Privacy Policy

Your trust is important to me. In fact it always has been important to me ever since this site first launched back in 2011.

However because many businesses, having been taking – shall we say – a rather romantic view of the rules established by the Data Protection Act back in the late 1990s, as at May 2018 we are all required to go to very detailed lengths to prove that those of us to whom your trust is important, really mean it.

This dramatic new initiative is called the General Data Protection Regulation, affectionately known as GDPR.

Way down below is a very long policy statement which people like me are meant to have, and which I have put together for those of you who like to read, well, very long documents in entry-level legalese. Be my guest.

Here, though, in simple language is how privacy works on HTWB

There are two ways in which I collect data from you.

One, is via the signup box on the HTWB home page, where you put in your name and email address and, subject to double-opt-in, you begin receiving my newsletter.

Two, is via personal contact – usually when we meet and exchange business cards. I hand those cards to my VA who then uses your email address to invite you to sign up for the newsletter and if you want to, you sign up via the same double opt-in process as above.

There are further details about the newsletter below (also in plain English.)

In either case, signup is done a a “double opt-in,” which means you have to confirm by email that you want to join my mailing list.

There are three (well, four) of us who deal with / have access to this information:

Me (Suzan St Maur)

My VA, Selina Johnson

My Webmaster, Barbara Saul

Mailchimp (a secure email platform)

That’s it.

What data?

Your name and email address. Only.

Where else does your data go?

Absolutely nowhere. I don’t sell data, any more than I accept advertising or sponsored posts. I value my credibility too much.

Where and how your data is stored

The signup software here on HTWB is GDPR compliant – in other words secure and can’t be fiddled with. When you sign up, your data goes via secure links to Mailchimp.

When you give me your business card or other promotional literature, I supply this by hand to Selina, who then enters it into the secure Mailchimp list. Business cards and other promotional literature are destroyed once their information is entered (they make excellent barbecue or fire pit lighters…)

Copies of both signups and business card records (in spreadsheet form) are held by Selina and me on our secure, password protected desktop computers.

(Barbara Saul does not have access to the spreadsheets or the Mailchimp list, but does have unlimited access to this website, so her name needs to be on this list!)

NB: All three of us individuals work from home. No-one else has password access to our work computers. Our homes are secure locations and in my case and Selina’s, also guarded by yappy dogs which many Police officers believe is the best burglary deterrent. Barbara’s cat is known to hiss and spit at strangers, too… ūüėČ

Where and how your data will be used

When you sign up here on the site: (after the double opt-in process) you will go on my list to receive one newsletter per month, called  The How To Write Better Personalised Digest. This will be done on the usual double opt-in basis.

When I receive your business card or other promotional material: you will be sent an invitation email similar to what I describe a few lines below, to join the list to receive The How To Write Better Personalised Digest newsletter at the rate of one per month. You can ignore, nix this invitation, or accept it and then do the same double opt-in procedure.

NB: I am not allowed to use your details to send you anything else other than the Digest. (So no more free Prosecco, I’m afraid…;-) LOL…)

Here is an example of the Digest’s format and content: bear in mind that this is the invitation email that is sent to people whose business cards or other promotional material have been given to me, but it’s near enough to how the email is being styled and formatted every month:


Hi, it’s Suze here.
We know each other through networking.
To get straight to the point…
Would you like to receive a *personalised digest of information from my resource website HTWB, to save you time and stress with your day-to-day writing for business, social and/or creative purposes?
Once a month?
No scams, no spam, no sell (just announcements of new books**), no smell?
Some of you will remember that I asked on social media a while back what topics would be of most interest to you, and I’ve taken note of the responses so far (please keep them coming, though.)

Popular areas are:

  • Grammar, spelling, punctuation, syntax advice
  • More powerful emails that get results whether day-to-day or as marketing
  • Delicate issues, e.g. how to write notes of condolence, or to someone with cancer
  • Blog posts for business or other purposes
  • Blog posts that can eventually become a book whether for business or other purposes
  • Books ‚Äď business, self-help, fiction
  • eBooks for business and other purposes, novellas, etc
  • Story telling and story writing, for adults and children
  • Humour and jokes (plus one request for some rude ones ‚Äď will see what I can do!)
  • Speeches, presentations, talks, including wedding speeches for everyone
  • Marketing copy

In each edition I pick the top six topics I think you’ll personally find most useful. Some examples…

To go to the articles/tutorials, click on them below

1.How, and what, to write to people who are in a bad place ‚Äď e.g. recently bereaved, diagnosed with cancer, having lost their job and more.

