The new BACP ethical framework — three decisions you’ll need to make this year

Jun 12 / Joel Bild
The new BACP ethical framework — three decisions you’ll need to make this year
Confident Therapist Hub · Practice management · 6 min read

Most writing on the draft BACP Ethical Framework is descriptive: here’s what changed, here’s what’s new.

Useful, but it leaves you with the harder question: what applies to me, and what do I need to do?

This piece does that work for you. It picks the three changes most likely to matter to a UK private practitioner this year, sorts them by urgency, and ends with three things to do this month.

For the comprehensive version, with all ten shifts and full framework references, the long-read is here.

An important distinction
A lot of confusion in private practice comes from mixing up three different kinds of obligation.

1. Legal duty
Applies to every UK therapist, regardless of professional body membership. Compliance with UK GDPR, HMRC tax obligations, safeguarding duties and the Equality Act all sit here. Many therapists in private practice will also need to pay the ICO data protection fee unless exempt, so it is worth checking the ICO self-assessment rather than assuming either way.

2. Professional body requirement
Applies to members of that body. e.g. BACP, UKCP, NCPS and BABCP each have their own frameworks, standards or requirements. These are contractual: by joining, you have agreed to them. Breach can affect your registration, your defensibility in a complaint and, depending on the circumstances, your relationship with your insurer.

3. Ethical good practice
Neither legally required nor specifically mandated for every practitioner, but something a thoughtful practitioner would do anyway. The clinical will is the cleanest example: not a legal duty for every therapist, but a therapist who dies without one may leave clients without proper notification, records access or continuity arrangements. “Not legally required” is not the same as “not necessary”.

Each item in the draft framework sits mainly in one of these categories. That tells you how urgent it is — and what is at stake if you ignore it.

Decision 1: What to do about AI
Framework section 2.1(e). Category: professional body requirement for BACP members, with legal overlap.
The draft framework asks members to assess the risk of any AI tool, digital tool or online platform before using it, and places clear emphasis on competence, understanding how data are handled, and being open with clients.

The decision is not simply whether to use AI. It is whether you can defend your use of it.

In practice, many therapists will want to be able to evidence at least:
• a short written risk assessment: where the data goes, who else processes it, and what the residual risks are
• an understanding clear enough to explain to a client
• real disclosure to clients, not just a buried line in a privacy notice.

For many therapists currently using AI transcription or note-taking tools, this means doing work that may not yet have been done. For therapists not using AI, the question is whether to start — and the practical test is whether you could explain and defend that decision clearly to a client, supervisor, insurer or regulator.

A practical note on consent. Asking a client whether you may record or process a session through an AI tool creates an interaction the therapy never previously had to have. Even when a client agrees — and many will, out of wanting to be a good client — the asymmetry is now in the room.

This is not a reason never to use AI tools. It is a reason to be sure the time saved is worth the relational cost.

Decision 2: Whether you have a clinical will, and whether it is good enough
Framework section 4.5(e). Category: likely to become a professional body requirement for BACP members if adopted in this form; already required for some BABCP members; ethical good practice for everyone else.

The clinical will appears to be given stronger and more explicit weight in the draft framework. Many therapists discover they need one only when a supervisor or peer raises it.

A working clinical will needs four things:
• a named executor who has agreed in writing
• a confidentiality agreement with that person
• secure access arrangements for your client list
• clear instructions for how clients should be contacted if you die or become incapacitated.

If you do not have one, this is the single most actionable item in the article. Templates and guidance exist. The work is usually a few hours.

If you do have one, the question is whether it is actually workable. Does your executor know where your client list is right now? Could they access it? Have you written what they should say to clients? These are the questions an audit would ask.

This is one of the few items where “I’m not required to have one” is a particularly weak defense. The harm of dying without a clinical will is to your clients — they have no access to their records and are left not knowing why you suddenly stopped contacting them.

Decision 3: Whether your privacy notice and data complaints process are specific enough
Framework sections 3.1(c) and 3.1(d). Category: legal duty under UK GDPR for every therapist, reinforced by the draft framework for BACP members.1,3

The draft framework requires a clear and accessible privacy notice that explains how personal data are collected, used, stored and protected. It also asks members to inform clients about foreseeable limits to confidentiality, including the use of digital storage systems, platforms or tools that may monitor or collect data.

