Of all the categories of complaint that reach a coach’s professional indemnity insurer, confidentiality breach is the one that most consistently surprises the practitioner. The coach who is sued for mis-advice usually has some sense, even if disputed, of where the alleged failure occurred. The coach against whom a confidentiality breach is alleged often does not know, until the complaint lands, that any line has been crossed. That asymmetry is itself instructive. Confidentiality, in the modern executive coaching engagement, is governed by a tangle of professional ethics, contractual undertakings, UK data protection law and unwritten stakeholder expectations, and the lines between them are not always where the coach assumes they are.
This article complements our pillar guide to professional indemnity insurance for coaches and trainers and our cluster on coaching contract clarity and PI exposure. It focuses on the confidentiality dimension specifically: where breach claims come from, how the various legal and contractual sources interact, what a typical PI policy will and will not do about it, and the practical steps a coach can take to reduce exposure.
The triangular relationship and the conflicts it creates
A typical executive coaching engagement involves three parties: the coach, the coachee and the sponsor — the corporate buyer paying for the engagement, usually represented by an HR or talent function. Each has expectations of confidentiality that, if not consciously aligned at the outset, will diverge the moment a difficult issue arises.
The coachee expects, in the strongest version, that what is said in the room stays in the room. The ICF Code of Ethics, the EMCC Global Code and the AC Code all establish confidentiality as central to the coaching relationship. The coachee is frequently being coached on matters that touch their personal life, their psychological responses to professional pressure, their views on colleagues and leaders, and occasionally on grievances against the organisation paying for the coaching.
The sponsor expects, often without articulating it, to receive enough information to know whether the investment is delivering value. In some organisations this extends to expecting the coach to flag if the coachee is at risk of leaving, behaving inappropriately or surfacing complaints. The HR partner may, in good faith, expect a level of disclosure that the coach considers inconsistent with the coaching ethic.
The coach sits in the middle. The standard professional-body answer is that the coach reports themes and progress, not content; that the coachee is told at the outset what will and will not be shared, and agrees to it; and that any reporting to the sponsor is, where appropriate, mediated through the coachee. The right answer is not self-executing. It requires explicit contracting at the outset, robust handling in the middle and disciplined behaviour at the end.
Where confidentiality breach claims actually come from
In our experience, claims and complaints involving confidentiality fall into five recurring categories, each with a different risk profile and a different insurance response.
The first is disclosure to the sponsor that the coachee did not anticipate. The HR sponsor asks the coach, mid-engagement, how things are going. The coach offers a generalised observation — “we’re working on his approach to peer relationships” — that the sponsor, in good faith, repeats to the line manager, who repeats it to the coachee. From the coach’s perspective the disclosure was theme rather than content; from the coachee’s perspective the trust on which the coaching depended has been broken. The complaint may be brought as breach of contract, breach of the common-law duty of confidence and breach of the coach’s stated commitment to professional ethics.
The second is the inverse: disclosure to the coachee of sponsor-side information. The HR sponsor briefs the coach beforehand on the coachee’s recent 360, their succession status, an unresolved complaint or the board’s view of their leadership. The coach uses some of this in the first session, and the coachee — unaware any briefing took place — realises the coach knows more than they should. This is sometimes pleaded as breach of confidence owed to the coachee, even though the underlying information came from the sponsor.
The third is UK GDPR-flavoured exposure arising from the storage, processing and transfer of coachee information. Coaches hold notes, calendars, recordings, assessment outputs and email correspondence that may constitute personal data and, in some circumstances, special category data — particularly where psychological assessments or health information have been disclosed in session. The Information Commissioner’s Office has the power to investigate and impose significant monetary penalties. The coach is, in most engagements, a controller in their own right in respect of session notes.
The fourth is references in published material. The coach who anonymises a case study for a blog post, podcast or LinkedIn carousel sometimes underestimates how identifiable the coachee may be. A “senior leader at a UK media organisation” who experienced a specific named challenge in a defined period may be identifiable to anyone who knows the sector. The claim that follows is often pleaded as misuse of private information and breach of confidence, with reputational consequences beyond the legal outcome.