2.Why talking about ‚Äúwe‚ÄĚ in your advertising text needs to be kept to a minimum ‚Ķ and how to capture readers‚Äô attention by writing about ‚Äúyou.‚ÄĚ

3.Blogging for your business, charity, interest or just for fun: how to organise it so it’s easy for you to do and keep going.

4.Do you sometimes feel you’re not getting a good, fast response to your day-to-day emails? It could be you need to sharpen them up. Here is some advice to help you with that.

5.You know that short story you’ve always wanted to write? There’s lots of information on how to do it and most of it’s confusing. Here I’ve shared the simple way to do it. Works for me, anyway!

6.The wedding season is coming up and should you, or someone you know, be making a speech ‚Ķ it can be quite a scary prospect. There is lots of advice here, and for everyone ‚Äď not just the men.

OKies. Now here is the GDPR and PRIVACY stuff … (as above)

My intentions in sharing this with you are 99 percent honourable, i.e. free advice on writing. My accountant thinks I’m crazy, but I like to share. The other one percent is that I would like, please, to let you know when my own new books are published, (two coming up this year), when my coaching clients’ books are published, and also tell you about a few (yes, seriously – few) more new books you might like, from the publishers with whom I have a close working relationship ‚Äď Corona Books. Currently they only publish about 10 books per year including some of mine, so you will hardly be flooded.

And that’s it, although I might wish you Happy Holidays in December…


What if you want to check on the information I hold about you?

Well, we both know that it’s your name and email address. But you may want to change your email address. So you just drop me a note, tell me what information you want and/or give me the changes you want, and it gets done within a a couple of days. Probably sooner.

What if you don’t want to receive any more emailed newsletters?

You simply hit the UNSUBSCRIBE button in the email. That’s it. Goodbye and good luck. No hard feelings.

And to comply with the new rules, your data will be “destroyed” (in the GDPR jargon … so dramatic … ) i.e. deleted from Mailchimp and Selina’s and my spreadsheets ASAP. (The new rules call that “the right to be forgotten.” Even more dramatic…)

To sum up: when you sign up here on HTWB, you get one email per month that shares some of my top tips on how to write better across a variety of areas, mostly chosen by you – my readers. (I’ll also tell you when there’s a nice new book in the offing.) And if you want to stop getting those newsletters you just say, your name and email address come off the list and disappear.¬†

Now, for those who like details, here is the full story. Good luck…




Introduction is committed to a policy of protecting the rights and privacy of individuals. needs to collect and use certain types of Data in order to carry on our work. This personal information must be collected and dealt with appropriately.

The Data Protection Act 2018 governs the use of information about people (personal data). Personal data can be held on computer or in manual files, and includes email, minutes of meetings, and images etc. will remain the data controller for the information held. and its named associates will be personally responsible for processing and using personal information in accordance with the Data Protection Act 2018.

Named associates running who have access to personal information, will be expected to read and comply with this policy.


The purpose of this policy is to set out the commitment and procedures for protecting personal data. regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal with.

The Data Protection Act 2018 Principles for Handling Personal Data

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‚Äėlawfulness, fairness and transparency‚Äô);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with¬†Article 89 of the European GDPR, not be considered to be incompatible with the initial purposes (‚Äėpurpose limitation‚Äô);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‚Äėdata minimisation‚Äô);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‚Äėaccuracy‚Äô);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 of the European GDPR,¬†subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‚Äėstorage limitation‚Äô);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‚Äėintegrity and confidentiality‚Äô).


The following list contains definitions of the technical terms we have used and is intended to aid understanding of this policy:

