“abandoned” data can be requested without formal judicial
review. In addition, beyond surveillance by the NSA, the Federal
Bureau of Investigation is permitted to access email in certain
situations without first notifying the person under investigation
(Counterintelligence Access to Telephone Toll and Transactional
Various principles and standards in APA’s Ethics Code are
imperiled by the use of electronic storage and communications.
In particular, psychologists should be aware of Principle E and
Sections 2, 4, 6, and 10 of the Ethics Code.
Principle E (Respect for People’s Rights and Dignity)
provides a foundation for privacy and confidentiality. This
principle recognizes the need to protect these rights and to
safeguard clients’ trust. Because of emerging threats to privacy,
client data may be underprotected, regardless of current policies.
Section 2 of the Ethics Code focuses on ethical questions
regarding competence. Of specific interest are Standards
2.01 (Boundaries of Competence) and 2.03 (Maintaining
Competence). Standard 2.01 posits that psychologists must
practice and provide services within their area of competence
and that psychologists have an obligation to obtain training
and/or support in areas that they are not familiar with,
including technology. Shapiro and Schulman (1996) warned
that accepting new technologies without critical, expert analysis
might test practitioners’ boundaries of competence. Similarly,
Standard 2.03 outlines an expectation that psychologists will
continue their education.
Taken together, Section 2 suggests that practitioners are
expected to gain competence or support if they use privacy and
security tools. Ethically, it may also be expected that practitioners
continue to be informed about the various threats to client data.
Standard 4 may be the most relevant to the issue at hand
because it explicitly outlines privacy and confidentiality
expectations. As noted earlier, digitizing records and
communications may lead to them being accessed by outside
entities. This threat primarily affects two standards: 4.01
(Maintaining Confidentiality) and 4.02 (Discussing the Limits
of Confidentiality). Section 4.02 establishes an ethical obligation
to explain how certain record-keeping and communication
practices may limit confidentiality. As a result, if psychologists
use text messaging and email with a client, it might be ethically
appropriate to talk about how these technologies may result in
intrusions on privacy. In discussing the limits, it is important to
consider how a client’s information could be used against him
or her. Psychologist-led discussions should facilitate evaluation
of the appropriateness of certain disclosures on the basis of
foreseeable client risk.
Section 6 specifies ethical obligations for record-keeping and fees. The standard of interest is 6.02
(Maintenance, Dissemination, and Disposal of Confidential
Records of Professional and Scientific Work). The Ethics
Code explains that within any medium, record storage
and creation must be kept confidential. Moreover, if a
practitioner needs to use shared records (such as in hospital
settings), he or she should minimize the use of protected
health information whenever possible to improve client
privacy. Today’s therapeutic interventions are performed in a
variety of settings, and as technology becomes an important
part of these, maintenance of confidentiality in record
keeping comes into question.
Section 10 deals with concerns regarding therapy.
According to Standard 10.01 (Informed Consent to Therapy),
clients are to be informed of the limits of confidentiality and
about communication methods available during treatment. If
practitioners are interested in communicating via email and
text, clients should be informed about these methods. Without
a thorough informed consent process that covers these factors,
client confidentiality cannot be properly founded (Everstine et
APA’s Ethics Code and “Record Keeping Guidelines” inform
counseling and record-keeping, but there are additional
practices that psychologists can consider to further prevent
breaches of confidentiality. To proactively help prevent privacy
breaches and maintain client confidentiality, psychologists can:
Develop a threat model: Practitioners should create a threat
model to assess each client and his or her practice’s associated
risk (Barrows & Clayton, 1996; Lee, 2013). The Electronic
Frontier Foundation (2014) has suggested that such threat
models contain five questions:
1. What do you want to protect?
2. Who do you want to protect it from?
3. How likely is it that you will need to protect it?
4. How bad are the consequences if you fail?
5. How much trouble are you willing to go through to try to
Practitioners could, for instance, answer those questions
with the following responses:
“I want to protect client records and communications.”
“I want to protect it from unauthorized government access
and individual hackers.”
“I am currently working with a public, political figure, who
has expressed concerns regarding unauthorized disclosures and
leaks of data.”
“Considering the public nature of this client, my practice