Right to access

Right to Access Policy

General Data Protection Regulations(“GDPR”) – Subject Access Request

The purpose of this document is to set out the National Council for Hypnotherapy (“NCH”) policy for responding to subject access requests under the GDPR. The Regulations took effect from 25th May 2018

The regulations explain the rights and responsibilities of those dealing with personal data held in accordance with our privacy policy.

How do you make a subject access request?

A subject access request is a written request for personal information (known as personal data) held about you by the NCH.  Generally you have the right to see what personal information is held about you. Generally, you are entitled to be given a description of the information, what we use it for, who we can pass it on to, and any information we might have about the source of the information. However, this is subject to exemptions within the GDPR.

What is personal data?

Personal data is information which is biographical or which has the individual as its focus.

What we do when we receive a subject access request,

Check identity

First, we will always check we have sufficient information to be sure of your identity. Where appropriate we will ask you to supply evidence to confirm your identity. If you are making a data subject access request but you are not the individual concerned you will be required to provide your right to this information pursuant to the GDPR.

If the person requesting the information is a relative/representative of the individual concerned, consent for the release of the data must first be supplied from the individual. If you have been appointed under the Mental Capacity Act 2005, you must confirm your capacity to act on their behalf and explain how you are entitled to access their information.

Where you are a parent or guardian requesting information for a child under 16 we will need to decide if the child can provide their consent to you acting on their behalf.

Collating information

We will gather any manually or electronically held information held about you.

Where we identify information relates to a third party we will write to them to ask if there is any reason the information may not be supplied to you. We may also anonymise information that identifies third parties and edit information which could affect the privacy of another individual,

For the purposes of clarity, the GDPR requires the production of information and not documents.

Providing our response

We have the right to withhold personal data if disclosing would adversely affect the rights and freedoms of others.

Information will be supplied by email unless otherwise specified.

We will not charge a fee for complying with a request unless the request is “ manifestly unfounded or excessive”. If further copies are requested, the data controller reserves the right to charge a reasonable administrative fee if further copies are requested.

We will provide a response within a month (30 days).  In the case of a complex request, we may reserve the right to extend this period.

In the event you have made a previous request, we will respond if a reasonable period has elapsed since the previous request.


Possible exemptions may be:

information covered by legal professional privilege

information used for research, historic and statistical purposes

confidential references given or received by the NCH.

If you remain dissatisfied, you have the right to refer the matter to the Information Commissioner. The Information Commissioner can be contacted by following the options available on this link: https://ico.org.uk/global/contact-us/

The NCH is registered with the Information Commissioner’s Office,

Reference Number:   Z656424X

Date: 01 May 2018

Review: 01 May 2019