  1. ‚Äėpersonal data‚Äô means any information relating to an identified or identifiable natural person (‚Äėdata subject‚Äô); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‚Äėprocessing‚Äô means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. ‚Äėrestriction of processing‚Äô means the marking of stored personal data with the aim of limiting their processing in the future;
  4. ‚Äėprofiling‚Äô means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person‚Äôs performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  5. ‚Äėpseudonymisation‚Äô means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  6. ‚Äėfiling system‚Äô means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  7. ‚Äėcontroller‚Äô means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  8. ‚Äėprocessor‚Äô means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  9. ‚Äėrecipient‚Äô means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  10. ‚Äėthird party‚Äô means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  11. ‚Äėconsent‚Äô of the data subject means any freely given, specific, informed and unambiguous indication of the data subject‚Äôs wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  12. ‚Äėpersonal data breach‚Äô means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  13. ‚Äėgenetic data‚Äô means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  14. ‚Äėbiometric data‚Äô means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  15. ‚Äėdata concerning health‚Äô means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;*
  16. ‚Äėmain establishment‚Äô means:
    1. as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
    2. as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
  17. ‚Äėrepresentative‚Äô means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to¬†Article 27 of the European GDPR, represents the controller or processor with regard to their respective obligations under this Regulation;
  18. ‚Äėenterprise‚Äô means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
  19. ‚Äėgroup of undertakings‚Äô means a controlling undertaking and its controlled undertakings;
  20. ‚Äėbinding corporate rules‚Äô means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
  21. ‚Äėsupervisory authority‚Äô means an independent public authority which is established by a Member State pursuant to¬†Article 51 of the European GDPR;
  22. ‚Äėsupervisory authority concerned‚Äô means a supervisory authority which is concerned by the processing of personal data because:
    1. the controller or processor is established on the territory of the Member State of that supervisory authority;
    2. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
    3. a complaint has been lodged with that supervisory authority;
  23. ‚Äėcross-border processing‚Äô means either:
    1. processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
    2. processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
  1. ‚Äėrelevant and reasoned objection‚Äô means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
  2. ‚Äėinformation society service‚Äô means a service as defined in point (b) of Article 1(1) of¬†Directive (EU) 2015/1535of the European Parliament and of the Council (¬Ļ);
  3. ‚Äėinternational organisation‚Äô means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
  4. *It is not expected that will hold special category data as it is not intended to hold any information on health or finance under its contract membership information unless a member requests access to the extra levels of website. Under the contract for this will ensure that such special category data will be held until finances are no longer required and then it will be deleted.

Applying the Data Protection Act 2018 within

Access to personal information is limited to the named associates of

Correcting Data

Individuals have a right to have data corrected if it is wrong, to prevent use which is causing them damage or distress or to stop marketing information being sent to them. In some circumstances the data will be corrected by striking a line through the incorrect data and adding an explanation for this strike-through with any amendment clearly shown. This is for legal evidence needs of both the organisation and the person to who the data refers.

Reasons for Processing Data will process data for this reason:

In the case of the normal operations of, Personal Data will be processed as is necessary for the performance of a contract to which the person providing their Personal Data is party or in order to take steps at the request of that person prior to entering into the contract. This contract will be membership of the mailing list and will enable the named associates to pass relevant information to the person (the member) in the act of compiling and disseminating the monthly newsletter. If the member wishes, this contract will be explained in more detail to him or her prior to signing up to the contract of membership.


Suzan L.M. St Maur, owner of, is the Data Controller under the Act, and is legally responsible for complying with the Act, which means that it determines what purposes personal information held will be used for.

Suzan L.M. St Maur and the other named associates will take into account legal requirements and ensure that they are properly implemented, and will through appropriate management, ensure strict application of criteria and controls:

  • Observe fully conditions regarding the fair collection and use of information,
  • Meet its legal obligations to specify the purposes for which information is used,
  • Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs and/or to comply with any legal requirements,
  • Ensure the quality of information used,
  • Ensure that the rights of people about whom information is held, can be fully exercised under the Act. These include:
    • The right to be informed that processing is being undertaken
    • The right of access to one‚Äôs personal information
    • The right to be forgotten
    • The right to prevent processing in certain circumstances and
    • The right to correct, rectify, block or erase information which is regarded as wrong information, when this is possible.
  • Take appropriate technical and organisational security measures to safeguard personal information,
  • Ensure that personal information is not transferred abroad without suitable safeguards,
  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information,
  • Set out clear procedures for responding to requests for information

The Data Controller of is:

Name:   Suzan Lucette Manou St Maur

Contact Details: or tel: 07767 354090

The Data Controller will be responsible for ensuring that the policy is implemented and will have overall responsibility for:

  • Everyone processing personal information understands that they are contractually responsible for following good data protection practice
  • Everyone processing personal information is appropriately trained to do so
  • Everyone processing personal information is appropriately supervised
  • Everyone processing personal information has read and signed this Policy
  • Anybody wanting to make enquiries about handling personal information knows what to do
  • Dealing promptly and courteously with any enquiries about handling personal information
  • Describe clearly how it handles personal information
  • Will regularly review and audit the ways it holds, manages and uses personal information
  • Will regularly assess and evaluate its methods and performance in relation to handling personal information
  • All named associates are aware that a breach of the rules and procedures identified in this policy may lead to action being taken against them

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 2018.

