, understand what they are taking on, and know how to find the things they would need.
If you do have one, the audit questions are these:
* Does your executor know, right now, where your current client list is held?
* Can they actually access it if they needed to?
* Have you written down what they should say to clients — and what they should not?
* Have you reviewed the document in the last year?
A clinical will that has not been touched since you set it up five years ago is often a clinical will that no longer reflects your practice.
Many practitioners discover they need a clinical will only when a supervisor or a peer in their network raises it. The draft framework is, in effect, surfacing the question for everyone.
“Is my privacy notice doing what it needs to do — and what about the new complaints rules?”
This is important because it sits across all three categories of obligation and across two different regulatory updates.
Section 3.1(c) of the draft framework asks for a clear and accessible privacy notice outlining how personal data are collected, used, stored and protected. Section 3.1(d) adds that you should inform people of foreseeable limitations to confidentiality, including the use of digital storage systems, platforms or tools that may monitor or collect data.[^1]
This is primarily a legal duty under UK GDPR, which has expected clear privacy information since 2018.[^3] The draft framework simply makes the link more explicit for BACP members. So this applies to every UK therapist, body member or not.
There is also a separate, more time-pressing legal update here. The Data (Use and Access) Act 2025 introduces a new requirement for organisations to maintain a formal data protection complaints process, with the ICO confirming that the new complaints-process requirements come into force on 19 June 2026.[^4]
In practical terms, this means private practitioners need to be able to tell clients:
* how to raise a data protection concern
* how it will be acknowledged
* how it will be investigated
* how the outcome will be communicated.
The ICO has signalled a measured approach to enforcement during the transition, but the rule itself is statutory and applies to all data controllers — regardless of size, sector or body membership.[^4]
So there are really two practical tests for your current privacy notice.
First: does it clearly identify the main systems, platforms and providers involved in handling client data?
For example, does it identify your practice management software, video platform, any AI tools you use, your email provider, payment processor and backup system? If your privacy notice uses phrases like “industry-standard secure tools” or “trusted third-party providers” without saying who those tools and providers are, it may not be specific enough for either UK GDPR transparency or the draft framework.[^3]
Second: does it tell clients how to raise a data protection complaint with you directly, before going to the ICO? From 19 June 2026, this becomes a statutory expectation.[^4]
For a private practitioner this does not need to be elaborate, but it does need to be clear: a route for the client to raise the concern, an acknowledgement, an investigation, and an outcome communicated back to them.
Writing a more specific privacy notice and complaints process is not difficult. The structure is broadly:
* what data you collect
* what you do with it
* who else has access to it, including the main named providers
* how long you keep it
* what rights the client has
* how they can exercise those rights
* how they can raise a data protection concern.
There is a small bonus to specificity. The clearer your privacy notice is about who handles client data, the easier the other framework conversations become. If a client asks about AI tools you use, your privacy notice has already disclosed it. If you ever need to evidence the risk-assessment work in section 2.1(e), your privacy notice supports the documentation chain.[^1][^3]
“I see clients across borders, or I work from abroad sometimes. What changes for me?”
The draft framework introduces clearer cross-border framing than the 2018 version had.
Section 3.2(b) asks for records to be stored securely and to comply with the data protection requirements of the country where the record is held. Section 3.3(b) notes that legal obligations may vary depending on the jurisdictions in which you provide services. Section 4.2(a)(ii) extends the insurance requirement to all jurisdictions of work.[^1]
In terms of obligation, the data sections reflect legal duty: UK GDPR and corresponding regulations in other jurisdictions apply regardless of body membership. The insurance section is a BACP requirement that mirrors what any sensible practitioner would do anyway.
If your work is entirely UK-based — UK clients, UK location, no travel — most of this will not apply to you directly, though you should still be able to articulate where your data is stored and which legal regime applies.
If you work with clients abroad, or you yourself work from outside the UK for periods of the year, the practical steps are these.
Know where your data is stored. Many cloud services are hosted outside the UK: US-hosted, EU-hosted, or both.
This is not inherently problematic — many operate lawfully under UK adequacy arrangements, standard contractual clauses or other transfer mechanisms — but you should be able to explain the arrangements if asked.
Confirm with your insurer that your policy covers the actual jurisdictions in which you and your clients are located. Keep the written confirmation on file.
Cross-border insurance is genuinely complicated. It involves governing law, practitioner location, client location, regulatory recognition, and individual insurer exclusions, and the draft framework does not resolve any of these questions.
What it does is make the obligation to think about them explicit. If you have even occasional cross-border clients, a written question to your insurer is worth the small effort.
"How do I actually evidence ethical reasoning when something difficult comes up?"
This is one of the strongest threads in the draft framework.
