Data Protection, GDPR & Privacy
The Essex Birth Company is registered with the Information Commissioner’s Office (ICO), and operates in compliance with GDPR and the Data Protection Act 2018.
This policy outlines our commitment to equity, diversity, and inclusion in all aspects of our work as a mental health counselling service.
1. PURPOSE
This policy outlines how our counselling service collects, stores, processes, and protects personal information in compliance with:
General Data Protection Regulation (GDPR)
UK Data Protection Act 2018
BACP Ethical Framework for the Counselling Professions
Relevant safeguarding and confidentiality requirements
Our aim is to ensure that client data is handled lawfully, fairly, and securely while supporting safe, effective, and confidential therapeutic practice.
2. SCOPE
This policy applies to:
All client information, whether obtained online, in person, or during walk and talk sessions
All forms of personal data, including digital records, paper notes, emails, audio/video recordings, and health assessments
All employees, contractors, and supervisors working with the organisation
3. DATA WE COLLECT
We may collect the following personal data for the purpose of providing safe and effective counselling:
Identity information: name, date of birth, gender identity, contact details (including the location where the sessions will be taking place, for online clients)
Health information: physical and mental health history, pregnancy or perinatal history, women’s health details, neurodivergence, menopause or gynaecological concerns
Session information: clinical notes, risk assessments, safeguarding concerns, goals, progress and information in regards to presenting problems and history concerns
Contact and communication information: emails, phone numbers, emergency contacts
Payment and administrative data: invoices, receipts, and relevant financial information
We only collect information that is necessary for the provision of counselling, safeguarding, and service administration.
4. LAWFUL BASIS FOR PROCESSING
Under GDPR, we process client data based on the following lawful grounds:
Consent: The client voluntarily agrees to share personal information for therapy and related services
Contractual necessity: Information is needed to deliver counselling services safely and effectively.
Legal obligation: Information may be processed to comply with safeguarding duties or other legal requirements
Legitimate interests: To ensure safe, professional practice, manage risk, or utilise supervision (where this does not override client rights)
5. CONFIDENTIALITY & LIMITS
Client confidentiality is central to our work. However, personal data may be disclosed without consent if there is:
Risk of serious harm to the client
Risk of serious harm to another person (including unborn babies, infants, or dependent children)
Safeguarding concerns involving children or vulnerable adults
Legal obligations (e.g., court order)
All disclosures are minimised to what is necessary and only shared with relevant authorities (GP, midwife, health visitor, social care, crisis teams, or emergency services).
Every effort will be made to discuss a disclosure of confidentiality in advance with the Client. Being open and transparent about the process is of the upmost importance, unless discussing this could cause harm.
At the end of each session your Therapist will write and keep brief anonymised notes about what you’ve shared. There will be kept secure and confidential unless the above situations arise.
In alignment with professional standards counsellors are required to attend regular supervision sessions to discuss their work. No disclosures will be made that share your identity, and all conversations will be anonymised. Supervision sessions are for counsellors to gain support and guidance with their work, and to check that they are working ethically and competently.
6. STORAGE & SECURITY
We take all reasonable steps to ensure client data is secure:
Digital records are password protected, and stored on secure devices or cloud services
Paper records are locked in secure cabinets accessible only to authorised personnel
Access to client data is restricted to practitioners and supervisors who require it for professional purposes. Supervisor’s access is anonymised.
7. RETENTION & DISPOSAL
Clinical records: Retained for a minimum of 7 years after the end of therapy (BACP guidance), or longer for safeguarding purposes
Financial records: Retained for at least 6 years (HMRC requirements)
Records are securely destroyed after the retention period: paper records shredded, digital files permanently deleted
8. CLIENT RIGHTS
Under GDPR and UK data protection law, clients have the right to:
Access their personal data (subject to professional exceptions for clinical notes)
Request correction of inaccurate or incomplete data
Request deletion of data where legally permissible
Object to processing where lawful grounds allow
Withdraw consent at any time, understanding that this may affect service delivery
Request a copy of this policy and related privacy information
Requests can be made in writing or via email. We will respond within one month unless complexity requires an extension (in line with GDPR).
9. THIRD PARTY SHARING
Client data will only be shared with third parties when necessary, including:
Supervisors for clinical oversight (anonymised)
External safeguarding authorities (social services, NHS crisis teams, or emergency services)
IT or cloud providers, where data is held securely
Any third party sharing is done lawfully, proportionately, and with minimal disclosure.
10. DATA BREACHES
In the event of a data breach affecting client confidentiality:
The breach will be reported to the Information Commissioner’s Office (ICO) within 72 hours if required
Clients affected will be informed without undue delay
Steps will be taken to mitigate harm and prevent recurrence
11. WALK AND TALK, ONLINE & FACE TO FACE CONSIDERATIONS
Walk and talk: Personal data is collected and stored as per standard practice; sessions are conducted in public spaces with additional risk awareness
Online therapy: Sessions are conducted via platforms discussed in advance with clients’ physical location and emergency contacts are confirmed each session
Face to face: Private, secure rooms are used; records are stored securely
All modes of therapy comply with data protection, confidentiality, and safeguarding requirements.
12. REVIEW
This policy will be reviewed annually, or sooner if:
Legislation changes
BACP or statutory guidance is updated
Service delivery models change
A data breach or safeguarding incident necessitates revision
Copyright Notice
Copyright © 2026 The Essex Birth Company. All rights reserved.
The Essex Birth Company may also trade as Perinatal Counselling and Trauma Therapy by The Essex Birth Company. All copyright, intellectual property rights, and the terms of this document apply to both trading names.
All content contained within this document, including but not limited to text, structure, layout, branding, and logo, is the intellectual property of The Essex Birth Company (TEBC) unless otherwise stated.
This document is provided solely for the purpose of client engagement with The Essex Birth Company. It may not be copied, reproduced, distributed, adapted, shared, published, or used for any commercial or non-commercial purpose without prior written consent.
The logo, branding elements, and design of this document may not be used, replicated, extracted, or displayed in any format without express written permission.
June 2026