top of page
  • Facebook
  • Instagram

Data Protection, GDPR & Privacy

The Essex Birth Company is registered with the Information Commissioner’s Office (ICO), and operates in compliance with GDPR and the Data Protection Act 2018.

 

This policy outlines our commitment to equity, diversity, and inclusion in all aspects of our work as a mental health counselling service.


1.  PURPOSE

This policy outlines how our counselling service collects, stores, processes, and protects personal information in compliance with:

  • General Data Protection Regulation (GDPR)

  • UK Data Protection Act 2018

  • BACP Ethical Framework for the Counselling Professions

  • Relevant safeguarding and confidentiality requirements

Our aim is to ensure that client data is handled lawfully, fairly, and securely while supporting safe, effective, and confidential therapeutic practice.


2.  SCOPE

This policy applies to:

  • All client information, whether obtained online, in person, or during walk and talk sessions

  • All forms of personal data, including digital records, paper notes, emails, audio/video recordings, and health assessments

  • All employees, contractors, and supervisors working with the organisation


3. DATA WE COLLECT 

We may collect the following personal data for the purpose of providing safe and effective counselling:

  • Identity information: name, date of birth, gender identity, contact details (including the location where the sessions will be taking place, for online clients)

  • Health information: physical and mental health history, pregnancy or perinatal history, women’s health details, neurodivergence, menopause or gynaecological concerns

  • Session information: clinical notes, risk assessments, safeguarding concerns, goals, progress and information in regards to presenting problems and history concerns

  • Contact and communication information: emails, phone numbers, emergency contacts

  • Payment and administrative data: invoices, receipts, and relevant financial information

We only collect information that is necessary for the provision of counselling, safeguarding, and service administration.


4.  LAWFUL BASIS FOR PROCESSING

Under GDPR, we process client data based on the following lawful grounds:

  • Consent: The client voluntarily agrees to share personal information for therapy and related services

  • Contractual necessity: Information is needed to deliver counselling services safely and effectively.

  • Legal obligation: Information may be processed to comply with safeguarding duties or other legal requirements

  • Legitimate interests: To ensure safe, professional practice, manage risk, or utilise supervision (where this does not override client rights)


5.  CONFIDENTIALITY & LIMITS

Client confidentiality is central to our work. However, personal data may be disclosed without consent if there is:

  • Risk of serious harm to the client

  • Risk of serious harm to another person (including unborn babies, infants, or dependent children)

  • Safeguarding concerns involving children or vulnerable adults

  • Legal obligations (e.g., court order)

All disclosures are minimised to what is necessary and only shared with relevant authorities (GP, midwife, health visitor, social care, crisis teams, or emergency services).


Every effort will be made to discuss a disclosure of confidentiality in advance with the Client. Being open and transparent about the process is of the upmost importance, unless discussing this could cause harm.


At the end of each session your Therapist will write and keep brief anonymised notes about what you’ve shared. There will be kept secure and confidential unless the above situations arise.   


In alignment with professional standards counsellors are required to attend regular supervision sessions to discuss their work. No disclosures will be made that share your identity, and all conversations will be anonymised. Supervision sessions are for counsellors to gain support and guidance with their work, and to check that they are working ethically and competently.


6. STORAGE & SECURITY 

We take all reasonable steps to ensure client data is secure:

  • Digital records are password protected, and stored on secure devices or cloud services

  • Paper records are locked in secure cabinets accessible only to authorised personnel

  • Access to client data is restricted to practitioners and supervisors who require it for professional purposes. Supervisor’s access is anonymised.


7. RETENTION & DISPOSAL 

  • Clinical records: Retained for a minimum of 7 years after the end of therapy (BACP guidance), or longer for safeguarding purposes

  • Financial records: Retained for at least 6 years (HMRC requirements)

  • Records are securely destroyed after the retention period: paper records shredded, digital files permanently deleted


8. CLIENT RIGHTS

Under GDPR and UK data protection law, clients have the right to:

  • Access their personal data (subject to professional exceptions for clinical notes)

  • Request correction of inaccurate or incomplete data

  • Request deletion of data where legally permissible

  • Object to processing where lawful grounds allow

  • Withdraw consent at any time, understanding that this may affect service delivery

  • Request a copy of this policy and related privacy information

Requests can be made in writing or via email. We will respond within one month unless complexity requires an extension (in line with GDPR).


9. THIRD PARTY SHARING


Client data will only be shared with third parties when necessary, including:

  • Supervisors for clinical oversight (anonymised)

  • External safeguarding authorities (social services, NHS crisis teams, or emergency services)

  • IT or cloud providers, where data is held securely

Any third party sharing is done lawfully, proportionately, and with minimal disclosure.


10. DATA BREACHES

In the event of a data breach affecting client confidentiality:

  • The breach will be reported to the Information Commissioner’s Office (ICO) within 72 hours if required

  • Clients affected will be informed without undue delay

  • Steps will be taken to mitigate harm and prevent recurrence


11. WALK AND TALK, ONLINE & FACE TO FACE CONSIDERATIONS

  • Walk and talk: Personal data is collected and stored as per standard practice; sessions are conducted in public spaces with additional risk awareness

  • Online therapy: Sessions are conducted via platforms discussed in advance with clients’ physical location and emergency contacts are confirmed each session

  • Face to face: Private, secure rooms are used; records are stored securely

All modes of therapy comply with data protection, confidentiality, and safeguarding requirements.


12. REVIEW

This policy will be reviewed annually, or sooner if:

  • Legislation changes

  • BACP or statutory guidance is updated

  • Service delivery models change

  • A data breach or safeguarding incident necessitates revision


Copyright Notice

 

Copyright © 2026 The Essex Birth Company. All rights reserved.

  • The Essex Birth Company may also trade as Perinatal Counselling and Trauma Therapy by The Essex Birth Company. All copyright, intellectual property rights, and the terms of this document apply to both trading names.

  • All content contained within this document, including but not limited to text, structure, layout, branding, and logo, is the intellectual property of The Essex Birth Company (TEBC) unless otherwise stated.

  • This document is provided solely for the purpose of client engagement with The Essex Birth Company. It may not be copied, reproduced, distributed, adapted, shared, published, or used for any commercial or non-commercial purpose without prior written consent.

  • The logo, branding elements, and design of this document may not be used, replicated, extracted, or displayed in any format without express written permission.


June 2026

bottom of page