As a family historian I am committed to data protection and privacy. I have always and will always do all that I reasonably can to keep your personal information safe, handling it in a responsible manner and complying with the data protection laws.
Please feel free to contact me, Sarah Oxburgh, about any privacy issues or worries at Research My Family History on Tel: 01287 2004460, Mobile: 07557885415, or email me at firstname.lastname@example.org.
Your right to object
I will use your personal data as detailed below and with your express permission. You have a legal right to object to how your personal data is being used, for example, if a third party were to insist on obtaining your personal data for legal reasons, you can object to me transferring that data. However, you must be aware that there are other laws that can and could supersede your right to uphold your claim to withhold or restrict the transfer of your personal data to a third party. I will always inform you when a request for your personal data has been made by a third party and will make every effort to ensure the validity of the request and the requester before transferring data.
If it is deemed by me that information or documents you have shared with me are in the public interest (which is extremely unlikely), I may seek your permission to liaise with a recognised archive or relevant public body to ensure safe keeping of the relevant document or information. You have a right to object to your data being transferred or used in this way. If you do object, I will consult with the Information Commissioner’s Office and follow their statutory guidance.
Information I collect
When you send an enquiry, I collect your name and whatever other contact details you have supplied. This allows me to process your enquiry and keep in touch. When you commission research, I will also ask you for your postal address because many reports come with supporting documentation which needs to be posted. I will also collect from you your family history information and, for some of you, childhood memories. I usually recommend sending full names, dates and places of birth, marriage and death, occupations and religious denomination for the earliest couple of known generations. This information is then used to produce a family tree and accompanying report.
How I use the information and share data
I will use your personal information solely for the purpose for which you sent it, i.e., communicating with you about genealogical research and undertaking the work itself. I may contact you after sending you my initial response to your enquiry to check that it arrived safely and see if you would like to take up the quote. I may contact you after sending you the report to make sure it arrived safely and to see if you would like any new work undertaken, building on the results of the last round, for instance, or perhaps starting to explore a new line of your ancestry which we have not investigated already. I may contact you further down the line, too, if new information or opportunities for research have come to light as this is an ever improving field.
Client confidentiality is a paramount concern of mine. No personal information you supply will be shared with any third parties unless you have specifically instructed me to do so and it is necessary in order for me to fulfil the research you have commissioned: e.g., if you have asked me to obtain a copy of your birth certificate. I will ALWAYS ask for permission to request certificates on your behalf. With respect to certificates, I contact the General Registry Office on your behalf and they will issue me with the relevant certificates. I will NEVER take a copy of any certificates without your express approval or knowledge and would only do so to fulfil the obligations of my working contract with you (for example, to duplicate family history research for more than one family member).
When registering with the Information Commissioner’s Office, genealogists are given a standard template which cannot be edited. This includes the statement ‘where necessary or required I share information with: relatives, guardians or other people associated with the person whose personal information I am processing; enquirers; survey and research organisations’. I can assure my clients that I will not be undertaking surveys that involve the use of your personal information (unless I am legally obliged to do so), nor will I be imparting your personal details to relatives etc., without your consent.
The only exceptions to the above are the demands of government departments legally empowered to see my files. Should H.M. Revenue and Customs (HMRC) or, ironically, the Information Commissioner’s Office wish to see my accounts and client files in the course of their routine tax or data protection inspections, I am – like everyone else – legally obliged to cooperate.
As mentioned above, sometimes, clients commission me to try to find living relatives. In those cases, I will use public records (particularly birth, marriage and death records, telephone directories and electoral registers). I will communicate the results obtained from those public records to you and you may then use that information to contact the person or people concerned. I strongly recommend that if you are indeed attempting to contact a close living relative that you also invest in an independent (separate cost to you) or local authority (should be free of charge) social worker, adoption agency or liaison officer. These are people who are qualified to help with the emotional ordeal of meeting and speaking to close family relatives with whom you have had minimal contact. If anyone who has been traced in this way wishes, the information I hold concerning them will be deleted immediately upon request by emailing me at email@example.com.
