Sessionly
← Back to blog
Secure note taking in an agency: using a two-code system

Secure note taking in an agency: using a two-code system

28 April 2026

As soon as you move from solo private practice into agency work, note taking becomes more complex.

It is no longer just about your own memory, your own notes, and your own workflow. It becomes about how information is recorded, how it is shared, who can identify a client, and how you protect confidentiality across a wider team.

That is where a more structured note system can be incredibly helpful.

For many agencies, a two-code system offers a thoughtful next step in confidentiality practice. Not because using client names is “wrong”, and not because ordinary pseudonymised note taking is somehow inadequate, but because once several therapists and administrators are involved, tighter separation of information can significantly reduce avoidable risk.

Why agency note taking needs a stronger structure

In solo work, many therapists already separate contact details from session notes. BACP explicitly recommends keeping clients' names and contact details separately from session notes and other records where possible.

That is already good practice.

But agency work introduces extra layers:

  • multiple therapists may work under one organisation
  • admin staff may need access to bookings or contact details
  • supervisors or clinical leads may need access to parts of the record
  • handovers may happen
  • records may need to be reviewed centrally without broadening access to identifying details

In that environment, simply storing notes under a client's full name may expose more identifiable information than is actually necessary for everyone involved.

What a two-code system is

A two-code system creates two separate identifiers for each client.

The clinical code

This is the operational code used inside the agency's core client record. It links the client to appointments, contracts, contact details, therapist assignment and administrative workflow.

The anonymous note code

This is a second code used specifically for clinical notes. Therapists record session notes under this note code rather than under the client's direct name or visible identifying profile.

The practical effect is that a person may be known in the admin system as one reference, while their session notes sit under another reference that is not immediately identifiable without access to the controlled linking system.

This builds on the principle of pseudonymisation described by the ICO: replacing identifiers with a reference or pseudonym and storing the identifying information separately. The ICO is clear that this reduces risk and supports security, but the data remains personal data if the organisation can still re-identify the person.

Why this is the next level up

It helps to think of this not as a criticism of simpler systems, but as a more mature model for a more complex setting.

Using names in records is common and often manageable in smaller settings. But in an agency, a two-code structure offers additional protection because it:

  • reduces unnecessary exposure of identifiable information
  • allows some staff to access operational records without seeing full clinical notes
  • allows therapists to work in notes that are one step removed from direct identifiers
  • makes internal sharing more controlled and purposeful
  • supports data minimisation in day-to-day practice

BACP's confidentiality guidance and public-facing confidentiality examples both support the wider principle here: keep identifying details separate from session notes where possible, and keep records adequate, relevant and limited to what is necessary.

In an agency, the two-code system is often a practical way of putting that principle into action more consistently.

What this does and does not do

It is important not to overstate it.

A two-code system is a strong confidentiality measure, but it is not the same as true anonymisation.

If the agency still holds the linking information between the clinical code, the note code and the client's identity, the records remain personal data under UK GDPR. The ICO is explicit that pseudonymised data is still personal data when re-identification remains possible.

So the purpose of a two-code system is not to make disclosure impossible. It is to reduce risk, tighten access, and create a more thoughtful internal structure for confidentiality.

That is why it is best understood as “next level up” confidentiality design, rather than a legal loophole.

How this works in practice with agency therapists

A two-code system only works if the agency is clear about who needs access to what.

A sensible model might look like this:

Admin team

The admin team may need access to:

  • client contact details
  • referral details
  • therapist allocation
  • appointment scheduling
  • invoices or payments
  • safeguarding escalation routes

They do not necessarily need routine access to detailed session notes.

Therapists

Therapists need access to:

  • their own clients' session notes
  • relevant referral and risk information
  • the client's working details needed for safe treatment
  • the note code system that lets them record notes securely

They do not necessarily need broad access to all agency-wide identifying data.

Clinical leads or supervisors

Clinical leads may need a more structured oversight function, such as:

  • reviewing notes quality
  • reviewing risk issues
  • supporting handover or reassignment
  • accessing the code-linking structure where appropriate and authorised

The principle is simple: access should follow role, not curiosity or convenience.

That sits closely with the UK GDPR approach to minimisation and appropriate security, and with BACP's emphasis on secure, proportionate record keeping.

A simple example

Imagine a new client is referred to your agency.

The agency creates:

  • a clinical code linked to the intake, contact details and admin record
  • a separate note code used for session recording

The treating therapist sees the information necessary to work safely, but the notes themselves are stored and reviewed by note code rather than by a full-name-first system. If a clinical lead needs to review note quality, they can often do so in a more contained way. If admin staff need to manage scheduling, they can often do so without routine access to the full clinical narrative.

That is where the system becomes genuinely useful. It is not just more secure in theory. It creates better separation in everyday practice.

Why this matters for boundaries as well as compliance

Agency note systems are not just about GDPR.

They are also about emotional containment, internal boundaries, and clinical culture.

When agencies grow quickly, notes can become messy very easily. Therapists may store things differently. Admin staff may end up seeing more than they need. Systems may rely too heavily on memory or informal workarounds. Over time, that increases both confidentiality risk and organisational stress.

A clear two-code structure helps the agency communicate something important: we take confidentiality seriously, and we have built our systems accordingly.

That is reassuring for therapists, for agency leaders, and most importantly for clients.

The system still needs clear policy and training

Even the best note structure will fail if the surrounding process is vague.

Agencies using a two-code system should also be clear about:

  • who creates and controls each code
  • where the linking record is stored
  • who can access that linking record
  • how handovers work
  • what happens in emergencies or safeguarding situations
  • how subject access requests are handled
  • how long records are kept
  • how therapists are trained in note writing and note security

In other words, the coding system is only one part of secure note taking. It needs to sit inside a wider confidentiality and records framework.

Good agency systems should make secure practice easier, not harder

If a system is so complicated that therapists work around it, it will not hold.

The strongest agency systems are the ones that make secure behaviour the easiest behaviour. Therapists should not have to invent their own note structures or rely on memory to maintain confidentiality. The agency should provide a framework that is clear, proportionate and easy to follow.

That is one of the reasons we think this matters so much.

A two-code system is not about making note taking feel colder or more bureaucratic. It is about helping agencies protect client information more thoughtfully as the practice grows, while still letting therapists do their work well.

And that is also why we built Sessionly with agencies in mind: to help teams manage notes, workflows, and access in a way that supports both clinical care and confidentiality.

See how Sessionly helps therapy agencies manage notes, workflows and access.

Visit our agency page →