Governing Body: Weymouth Museum Trust (“The Museum”)
Address: Brewers Quay, Hope Square, Weymouth DT4 8TR
Charity Number: 1143692
Date when this policy was approved by governing body to take effect: November 2020
Date when this policy is due for review: November 2022
This policy has been drawn up to comply with the EU General Data Protection Regulation (GDPR), applicable in the United Kingdom from 25 May 2018. It documents the use of personal data provided to, used by, or retained by The Museum and explains how The Museum implements the GDPR.
The GDPR applies when an individual uses or visits The Museum, its website, apps or other services. The Museum may supplement the GDPR in due course by additional privacy statements, terms or notices provided to you.
The Museum is the primary controller of your personal information, and sections 3 to 8 (below) explain from whom it collects data, how the data is used, and where and with whom it is stored and/or retained.
2. Glossary of Terms
This section describes the terminology to be found within GDPR literature and how the Governing Body has decided that it applies to The Museum.
2.1 Data Subject. This is any individual person who is known to the organisation and uniquely identifiable. The Museum classifies its Data Subjects into distinct groups, although individuals often belong to more than one group. Thus:
  - Association of ‘Friends of Weymouth Museum’
  - External contacts
  - Donors of legacies and other funds to The Museum
  - Donors and lenders of artefacts to The Museum
2.2 Personal data. Any information which identifies and describes a Data Subject. It may be held electronically or as hardcopy. It may range from simple contact details (such as name, postal address and email address) to more specific, or sensitive, “Special Category” data (such as ethnicity, religious belief and bank account details).
2.3 Data Controller of The Museum. The organisation ultimately responsible for strategy relating to the storage and use of personal data is Weymouth Museum Trust. The main contact is the Museum Manager, Mr Roger Dalton.
2.4 Data Processor. Any organisation which uses data on behalf of the Data Controller. The Museum processes all its personal data itself, therefore the terms Data Controller and Data Processor are indistinguishable from each other here.
2.5 Lawful Use. This criterion is the reason the Data Controller believes it is entitled to process personal data. The legislation includes a short list of Lawful Uses, one of which must, for GDPR purposes, be clearly identified and stated for each of the relevant processes or uses carried out by The Museum. In the case of The Museum, the “Legitimate Interest” criterion is the one relied on in most cases.
2.6 Legitimate Interest. As noted at 2.5 above, this is one example of a Lawful Use. It applies where the storage and use of personal data is considered necessary by the Data Controller for the effective operation of the organisation (i.e. The Museum), is deemed beneficial to both the Data Controller and the Data Subject, and the interests or fundamental rights and freedoms of the Data Subject are not overriding (taking into consideration the reasonable expectations of Data Subjects based on their relationship with the Data Controller, i.e. here The Museum). The main exception is where the Data Subject is a child (a person under the age of 13). Having considered this point carefully, The Museum has opted for a policy of enquiring whether a Data Subject might be a child and, if so, of not recording any data in respect of the child.
2.7 For many smaller charitable organisations, like The Museum, Legitimate Interest represents an appropriate alternative to a “Consent-based” protocol (where Data Subjects must opt into the use of their personal data by clearly giving their consent). In addition, when relying on Legitimate Interest as a Lawful Use criterion, as here, the Data Controller must inform individuals of their right to object to such processing; The Museum will do this at the point of data collection whenever Legitimate Interest is cited. In this connection, and as required by the GDPR, The Museum has carried out and recorded a Legitimate Interests Assessment balancing its right to process the relevant personal data against the data protection rights of the individuals involved.
2.8 Privacy Notice (see attached). This is a statement of intent by the Data Controller of The Museum to the Data Subject, which describes the personal data being retained and how it will be used. It often includes a request for Consent, but such Consent is not required if the chosen Lawful Use of the personal data by The Museum is deemed a Legitimate Interest, as here (see 2.6 and 3 to 8 below).
3. Personal data for Trustees
The personal data held by the Data Controller comprises exactly the same data as is required to be provided to it by the Charity Commissioners, including signatures, for and relating to each trustee.
The Data Controller believes that this constitutes Legitimate Interest (see 2.6 above) and accordingly there is no need to request consent from, nor to issue a Privacy Notice to, any trustee. The data will never be shared with any other party or person (apart from the Charity Commissioners’ separate entitlement to it).
