Fraser and Fraser (F&F) takes information security and data protection seriously as personal data is at the heart of the probate research business.
Overall the privacy risks are low – since the core research activity uses mostly publicly available register data or information volunteered from beneficiaries and family members. Because the firm has remained a partnership since 1969, the partners are fully liable and therefore acutely aware of their compliance responsibilities.
F&F have taken data protection seriously in the past, but the General Data Protection Regulation (GDPR) significantly changes the governance and transparency requirements and there has been a need to improve compliance in these areas, and in addressing data retention.
For the main research activity, F&F is processing personal data in its legitimate interests (Art 6, condition f) as a probate research company, matching beneficiaries with estates. This also benefits solicitors and estate administrators in achieving resolutions, and the beneficiaries in enabling them to exercise their claims.
Once a beneficiary has agreed to work with F&F, their data is processed for the fulfilment of a contract (Art 6, condition b).
One area where F&F has opted to retain reliance on consent (Article 6, condition a) is that, having identified a beneficiary the firm will not disclose their contact details to a solicitor or estate administrator to submit a claim to estate without a “form of authority”.
F&F does not process special category (sensitive) data in probate research and therefore need not identify additional processing conditions under Article 9.
How we use your data
Fraser and Fraser is an international probate and genealogical research firm. Our task as probate researchers consists of tracing people who are entitled to a share of an estate. If they are named in a Will but cannot be found, we work to discover their whereabouts. When there is no Will and that person has died intestate, we delve into their family history to enable us to find their next-of-kin.
It is vital to this research to process personal data. We do so in support of our legitimate interests as a probate research company and to fulfil our contractual relationships with beneficiaries.
Fraser and Fraser has been registered as a data controller with the Information Commissioner’s Office since 2002 (reference: Z6407527).
We hold ISO 27001:2013 Information Security Management certification and are regularly audited to ensure compliance.
F&F’s research activities are based on specific data elements drawn from questionnaires completed by potential beneficiaries or relatives (completed in face-to-face interviews, online or manually and remotely) and from publicly available registers and sources. While a range of data sources are used, the focus of the research is fairly narrow – identifying family relationships and current whereabouts. Therefore there is little risk of “scope creep” or the capture of unnecessary data.
In order to process your application/claim we will supply some of your personal information to 3rd party companies*, some of these companies are credit reference agency or tracing firms providing services such as credit risk and affordability checking, fraud prevention, anti-money laundering, identity verification and tracing.
The data we hold
For potential and actual beneficiaries and family members we may hold:
- First Name or Initial
- Last Name
- Date of Birth and other life events (for example marriage)
- Publicly available certificates of life events
- Family relationships
- Address, telephone numbers
- Payment history
We use these personal data for the purposes of our legitimate interests as a probate and genealogical research company and in support of the legitimate interests of potential beneficiaries. Where beneficiaries are identified, we will also process data for the fulfilment of our contractual relationship with beneficiaries.
We obtain the data from individuals through questionnaires, from instructing legal firms and other agents, and from publicly available sources such as registers of births, marriages and civil partnerships or from the electoral register.
We may share your personal data in order to identify and communicate with beneficiaries with instructing legal firms, executors or other relevant parties.
Because genealogical research is of lasting historical value to our business and to the beneficiaries, we retain our records of research cases (such as family trees, copies of certificates and relevant correspondence) as a permanent archival record after weeding out non-essential documents.
F&F applies data minimisation techniques – for example, family trees provided to beneficiaries are stripped of contact details, names of heirs’ living children and non-inheriting female spouses.
Your data rights
You have statutory rights relating to your own personal data:
- Access – you have the right to know what data we hold relating to you and why, and to receive a copy of it;
- Rectification – you have the right to have inaccurate information about you corrected;
- Objection – you have the right to object to us using your information, and we would have to stop unless we have a sound overriding reason to continue;
- Erasure, restriction and portability – in specific circumstances, you have the right to have your personal data deleted, to put limits on what we may do with it or to receive a copy of data you have provided online in machine-readable form to take to another organisation;
- (There are also specific legal rights relating to automated decision making but we have no such processes.)
For more information on your rights under the GDPR see https://ico.org.uk/for-the-public/
To exercise any of these rights or for more information, contact Fraser and Fraser on firstname.lastname@example.org or 02078321400.
If you believe that Fraser and Fraser has failed to manage your personal data appropriately, you have the right to complain to the statutory regulator – The Information Commissioner’s Office
You can telephone them on 0303 123 113
Or you can use their online tool for reporting concerns: https://ico.org.uk/concerns/
Or you can write to them at:
Information Commissioner’s Office
* links to 3rd party privacy notices
TransUnion: will use your personal information to provide services to us and its other clients. We use their services in order to trace and distribute unclaimed funds/assets. More information about TransUnion and the ways in which it uses and shares personal information can be found in its privacy notice at www.transunion.co.uk/legal-information/bureau-privacy-notice.
Lexis Nexis: provides to business customers, the ability to help them check the identities of people applying for or receiving products or services; to assist them in complying with regulations such as anti-money laundering (AML), anti-bribery and corruption or other legal requirements; to help them to prevent and investigate fraud and other potential offences, assist them with the management and accuracy of their own customer records and accounts; and help them to trace individuals for legally necessary purposes such as debt collection, asset reunification and process serving. https://risk.lexisnexis.co.uk/processing-notices/business-services3
GB Group Plc: https://www.gbgplc.com/privacy-policy/