
1. Purpose
This policy sets out the governance, safeguards, and controls applied to the use of technology, transcription tools, and artificial intelligence systems within Prior Mindset. It is designed to:
Protect clients, practitioners, and the organisation
Ensure compliance with the UK GDPR and Data Protection Act 2018
Support accessibility needs for staff who may have learning disabilities or neurodevelopmental differences, including (but not limited to) dyslexia, dyspraxia, dyscalculia, attention deficit hyperactivity disorder (ADHD), and autism
Reduce legal, clinical, and information‑governance risk
Ensure transparency, proportionality, and accountability
This policy forms part of Prior Mindset’s wider governance, safeguarding, and data protection framework.
2. Scope
This policy applies to:
All practitioners, employees, associates, and contractors
All clinical, administrative, and supervisory activity
All digital platforms, software, and devices used in service delivery
All client data in any format
3. Legal and Regulatory Basis
Processing under this policy is carried out in accordance with:
UK GDPR
Data Protection Act 2018
Common law duty of confidentiality
Professional ethical standards applicable to psychological therapy
Safeguarding legislation
Lawful basis for processing
Article 6 UK GDPR
6(1)(b) Performance of a contract
6(1)(c) Legal obligation
6(1)(f) Legitimate interests (service delivery, safeguarding, quality assurance)
Article 9 UK GDPR (special category data)
9(2)(h) Health or social care provision
9(2)(g) Substantial public interest (safeguarding)
Explicit consent where audio recording or transcription is used
Consent is recorded separately and may be withdrawn at any time without affecting access to therapy.
3A. Additional Legal, Regulatory and Professional Frameworks
In addition to the statutory duties outlined above, Prior Mindset aligns its technology use, transcription practices, and AI-supported workflows with the following UK legal, regulatory, and professional standards. These frameworks are used as interpretative guidance and assurance benchmarks, even where not legally binding on private providers.
Data protection and information governance
UK GDPR Articles 5, 6, 9, 24, 25 and 32 (lawfulness, fairness, transparency, data minimisation, security, accountability, and privacy by design)
Data Protection Act 2018, including Schedule 1 conditions for processing special category data
ICO Accountability Framework and guidance on AI, data protection, and automated processing
ICO guidance on anonymisation, pseudonymisation, and identifiable data
ICO guidance on data protection impact assessments (DPIAs)
Confidentiality and professional record keeping
Common law duty of confidentiality
Professional ethical frameworks applicable to psychological therapy practice
NHS Records Management Code of Practice (used as a benchmark for retention and disposal)
NHSX and NHS England guidance on digital records and data minimisation
Digital health, AI and clinical safety standards (used as benchmarks)
Although Prior Mindset is not an NHS body, the following standards are adopted as best-practice reference points to strengthen governance and risk management:
NHS Digital Technology Assessment Criteria (DTAC)
DCB0129: Clinical risk management for the manufacture of health IT systems
DCB0160: Clinical risk management for deployment of health IT systems
NHS England guidance on AI-enabled documentation and ambient scribing
NHS Digital Data Security and Protection Toolkit (DSPT) principles
These standards inform risk assessment, human oversight requirements, audit trails, and safety controls within this policy.
Equality, accessibility and reasonable adjustments
Equality Act 2010
Public sector equality duty principles (used as best practice, even where not legally binding)
Accessibility measures described in this policy are treated as reasonable adjustments designed to support staff who may have learning disabilities or neurodevelopmental differences, including dyslexia, dyspraxia, dyscalculia, ADHD and autism.
Safeguarding and vulnerability frameworks
Children Act 1989 and 2004
Care Act 2014
Working Together to Safeguard Children statutory guidance
Local safeguarding partnership procedures
These frameworks inform decisions about retention, escalation, disclosure, and information sharing where risk of harm is identified.
Employment, conduct and accountability
ACAS Code of Practice on disciplinary and grievance procedures
Professional regulator codes of conduct applicable to practitioners
Principles of vicarious liability and organisational accountability
These frameworks support proportionate management of misuse, misconduct, or unsafe use of systems.
4. Core Governance Principles
Prior Mindset applies the following mandatory principles:
Data minimisation at all stages
Purpose limitation
Least‑privilege access
Human oversight of all AI outputs
Separation of clinical records from working materials
Time‑limited retention
Auditability and traceability
Safeguarding precedence over convenience
5. Approved Systems and Their Functions
5.1 WriteUpp (Clinical Record System)
WriteUpp is the sole authoritative clinical record system.
