top of page

Privacy Policy

I am registered with Information Commissioner’s Office (ICO) and as such, abide by the UK Data Protection Act 2018 the UK’s implementation of the General Data Protection Regulation (GDPR) and am the data controller and processor for my practice, trading as Lucy Matthews. You can find out more about the GDPR and the UK Data Protection Act from the ICO:
Under the GDPR the I have a duty to make clients aware of the following:
Reason for collecting Personal Data/Information I collect relevant personal information from clients to enable a working
record of contact information, in case of emergencies (explained below) and for the ongoing work in the therapeutic relationship.

I am bound by the British Association of Counselling and Psychotherapy (BACP) Ethical Framework for the Counselling Professions, BACP Ethical Framework for the Counselling Professions Supplementary Guidance:
Working Online (GPiA 047). The provision of confidentiality is made adhering to these guidelines.
Our sessions are strictly confidential, and the contents will not be disclosed beyond good practice guidelines.
(Please read: confidentiality policy

  • Under the GDPR I am legally obliged disclose data if you are involved in drug money laundering, planning terrorist’s offences or if a Court Order has been made.


  • Where there is suspicion of illegal or terrorist activities disclosed in online and remote counselling, the police and other authorities can ask for access to an individual’s email account or synchronous messaging account. They can also ask me for access to stored records. I am unable therefore to maintain confidentiality in these circumstances.

How will my personal data be stored and for how long?

  • Retention and storage of personal data will be as minimal as is possible and will only be relevant to the provision of counselling or supervision.

Data stored electronically:
Email address – stored in Contacts and not identifiable as a client
Contact phone number – stored in mobile phone using initials only.
Text messages – Please be aware that if you chose to contact me by text, these messages will be deleted unless they contain significant information.
No electronic devices are shared, and are password protected.
Data stored as a hardcopy and handwritten information:
Significant emails, signed agreements and contact details are printed and stored in a dedicated filing cabinet under lock and key, to which only I have access.
Electronic copies and messages received by email are destroyed.
Personal data/records of our sessions will be kept for up to 7 years after our work together has ended.
Your personal data will be disposed of by wiping any electronic files and shredding handwritten information. You can also request (in writing) that all data is destroyed during our contact, once our work together ends, or at anytime thereafter.
Your rights under GDPR
You have the right to request access to your client record and receive an explanation of what is held within it.
You have the right to withdraw consent, to request erasure or correction of your client record, to request portability, or to object to or restrict collection and processing of your data.

You have the right to know the source/s of personal data not originating from yourself, and the right to not receive unsolicited

You have the right to be made aware of any automatic decision making processes (e.g, profiling) and any significance and
consequence for yourself.

You will be made aware of any data breaches within 72 hours. You will be compensated for any damage or distress caused by the data breach.
You have the right to complain to the ICO (Information Commissioners Office) if you are unhappy with the data processing
arrangements, and to engage representation from a not-for-profit body in doing so.

In summary:

  • I collect, store and process personal information about you to enable me to run my practice. This information can include contact information, as well as information about your age, health (mental and physical), and where relevant, sexuality, domestic and financial arrangements and other special category data. I am able to collect this information upon the legal basis of "Legitimate Interests", as per GDPR regulations.

  • Your information is stored anonymously, under lock and key and/or password and encryption protected. I may use this information to track the progress of our work together or to receive reflection and guidance from my supervisor.

  • I will keep this information for up to 7 years. When deleted it will be by wiping electronic files and shredding handwritten information.

  • With regards to how this information is used, you have the right to have information about you deleted, have inaccuracies corrected, the right to access information about you - free of charge - within 1 month, the right not to receive any unsolicited marketing, the right to determine how information about you is processed and the right to complain if you are unhappy about any of the above by contacting the Information Commissioners Office here:, although I trust that you will try to discuss this with me in the first instance.

  • Should anything happen to me that prevents me from attending a session and from communicating with you directly - such as illness or death - then I have appointed a Therapeutic Executor who would be able to access your contact details to inform you should this situation arise.

bottom of page