Privacy Policy and Data Handling Statement

As a freelance photographer also working in the fields of oral history and community engagement, my work necessarily involves the collection, processing and storage of different kinds of data including personal data and sensitive category data.

This Privacy Policy and Data Handling Statement sets out how I manage personal data that I collect from you and/or about you in the course of my work. It has been written in line with UK Data Protection law, namely the Data Protection Acts of 1998 and 2018 and the General Data Protection Regulation (2018) which was enshrined in UK law by the 2018 Data Protection Act.

ICO Registration
The 2018 Data Protection Act requires that all individuals and organisations capturing, storing, processing and using personal data register with the Information Commissioner’s Office (ICO) and have policies and procedures in place for the handling, management and storage of data to ensure compliance with the 2018 Act.

As a consultant gathering, managing and processing data on behalf of clients, I have read and completed the checklist issued by the ICO concerning the collection and management of personal data and I am registered as a Data Controller with the Information Commissioner’s Office (Reference Number ZB626435).

Types of data held
In the course of my work, I gather and store personal data such as photographs, names, addresses and telephone numbers of interviewees, participants and other individuals who are connected with the project or activity I am delivering. I also capture and store data relating to living individuals through the recording of oral history. This data may relate to the interviewee themselves and other named individuals discussed during the recording. Archival research may also generate personal data relating to living individuals, which I use and process in the same way as personal data captured through other sources.

Data sharing
Data required for the purposes of my work may be gathered directly from individuals who are involved with a project I am leading, or shared with me by a third party such as a participant, client, heritage organisation, local authority or charity. Where this is the case, I ensure there is a Data Sharing Agreement in place as part of the contractual arrangement.

Data that I have been given or gathered for professional purposes will only be shared with a third party with your informed prior consent and where the sharing of data is deemed essential for business administration and continuity. I manage all data personally and do not subcontract data handling to third parties.

Data storage and security
Personal data is stored electronically on my computer and/or my iPad and/or my camera. These are backed up digitally onto external hard drives and via iCloud. Electronic records are kept secure by password-protected access mechanisms. Apple Inc operating systems for Mac and iPad have integral firewall and antivirus mechanisms and software is updated on a regular basis. In addition, I use Norton Antivirus software.

Personal data is also held in written form on hard copy (paper) files such as contractual agreements and consent forms. All reasonable measures are taken to keep records secure.

Subject access requests, data amendment or deletion
The Data Protection Act 2018 gives you as a Data Subject the right to know what information is held about you, along with the right to amend or correct that information and to request that it be erased, subject to exclusions specified in the Act. Details of any personal data I hold about you can be accessed on application to me as Data Controller. An acknowledgement of the request will be given within two working days of the request having been received. Provision of data will be actioned on verification of your identity and by the method of your choice within seven working days of the request having been acknowledged. This process also applies to requests for data to be destroyed.

Retention periods
Under Data Protection law, data should be stored no longer than is necessary for the purpose for which it was gathered. All data gathered through the course of my work is held for a period of seven years from the end of the year in which it was collected, in order to comply with the legal requirements of reporting to HM Revenue and Customs for tax purposes. Providing no investigations or external audits are required, data captured eight years ago or more and no longer being used in conjunction with current project work will be destroyed. Where project files or parts thereof are retained for research purposes, personal data will be erased or redacted, and files securely anonymised. Material which is published as part of a project and therefore in the public domain may be retained if it is considered to be of significant research value.

This Privacy Policy and Data Handling Statement confirms my commitment to:
• Ensure your personal data is accurate and up to date
• Protect your personal data in accordance with UK law and ensure it is kept securely
• Ensure transparency in how I collect, process and store your data
• Use your personal data lawfully and only in accordance with my professional activities
• Retain records in accordance with UK law and anonymise or redact personal data from any material retained for research purposes
• Process any data requests within seven working days.

Please contact me directly if you have any queries about this Policy or the way in which I collect, manage, use or store personal data.

Lucy Saggers
January 2024