In case of any queries or questions in relation to this policy please contact the Data Controller.

Data Collection and Processing

Contract Data and Consent

Contract data and consent is when

  • A person providing their personal contract data so as to become a member must clearly understand exactly why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the contract data
  • Consent is required if requests further information above and beyond what was required for contract data. will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form being either paper based or online.

When collecting data, will ensure that the person supplying their data:

  • Clearly understands why the information is needed
  • Understands what it will be used for and what the consequences are should the person/member decide not to agree to the contract or give consent to the processing
  • As far as reasonably possible, agrees to the contract, or grants explicit consent, either written or verbal for the data to be processed
  • Is, as far as reasonably practicable, competent enough to give agreement to the contract or consent and has given so freely without any duress*
  • Has received sufficient information on why their data is needed and how it will be used

Data Storage does not have its own offices and works through named associates who own their own computers and use those to administer and store information about the newsletter provides. Information and records relating to newsletter subscribers will be stored securely and will only be accessible to authorised, named associates.

Information will be stored for only as long as it is needed or required statute and will be disposed of appropriately. Each named associate will be requested to purge their computer each year to ensure we are not storing information that is no longer required.

It is’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.

Data Subject Access Requests

Members of the public may request a copy of the personal data that hold on them. This includes the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in¬†Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In cases where this applies the Procedure in Appendix One (a) should be followed.

Consent Withdrawal

If members have been asked to provide extra information by and give their consent for that to happen but then change their mind, the withdrawal of their consent should be as easily to withdraw as it was to give. The procedure for this is to be found in Appendix One (b).

Right to Change Their Personal Data

Members of the public have the right to ensure the records stored about them are correct. If they believe a record is incorrect they can apply to have these amended or added to correct any wrongs. If a request of this type is received the, Procedure in Appendix One (c) should be followed.

Right to be Forgotten Requests

Members of the public have a new right which is termed as ‚Äėto be forgotten‚Äô. This means that they have the right to be removed from the records of the organisation if they request it. This is not an absolute right as parts of the record could well be required to be kept under statute and therefore when such a request is received, will follow the Procedure in Appendix One (d) should be followed. This includes an explanation of why it might be detrimental to completely expunge their records.

Right to Transfer Personal Data

If another service similar to is available the member has the right to have their personal data transferred to this other service. The member would then transfer to this third party service and would no longer provide services. The process for this is to be found in Appendix One (e).

Disclosure may need to share data with other agencies such as the local authority, funding bodies and other voluntary agencies. will, where it can, supply the information in anonymised form or general fingers so that no personal data is given.

The person providing their personal information will be made aware how and with whom their information will be shared within the membership contract.  There are circumstances where the law allows to disclose data (including sensitive data) without the data subject’s consent. regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal. intends to ensure that personal information is treated lawfully and correctly.

Risk Management 

The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Named associates should be aware that they can be personally liable if they use customers’ personal data inappropriately. This policy is designed to minimise the risks and to ensure that the reputation of the is not damaged through inappropriate or unauthorised access and sharing.

Breach of the Duties

In cases where there is any breach of duties under the Act or inappropriate release or theft of Personal Data, the Data Controller must be informed immediately. has only 72 hours to inform the Information Commissioners Office (ICO) of the breach and therefore it must be actioned immediately. Reporting is achieved through the ICO’s website at:

Destroying Personal Data

Personal data should only be kept for as long as it is needed i.e. only keep that data for the duration of administering the newsletter and securely dispose of once the period is complete. Members’ personal data will be removed when they leave the mailing list at the first review after they leave. will ensure that all computers and paper files will be reviewed annually. We will ensure that this information is confidentially destroyed at the end of the relevant retention period. However, any data that has to be retained for a legal reason (e.g. HMRC), then this will be reviewed during the first review when destruction becomes available as an option.

New Software, Hardware and Other Systems

When new systems are put in place, whether computerised or manual, the Data Protection Act provisions must be taken into account at the planning stage. Design must include the provisions of the Act and a Privacy Impact Assessment must be completed.

Further Information 

If anyone has specific questions about information security and data protection in relation to the please contact the Data Controller: Suzan L.M. St Maur on .

The Information Commissioner’s website ( is another source of useful information.