Section 1.4(d) asks members to be able to demonstrate ethical rationale and reasoning, including the steps taken to resolve dilemmas or challenges.[^1]
Importantly, the draft framework does not appear to require a formal written rationale for every ethical decision. The relevant text suggests rationale should be recorded “in a way that is consistent with good practice around record keeping” where required by others. The expectation is that your reasoning is articulable and, where appropriate, evidenced — particularly for significant or contested decisions.[^1]
The main category here is professional body requirement, but with real protective value beyond body membership. If a complaint, lawsuit, or regulatory inquiry arises, the ability to demonstrate considered ethical reasoning is one of the strongest defences any therapist has — body member or not.
Practically, three kinds of record do this work between them:
* case notes: the formal clinical record
* process notes or reflection notes: your own thinking about a session or a decision, kept separately from the clinical record
* supervision notes: the record of conversations with your supervisor about difficult moments.
Process notes — separate from the clinical record, kept for your own reflection and supervision preparation — can be particularly useful here. They are the place where the difficult thinking happens.
If you keep them, they should be separate, purposeful, proportionate and consistent with your privacy information and record-keeping policy. Whether particular notes are disclosable in response to a Subject Access Request is fact-specific, so it is safer not to assume they are automatically protected.[^3]
The draft framework is not asking you to write a 1,000-word rationale every time you make a decision. It is asking you to be able to point to some record — clinical, process, or supervision — that shows you thought about a difficult question.
“I mix personal and professional digital channels. Does that need to change?”
The 2018 framework asked members to take reasonable care to separate personal and professional social media.
The 2025 draft is more direct: members are asked to ensure there is a clear boundary between personal and professional social media, digital accounts and communications. That is section 1.3(d).[^1]
The main category here is professional body requirement and broadly good practice. It is not a specific legal duty, but mixing channels creates real risk of accidental disclosure, boundary confusion, and data-protection breaches — risks any thoughtful practitioner would prefer to avoid.
For solo practitioners with limited resources, the question is what counts as adequate separation.
The honest answer: a separate work phone number is not strictly required, but a dedicated work email and separate professional accounts on whichever social platforms you use is fairly minimal.
Using personal WhatsApp or personal email for client contact has been quietly accepted by many UK therapists for years; the draft framework wording suggests that this now needs more deliberate thought and clearer boundaries.
The practical move is to audit your current channels:
* Where do clients message you?
* What email do they use?
* What number do they text?
* Which social accounts do they see?
Then decide which need to be moved or duplicated to professional-only versions. For most practitioners, this is a few hours of setup work, not a major restructuring.
“What about my working agreement and intake materials?”
Section 1.2(b) of the draft asks members to provide people with a record of the working agreement.[^1]
Several other framework items end up being documented inside this agreement, or referenced from it:
* fees and payment terms
* how data are handled
* foreseeable limits to confidentiality
* the use of AI or digital tools
* access to safeguarding policy details
* the existence of a clinical will arrangement
* how to raise a data protection concern.
The main category here is mixed: partly legal duty, partly professional body requirement, and partly good practice.
The privacy notice and GDPR elements are legal duties. The formal working-agreement record is a professional body requirement for BACP members if adopted in this form. The broader point is good practice: any therapist offering paid services would prudently have clear written terms.
Whether all of this sits in a single working agreement or splits between a working agreement and a standalone privacy notice is a matter of preference. A short standalone privacy notice that the agreement references is a workable structure.
What matters is that the client has, in writing, a record of:
* what is agreed
* what is confidential
* what might break confidentiality
* what tools handle their information
* how to raise concerns about their data
* how the relationship ends if you become seriously ill or die.
If your existing working agreement was written before 2023, it is likely missing some of these items — particularly around AI use, the clinical will, the specificity of the privacy notice, and the new complaints-handling expectations.
A review of the document against the framework sections above and the DUAA changes is the practical task.[^1][^4]
“Are my fees, payment terms, and tax position OK?”
The draft framework adds a financial responsibility section that did not exist in 2018.
Section 3.4 asks members to be aware of and comply with tax obligations in the country where they provide services, and to provide clear and transparent information about fees, including when and how payments are to be made.[^1]
The tax obligation is a legal duty. It applies to every sole trader regardless of body membership. The written fees and payment terms requirement is professional body-specific and good practice combined.
For UK sole-trader therapists, the most consequential current piece of this is Making Tax Digital for Income Tax. It is being phased in from April 2026 for sole traders and landlords whose annual income from self-employment and property is over £50,000, with lower thresholds following.[^6]
If you have not yet prepared for MTD, this is the year.
You will need either a full accounting package, such as Xero, FreeAgent or QuickBooks, or HMRC-compatible bridging software that connects to a record-keeping system. Bridging software may be cheaper than full accounting software if your needs are simple, although what is suitable will depend on your practice and tax position.
