Ethics and Encryption in the Mental Health Practice

As a mental health professional, you will have certain obligations — some legal, some ethical — regarding confidentiality and the security of materials related to your practice. This article comments on some ethical issues relating to encryption, while a companion article offers some brief notes on my personal experience with and views on encryption software.

Ethics and Encryption

Recently I’ve encountered several discussions amongst mental health professionals about encryption technology, with some arguing that it should be considered an ethical obligation to use a specific encryption platform, or that specific software standards should be built into the ethical guidelines issued by this organization or that organization. (In fact, I am told of at least one professional organization apparently preparing to take that very course of action right now.)

Unfortunately, discussions of ethics sometimes take on an air of the sacrosanct, and it can be difficult to express disagreement with the gradual spread of ethics-coloured tentacles into a field like encryption — but I’m going to do it anyway.

Ethics vs. Implementation

Let me state it plainly: references to any specific encryption platform have no business whatsoever in ethical guidelines.

The ethical obligation to, for example, guard the privacy of client data, is clear. But the specific implementational details of how one might do that are a different matter altogether, and fall outside the domain of ethics per se. That is why, for example, no sane set of ethical guidelines has ever made it an ethical obligation to lock up paper files with a Yale lock. Guard files? Yes, that’s an ethical obligation. Choose a specific brand of lock to do it? No, that is not an ethical obligation.

Moreover, the actual end result in terms of privacy of client data is a much, much broader matter than what specific encryption package a practitioner is using. Returning to the lock example, a practitioner might well choose a Yale lock to secure a filing cabinet full of client files — but if their filing cabinet happens to be very small and happens to sit next to an open window adjacent to a busy bus stop, that practitioner probably is abrogating his or her duty to protect the privacy of client data. In other words, understanding the ethics of the practitioner’s behaviour simply cannot be boiled down to what brand of lock he or she is using.

To put it differently, if a practitioner may fail in his or her ethical duty to protect client data, while also using a Yale lock, then the use of a Yale lock cannot be sufficient to guarantee that ethical duties are being met. Contrariwise, if a practitioner’s ethical duties to protect client data can be met without using a Yale lock, then using a Yale lock cannot be a necessary condition of meeting those ethical duties.

Good Grief, Why So Technical?

(I can’t help it: I used to work in communications security, and before that I did a PhD in philosophy. When I read what I consider to be ill-argued exhortations about encryption, I go “grrrrrr…”, and then I try to articulate exactly what it is that I disagree with.)

A useful analogy can be found in the distinction between legal standards and legal rules.

Try Online Counseling: Get Personally Matched

In the case of a legal rule, all the specific details of the legal imperative are considered in advance, and the rule stipulates exactly what must happen (or not happen) and exactly what the penalties for failing to conform must be, with no room for interpretation, exception, or consideration of details beyond those which the people who wrote the rule were able to think up. One example of a legal rule might be that if someone commits a robbery using a gun, they must automatically spend exactly 5 years in prison. Regardless of any extenuating circumstances, prior convictions, etc., this legal rule would dictate that the convict spend precisely 5 years in prison. If a judge felt that the person’s prior record of 412 armed robberies meant the perpetrator should serve more than 5 years, too bad. If a judge believed that the person should not serve a custodial sentence because she was a 16-year old mother trying to steal food for her children, too bad.

Another example of a legal rule might be that if your car exceeds the speed limit, one hundred dollars will automatically be deducted from your bank account. One could imagine an electronic device fitted to a car to detect speeding, and automatically inflict the penalty.

Legal standards, on the other hand, articulate a specific goal and outline general guidelines for dealing with failures to conform to that goal. A legal standard might simply make it illegal to commit armed robbery, without stipulating a specific sentence. A legal standard might make it illegal to speed, but without requiring that every infraction merit an automatic bank account deduction.

Generally speaking, legal standards are much favoured over legal rules; probably you will see why from the examples above.

The analogy here exists between legal standards and ethical obligations to protect privacy, on the one hand; and legal rules and the obligation to use a specific software package on the other. In my view, the same features which make legal rules generally unpalatable (in particular, the requirement that all the details be figured out in advance) also make rules or ‘ethical guidance’ to use specific encryption software unpalatable.

Informed Choice

In addition to the ethical nuances about privacy and specific ways of protecting it using encryption, I have also encountered debates in the online counselling world over whether clients should be forced to communicate with their counsellors or therapists using a specific encryption package.

I can appreciate that practitioners may themselves feel safer from criticism if they ensure that communications with clients never take place outside a cryptographically secure channel. But in my own personal view as a mental health professional active in private practice online, it is preferable that clients be offered a choice as to how their communications will be protected. Some of my clients choose to use encryption, while some do not. There are non-trivial overhead costs in terms of time and convenience associated with using encryption software, and I respect my clients’ capacity to decide for themselves whether they would like to bear some of those costs, in return for enhanced security.

All clinical material on this site is peer reviewed by one or more clinical psychologists or other qualified mental health professionals. This specific article was originally published by on and was last reviewed or updated by Dr Greg Mulhauser, Managing Editor on .

Overseen by an international advisory board of distinguished academic faculty and mental health professionals with decades of clinical and research experience in the US, UK and Europe, provides peer-reviewed mental health information you can trust. Our material is not intended as a substitute for direct consultation with a qualified mental health professional. is accredited by the Health on the Net Foundation.

Copyright © 2002-2019. All Rights Reserved.