Data Protection and Privacy Policy - People's History Museum: The national museum of democracy

This policy sets out People’s History Museum’s (PHM) obligations to protect, store, and manage your data correctly under UK data protection law.

Please note that, whilst every effort is made to ensure the accuracy of the material included on this site, it is made available for general information only and does not constitute professional or legal advice.

We do not warrant that the operation of this website will be uninterrupted or error free, that defects will be corrected, or that this site or the server that makes it available are free of viruses or represent the full functionality, accuracy, and reliability of the materials. In no event will we be liable for any loss or damage including, without limitation, loss of profits, indirect or consequential loss or damage, or any loss or damages whatsoever arising from use, or loss of use of, data, arising out of, or in connection with, the use of this website.

These terms and conditions shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising under these terms and conditions shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Your personal data
When we talk about ‘personal data’, we mean information that identifies a living person, or which can be identified as relating to a living person. When we talk about ‘you’ or ‘your’ in this notice, we mean any living person whose personal data we collect.

Storing your data
PHM uses a number of databases to store data for different purposes, for example fundraising, commercial income, ticketing, and financial operations. Trained members of staff access these databases across the organisation in a secure environment.

We have a legal duty to protect any information we collect from you and to prevent any unauthorised access to or use of that information. We do not pass your details to any third party unless you give us permission to do so. We use only trusted third party solutions to deliver different aspects of your relationship with us, for example the delivery of e-newsletters. We follow current UK data protection law.

Your relationship with us and your data are extremely important to us and we take all necessary steps to protect your data. We will never sell your personal data.

Lawful purposes for processing data
At PHM, the following is a non-exhaustive list of the types of data we expect to process and corresponding lawful purposes for the processing of this data. The information we collect as described below is used for the purposes for which it was collected and the purposes for which you gave consent and for no other:

Consent

E-newsletter subscriber’s data
Fundraising subscriber’s data for appeals and campaigns
Data of staff members of PHM
Event invitees and attendees
Contractor information/supply of goods and services

Primary purpose

Acquisitions
Research and collections
Managing custody of our collection including our intellectual property rights
Display of collections
Processing enquiries and requests for information
Processing purchases through our online shop
Managing your visit to PHM

Legitimate interest

Data from purchases for example tickets and merchandise
Data of donors to PHM
Data of visitors to our website
Stakeholders’ information

We have a number of lawful reasons for using (or ‘processing’) your personal information. One of these lawful reasons is ‘legitimate interest’. Broadly speaking legitimate interest means that we can process your personal information if we have a genuine, legitimate reason, and we are not harming any of your rights and interests.

Some typical examples of when we might use this approach are for:

Sending postal invitations to those people who would expect to receive them because they have a relationship with PHM
Sending occasional letters about fundraising to those who would expect to receive them, for example long standing donors of PHM with whom we still have a relationship
Holding data on ticket and merchandise purchases, for the purposes of accounting and delivery of services or products purchased
Holding data of donors for accounting and fundraising purposes
Holding data of stakeholders to ensure they can have a mutually beneficial relationship with PHM

Occasionally we conduct a reasonable amount of research on individuals who would reasonably expect that we will have an interest in them, for example those who have a well known interest in certain causes or subject matters that relate to our fundraising activities or who are publicly known to be philanthropists of the arts. We will only use information that has been made publicly available by the individual themselves.

Developing a good understanding of potential supporters through data about them allows us to fundraise more efficiently.

Using our website
You may use the PHM website subject to the terms and conditions set out on this page. Access and use by you to the PHM website constitutes acceptance by you of the terms and conditions in force at the time of use.

Intellectual property
You may not copy, reproduce, republish, download, post, broadcast, transmit, make available to the public, or otherwise use the site content in any way except for your own personal, non-commercial use. You also agree not to adapt, alter or create a derivative work from any of the site content except for your own personal, non-commercial use. Any other use of the site content requires the prior written permission of PHM.

Virus protection
We cannot accept any responsibility for any loss, disruption, or damage to your data or your computer system which may occur whilst using material derived from this website.

Cookies
Cookies are pieces of data that can be automatically created on your computer or device when you visit a website or use an app. They are small text files that help us to understand how the website is being used by our visitors. You may refuse the use of cookies on our websites by choosing the appropriate settings on your browser, however some functionality may be lost.

We do not collect any information about your use of cookies. Cookies on our websites are not persistent (i.e. once you close the browser window they are no longer active).

However, occasionally we use retargeting, which does use persistent cookies. This means that if you accept the use of cookies on our website, you may see adverts for PHM content elsewhere on the web. You can opt out of the collection and use of information for advert targeting by visiting: http://www.youronlinechoices.eu/ or www.aboutads.info/choices.

Google Analytics
Our websites uses Google Analytics, a digital analytics service provided by Google. This helps us to analyse how our visitors use our website so that we can improve it for future visitors.

Google Analytics mainly uses first party cookies to report on user interactions on Google Analytics customers’ websites. These cookies are used to store non personally identifiable information.

We also use some Google Analytics Advertising Features for products like Google AdWords to display PHM marketing material.

Retention of data
PHM ensures that personal data is not stored for longer than necessary for:

Achieving the purpose the data was collected for
Providing you with the goods, services, or information you have requested
The administration of your relationship with PHM
Complying with the law
Ensuring PHM does not communicate with individuals who have requested no further communication

We destroy non relevant paper files at regular intervals and electronic information is stored securely. Under the General Data Protection Regulation (GDPR) you have the right to the erasure of all of your data we hold. When we receive a request for the erasure of data we will comply with this request within 14 working days. As a Data Controller, PHM must maintain a suppression list containing details of individuals who have asked not to receive direct marketing materials, in order to ensure the individual’s wishes are recorded, no future communications are sent out, and also to make sure a record of past communication exists.