With your consent, I may use a third party to print a family tree, thus sharing some of your personal data. There will be a contract between the third party and myself in which all of the principles contained within this document are outlined and agreed to by the third party. The third party company also has a duty to operate their business with reference to the GDPR. Under my contract terms, they will be obliged to delete your personal data on the satisfactory receipt of your family tree.
Deleting data and restricting data use
You are entitled to request that I delete your data. I have to comply with this request as long as it is not in conflict with any other legal obligations that I may have. As well as requesting that I delete your data, you are also entitled to restrict how I use your personal data. Again, I must comply with this request in line with the GDPR and other legislation. The restriction of data may apply when making contact with a potential close or distant relative. I will take special care to be clear about which data you wish to release to a potential relative.
There may be occasion for me to request and be in possession of DNA data that links you to other people. I would only do this with your EXPRESS consent. I will NOT arrange a DNA test to establish parentage; that would have to be undertaken by you and your potential parent or child. It is possible that I would suggest a DNA test between distant relatives and that I would therefore be in possession of DNA data in order to transfer those details to you and to, with consent, the other person involved. I would process this data under Section 9 of the GDPR. I would request “explicit consent” for the specified purpose of a DNA test for “historical research purposes...proportionate to the aim pursued”. As in the case of other personal data, this DNA information can be immediately deleted from my records at the request of either party by emailing me at firstname.lastname@example.org. It will not be kept for the purposes of HMRC tax returns. I would only release this information to a third party if required to do so by law, for example, in the extremely unlikely event that you were potentially involved in an act that was deemed, by British legal authorities, to be beyond the boundaries of the British legal system.
Personal data relating to, for example, a public figure will not be taken away from my premises on a laptop, or on a hard drive, unless it is being transported to an off-site combination safe or being taken off my premises by a mutually agreed courier. Certificates will not be taken off my premises unless they are being taken to an off-site combination safe, in the process of being taken to the post office or taken by a mutually agreed courier.
Family history information never goes out of date. Whilst I am not obliged to keep your details (except under HMRC’s seven year rule), I will keep some digital records, e.g., a GEDCOM file, so that you can come back later and easily commission more research. It has been known for some clients to come back many years later to request further research once new records are released or index systems are improved. This being the case, I will keep digital records for 10 years, at which point I will contact you, via the original method of contacting you, to ask whether or not you are happy for your family tree to be deleted from my records. If I do not hear back from you, I will delete your digital records.
Please note that by keeping the details of your family tree, I cannot in any way be relied upon to produce evidence for you to prove your eligibility as a beneficiary of a Will. You must do one or all of the following in order to secure the possibility of being able to prove your entitlement to an estate:
1. Keep your own copy of the report, certificates and family tree.
2. Lodge a copy of your family tree, certificates and report with your own Will at a solicitors or in a safety deposit box.
3. Lodge a copy of your family tree, certificates and report with the Probate Service (currently a £20 flat fee).
I WILL NOT do the following:
If you do not want me to keep any details concerning you, other than those which I am legally obliged to retain by HMRC, I am happy to delete them – please simply let me know by emailing me at email@example.com.
How I protect your information
I have reasonable and appropriate security measures (including a firewall and virus checker) to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. I have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where I am legally required to do so.
Correcting your information
You are entitled to have your personal information updated and corrected, so please let me know of any changes in your contact details and circumstances. You are entitled to ask me to confirm what personal information I hold about you and to have this corrected, altered or deleted, and I will always be happy to do so, provided this does not contravene my obligation to keep records for HMRC. No fee will be charged for this unless your request is (in the ICO’s words) ‘clearly unfounded or excessive’.
You have the right to withdraw your consent to any processing that is currently being done under your consent. Consent can be withdrawn by emailing firstname.lastname@example.org. Once I have received notification that you have withdrawn your consent, I will no longer process your personal information, unless I have another legitimate basis for doing so under the terms of our engagement or due to legal requirements (i.e., the retention of details for tax purposes).
Right of complaint to the regulator for data protection
If you have any questions or concerns regarding this, please contact me at email@example.com and I will be happy to help.
You also have the right to complain about data protection issues to the Information Commissioner’s Office (ICO): Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF, 0303 123 1113 or 01625 545 745, https://ico.org.uk/concerns, firstname.lastname@example.org.
Last updated: 26 June 2018