How do privacy and data protection issues apply in autism therapy records?
Autism therapy records often contain highly sensitive information about detailed behavioural notes, developmental histories, video recordings, and multi-agency updates. Under UK GDPR, this is classed as special category health data, which, according to the Information Commissioner’s Office (ICO special category data), “needs more protection” and requires both a lawful basis under Article 6 and an Article 9 condition such as “health or social care” or “safeguarding of children”.
Legal basis and children’s rights
ICO guidance on children’s data emphasises fairness, transparency and the use of clear, plain language when explaining how information is used, especially for under-18s as shown in ICO: children and the UK GDPR. NHS Confidentiality rules also apply to information shared with autism services that is kept within the child’s NHS record and only disclosed externally with permission unless there is a significant safeguarding risk, in which case reasons must be explained.
Under UK law, parental access depends on competence and best interests. Children under 16 may consent to care if they are Gillick competent (NHS consent guidance). (dance explains that parents can usually request their child’s records, but information may be withheld if sharing it would place the child at risk or compromise investigations (RCPCH records guidance). ICO also notes that if a child is competent, their data rights take priority over a parent’s access request.
How autism therapy providers must handle data
The NHS Records Management Code secure storage, access controls, audit trails and retention periods are tied to a child’s age typically until their 25th birthday for child health records. Private or independent therapists follow the same legal standards, often using encrypted files, password protection, and careful limits on video recording, which requires explicit consent.
ICO guidance clarifies that clinical consent and GDPR consent are different: providers usually rely on “provision of health or social care” rather than consent as their legal basis for record-keeping, even though they still seek clinical consent for therapy decisions.
Data sharing with schools and safeguarding partners
Therapy records are sometimes shared with education or social care teams. ICO safeguarding guide states that UK GDPR is not a barrier to sharing information when necessary to protect a child, but sharing must be “necessary, proportionate, relevant, accurate, timely and secure”. SCIE information sharing adds that consent should be sought where possible, but information can be shared without consent to prevent harm, with clear documentation of reasons.
Key takeaway
Autism therapy records sit within the strictest category of data protection law. Providers must follow UK GDPR, ensure secure storage, minimise the information collected, and share data only when it is lawful and in the child’s best interests. Families should expect clear explanations about how records are used, and children’s own rights and confidentiality increase as they grow in competence.