The fifth is accidental disclosure in group programmes. Coaches delivering action learning sets, peer coaching, team coaching or group supervision face the additional risk of disclosure between participants. A participant who breaches the confidentiality of another creates a situation in which the coach may be alleged to have failed in their duty to manage the group environment.
The data protection layer and what insurers do with it
The UK GDPR and the Data Protection Act 2018 sit over the coaching relationship whether or not the coach is conscious of them. The principles apply to any processing of personal data, including the keeping of session notes.
Coaches working with corporate sponsors are commonly asked to sign data processing agreements, sometimes positioning the coach as a processor and sometimes as an independent controller, with materially different consequences. Sponsors are increasingly pushing coaches towards processor status; the contrary view, often supported by professional body guidance, is that the coach exercises independent professional judgment over what to record and is therefore a controller. The right characterisation depends on the facts. The practical insurance point is that data protection obligations sit on the coach regardless, and breach of those obligations is a recognised head of liability.
Modern PI policies for coaches and trainers commonly include cover for liability arising from breach of data protection legislation, subject to the wording. Some markets write this within the core PI section; others carve it out into a separate data protection liability section with its own sub-limits. Notification costs are often covered under a separate cyber policy rather than under PI. Regulatory fines imposed by the ICO are insurable in the UK only to the extent the law permits, which is a moving target and an area where specific advice should be taken at the point of any actual breach.
For coaches whose practice involves any meaningful volume of personal data, we typically recommend a combined PI and cyber arrangement, with the cyber policy carrying the first-party costs and the PI policy responding to third-party liability. The two policies need to be coordinated at placement.
Note-storage risks in practical terms
The session note is the most ordinary and most frequently mishandled piece of confidential coaching information. Notes accumulate on laptops, in personal note-taking applications, in cloud-synced folders, in coaching practice management platforms, in supervision portfolios and in physical notebooks, following the coach across devices and life events.
A handful of practical points repeatedly come up in our conversations with coaches about insurability. Session notes should be held in a location encrypted at rest and access-controlled. Cloud services should be UK or EU hosted where the engagement involves UK data subjects, or covered by an appropriate transfer mechanism if not. Retention periods should be defined and adhered to; notes kept indefinitely create an indefinite exposure. Notes should be findable and identifiable to a particular subject so that a subject access request can be properly answered, and should not be co-mingled with personal material the coach would not wish to disclose if production were required.
Voice and video recordings warrant particular attention. A recording is a more intimate form of personal data than a written note, and its breach is correspondingly more serious. Where recordings are made, consent should be specific, retention short, storage encrypted and access tightly controlled. We have been involved in matters where a casually retained recording, never re-listened to by the coach, became the centrepiece of a subject access request years later.
References in published material: the marketing problem
The coaching profession is also a marketing profession. Coaches build their practices by writing, speaking and posting; drawing on real experience is often the most authentic form of marketing available.
The line between use and disclosure is in the detail. Generalised reflections on common coaching themes are usually safe. Specific examples drawn from a particular engagement are not safe unless fully and genuinely anonymised — which requires more than changing the gender and the industry — or used with explicit, written and informed consent from the individual concerned, ideally also covering inferences that could identify them or the sponsor. The most defensible position is composite material drawn from across the practice. The most exposed is a specific case study, posted while the engagement is still in memory, that contains enough sector and timeframe detail to identify the coachee.
Accidental disclosure during group programmes
Team coaching, group supervision and action learning have grown significantly as modalities, and the confidentiality contracting for group work is more complex than for one-to-one. The coach is responsible not only for their own confidentiality conduct but for establishing and maintaining the confidentiality environment between participants.
Practical mitigations include explicit upfront contracting with every participant in the group, ideally signed individually as well as endorsed by the sponsor; a defined process for handling disclosures that surface concerns about the welfare of a participant or third party; a clear protocol for what may be discussed outside the group and what may not; and a process for handling the situation where a participant has, after the event, learned of a breach by another participant. The coach’s PI policy will respond, broadly, to allegations that the coach failed in their professional duty to manage the environment; it cannot make the situation un-happen, and the prevention work matters more than the cover.
