ACTO

Answer prepared by Pip Weitz, Standards and Ethics Officer, ACTO. 28^th August 2017

This is a subject that leads to high emotion amongst some people. So I feel it is important to give a full answer here. There is far more information that I include here and the references will give you further reading on the subject.

In 2013-2014 I wrote quite a lot about Skype and its unsuitability for working online – I have recently updated this. However, the main message remains the same as in 2013, there are better platforms available without breaking the bank.

In 2014 I approached Microsoft, the owners of Skype, and they confirmed that Skype was not suitable to be used for therapeutic purposes. I also documented my conversation with the Information Commissioner’s Office, which confirmed the same (Weitz, 2104a).

Three years on, as Standards & Ethics Officer for ACTO, I have reviewed my original view and look at the matter again, and looked beyond Skype to see what might be suitable. Bond (2017) in his review of my (Weitz, 2014b) book said: “the reservations expressed about Skype could also apply to other platforms, to some degree”. I couldn’t agree more and the comments I include below may well apply to other software, and I will mention them.

So first all let’s deal with a myth: everyone misguidedly talks about how Skype is not encrypted. It is encrypted. This is a good point and there are many good points about Skype and many millions of people use it for personal purposes without any problems. I suppose you might make a comparison between an accountant using a home accounting package for his work rather than using Sage or another professional accounting package.

Because Skype is so well known we’re used to hearing “I’ll Skype you this evening”, even when not using Skype. It’s like the Hoover …. In the UK we talk about any vacuum cleaner as a Hoover, whatever its make. The difference is that all the makes of vacuum cleaner we use are equally acceptable for the purposes we’re using them. This is not the case with various video-conferencing software platforms, Skype being one of them especially when talking about working therapeutically. So just a little plea, please do not to use the word Skype generally when we’re speaking in a therapeutic context as it provides a mixed message about whether it’s OK or not. Let’s just talk about working via video, or video-conferencing. I know it’s a bit more long-winded but it stops the misunderstanding that creeps in by using the S word!

The issues regarding Skype (and some other platforms) are around security. The place to look to substantiate this is the Information Commissioner’s Office (ICO), the Data Protection Act 1998, and in particular the Data Principles. (ICO, 2017), in particular Principle 7 – Security. Every therapist working face to face or online really needs to read these principles, and especially Principle 7. These data principles are not a soft option that we can choose to opt into or not, they are enshrined in law. The summary of this principle is:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (p. 75).

On page 77 the ICO discuss what appropriate might mean, but says that assessment is the key, and the cost of implementing your security should be commensurate with the risk. In other words, you’re not required to have military grade security. Actually in my experience most of us have very high grade security, it’s nothing we do; it just comes with the software. The problem is far closer to home, you or/me, we are the weakness! Let’s read on and you’ll see what I mean! The ICO would say that one of the considerations for security is cost and that this must be manageable and commensurate, and this is why I encourage therapists to think about this issue as changing from Skype to another platform is not a costly or complicated exercise, so reflecting the ICO data protection principle security I believe it is one that would be desirable.

So what are the issues. There are three:

The first issue, is that Microsoft raid the Skype accounts to sell you stuff. We’re all used to seeing the ads flying around our Skype screens.  From a therapeutic point of view (which is very different to the uses by the general public) it is a breach under Principle 7 of the Data Protection Act 1998.

The second issue is the contacts list. And for me this is a much bigger issue as it is very prone to human failure and oversight. VSee has this problem, Skype, has this problem, Skype for business has this problem, and other platforms have this problem. This is a clear example of Principle 7 and how we can manage data and the risk, because there is no cost to managing this breach. Just a requirement for better management of our computers, it is an example of sloppiness by the data controller (you or me as therapists in this context) by leaving the contacts open on the screen and it’s our responsibility to manage this issue. The easiest way to manage it is not to use Skype or Skype for Business, or other similar software that uses contacts lists. And that is easy now as there are other systems in place that comply without major cost. The one I find fits the bill the best is www.zoom.us. Zoom does have a contacts list but you do not need to use it and I never use it. I just send the link to the client for the session and once the session is over any trace of it has gone. You may say this is a little zealous, but how many of us have worked with clients who have been stalked or tracked on their computers by a jealous partner? Whilst a very clever stalker may crack any software, selecting a good platform as a basis for our online work is a duty of care to our clients and will go a long way towards their protection.