All named associates are expected to follow the organisation’s policies in these areas, which will review at least every two years.

Named associates of

Suzan L.M. St Maur (Data Controller)


6 Mount Pleasant

Aspley Guise

Milton Keynes MK178LA

United Kingdom

Phone +44 (0) 7767 354 090



Barbara Saul

Webmaster, (Data Processor)



Selina Johnson

Administrator, (Data Processor)



If the Data Controller is unavailable for any reason the person to contact must always be either of the following:


Barbara Saul (Data Processor)

Selina Johnson (Data Processor)

(details as above)


Signed :   

Suzan St Maur  

Date :       

May 7th, 2018



Appendix One

All references to days will be calendar days and not working days.

  1. a) Data Subject Access Requests

When a Subject Access Request is received the Data Controller needs to be informed immediately. The Data Controller will firstly ensure that the person requesting the Data is legally entitled to that data. If the person requesting personal data is acting on behalf of somebody else, then consent will have to be obtained for to release the information to that third party. If the subject of the personal data is deceased then only the Executor of the Will or somebody who has an interest in the Will can receive such information. If there is no Will then the Data Controller will ensure themselves that the person concerned is a suitable person to receive the information by either encouraging them to get a legal consent or ensuring they are the closest relative. For third parties, consent and personal identity would be required. Personal identity can be confirmed by seeing the Passport or Driving Licence of the person and proof of their current address (a utility bill or bank statement).

When it is clear that the person has a right to the information, the Data Controller will request all other named associates of to search their computers for any information they hold. They should provide this within 7 days. If for any reason they are away then they should supply this information in 21 days at the very longest. The Data Controller will provide the person requesting the information with all the data found within one month of the request being received and/or of the validation of the person’s identity. If this cannot be met the Data Controller will inform the person of the reasons why this cannot be achieved, and will agree a new timeframe with them.

  1. b) Consent Withdrawal

When consent has been requested from a member for extra non-contract information to be given to the person must be able to withdraw consent at any time as easily as it was to give it. When a request to withdraw consent is received, this must immediately be passed to the Data Controller who will arrange for the consent to be withdrawn.

Whatever the consent was received for, that person’s role and information will immediately cease and any non-contract information gathered will be destroyed. The Data Controller will request the named associates to purge their computers of any non-contract information within 7 days and cease to use that person’s information for the purpose it was requested. Once this has been completed, all named associates will inform the Data Controller before the 10th day that they have completed this and the Data Controller will then inform the person that their information has been deleted and while the process might continue their data is no longer being used. This will be done within 21 days. There is no fee for this service.

  1. c) Right to Change Their Personal Data

Members have the right to change personal data that they believe to be incorrect. If a request is received by for data on a person on their mailing list to be changed this must be passed to the Data Controller immediately. The Data Controller will discuss this with the member and ensure the right changes are noted. In some cases, it may not be possible to change what has be noted either on computers or in written format. If for instance the member requests something deleted or changed that is covered by a legal requirement to keep that information (Income Tax for instance), then a change cannot be made. However, a note can be added to the record stating the members view of the record.

  1. d) Right to be Forgotten Requests

Everyone whose data holds has the right to be forgotten. That means a member of the mailing list on which data is held can request for the whole of the data to be deleted. must them complete the request unless there is some legal reason that the data needs to be kept for. If there is, the data must not be kept for any longer than the requirement and this must be explained to the person making the request. (An example of data that legally may need to be kept, is that of income tax or other data relevant to HMRC.)

When such a request is received the Data Controller must immediately be informed. The Data Controller will request all named associates of to search their computers for any information they hold and to delete it. They should provide confirmation of this within 7 days. If for any reason they are away then they should supply this information in 21 days at the very longest. The Data Controller will provide the person requesting to be forgotten confirmation that this has been done within one month of the request being received or the validation of the person’s identity. If this cannot be met the Data Controller will inform the person of the reasons why this cannot be achieved, and agree a new timeframe with them.

  1. e) Right to Transfer Personal Data

Under the Data Protection Act everyone has the right to transfer information. This is something that will not perform under any circumstances unless the member concerned specifically expresses that such a transfer takes place. However members of the How mailing list are, of course, free to transfer their data to other resources as they wish.

If a request is received by to transfer information, such a request must be given to the Data Controller who will contact the member to discuss the request. If the Data Controller is satisfied that the transfer is correct then arrangements will be made to send the information to the relevant organisation.