What to do if a breach has occurred or is alleged
If a coach learns of an actual or potential confidentiality issue, the most important practical step is to notify the broker and the insurer promptly. PI policies are claims-made-and-notified and contain notification provisions that, if not complied with, may affect the insurer’s response. The threshold is usually a circumstance that may give rise to a claim, not a claim actually received. A solicitor’s letter, a complaint to a professional body or a serious-concern email from the sponsor’s HR director all qualify. The coach should not respond substantively before taking advice.
We address claims advocacy in the pillar article. The instinct to resolve matters informally — an apology, a fee refund, a holding email — is understandable, and is often the very thing that prejudices the insurance position.
Frequently asked questions
Is confidentiality breach actually covered by my professional indemnity policy? Most modern PI policies for coaches and trainers include cover for liability arising from unintentional breach of confidentiality and unintentional breach of data protection obligations, subject to the policy wording. Deliberate breach and certain regulatory fines may be excluded. The exact response depends on the wording in force at the time of notification.
Am I a data controller or a data processor in respect of session notes? The position depends on the facts of the engagement and on the contracting in place with the sponsor. Where the coach exercises independent professional judgment about what to record and how, the coach is typically a controller in respect of those notes, even where the sponsor is also a controller in respect of engagement metadata. Specific advice should be taken on the facts.
How long should I keep coaching session notes? There is no statutory retention period for coaching notes. Professional body guidance typically suggests a period long enough to support potential complaints — often three to seven years from the end of the engagement — and no longer than necessary. The retention policy should be documented, applied consistently and disclosed in the coach’s privacy notice.
Can I publish a case study based on a real engagement? Only with the explicit, written and informed consent of the coachee, and ideally the sponsor where the sponsor’s identity is implicated. Even then, the case study should be reviewed for residual identifiability, and consent should cover the specific publication and audience. Anonymisation alone is rarely sufficient where the engagement has distinctive features.
What happens if the sponsor demands a debrief I’m uncomfortable giving? The right answer was established at the contracting stage, and it should be invoked rather than re-negotiated under pressure. Where the contract is silent or ambiguous, the coach’s professional body code provides a defensible position. The discomfort of declining a debrief in the moment is usually less than the consequence of providing one and being complained about afterwards.
Do my cyber policy and my PI policy overlap on data breach? They can. The convention is that cyber covers first-party costs — forensics, notification, restoration, business interruption — and PI covers third-party liability to affected data subjects. The boundary is not always crisp, and we coordinate the two policies at placement to minimise gaps and unintended overlaps.
A previous coachee has issued a subject access request. What do I do? A subject access request is a formal request under the UK GDPR and must be responded to within one month, extendable in limited circumstances. The coach must identify all personal data held about the requester, including session notes, recordings and correspondence, and provide a copy subject to the exemptions and qualifications in the legislation. We recommend taking specialist advice on the response.
Can I record coaching sessions? Recording is permissible with the coachee’s informed consent, given in advance and ideally recorded in writing. The recording must then be held securely, retained for no longer than necessary and protected in the same way as any other special category personal data may need to be. The decision to record should weigh the supervision and reflection benefit against the additional confidentiality and data protection exposure.
Related Guides
- Professional Indemnity Insurance for Coaches and Trainers — the pillar guide to PI cover, limits and run-off.
- Coaching Contract Clarity and PI Exposure — how the engagement letter and ICF/EMCC framework drive insurability.
About Apex Insurance Brokers
Apex Insurance Brokers is a Bristol-headquartered commercial insurance broker. We arrange professional indemnity, public liability, cyber and combined business insurance for coaches, executive coaches, corporate trainers and L&D consultants across the United Kingdom.
Authorised and regulated by the Financial Conduct Authority. FCA Firm Reference Number 724952. Registered in England and Wales, Companies House registration 07014570.
Email: info@apexinsurancebrokers.co.uk Telephone: 0117 325 0027
This guide is provided for general information and does not constitute legal advice or regulated advice on a specific insurance contract. Cover is subject to the terms, conditions, exclusions and limits of the policy issued and to underwriter assessment of the individual risk. Last reviewed May 2026.