For other policies, please click here.
This policy sets out People’s History Museum’s (PHM) obligations to protect, store and manage your data correctly under UK data protection law.
Please note that, whilst every effort is made to ensure the accuracy of the material included on this site, it is made available for general information only and does not constitute professional or legal advice.
We do not warrant that the operation of this website will be uninterrupted or error free, that defects will be corrected, or that this site or the server that makes it available are free of viruses or represent the full functionality, accuracy, reliability of the materials. In no event will we be liable for any loss or damage including, without limitation, loss of profits, indirect or consequential loss or damage, or any loss or damages whatsoever arising from use, or loss of use of, data, arising out of, or in connection with, the use of this website.
These terms and conditions shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising under these terms and conditions shall be subject to the exclusive jurisdiction of the courts of England and Wales.
When we talk about “personal data”, we mean information that identifies a living person, or which can be identified as relating to a living person. When we talk about “you” or “your” in this notice, we mean any living person whose personal data we collect.
PHM uses a number of databases to store data for different purposes, for example fundraising, commercial income, ticketing and financial operations. Trained members of staff access these databases across the organisation in a secure environment.
We have a legal duty to protect any information we collect from you and to prevent any unauthorised access to or use of that information. We do not pass your details to any third party unless you give us permission to do so. We use only trusted third party solutions to deliver different aspects of your relationship with us, for example the delivery of e-newsletters. We follow current UK data protection law.
Your relationship with us and your data are extremely important to us and we take all necessary steps to protect your data. We will never sell your personal data.
At PHM, the following is a non-exhaustive list of the types of data we expect to process and corresponding lawful purposes for the processing of this data. The information we collect as described below is used for the purposes for which it was collected and the purposes for which you gave consent and for no other:
· E-newsletter subscriber’s data
· Fundraising subscriber’s data for appeals and campaigns
· Data of members of PHM
· Event invitees and attendees
· Contractor information/supply of goods and services
· Research and collections
· Managing custody of our collection including our intellectual property rights
· Display of collections
· Processing enquiries and requests for information
· Processing purchases through our online shop
· Managing your visit to PHM
· Data from purchases for example tickets and merchandise
· Data of donors to PHM
· Data of visitors to our websites, as set out below in the section ‘our websites and apps’
· Stakeholders information
As you can see we have a number of lawful reasons for using (or ‘processing’) your personal information. One of these lawful reasons is ‘legitimate interest’. Broadly speaking legitimate interest means that we can process your personal information if we have a genuine, legitimate reason and we are not harming any of your rights and interests.
Some typical examples of when we might use this approach are for:
Occasionally we conduct a reasonable amount of research on individuals who would reasonably expect that we will have an interest in them, for example those who have a well-known interest in certain causes or subject matters that relate to our fundraising activities or who are publicly known to be philanthropists of the arts. We will only use information that has been made publicly available by the individual themselves.
Developing a good understanding of potential supporters through data about them allows us to fundraise more efficiently.
Children’s records are only created for the purposes of delivering the benefits of family membership, under the express permission of the parent or guardian and will not be used for any purpose other than the delivery of the membership benefits, for example to produce and administer a membership card. Children will not be contacted separately by PHM; the communications for their membership benefits is always through the parent or guardian. When a membership is renewed, consent for a child’s membership record to remain is re-sought.
Please note that this privacy statement applies to this website only.
Terms and conditions
Using our website
You may use the PHM website subject to the terms and conditions set out on this page. Access and use by you to the PHM website constitutes acceptance by you of the terms and conditions in force at the time of use.
You may not copy, reproduce, republish, download, post, broadcast, transmit, make available to the public, or otherwise use the site content in any way except for your own personal, non-commercial use. You also agree not to adapt, alter or create a derivative work from any of the site content except for your own personal, non-commercial use. Any other use of the site content requires the prior written permission of the PHM.
PHM is not responsible for the contents or reliability of any site to which it is linked and does not necessarily endorse the views expressed within them. Linking to or from this site should not be taken as endorsement of any kind. We only link to our sponsoring bodies, exhibition and museum partners and other government departments.
We cannot accept any responsibility for any loss, disruption or damage to your data or your computer system which may occur whilst using material derived from this website.
You can send us your enquiries and comments directly through our website. You can also contact us by post (see address at the end of this document). If you use a contact form on the website you do not need to give any personal information, e.g. your email address or name, unless you want us to respond to your enquiry, in which case you should provide us with your email address as a minimum. When dealing with your enquiry we do not pass any personal information outside our organisation, nor do we use that information for any other purpose without first seeking your permission. If you require a response from us, we will need to record your personal contact details to be able to reply to you and to track the progress of your request.
Our websites uses Google Analytics, a digital analytics service provided by Google. This helps us to analyse how our visitors use our websites and apps so that we can improve them for future visitors.
Google Analytics mainly uses first-party cookies to report on user interactions on Google Analytics customers’ websites. These cookies are used to store non-personally identifiable information.
We also use some Google Analytics Advertising Features for products like Google AdWords to display PHM marketing material.
PHM ensures that personal data is not stored for longer than necessary for:
We destroy non-relevant paper files at regular intervals and electronic information is stored securely. Under the General Data Protection Regulation you have the right to the erasure of all of your data we hold. When we receive a request for the erasure of data we will comply with this request within 14 working days. As a Data Controller, PHM must maintain a suppression list containing details of individuals who have asked not to receive direct marketing materials, in order to ensure the individual’s wishes are recorded, no future communications are sent out and also to make sure a record of past communication exists.
PHM is dedicated to ensuring all data entry is accurate and that all databases are secure and confidential. UK and EU data protection law requires that all data held on individuals is as accurate and as up-to-date as possible.