The written fees and payment terms piece is straightforward: your working agreement should cover the session fee, when invoices are issued, acceptable payment methods, late payment terms, and the cancellation policy.
Most practitioners already do this informally. The draft framework suggests it should be in writing.
“I have a supervisor. How do I actually use them to walk through all this?”
Supervision is a strong thread through the draft framework.
Section 4.3 sets out the supervision requirement; section 1.4(c) asks members to consult regularly with a supervisor about ethical dilemmas or challenges.[^1]
Beyond the framework itself, supervision is the place where the rest of these questions get worked through in real practice.
The main category here is professional body requirement. Supervision is also required by most other professional bodies, though the details vary.
It is not a UK legal duty as such, but it is commonly expected by professional bodies and may be relevant to indemnity and defensibility. Any therapist offering paid clinical work would benefit from it regardless.
A practical use of supervision for the framework changes is to block out a single session in the second half of 2026 to walk through your current contracts, privacy notice, digital tool use, insurance arrangements and clinical will against the draft framework.
This is the kind of audit that is easier collaboratively than alone, and your supervisor’s perspective on what counts as adequate evidence is genuinely useful. Most supervisors will welcome this as a productive use of a session.
What to do this month
If the article above has flagged any specific concerns for your practice, the highest-leverage actions are these.
1. Check your privacy notice and complaints process.
- Does it identify the main tools and providers handling client data?
-Does it tell clients how to raise a data protection concern with you directly?
The 19 June 2026 commencement date for the DUAA complaints rules is the most time-pressing item in this article, so this is the place to start.[^4]
2. If you use AI tools that touch client material, draft a short written risk assessment for each one.
Even a single page. Cover what data passes through, where it is stored, who else processes it, what risks remain, and what you have told clients. This is the item most likely to be missing for current users.[^1][^3]
3. Check your clinical will.
If you do not have one, put one in place — the work is a few hours and templates exist. If you do have one, audit it: does your executor know where your client list is right now, and could they actually access it?[^1][^5]
The remaining items in this article are worth attending to but less urgent. They can wait until later in 2026, when the final framework version is due and the accompanying Good Practice in Action resources are clearer.[^1]
If this has helped you spot gaps in your own documents, start with the privacy notice, AI position and clinical will. Those are the three areas most likely to need action before the final framework becomes mandatory.
Where to find the framework, and what else to read
The draft is available on the BACP website on the Developing the new Ethical Framework page.[^1]
The framework itself is short and well worth reading directly.
The Confident Therapist Hub publishes regular pieces on the practical side of UK private practice. Future articles will go deeper into AI note-taking ethics, working agreements that meet the new framework, and clinical wills in practice.
If you would find it useful to think through these themes with other UK practitioners, the CTH email list will let you know when each is published.
Endnotes
[^1]: BACP, Ethical Framework for the Counselling Professions 2025 draft PDF: https://www.bacp.co.uk/media/23628/ethical-framework-for-the-counselling-professions-2025.pdf; BACP, Developing the new Ethical Framework: https://www.bacp.co.uk/developingethicalframework
[^2]: ICO, Exemptions: https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee/exemptions/; ICO, Data protection fee self-assessment: https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment/
[^3]: ICO, What privacy information should we provide?: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/what-privacy-information-should-we-provide/; ICO, Transparency: https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/accountability/transparency/
[^4]: ICO, How to deal with data protection complaints: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/; ICO, One month to go: what businesses need to know to meet new data law: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/05/one-month-to-go-what-businesses-need-to-know-to-meet-new-data-law/; GOV.UK, Data (Use and Access) Act 2025: data protection and privacy changes: https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes; GOV.UK, Data (Use and Access) Act 2025: plans for commencement: https://www.gov.uk/guidance/data-use-and-access-act-2025-plans-for-commencement
[^5]: BABCP, Clinical Wills Policy: https://babcp.com/about/who-are-babcp/our-policies/clinical-wills-policy/
[^6]: GOV.UK, Making Tax Digital for Income Tax: https://www.gov.uk/government/collections/making-tax-digital-for-income-tax; GOV.UK, Find out if and when you need to use Making Tax Digital for Income Tax: https://www.gov.uk/guidance/find-out-if-and-when-you-need-to-use-making-tax-digital-for-income-tax
This article does not constitute legal or compliance advice. Consult your supervisor, your professional body, your indemnity insurer, and a qualified data protection adviser for guidance specific to your practice.
Based on the draft Ethical Framework for the Counselling Professions 2025. BACP has said the final version is expected in Autumn 2026 and may include changes.
This article was developed with the assistance of AI writing tools and carefully reviewed by the Confident Therapist Hub team in line with our AI Use Policy.


Get in touch!
-
admin@confidenttherapist.org
