Privacy Statement

GDPR COMPLIANCE STATEMENT FOR:

Christine M. Thomas,
Historical Researcher


1          AWARENESS

I am an Independent Researcher with no staff or assistance and I am fully aware that the law is changing/has changed in May 2018. 

I work with a Windows based computer system consisting of two desktops and a laptop.  All are password protected.  No one else has access to, or uses, my office.  I do not print enquiry emails or the results of research commissions unless specifically requested to do so by the person who has contacted me.

I am fully aware that family history related information is sensitive.  The majority of my research involves building up background information on deceased British Expatriates who spent time in Hong Kong & China in the 19th. and early 20th. centuries (1842 – 1941). 


2          INFORMATION I HOLD ON LIVING PERSONS

1)         The names and email addresses of people who have contacted me and to whom I have replied.  These arrive via BT Mail, Mail.com or Gmail and are downloaded/copied to my system.

2)         Information sent to me by family researchers who have requested that I carry out research on their behalf.

3)         The results of research applicable to individual commissions.

Names and email addresses of clients are deleted from my system one month after a research commission has been completed.

I never share clients personal information with anyone else.  I have never shared clients personal information with anyone else.


3          COMMUNICATING PRIVACY INFORMATION

This document is on my website & blogs and will in future be included in all responses for research assistance.


4          INDIVIDUAL RIGHTS

If someone asks to see a copy of their data I will email it to them as a pdf document. 


5          SUBJECT ACCESS REQUESTS

If someone should request details which I hold on them I can normally respond within 48 hours.

If I am abroad or crossing an ocean by ship then my response will be delayed until I have internet/wifi access.

As the law requires data to be deleted within 30 days of receiving a request I do not accept new commissions one month prior to leaving on long overseas trips.


6          LAWFUL BASIS FOR PROCESSING DATA

If a client contacts me requesting assistance then I need to have their name and email address in order to contact them with results.  At no time will I impart this information to anyone else.

If a client has settled their account via Paypal then that organisation will have their details. Their privacy policy can be found here:

Paypal privacy policy

The only details I have access to via this method are clients name and email address. I do not have access to clients credit card or bank details.


7          CONSENT

I have never harvested or purchased email lists and will never do so.

As from 25 May 2018 anyone who submits an enquiry to me will be provided with a pdf copy of this statement and will be asked to confirm that they wish me to undertake research on their behalf.


8          CHILDREN

I never accept research commissions from children.

I never accept research commissions which involve tracing living children.


9          DATA BREACHES

All my computers are password protected and provided with security/anti-virus software.  If I was informed of a data breach in my system I would seek advice from appropriate experts on how it should be handled.


10.  DATA PROTECTION BY DESIGN & DATA PROTECTION IMPACT ASSESSMENTS

I have familiarised myself with ICO’s code of practice on Privacy Impact Assessments as well as guidance from the Article 29 working party.


11        DATA PROTECTION OFFICER

As I am an Independent Researcher this will have to be myself.


12        INTERNATIONAL

My lead data protection supervisory authority is UK ICO.

This has been written (to the best of my ability) after research into what is required from micro businesses in relation to GDPR


23rd May 2018