Privacy & Data Retention Policy

Introduction

The Egham Museum Trust (‘TEMT’) has developed this policy based on guidance and advice from the Information Commissioner’s Office, the Local Government Association, the Data Protection Network, and other museum sector examples.

This policy applies to all staff and volunteers of TEMT, including Trustees, contracted freelancers, paid staff, volunteers, sessional workers, students or anyone working on behalf of or under the direction of TEMT (together ‘Museum workers’).

 

Purpose and Aim

The purpose of this Privacy & Data Retention Policy is to explain how TEMT manages and retains personal data and respects the privacy of our users (in electronic and paper format).  It lays out what information we will gather, where it comes from, how we will use it and how we will keep it secure.  This policy is used to:

  • ensure TEMT complies with data protection legislation, the General Data Protection Regulation (GDPR), which applies in the UK from 25 May 2018;
  • ensure we respect the privacy of data held at the Museum and electronically, including our website.

Data Protection Principles

TEMT complies with the seven data protection principles, which are:

  1. Personal data must be processed fairly and lawfully;
  2. Personal data must only be collected for specified and lawful purposes, and not further processed in any manner incompatible with the original purpose(s);
  3. Personal data collected must be adequate, relevant and not excessive in relation to the purpose(s) for which it is collated;
  4. Personal data collected is accurate and, where necessary, kept up to date;
  5. Personal data is retained no longer than is necessary for the purpose for which it was obtained;
  6. Personal data is processed in accordance with the rights of the data subjects;
  7. Organisations take appropriate technical and organisational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Grounds for Processing Data

As a museum, TEMT has lawful bases for processing personal data relating to our day-to-day business.  These are:

Consent: (i) We will collect personal data in order to distribute our Museum e-Newsletter to subscribers.  Individual consent will be freely given based on clear and unambiguous information provided clarifying this specific purpose.  This is carried out through a clear tick-box opt-in sign-up process provided through MailChimp, who have their own GDPR policy.

(ii) We will collect personal data in order to gather feedback to evaluate and improve the Museum’s performance and in relation to specific projects funded by grant-giving bodies.  Individual consent will be freely given based on clear and unambiguous information that clarifies the use for the given purpose.  This will be carried out either through a clear opt-in process via SurveyMonkey, who have their own GDPR policy, or through personal face-to-face written consent on survey forms.

(iii) We will collect personal data as necessary for the purpose of recording the provenance of the collection donations we receive.  Individual consent will be freely given based on clear and unambiguous information that clarifies the use for the given purpose.  This will be carried out through signed Entry and Transfer of Title forms.  This is required as part of our SPECTRUM Documentation Procedures as an Accredited Museum meeting national standards outlined by Arts Council England.

(iv) We will collect personal data in relation to recording and using oral histories.  Individual consent will be freely given based on clear and unambiguous information that clarifies the use for the given purpose.  This will be carried out through a signed form.

(v) We will collect personal data for individuals and organisations who sign up to our Patrons Scheme.  Individual consent will be freely given based on clear and unambiguous information that clarifies the use for the given purpose.  This will be carried out through a signed form.

(vi) We have access to limited personal data of individuals who sign up to our various social media accounts, subject to the users’ own privacy settings.  These third-party providers, such as Facebook, Twitter and Instagram, are also ensuring compliance with GDPR.

Contractual: We will collect personal data necessary for the performance and fulfillment of a contract to which the data subject is party.  This includes freelancers, paid staff and volunteers via either a formal signed Contract or as part of the signed Volunteers Agreement and associated emergency contact forms.

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.  We will regularly review the personal data we hold, and delete anything we no longer need. Information that does not need to be accessed regularly, but which still needs to be retained, will be safely archived or saved offline.

What we collect

We may collect the following personal information:

  • Name
  • Age group
  • Job title
  • Contact information such as email address and telephone number
  • Demographic information such as postcode
  • Profiling information such as preferences and interests
  • Other information relevant to surveys and/or offers

Why we collect

We require this information to understand our workforce and user needs, and provide a better service.  Reasons for collecting this data include:

  • Maintain good internal record keeping of and for the workforce;
  • For research and evaluation purposes to improve our offer;
  • Send informational and promotional emails;
  • To gather relevant collection information, transfer of title and copyright permissions.

Data Security

We are committed to ensuring that personal information is secure.  In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect both electronically and in paper format.

Electronic Data

All computers within the Museum are password protected and only certain users have access to personal information under supervision of the Curator.  Data is stored on the network NAS drive and is backed up to the cloud using Google Drive, who have their own GDPR policy.

Paper Data

All completed forms (Entry/Transfer of Title Forms, Oral History Permission Forms, Contracts, Volunteer Agreements) are kept securely locked away and are only accessible by authorised persons under the supervision of the Curator.

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.

Website Privacy

This section of the policy states how TEMT uses and protects any information that is provided when individuals use our website (www.eghammuseum.org) and any sub-domains (for example, suffrage.eghammuseum.org and magnacarta.eghammuseum.org).

TEMT is committed to ensuring that individuals’ privacy is protected.  Should we ask individuals to provide certain information which is identifiable when using our website, it will only be used in accordance with this privacy statement.

Cookies

A cookie is a small file which asks permission to be placed on a computer’s hard drive.  Once this is agreed, the file is added and the cookie helps analyse web traffic.  Cookies allow web applications to respond to individuals.  The web application can tailor its operations to user needs, likes and dislikes by gathering and remembering information about personal preferences.

We use traffic log cookies to identify which pages are being used.  This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs.  We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide users with a better website by enabling us to monitor which pages are used frequently.  A cookie in no way gives us access to a computer or any information about an individual, other than the data they choose to share with us.

Individuals can choose to accept or decline cookies.  Most web browsers automatically accept cookies, but browser settings can be modified to decline cookies.  This may prevent users from taking full advantage of the website.

Links

Our website may contain links to other websites of interest.  However, once users choose to leave our site, please note that we do not have any control over that other website.  Therefore, we cannot be responsible for the protection and privacy of any information which an individual provides whilst visiting such sites and such sites are not governed by this privacy statement.  Please exercise caution and look at the privacy statement applicable to the website in question.

Individuals’ Rights

In line with GDPR, individuals have the following rights:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making including profiling.

Individuals may request details of personal information which we hold free of charge, as long as the request is not manifestly unfounded or excessive.  We will comply with your request within 40 days.

If you would like a copy of the information held on you, please write to:

The Egham Museum, The Literary Institute, 51 High Street, Egham, Surrey, TW20 9EW or email curator@eghammuseum.org.