GDPR COMPLIANCE STATEMENT FOR:
Christine M. Thomas,
Historical
Researcher
1 AWARENESS
I am an Independent Researcher with no staff or
assistance and I am fully aware that the law is changing/has changed in May
2018.
I work with a Windows based computer system
consisting of two desktops and a laptop.
All are password protected. No
one else has access to, or uses, my office.
I do not print enquiry emails or the results of research commissions
unless specifically requested to do so by the person who has contacted me.
I am fully aware that family history related
information is sensitive. The majority
of my research involves building up background information on deceased British
Expatriates who spent time in Hong Kong & China in the 19th. and
early 20th. centuries (1842 – 1941).
2 INFORMATION
I HOLD ON LIVING PERSONS
1) The
names and email addresses of people who have contacted me and to whom I have
replied. These arrive via BT Mail,
Mail.com or Gmail and are downloaded/copied to my system.
2) Information
sent to me by family researchers who have requested that I carry out research
on their behalf.
3) The
results of research applicable to individual commissions.
Names and email addresses of clients are deleted
from my system one month after a research commission has been completed.
I never share clients personal information with
anyone else. I have never shared clients
personal information with anyone else.
3 COMMUNICATING
PRIVACY INFORMATION
This document is on my website & blogs and will
in future be included in all responses for research assistance.
4 INDIVIDUAL
RIGHTS
If someone asks to see a copy of their data I will
email it to them as a pdf document.
5 SUBJECT
ACCESS REQUESTS
If someone should request details which I hold on
them I can normally respond within 48 hours.
If I am abroad or crossing an ocean by ship then my
response will be delayed until I have internet/wifi access.
As the law requires data to be deleted within 30
days of receiving a request I do not accept new commissions one month prior to
leaving on long overseas trips.
6 LAWFUL
BASIS FOR PROCESSING DATA
If a client contacts me requesting assistance then
I need to have their name and email address in order to contact them with
results. At no time will I impart this
information to anyone else.
If a client has settled their account via Paypal
then that organisation will have their details. Their privacy policy can be
found here:
The only details I have access to via this method
are clients name and email address. I do not have access to clients credit card
or bank details.
7 CONSENT
I have never harvested or purchased email lists and
will never do so.
As from 25 May 2018 anyone who submits an enquiry
to me will be provided with a pdf copy of this statement and will be asked to
confirm that they wish me to undertake research on their behalf.
8 CHILDREN
I never accept research commissions from children.
I never accept research commissions which involve
tracing living children.
9 DATA
BREACHES
All my computers are password protected and
provided with security/anti-virus software.
If I was informed of a data breach in my system I would seek advice from
appropriate experts on how it should be handled.
10. DATA
PROTECTION BY DESIGN & DATA PROTECTION IMPACT ASSESSMENTS
I have familiarised myself with ICO’s code of
practice on Privacy Impact Assessments as well as guidance from the Article 29
working party.
11 DATA PROTECTION OFFICER
As I am an Independent Researcher this will have to
be myself.
12 INTERNATIONAL
My lead data protection supervisory authority is UK
ICO.
This has been written (to the best of my ability) after research into
what is required from micro businesses in relation to GDPR
23rd May
2018