Holds assessments, notes, risk documentation, consent, and correspondence
Each client is assigned a unique PII reference number
Role‑based access controls are applied
Records retained in line with NHS Records Management Code of Practice
No AI processing is used within WriteUpp
WriteUpp constitutes the legal clinical record.
5.2 ChatGPT Business (Non‑learning Configuration)
ChatGPT Business is used only as a professional drafting and comprehension aid and never as a clinical system.
Permitted uses include:
Assisting staff with learning disabilities or neurodevelopmental differences (including dyslexia, dyspraxia, dyscalculia, ADHD and autism) with comprehension of written material
Structuring or refining anonymised clinical notes
Drafting internal documentation or policies
Supporting reflective practice
Safeguards:
Business-tier account with model training disabled
No patient-identifiable information entered
Each case handled separately
Use limited to de‑identified content linked only to a WriteUpp PII reference
No audio or video files uploaded
Outputs reviewed and edited by a qualified practitioner
ChatGPT does not make clinical decisions and does not replace professional judgement.
Retention and deletion (ChatGPT)
Conversations are deleted from the user workspace once no longer required
Platform-level deletion occurs in line with provider retention rules (currently up to 30 days for security and legal purposes)
This limitation is disclosed transparently to clients
6. Transcription and Accessibility Support
Purpose
Transcription is used solely as a reasonable adjustment to support staff who may have learning disabilities or neurodevelopmental differences (including dyslexia, dyspraxia, dyscalculia, ADHD and autism), and to improve the accuracy of clinical documentation.
It is not used for surveillance, monitoring, training, or performance management.
Transcription rules
Audio-only transcription may be used
Video recording is not permitted except for formal supervision or assessment with explicit written consent
Transcription supports note creation only
Transcripts are not clinical records
Retention of transcripts
Transcripts are retained for the duration of the client’s engagement plus 60 days
This allows for audit, supervision clarification, and safeguarding review
After this period, transcripts are securely deleted
Deletion is logged where technically possible
Clinical notes remain stored in WriteUpp in accordance with statutory retention rules.
Separation and containment
Each client has a separate case file linked to a unique PII reference
Transcripts are stored separately from clinical records
Transcripts are not shared externally
Transcripts are not provided to clients
Transcripts do not replace contemporaneous clinical notes
Raw transcripts are classed as private working materials and are not subject to routine disclosure.
7. Client Recording Restrictions
Clients must not, whether overtly or covertly:
Audio record sessions
Video record sessions
Screen record sessions
Photograph screens or documents
Use third‑party software to capture sessions
Unauthorised recording constitutes a breach of therapeutic boundaries and may result in termination of therapy.
8. Safeguarding and Risk Management
Client safeguarding
Safeguarding risk is assessed at intake and reviewed throughout therapy
Immediate risks trigger safeguarding procedures
Transcripts may be retained temporarily where required for safeguarding review
Actions are documented in WriteUpp
Staff safeguarding
Technology use is reviewed in supervision
Accessibility adjustments are supported
Workload and digital risks are monitored
9. Data Security Controls
Device security
All devices used must:
Be password protected
Use encryption at rest and in transit
Have up‑to‑date security patches
Use antivirus and firewall protection
Lock automatically when unattended
Personal devices must not store client data locally.
Access control and logging
Role‑based access applies across systems
Access logs are reviewed periodically
Credentials must not be shared
Multi‑factor authentication used where available
10. Data Breach and Incident Management
Any suspected or actual breach must be reported immediately to the Designated Safeguarding Lead or Data Protection Officer.
Actions include:
Immediate containment
Incident logging
Risk assessment
Notification to the ICO within 72 hours where required
Notification to affected individuals where legally necessary
11. Client Rights and Limits
Clients retain rights under data protection law, including access and rectification.
However:
Raw transcripts and working notes are not routinely disclosed
Requests are assessed case by case
Disclosure may be restricted where legally justified
Records are not altered retrospectively; addenda may be added
Freedom of Information legislation does not apply to Prior Mindset.
12. Staff Responsibilities and Misuse
Staff must:
Use only approved systems
Follow this policy at all times
Protect access credentials
Report concerns immediately
Unauthorised recording, disclosure, or misuse of systems may result in disciplinary action, termination, or referral to professional regulators where appropriate.
13. Audit, Review and Assurance
Annual audits of platform use and access logs
DPIA reviewed annually or when systems change
Policy reviewed annually or earlier if legislation or guidance changes
Findings used to update training and controls
14. Policy Ownership
Owned by: Senior Management Team / Designated Safeguarding Lead
Applies to all Prior Mindset services, staff, and associated platforms.
