
Thinking about moving your notes from paper to the cloud?
The idea of accessing session notes from anywhere, without being tied to a single office computer, is compelling. It speaks to a more flexible, modern way of working, and many therapists are turning to platforms like Google Docs, Office 365, or practice management software to store their records.
A good few years ago, I set off on this very search for my own practice. The process sparked professional and ethical questions: how can we trust these vast, faceless systems with the profoundly personal stories our clients entrust to us?
The search for a secure digital home for client data can feel overwhelming, full of technical jargon and conflicting advice. This guide is my attempt to share what I learned during my in-depth research. While I ultimately decided that a local, encrypted storage device was the right fit for my practice, I came to understand that using the cloud can be done safely and ethically – if the right tools and methods are used.
My blog post here is aimed at demystifying the process for you, my colleagues, who have decided that cloud storage is the right choice for them. When we have systems we can trust, whatever they may be, we free up our own mental and emotional space. We can then bring our full attention back to where it belongs: the therapeutic relationship and the client in front of us.
Contents
- Your Ethical and Legal Obligations
- How Encryption Works (And Why It Matters)
- DIY Encryption vs. E2EE Platforms
- E2EE Tools for Your Practice
- Practical Steps for Implementation
- Managing Risk and Responsibility
- Building a Sustainable Practice
- Frequently Asked Questions
The Ethical Tightrope: Navigating the BACP Framework and GDPR in the Digital Age

Before I talk about specific tools, it feels helpful to ground ourselves in the principles that guide our decisions.
For me, as an accredited member of the BACP, my practice is anchored by their Ethical Framework for the Counselling Professions.
Whichever professional body we belong to, a core commitment to confidentiality is a principle we all share.
Clients share their most vulnerable experiences because they trust that what they say will go no further. If we move our record-keeping onto the cloud, our responsibility is to ensure that digital container is just as secure as a locked filing cabinet in a private office.
GDPR then adds a legal layer to this ethical commitment. As I am sure you already know, it’s a set of regulations about how organisations, including sole-trader therapists, must handle personal data. It gives individuals rights over their data and requires us to process it lawfully, fairly, and transparently. There are a number of principles to GDPR but the most significant principle for us is “integrity and confidentiality,” which legally obligates us to protect data against “unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
When we look at our own ethical framework alongside the legal requirements of GDPR, our duty becomes clear. We must take active, demonstrable steps to secure the confidential information we hold. When a client shares a difficult experience, they are trusting us not only to hold it emotionally but to protect it practically.
“But Isn’t Google Drive Secure?” Understanding Different Types of Encryption

Most mainstream cloud services like Google Drive, Dropbox, and Microsoft 365 use a standard level of security, but it may not be what you think it is.
Encryption-in-Transit and At-Rest
When you upload a file to most cloud services, it is usually encrypted in transit (as it travels from your computer to their servers) and encrypted at rest (while it’s sitting on their servers).
Encrypted means the data is scrambled so that anyone who intercepted it would see only meaningless noise rather than your notes.
This is good. It protects the data from being intercepted by a hacker as it travels across the internet, and it means if someone were to physically steal a hard drive from the provider’s data centre, they wouldn’t be able to read it.
However, there is a very important gap here.
The service provider themselves holds the key to unlock that encryption. This means the platform – be it Google, Microsoft, Zanda or another practice management tool – has the technical ability to access, scan, and read your files.
They may do this to serve you targeted ads, to train their AI models, or in response to a legal request from law enforcement.
For holiday photos, this might be a non-issue. For confidential client session notes, it presents a significant ethical and privacy problem.
End-to-End Encryption (E2EE): The Gold Standard
If you are thinking about trying to create the locked filing cabinet online then you need to know about End-to-End Encryption, often shortened to E2EE.
End-to-end encryption is a method of secure communication that prevents any third parties from accessing data while it’s transferred from one system to another. With E2EE, the data is encrypted on your device before it is ever uploaded to the cloud. It remains encrypted on the server and is only decrypted when you, or someone you have explicitly shared it with, accesses it on their device.
The most important part of this is that only you hold the encryption key.
The service provider cannot unlock your files.
They can see that you are storing an encrypted file, but they have absolutely no way of knowing what is inside it.
This is the critical difference. It protects your client data from platform data mining, from rogue employees, and, crucially, from third-party legal requests. If the service provider receives a warrant for your data, all they can hand over is a scrambled, unreadable file, because they don’t have the key to decrypt it.
For therapists, E2EE provides the closest digital equivalent to the traditional locked filing cabinet. It ensures that you, and only you, have control over who sees your client’s information.
Two Paths to End-to-End Encryption: The DIY Route vs. The All-in-One Service
When we decide to use E2EE, we are essentially choosing to hold the only key to our digital filing cabinet.
The way we do this generally falls into two distinct approaches. One involves you actively encrypting the files yourself before storing them, and the other uses a service where the encryption is built-in and automatic.
Path 1: Using Encryption Software with a Standard Cloud Service (The DIY Approach)
This approach involves using a separate piece of software on your computer to create an encrypted, password-protected “vault.” You then place your client notes and documents inside this vault. The vault itself is just a single file that you can then upload to a standard cloud service like Google Drive, Dropbox, or Microsoft OneDrive.
To anyone looking at your cloud storage – including the service provider – all they can see is this one scrambled, unreadable vault file. To access your notes, you would use the software to unlock and open the vault on your own computer.
Some well-regarded tools for this purpose include:
- Cryptomator: This is a user-friendly, open-source tool designed to make encryption simple. It creates a vault inside your existing cloud drive, and you can access your files easily without having to manually encrypt and decrypt them each time.
- VeraCrypt: A powerful and highly-respected free, open-source encryption tool. It’s a bit more technical to set up but is considered a gold standard for creating encrypted containers on your computer.
- 7-Zip: Many people know this as a tool for creating .zip files, but it also includes strong AES-256 encryption. You could, for instance, put all of a client’s documents into a folder, and use 7-Zip to turn it into a single, password-protected, encrypted archive before uploading it.
The benefits of this path are that it can be very low-cost (the software is often free) and it allows you to continue using a cloud service you are already familiar with.
The significant drawback, however, is the room for human error. This system relies on you remembering to place every confidential file inside the encrypted vault, every single time. Accidentally saving a session note to a regular folder by mistake would completely bypass your security. It also adds an extra layer of management that can feel cumbersome for a therapist who wants to deal with people, not technology. For files you need to access and edit often, the process of downloading, decrypting, editing, re-encrypting, and re-uploading can become a real barrier to a smooth workflow.
In fact, during my use of cloud services for storing notes, I trialled this method extensively. While effective, I personally found the manual steps a potential point of failure and ultimately settled on keeping my data on a local, encrypted device instead.
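As an added example (not code from the post), here is a small audit script a practitioner following Path 1 could run over their cloud-sync folder to catch the failure mode described above: a session note saved outside the encrypted vault. It assumes a Cryptomator vault folder named notes.vault and the container suffixes .7z (7-Zip) and .hc (VeraCrypt), and it builds its own constructed sample folder so it runs offline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Document types that must never sit outside the vault as readable files.
DOCUMENT_SUFFIXES = {".txt", ".md", ".rtf", ".doc", ".docx", ".odt", ".pdf"}
# Suffixes assumed here for the encrypted containers the post mentions: a 7-Zip
# archive and a VeraCrypt container (VeraCrypt itself does not require ".hc").
CONTAINER_SUFFIXES = {".7z", ".hc"}
# Bits per byte: ciphertext sits close to 8.0, typed notes around 4 to 5.
ENTROPY_THRESHOLD = 6.0


def shannon_entropy(data):
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path, vault_dirs):
    """Return a finding for a file that bypasses the vault, or None if it is fine."""
    if any(part in vault_dirs for part in path.parts):
        return None  # inside the Cryptomator vault folder: only ciphertext lives there
    suffix = path.suffix.lower()
    if suffix in CONTAINER_SUFFIXES:
        return None  # an encrypted 7-Zip/VeraCrypt container is what we expect to see
    if suffix in DOCUMENT_SUFFIXES:
        # Checked before the entropy test: .docx and .pdf are compressed, so their
        # bytes look random even though anyone can open and read them.
        return "plaintext document outside vault: %s" % path
    if shannon_entropy(path.read_bytes()[:4096]) < ENTROPY_THRESHOLD:
        return "low-entropy (probably unencrypted) file outside vault: %s" % path
    return None


def audit_sync_folder(root, vault_dirs=("notes.vault",)):
    """Walk the cloud-sync folder and list every file that sidesteps the vault."""
    vault_dirs = set(vault_dirs)
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            finding = classify(path, vault_dirs)
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree(root):
    """Constructed sample sync folder for the demo; nothing here is real client data."""
    root = Path(root)
    vault = root / "Clients" / "notes.vault" / "d" / "AB"
    vault.mkdir(parents=True)
    (vault / "note.c9r").write_bytes(os.urandom(2048))              # Cryptomator ciphertext
    (root / "Clients" / "C-0042.7z").write_bytes(os.urandom(2048))  # stand-in for an encrypted archive
    stray = root / "Clients" / "C-0042"
    stray.mkdir()
    (stray / "session-2024-03-01.txt").write_text("Session 4 (constructed): client spoke about ...")
    (root / "draft").write_text("Supervision reflections on client C-0042 (constructed) ...")


def run_demo():
    """Build the sample tree in a temporary directory and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_sync_folder(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it against your real sync folder by calling audit_sync_folder with that path; the entropy heuristic only catches uncompressed plaintext, which is why the suffix list is checked first.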
Path 2: Using an Integrated E2EE Cloud Platform
The second path is to use a cloud service that has E2EE built-in from the ground up. These services look and feel almost identical to Dropbox or Google Drive. You drag and drop files, create folders, and sync them across your devices. The big difference is that all the encryption and decryption happens automatically and seamlessly in the background.
With these platforms, you are choosing a provider whose entire business model is built on providing privacy. But how do you verify their claims? A healthy dose of professional scepticism is a good thing here.
Here are a few practical steps you can take to check if a service is genuinely E2EE:
- Look for the term “Zero-Knowledge.” It means the service has “zero knowledge” of your password and, therefore, has no way to decrypt your files. A provider who makes this claim is stating publicly that they cannot access your data.
- Check their password recovery process. A genuine zero-knowledge service cannot send you a password reset link for your account. If you lose your password, you lose access to your data. They should be very clear about this. If a service offers simple email-based password resets, it is a strong indicator that they have access to your data or encryption keys.
- See if they publish third-party security audits. Some services will hire independent security firms to test their systems for vulnerabilities. They may then often publish the results of these audits on their website.
- Note where the company is based. Companies based in countries with strong privacy laws offer an additional layer of legal protection for your data.
For most therapists, this offers a balance of high security and day-to-day usability. It removes the risk of manual error and provides a streamlined system for storing notes in the cloud.
E2EE Cloud Solutions for UK Therapists

When I was first researching this, my heart sank a little. The landscape is not as polished as that of the usual cloud platforms like Google Docs and Office 365, nor as simple as practice management tools like WriteUpp and Zanda. However, there are still some accessible, user-friendly, and affordable E2EE services that are well-suited to sole practitioners.
It is worth noting here that most Practice Management Software does not offer E2EE for file storage. While they are great for diaries, invoicing, and sending messages, their file and note storage component typically relies on the standard “at-rest” encryption mentioned earlier. This is why having a separate, dedicated E2EE solution for your session notes and confidential documents is a vital part of a secure digital practice.
Here are a few options which I have found to be robust and reliable.
Tresorit

- What it is: A Swiss-based, E2EE cloud storage service designed with high security and privacy in mind.
- How it fits a therapist’s workflow: It functions just like any other cloud drive. You can create folders for each client, upload documents (like Word files, PDFs, or scans), and it all syncs seamlessly and securely across your devices. Its “zero-knowledge” promise means they never have access to your encryption keys or data.
- Good to know: Switzerland currently has strong privacy laws.
Sync.com

- What it is: A Canadian-based E2EE cloud storage service that is a very popular alternative to Tresorit.
- How it fits a therapist’s workflow: The user experience is very straightforward. You get a secure folder on your computer that syncs everything you put in it to the cloud, all with E2EE. You can store your session notes, client agreements, and any other documents.
- Good to know: Sync.com is also a zero-knowledge provider and claims to comply with global privacy laws, including GDPR. They often have a free tier to let you try the service, with paid plans offering more storage and features.
Proton Drive

- What it is: Part of the Proton suite of privacy-focused services (which also includes Proton Mail), based in Switzerland. Proton has built a strong reputation for its commitment to user privacy and security.
- How it fits a therapist’s workflow: If you are already looking for a secure email provider, using Proton’s ecosystem for both email and file storage can be very convenient. It offers the same E2EE security for your files, ensuring that only you can access your client notes.
- Good to know: Proton’s services are open source, which allows for independent security audits, and they are protected by Swiss privacy laws.
The Practicalities: Implementing E2EE Storage in Your Practice

Choosing the software is the first step. The next is integrating it thoughtfully into your daily work.
Setting Up Your System
Once you’ve chosen your E2EE provider, you can create a clear folder structure. A common approach is to have a main “Clients” folder, and within that, a separate, anonymised folder for each client, perhaps using their client code.
It is good practice to never use a client’s full name in a file or folder name. Inside each client’s folder, you can store your session notes, contracts, and any other relevant documents.
The “Key” to Security: Password Management and 2FA
The security of an E2EE system rests on one thing: the strength of your password. Because the service provider cannot access your data, they also cannot reset your password for you.
If you lose it, you lose access to your data. Forever. I’m not exaggerating – the loss is permanent!
This is why using a password manager is so important. A password manager (like Bitwarden, 1Password, or KeePass) creates and stores long, complex, unique passwords for all your accounts. You only have to remember one strong master password to unlock your vault. This allows you to have an incredibly secure password for your E2EE storage without the impossible task of memorising it.
Alongside this, enabling Two-Factor Authentication (2FA) adds a vital second layer of security. This means that even if someone were to steal your password, they would still need a second piece of information (usually a code from an app on your phone) to log in.
What about Backups?

A common question is whether a cloud service counts as a backup for therapist notes. If encrypted, it could, but it’s wise to have a more robust strategy.
A well-regarded principle in data management is the 3-2-1 backup rule. It suggests you should have:
- 3 copies of your data…
- on 2 different types of media…
- with 1 copy stored offsite.
In a therapy practice, this could look like:
- Your primary, “live” copy which is stored in the cloud on your E2EE service.
- A second, local backup on an external hard drive or USB stick that is itself fully encrypted. Aside from the tools I mentioned earlier, BitLocker (on Windows Pro) or FileVault (on macOS) can also do this encryption.
- Your third, offsite copy: an encrypted copy of what is on your E2EE provider’s cloud, which you might give to a friend or supervisor and update once a month.
This way, if your cloud service is offline or encounters a data centre fire, you have the external drive. If there’s a fire or theft at your home or office, you have the backup at a friend’s.
Security on Your Own Screen
There is one final area of security that is worth being mindful of. We can do an excellent job of encrypting our data on the way to the cloud and while it sits on a server, but there is a moment of vulnerability: when we decrypt a file to view it, the confidential information is displayed, in plain text, on our own computer screen.
Often people think that the only concern is viruses or malware, but what about the features of legitimate, modern software?
Operating systems like Windows and macOS, as well as other applications, are increasingly built with features that can analyse what is on your screen. This is often done under the banner of providing helpful AI-powered suggestions, improving services, or gathering usage data (sometimes called ‘telemetry’).
For a therapist, the risk is clear. If your operating system is taking screenshots of your activity to feed its AI, it could capture a client’s name or the sensitive details of a session note. This information could then be processed on the company’s servers, creating a breach of confidentiality that completely sidesteps your carefully chosen E2EE storage.
Addressing this is about extending our security mindset to our own local devices.
- Review Your OS Settings: Take some time to go through your computer’s privacy and security settings. Look for and disable features related to personalised advertising, diagnostic data collection, and any AI-driven content suggestions. In Windows, for example, this means being very deliberate about the telemetry settings you allow.
- Be Mindful of Third-Party Software: Be cautious about the software and browser extensions you install. An extension that can “read and change all your data on all websites” could, in theory, see the content of your notes if you are viewing them in a web browser.
- Consider a Dedicated Work Machine: While it may not be practical for everyone, the gold standard for security is to use a computer exclusively for client work. This machine would have a minimal set of trusted software installed, with all non-essential and privacy-invasive features turned off.
I don’t want to invoke a state of paranoia, but I do hope that we can all have a conscious and professional approach to our digital environment. Our responsibility is to take reasonable and appropriate measures, and being mindful of what our own devices are doing is a key part of that.
A Note on Risk and Responsibility
It is tempting to search for a perfect solution, a system that removes all risk. The reality is that no system is 100% infallible. Our responsibility as therapists is to conduct our due diligence, make informed choices, and take all reasonable and appropriate steps to protect the data we hold.
By choosing an E2EE provider and implementing good security practices like strong passwords and backups, you are demonstrating that you understand the risks and have actively chosen a professional, ethical, and legally compliant way to manage them. This is the core of responsible practice in the digital age.
How Choosing the Right Tools Builds a Sustainable Career
All of this technical and ethical detail can feel far removed from the work we do in the therapy room. But I think it is VERY connected.
When you have a system, digital or otherwise, that you can rely on, a huge source of professional anxiety is quietened. You no longer have that nagging worry in the back of your mind about data breaches, legal requests, or whether you are meeting your GDPR obligations.
That mental energy is then freed up. It’s energy you can invest in your clients, in your own professional development, and in your own wellbeing.
Building a Sustainable Digital Practice
Navigating these digital ethics is a continuous process of learning and reflection. If you are exploring these issues in your own practice, or thinking about how they intersect with client work, this is exactly the kind of topic we can unpack together in supervision.
Learn more about my approach to supervision, or book an introductory supervision consultation.
Frequently Asked Questions (FAQ)
Can’t I just password-protect a Word document and save it in Google Drive?
While password-protecting a document adds a layer of security, it doesn’t solve the core issue. The file itself is still on a platform (Google) that has the technical ability to access it, and the metadata about the file (its name, when it was created) is visible to them. An E2EE service encrypts everything before it even leaves your computer, providing a much higher level of privacy and security.
What’s the difference between this and Practice Management software?
Most Practice Management platforms are excellent for managing appointments, sending reminders, and invoicing. However, the majority, if not all, do not use end-to-end encryption for the documents you upload. They typically use server-side encryption, meaning the platform can still access your files.
Do I need to tell my clients which specific cloud service I use?
Your privacy policy, which you share with clients as part of your contract, should state that you store their data electronically using secure, encrypted, GDPR-compliant services. You don’t necessarily need to name the specific provider (as you might change it in the future), but you must be transparent about the type of security measures you have in place.
Is it expensive to use these E2EE services?
The cost has become much more accessible in recent years. Many services like Sync.com and Proton Drive offer free plans with a few gigabytes of storage, which can be enough for many therapists. Paid plans that offer more storage and features typically cost between £5 and £10 per month.
What happens if I forget my password to an E2EE service?
Because these services are “zero-knowledge,” they do not know your password and cannot reset it for you. If you forget your password and lose any recovery codes they provide, your data will be permanently inaccessible. This is why I recommend using a trusted password manager.
Further Resources
The Business of Psychology Podcast – Data Protection for Psychologists in 2024 with Clare Veal
AI Critical Thinking for Counsellors – Confidentiality video by Kenneth Kelley