The third is the issue of the paper trail left in live chat in Skype.  In Skype the live chat function is what provides the risk as the texts are stored online and available well after the “session” (for 30 days) and not password protected or security protected in any way.  Yes another breach. In my opinion the live chat function on either skype or Skype for Business does not provide a suitable level of security for the therapeutic use as the text is still available at a later date and could be misused (think about for example a jealous partner using tracking software).

Microsoft is quite open about the way it way access and use your data. Here’s what Microsoft (2017) says about its use of data and privacy on Skype for Business in its Terms and Conditions:

“Microsoft collects data to operate effectively and provide you the best experiences with our products. You provide some of this data directly, such as when you create a Microsoft account, submit a search query to Bing, speak a voice command to Cortana, upload a document to OneDrive, purchase an MSDN [Microsoft Developer Network] subscription, sign up for Office 365 or contact us for support. We get some of it by recording how you interact with our products by, for example, using technologies like cookies, and receiving error reports or usage data from software running on your device. We also obtain data from third parties […….] “If you use a Microsoft service, such as Outlook.com, to manage contacts, Skype will automatically add the people you know to your Skype contact list. With your permission, Skype will also check your device or other address books from time to time to automatically add your friends as Skype contacts. You can block users if you don’t want to receive their communications.”

In terms of the privacy that we are required by law to provide as data controllers to our clients and patients, the above Terms and Conditions are extremely worrying. What might be really helpful for us as family and friends is not at all suitable for therapeutic purposes.

Tim Bond’s (2017) recent statement, “Ideally, it is better to use more appropriate platforms for psychotherapy, where these are available and acceptable to clients”. There are other platforms and the one I use is zoom. The quality is just so much higher spec AND doesn’t have to work via a contacts list and once the link is gone after the session that’s the end of it. Other platforms are coming through so I would not wish to say that zoom is the only way, but it is a good way. And it is free for you to use individually. I pay for the service as I use it with groups and for my teaching and supervision and have been absolutely delighted with the quality. I pay £11.99 a month and I am really happy. https://zoom.us/pricing.

So finally just as the accountant wouldn’t use the home accounts package for his professional work, we need to use professional solutions for our professional work. Protecting our clients security is our responsibility, not an option, it’s a legal requirement.  Obviously this is an on-going conversation is a fast moving field and we at ACTO will review this particular FAQ regularly to see if we should alter any of what we have included here. If you want to read more abourt security working online I have put together a White Paper (Weitz, 2015) that you might find useful.

References

Bond, T. (2017). BookREVIEW: Psychotherapy 2.0: Where Psychotherapy and Technology Meet. http://www.contemporarypsychotherapy.org/volume-9-no-1-summer-2017/bookreview-psychotherapy-2-0-where-psychotherapy-and-technology-meet/ . [Last accessed 12 August 2017]Information Commissioner’s Officer. (2017) The guide to data protection. 7^th July 2017. https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/  [Last accessed 12 August 2017]Weitz, P. (2014a). A request to the ICO for guidance regarding Skype and other online platforms for therapeutic use, and other issues of security and confidentiality, 12/5/14.

file:///C:/Users/P%20Weitz/Downloads/Philippa%20Weitz%20conversation%20with%20the%20Information%20Commissioner's%20Office%20120514%20-%20Copy%20(4).pdf [Last accessed 26^th August 2017]/

Weitz, P. (Ed.). (2014b). Psychotherapy 2.0: Where Psychotherapy and Technology Meet. London: Karnac.

Weitz, P. (2015). Security, privacy, confidentiality & jurisdiction for the online counsellor and psychotherapist. http://files.edu.flipsnack.net/iframehtml5/embed.html?hash=fumqvss9&fullscreen=1&startIndex=0&previous_page=true [Last accessed 26^th August 2017] 

Not all insurers are the same. I did a secret shopper survey in 2014 and I found a huge variation with regards to working online and some insurers didn’t seem to understand some of the issues involved, especially around jurisdiction. If you are working online we would suggest you contact your insurer to insure that you are covered to work online and if you’re working outside the UK to check that the country where your client is (or where you are) is covered by your insurer.  Get confirmation of this in wiritng.

