1. Purpose

This document sets out our policy for responding to subject access requests under the GDPR (General Data Protection Regulation), which comes into force on 25th May 2018. This document explains the rights of the data subject in relation to a data subject access request and PRISM Brain Mapping UK’s responsibilities when dealing with that request.

2. Individual Rights

An individual has the right to know what information is held about them. GDPR in the UK provides a framework to ensure that personal information is handled properly. This information must be:

3. PRISM Brain Mapping UK’s Policy on Providing Information

PRISM is committed to meeting all reasonable requests for access in accordance with GDPR, whilst protecting PRISM’s intellectual property and respecting the ethos of honest and confidential feedback which forms part of the PRISM experience.

4. How Do You Make a Subject Access Request?

A subject access request is a written request for personal information held about you by PRISM. You have the right to see what personal information we hold about you. You are entitled to be given confirmation as to whether we hold or process your personal information, and if so, you are entitled to access all your personal information as well as details of:

You are entitled to have any mistakes in your personal data rectified, and to have the data deleted if you would no longer like us to store or process your personal data, or to request restriction of our processing of your personal data.

If you are not satisfied with how we store or process your personal data, you have a right to lodge a complaint, in the first instance with us, by contacting and subsequently with the ICO.

5. What is Personal Information?

Personal data is information which relates to an individual or refers to an individual. Data refers to an individual if that individual can be identified such as by using their name, identification number, location data, or factors specific to the individual such as physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

6. What Do We Do When We Receive a Subject Access Request?

We cannot disclose personal information to anyone other than the Data Subject in question and we will take reasonable steps to verify their identity.

Collating information – we will gather any manual or electronically held information and identify any information provided by a third party or which identifies a third party.

Third parties – before sharing information that relates to third parties, we will, where possible, anonymise or edit information that might affect another party’s privacy. We may also summarise information rather than provide a copy of the whole document. The GDPR requires us to provide information, not documents.

7. Issuing a Response

Once any queries around the information requested have been resolved, copies of the information will be sent to you electronically wherever possible or, if this is not technically possible, by post.

8. Will We Not Charge a Fee?

We will not normally charge a fee for a subject access request. However, where the request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. We may also charge a reasonable fee if an individual requests further copies of their data following a request. We will base the fee on the administrative costs of providing further copies.

9. What Is the Timeframe for Responding to Subject Access Requests?

We have one month (30 calendar days) starting from when we received the information necessary to identify you, to identify the information you requested, and provide you with the information (or explain why we were unable to provide the information). Wherever possible, we will aim to complete the request in advance of the deadline.