Donors updated under data cleansing processes will remain as inactive records on the database as a safeguard so we do not add the same people to the database again and so there is a record of why people are excluded from mailings/not contacted again about a project they have previously expressed interest in or donated to.
PHM only stores data that is not excessive for the purposes for which it was acquired and makes sure data stored is adequate and relevant for the purposes of processing.
When you give us your data:
We ensure a data protection statement and clear opt-in options are present at the point of any data collection. Individuals are also given the option to update their mailing preferences or unsubscribe at regular intervals.
Specific consent given for communications remains the same until the individual contacts us to change their options or unsubscribe from PHM communications, or until such time as consent will need to be renewed for it to be lawful under UK and EU data protection law. 14 days after a removal request no mailings will be received again from PHM.
Radicals quiz data
On sign up to our free membership using the ‘Which radical are you?’ quiz we will store only the personal data provided, plus ‘radical’ quiz result (one of eight possible results). This is in order to better tailor our communications to your interests. We do not store any of the specific answers to any individual question on the quiz. The quiz is run by our insight partner Morris Hargreaves McIntyre (MHM). MHM do not have any access to personal data provided to PHM.
For certain projects, PHM engages the services of trusted external partners, for example for data cleansing and delivery of e-newsletters. When we engage the services of these organisations, we make sure we have a data processor/controller agreement in place to ensure strict data protection procedures are being adhered to.
When partner organisations offer contact information of people who are to be invited to an event, we do not add them to our mailing lists or indeed to our database apart from as a participant of the specific event. We do not count these people as having a relationship with PHM unless they respond to this invitation, giving consent for specific future contact options; at this point we add them to the database because they have requested this.
Our website may contain links to other external websites. We are not responsible for the content or functionality of any such website.
If a third party website requests personal data from you (e.g. in connection with goods or services), the information you provide will not be covered by PHM’s privacy rules. We suggest you read the privacy notice of any other website before providing any personal information.
In exceptional circumstances it may be necessary for us to share personal information with the government if this is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department. This may include funding and grant applications.
PHM’s premises are protected by CCTV so you may be recorded when you visit PHM. CCTV images are being monitored and may be recorded for the purpose of public safety, crime prevention, detection and prosecution of offenders.
The system is managed in accordance with our standard operating procedures and with good practice guidance issued by issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised staff and are stored for up to 30 days, unless flagged for review.
We have security measures in place to protect against the loss, misuse and alteration of personal data held by PHM. All systems and databases are UK and EU data protection law compliant.
Databases are password protected where possible and passwords are changed on a regular basis and have strict structure criteria. Email updates for databases are taken care of in a timely manner and filed in an archive folder for future reference until such time this filing is in violation of data retention timescales, at which point the data is deleted.
Papers to be destroyed which contain personal data from the database are shredded, never thrown away. Paper forms used for sign up to e-newsletters are kept securely in central locations until such time they can be destroyed because the data retention period has come to an end.
All personal data is stored in a secure environment.
We aim to ensure that people joining the e-newsletter mailing lists are aged 18 or over, but all our publications, events and exhibitions are designed to be enjoyed by a Family audience.
In accordance with The Privacy and Electronic Communications (EC Directive) Regulations 2003, we collect explicit consent from someone to use their email address for specific purposes. This means we have received explicit consent from the individual for specific purposes. If an individual unsubscribes from an e-newsletter we take action to comply with the request within a reasonable amount of time and update the database to reflect the individual’s new preferences.
We want to ensure you remain in control of your personal data and that you understand your legal rights, which are:
There are some exceptions to the rights above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.
If you would like further information on your rights or wish to exercise them, please contact our Data Protection Officer using the details at the end of this policy.
PHM as a Data Controller is accountable for compliance with the data protection principles under EU and UK Data Protection laws, in respect of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
To request a copy of your data held by PHM or to make changes to it simply contact our Data Protection Officer. If you want to make a comment or complaint to us about any aspect of our activities relating to your personal data, you should also contact the Data Protection Officer.
The registered Data Protection Officer is the Executive Support Officer.
People’s History Museum
If we change our approach to the use of personal data we will amend this notice to ensure it remains as up-to-date as possible. Any changes will be published on our website.
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, People’s History Museum has decided to collect and keep a limited record of staff and visitors who come onto our premises for the purpose of contract tracing. By maintaining records of staff and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the Coronavirus.
As a customer/visitor of People’s History Museum you will be asked to provide some basic information and contact details. The following information will be collected:
NHS Test and Trace advise us to retain this information to enable contact tracing to be carried out by NHS Test and Trace following your visit for 21 days. We will only share information with NHS Test and Trace if it is specifically requested by them. For example, if another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (e.g.: this may be all customers who visited on a particular day or time-band, or over a two-day period).
We will require you to pre-book your visit or to complete a form on arrival.
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes (such as surveillance of an individual’s movements or marketing activities), and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (e.g. as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing it will be destroyed by us 90 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, date of birth and phone number). Where this is the case, this information only will continue to be held after 90 days and we will use it as usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
The use of your information is covered by the General Data Protection Regulations Article 6 (1) (f) – legitimate interests of the venue/establishment. The legitimate interest in this case is the interest of the venue/establishment in co-operating with NHS Test and Trace in order to help maintain a safe operating environment and to help fight any local outbreak of coronavirus.
If you do not wish your contact information to be passed to NHS Test and Trace if requested, please speak to Charlie Corkin, Executive Support Officer (Data Protection Officer) – 0161 838 9190 / email@example.com
By law, you have a number of rights as a data subject, such as the right to access information held about you. If you are unhappy or wish to complain about how your information is used, you should contact a member of staff in the first instance to resolve your issue.
If you are still not satisfied, you can complain to the Information Commissioner’s Office. Their website address is www.ico.org.uk