Professional confidentiality in psychology is much more than a formality: it is the pillar on which therapeutic trust rests. A patient only truly opens up when they know that what they share stays protected. That is why understanding what confidentiality covers, where its limits are, and how to protect it day to day, including digital data, is a core clinical competence.

In this guide you will see what professional confidentiality is, its ethical and legal basis, why it matters so much, the exceptions in which it can be lifted, and the best practices for safeguarding your patients' information. If you handle health data, you will also want our guide to GDPR in psychology practice.

What professional confidentiality is in psychology

Professional confidentiality is the psychologist's duty to keep strictly confidential all the information they learn about a patient in the course of their work: what is said in session, test results, their history, and even the very fact that they attend therapy. It is not optional or left to the practitioner's discretion: it is an obligation that protects the patient and the profession itself.

It helps to distinguish it from a neighbouring but distinct concept: data protection. Professional confidentiality is an ethical duty not to reveal; the GDPR is the regulation governing how data is processed. They are complementary, as we will see.

Ethical and legal basis

Professional confidentiality in psychology rests on several sources worth knowing (here in the Spanish framework):

  • The profession's code of ethics: requires keeping secret everything learned in the professional relationship and safeguarding documentation.
  • Criminal Code (art. 199): penalises the disclosure of secrets by someone bound to keep them by their occupation.
  • Law 41/2002 on patient autonomy: governs confidentiality and the retention of the clinical record.
  • GDPR and data-protection rules: health data is a special category with reinforced protection.

For the ethical framework see the British Psychological Society and the APA code of ethics (which has a specific section on confidentiality); for the data-protection side, Spain's Data Protection Agency.

Why confidentiality is the foundation of therapy

Without confidentiality there is no therapeutic alliance. A patient who fears their words will leave the room self-censors, and therapy on half-told information makes little progress. So professional confidentiality is not just legal protection: it is a clinical precondition for change.

Clearly communicating the scope of confidentiality, and its limits, from the start is part of the frame. Doing so in writing, alongside informed consent, conveys seriousness and reassures the patient.

The limits of confidentiality: when it can be lifted

Confidentiality is not absolute. There are exceptional situations in which the duty to protect prevails and allows, or even requires, disclosing the strictly necessary information. The main exceptions are:

  1. Serious risk to the patient's life: faced with imminent suicide risk, the duty to protect prevails. See our suicide-risk protocol in practice.
  2. Risk to third parties: if the patient poses a serious danger to another person, the practitioner may warn and activate the necessary resources.
  3. Minors and vulnerable people: where there are signs of abuse or neglect, there is a duty to report it to the competent authorities.
  4. Legal or court requirement: a judge may request information; even so, the practitioner should provide only what is relevant and may invoke confidentiality over the rest.
  5. The patient's own authorisation: the patient can release the practitioner to share information with a third party (another professional, an insurer), ideally in writing.
Guiding principle. When confidentiality is lifted, disclose only the minimum necessary, proportionately, informing the patient whenever possible and documenting the decision and its reasons.

How to protect confidentiality day to day

Professional confidentiality is also won (or lost) in everyday details. Best practices that make the difference:

  • Documentation under control: keep the clinical record with restricted access and never in view of third parties.
  • Reports to third parties with consent: when issuing a psychological report, include only what is relevant and protect any third-party data that appears.
  • Mind conversations and screens: avoid discussing patients in shared areas and lock your device when stepping away.
  • Social media: neither confirm nor deny that someone is a patient. See our social-media policy with patients.
  • Supervision: when supervising cases, anonymise and share only what is essential.

Confidentiality in the digital era

Today much of professional confidentiality plays out digitally: where you keep notes, how you send a report, who can access the record. Three keys:

  • Encryption and access control: health data must be stored encrypted and with access limited to those who need it.
  • Secure delivery: avoid unencrypted email; delivering documents through an authenticated patient portal is far safer than a PDF by email.
  • Compliant providers: work with software that complies with the GDPR and signs the data-processing agreement.

How My Psico Agenda protects professional confidentiality

With My Psico Agenda, confidentiality no longer depends on good memory: the clinical record and notes are stored encrypted and with access control, consents are signed in the record, reports are delivered through the patient portal and everything complies with the GDPR. Less risk, more peace of mind, and professional confidentiality that holds up in the digital world too.


Frequently asked questions about professional confidentiality

Common questions about confidentiality, limits and exceptions in psychology.

What is professional confidentiality in psychology?

Professional confidentiality is the practitioner's duty to keep strictly confidential all the information they learn about a patient in the course of their work. It is both an ethical duty (the code of ethics) and a legal one (in Spain, the Criminal Code, Law 41/2002 and the GDPR), and it is the foundation of the trust on which the therapeutic relationship is built.

What are the limits and exceptions to confidentiality?

Confidentiality may be lifted, disclosing only what is essential, when there is a serious risk to the life or integrity of the patient or of third parties, in cases of abuse or neglect of minors and vulnerable people, when there is a legal or court requirement, or when the patient authorises the disclosure. Outside these situations, confidentiality is maintained.

Is professional confidentiality the same as the GDPR?

No, but they are complementary. Professional confidentiality is an ethical duty not to reveal what is known in the therapeutic relationship; the GDPR governs the processing of personal data (health data is a special category). Complying with the GDPR does not exempt you from respecting confidentiality, and vice versa.

Can a psychologist break confidentiality if there is suicide risk or risk to others?

Yes. When there is a serious and imminent risk to the life of the patient or of other people, the duty to protect prevails: the practitioner may disclose only what is strictly necessary to the appropriate parties (health or emergency services or the person at risk), proportionately, informing the patient where possible and documenting the decision.

How long does professional confidentiality last?

It is indefinite: it does not expire when therapy ends or on the patient's death. That is why clinical documentation must be kept and safeguarded securely for the legal retention periods and then deleted or anonymised. Software with encryption and access control helps sustain this duty over time.

Confidentiality without the worry

My Psico Agenda keeps the clinical record encrypted, with access control, signed consents and portal delivery — GDPR included.