I have clients in The States, my supervisor has told me this is not OK. Is she right? Generally how does it work if your client is in a different country?

This subject is known as jurisdiction. As the question covers the USA specifically I will start with the USA where there are specific issues. There are two issues to think about when working in the States online. HIPAA and State Licenses. There is an American online therapist, Roy Huggins, who runs a really interesting company and website https://personcenteredtech.com/ ….. you’ll find plenty of resources there and Roy is a great person to consult. In brief, HIPAA (Health Insurance Portability and Accountability Act of 1996) is a United States legislation that provides data privacy and security provisions for safeguarding medical information. If you are going to work in the States you’ll need to sign up for this and comply with it. The second constraint is that most States require you to have a State license. This is for face to face work and online work. So to comply with US State laws you’ll need to be licensed in each State that you work in. You’ll understand from this that it is for this reason that most insurers do not include working in the States within their Professional Indemnity Insurance cover.

To summarise it’s therefore HIGLY UNLIKELY that you’ll be able to work in the States unless you have the correct licenses and comply with HIPAA. If you want a second opinion on this Roy Higgins is your man!

I have used the USA as the example, but each country has its own laws, and you should not assume that because we are in (just) Europe that all EU countries Have the same rules and laws, they don’t. It can be very difficult to get the information you need, for example if you have a child protection issue with an online client in Italy, how might you proceed. You still need to think about safeguarding and compliance wherever the client is and it’s not always easy.

There is no doubt that having a trained online supervisor will be of benefit. However neither BACP or ACTO insist that you have a trained online supervisor but suggest that some of your current supervision is done through similar technology that’s used for working with clients and advise to have a trained online supervisor to do this with.

BACP Working Online Guideline 047, states:

Point 3 "It is considered good practice to receive at least some supervision online through similar technology to that used for working with clients ..."

(Bond, 2016 BACP online guideline)

ACTO Code of Ethics:

"Members should be aware of and work within their limitations and competence; seeking regular supervision preferably from an experienced online supervisor; and be willing to undertake continuing professional development."

We therefore recommend that at least part of your online therapy work should be explored in online supervision and preferably with an experienced online supervisor.

If you need help to find an online supervisor you can find a list of registered online supervisors on the ACTO website https://acto-org.uk/seeking-online-supervisor/

We are not able to provide definitive advice which you would need to seek from the ICO as every situation is different.

However our understanding is that if you keep any personal information relating to your clients either in paper or electronic form you will need to register. (This for example would include email addresses and phone numbers stored on a computer or mobile phone).

If your only work outside is as salaried employment then your employer is responsible for the management of all personal data within the company / organisation and in that instance it would not be necessary to register.

However, this is a fast changing area of legislation and with the arrival of General Data Protection Regulation (GDPR)and extensive new Data Protection Legislation we would recommend that you familiarise yourself with both the Data Protection Act and GDPR as well as completing the ICO’s self-assessment to determine if your personal circumstances necessitate your registering.

References:                       
Self-assessment: https://ico.org.uk/for-organisations/register/self-assessment/
Data Protection Act: https://ico.org.uk/for-organisations/guide-to-data-protection/
GDPR: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
GDPR: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

There seems to be quite a lot of confusion generally about DBS checks. You cannot apply directly to the DBS Service but you can apply for your own DBS check at https://www.dbscentral.co.uk/. Whilst there appears to be no fixed time validity, https://codeuk.com/faq/dbs-crb-checks-expire-often-need-reviewing/, the generally available guideline is that a DBS should be valid for three years, and that's the standard we recommend at ACTO.

As soon as you receive your DBS check we would recommend you apply to https://secure.crbonline.gov.uk/crsc/apply?execution=e1s1 which is their updating service – you need to do this within 19 days of the date of your DBS certificate, but in future this will avoid you having any duplication.