Data cleansing
PHM is dedicated to ensuring all data entry is accurate and that all databases are secure and confidential. UK data protection law requires that all data held on individuals is as accurate and as up to date as possible.

Donors updated under data cleansing processes will remain as inactive records on the database as a safeguard so we do not add the same people to the database again and so there is a record of why people are excluded from mailings/not contacted again about a project they have previously expressed interest in or donated to.

PHM only stores data that is not excessive for the purposes for which it was acquired, and makes sure data stored is adequate and relevant for the purposes of processing.

Consent management
When you give us your data:

We keep a record of when and how we got consent from you
We keep a record of exactly what you were told at the time of giving us your data
We regularly review consents to check that the relationship, the processing and the purposes have not changed
We have processes in place to refresh consent at appropriate intervals, including any parental consents
We consider using privacy dashboards or other preference management tools as a matter of good practice
We make it easy for you to withdraw your consent at any time, and publicise how to do so
We act on withdrawals of consent as soon as we can
We do not penalise individuals who wish to withdraw consent

We ensure a data protection statement and clear opt in options are present at the point of any data collection. Individuals are also given the option to update their mailing preferences or unsubscribe at regular intervals.

Specific consent given for communications remains the same until the individual contacts us to change their options or unsubscribe from PHM communications, or until such time as consent will need to be renewed for it to be lawful under UK data protection law. 14 days after a removal request no mailings will be received again from PHM.

Which radical are you? quiz data
On sign up to our free membership using the ‘Which radical are you?’ quiz we will store only the personal data provided, plus ‘radical’ quiz result (one of eight possible results). This is in order to better tailor our communications to your interests. We do not store any of the specific answers to any individual question on the quiz. The quiz is run by our insight partner Morris Hargreaves McIntyre (MHM). MHM do not have any access to personal data provided to PHM.

External partners
For certain projects, PHM engages the services of trusted external partners, for example for data cleansing and delivery of e-newsletters. When we engage the services of these organisations, we make sure we have a data processor/controller agreement in place to ensure strict data protection procedures are being adhered to.

When partner organisations offer contact information of people who are to be invited to an event, we do not add them to our mailing lists or indeed to our database apart from as a participant of the specific event. We do not count these people as having a relationship with PHM unless they respond to this invitation, giving consent for specific future contact options; at this point we add them to the database because they have requested this.

Links to other sites
Our website may contain links to other external websites. PHM is not responsible for the contents or reliability of any site to which it is linked and does not necessarily endorse the views expressed within them. Linking to or from this site should not be taken as endorsement of any kind.

If a third party website requests personal data from you (e.g. in connection with goods or services), the information you provide will not be covered by PHM’s privacy rules. We suggest you read the privacy notice of any other website before providing any personal information.

Government processing of personal data
In exceptional circumstances it may be necessary for us to share personal information with the government if this is necessary for the exercise of any functions of the Crown, a Minister of the Crown, or a government department. This may include funding and grant applications.

CCTV
PHM’s premises are protected by CCTV so you may be recorded when you visit PHM. CCTV images are being monitored and may be recorded for the purpose of public safety, crime prevention, detection, and prosecution of offenders.

The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised staff and are stored for up to 30 days, unless flagged for review.

Security and filing issues
We have security measures in place to protect against the loss, misuse, and alteration of personal data held by PHM. All systems and databases are UK data protection law compliant.

Databases are password protected where possible and passwords are changed on a regular basis and have strict structure criteria. Email updates for databases are taken care of in a timely manner and filed in an archive folder for future reference until such time this filing is in violation of data retention timescales, at which point the data is deleted.

Papers to be destroyed which contain personal data from the database are shredded, never thrown away. All personal data is stored in a secure environment.

Online data collection and the Privacy and Electronic Communications Regulations (PECR)
In accordance with Privacy and Electronic Communications Regulations (PECR) 2003, we collect explicit consent from someone to use their email address for specific purposes. This means we have received explicit consent from the individual for specific purposes. If an individual unsubscribes from an e-newsletter we take action to comply with the request within a reasonable amount of time and update the database to reflect the individual’s new preferences.

Your rights
We want to ensure you remain in control of your personal data and that you understand your legal rights, which are:

The right to know whether we hold your personal data and, if we do so, to be sent a copy of the personal data that we hold about you (a ‘subject access request’) within 30 days
The right to have your personal data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason)
The right to have inaccurate personal data rectified
The right to object to your personal data being used for marketing or profiling
Where technically feasible – the right to be given a copy of personal data that you have provided to us (and which we process automatically on the basis of your consent or the performance of a contract) in a common electronic format for your re-use

There are some exceptions to the rights above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.

Our rights
PHM as a Data Controller is accountable for compliance with the data protection principles under UK Data Protection laws, in respect of lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.

How to get access or make changes to your data
Any requests in relation to your data, or any comments or complaints in relation to data protection at PHM can be sent to enquiries@phm.org.uk.

When dealing with your enquiry we do not pass any personal information outside our organisation, nor do we use that information for any other purpose without first seeking your permission. If you require a response from us, we will need to record your personal contact details to be able to reply to you and to track the progress of your request.

Changes to this privacy notice
If we change our approach to the use of personal data we will amend this notice to ensure it remains as up to date as possible. Any changes will be published on our website.