This is not just a professional body issue. UK GDPR has required clear privacy information since 2018. The draft framework makes the link more explicit for BACP members.

There is also a timely legal update here. The Data (Use and Access) Act 2025 introduces a requirement for organisations to maintain a data protection complaints process, with 19 June 2026 widely cited as the key implementation date for that obligation.

For private practitioners, this does not need to be elaborate, but it does need to be clear: how a client can raise a data protection concern, how you will acknowledge it, how you will investigate it, and how you will communicate the outcome.
So the question is not only, “does it explain what happens to client data?” It is also, “does it tell clients what to do if they are concerned about how that data has been handled?”

The practical test is simple: open your current privacy notice.
-Does it clearly explain the digital systems and tools involved in handling client data?
-Does it mention your practice management software, video platform, email provider, payment processor, and any AI tools you use?
-Does it explain where confidentiality may be limited by safeguarding, legal obligations, supervision, clinical-will arrangements or digital processing?
-Does it tell clients how to raise a data protection concern or complaint?. 

If it relies on vague phrases like “industry-standard secure tools” or “trusted third-party providers”, it may not be specific enough for either the draft framework or the transparency expected under data protection law.

The practical decision is simple: write a more specific privacy notice and complaints process yourself, adapt a strong template, or get one drafted. For most practitioners, adapting a good template is the most realistic starting point.

The other things to look at
The draft framework also asks you to look at:
• how personal and professional digital channels are kept separate
• where your records are stored and which jurisdiction applies
• how your fees and payment terms are written down
• whether your insurance covers cross-border work
• how you evidence ethical reasoning when decisions are complex
• whether your working agreement reflects all of the above
• the role of supervision in walking through any of it

This is important because each of these areas may affect how defensible, transparent and ethically grounded your practice is — but they are less likely to require immediate new work than the three decisions above. The full piece walks through each.

Three things to do this month
1. Open your privacy notice.
Is it specific about the digital tools, systems and processors handling client data? Does it tell clients how to raise a data protection concern or complaint? This is the most legally exposed of the three, so fix this first.

2. Decide your AI position.
If you use AI tools, draft a short risk assessment for each one. If you do not, decide whether you want to — and why — in language you could defend to a supervisor, client or regulator.

3. Audit your clinical will.
If you do not have one, put one in place. If you do, test whether it actually works: does your executor know where your client list is, and could they access it if needed?

These three actions cover the biggest practical shifts for many private practitioners. The rest can wait until later in 2026, when the final version is due and the Good Practice in Action resources are clearer.

The draft Ethical Framework for the Counselling Professions 2025 is already available, and BACP says the final version will be published in Autumn 2026. Do not rely on assumed go-live dates; check BACP’s latest implementation guidance. The work itself is not hard. It just needs to be done properly.

If you would like the full picture — all ten shifts, with framework references and a longer practical sequence — the long-read is here.

Confident Therapist Hub publishes regular pieces on the practical side of private practice.

Endnotes
1. BACP, Ethical Framework for the Counselling Professions 2025 (draft PDF): https://www.bacp.co.uk/media/23628/ethical-framework-for-the-counselling-professions-2025.pdf; BACP, Ethical Framework for the Counselling Professions review page: https://www.bacp.co.uk/events-and-resources/ethics-and-standards/ethical-framework-for-the-counselling-professions/
4. GOV.UK, Data (Use and Access) Act 2025: data protection and privacy changes: https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes ; GOV.UK, Data Use and Access Act 2025: plans for commencement: https://www.gov.uk/guidance/data-use-and-access-act-2025-plans-for-commencement

This article does not constitute legal or compliance advice. Consult your supervisor, your professional body, your indemnity insurer and a qualified data protection adviser for guidance specific to your practice.

Based on the draft Ethical Framework for the Counselling Professions 2025. BACP says the final version is expected in Autumn 2026 and may include changes.

 This article was developed with the assistance of AI writing tools and carefully reviewed by the Confident Therapist Hub team in line with our AI Use Policy.
Created with