4. Personal data for ‘Friends of Weymouth Museum’
The Friends of the Museum are not constituted as part of The Museum in any legal or other formal manner but are linked informally with The Museum via their background ties, and as such The Museum’s GDPR registration does not cover them. The Museum’s Data Controller does hold personal data relating to some of The Friends’ members; it consists of contact details, enabling this group of Data Subjects to receive a regular newsletter (to which they are entitled via their membership ‘contract’) and other occasional communications. The Data Controller believes that this constitutes Legitimate Interest and accordingly has no need to request consent. In addition, as a courtesy to all ‘Friends’, The Museum informs them of exactly how their personal data will be processed via the Friends’ committee.
5. Personal data for Volunteers
The personal data held by the Data Controller consists of contact details (which cover almost the entire extent of any data processing); in addition there is a paper Volunteer Details Form containing, inter alia, more sensitive information such as health conditions and criminal convictions. Operational communication with Volunteers is conducted primarily by email, and quite frequently by telephone, which necessitates the sharing of key contact details. When volunteers sign on and complete the Volunteer Details Form, they confirm that they are happy to have their contact details shared with other volunteers, so it is possible to verify where permission has been granted. If any contact data is to be displayed on noticeboards, the Data Controller first verifies that permission has been granted by the Data Subject(s) concerned. It is the policy of The Museum that no personal data is shared without the express permission of the individual Data Subject concerned. The personal details of the volunteers are kept, at The Museum, in a locked cabinet and electronically in a password-protected file on a single laptop.
The Data Controller believes that this constitutes Legitimate Interest. It sees no need to request consent, and ensures that all volunteers are made aware of exactly how their own personal data will be processed, as well as how they should take due care of each other’s personal data. The Governing Body of The Museum can only function effectively with an ethos of mutual trust and goodwill. To that end, it routinely communicates by ‘open email’ (i.e. no blind-copying) to encourage transparency and a sense of shared ownership, and it plans not to change this practice. Any Volunteer may request in writing at any time to opt out of open correspondence.
6. Personal data for External Contacts
Other than suppliers and providers to The Museum for business purposes, External Contacts are very few; their unique identifiers are either email addresses (typically company related) held on personal computers and smartphones, or telephone numbers held in personal telephones and address books. Volunteers hold the data only as a convenience; it consists only of contact details and is used only for such business purposes.
Data arising from such contacts with individual suppliers and providers for business purposes is held on-site at The Museum, secured in locked cabinets, or is saved electronically on-site. It is vital for the purpose of providing the service of The Museum and is used only for that purpose.
The Data Controller believes that this constitutes Legitimate Interest. Volunteers and staff are made aware of their responsibilities relating to privacy when contacting Data Subjects on behalf of The Museum. Accordingly, there are no plans to issue Privacy Notices to these Data Subjects.
7. Personal data for Visitors
Members of the public who come as visitors to The Museum normally leave behind little or no trace of their identity. They might choose to write a comment in the Visitors’ Book, but they decide for themselves how much identification data to record; typically they include only their name and geographical area. Weymouth Museum Trust occasionally quotes some of the comments in its own literature, but any names are always anonymised or excluded, to prevent any possible identification of an individual.
Visitors may also voluntarily supply the Data Controller with personal information for Gift Aid purposes as required by HM Revenue & Customs to validate the claim. Gift Aid records must be kept for six years after the relevant accounting period to which they relate.
Online visitors automatically supply the Data Controller with contact information. This might be simply their email address or, if ordering products from the museum, their postal address too. Any online payments are securely managed through PayPal. Visitors may supply the Data Controller with more detailed personal information if submitting a research enquiry; any information provided is used solely for answering the query or communication received. All of this data is confined to the email address book of The Museum and the body of individual emails on the personal device of the recipient of the email and of any other member of staff or volunteer to whom the recipient has forwarded it.
When visiting the website, the visitor’s IP address, browser and version, operating system and the site the visitor came from are stored in a log file held at The Museum. These log files do not contain any personal information and the information is only used for statistical purposes. The host website itself does not store any personal information submitted, such as that entered into the contact form.
Whenever the museum initiates customer or visitor surveys, it always ensures that all of the data collected is completely anonymous.
The Data Controller believes that all of the above practices constitute Legitimate Interest. Visitors (of either type) are never required to leave or give contact information; any subsequent correspondence will always be initiated voluntarily by them and not by The Museum, and it will be they who provide their contact details in order for the correspondence to continue. The Data Controller advises Volunteers to be aware of the data protection responsibilities of The Museum with regard to both the security of the data belonging to any visitor and the need for it to be destroyed when no longer needed.
8. Personal data for Donors and Lenders
The Data Controller is obliged to maintain a record of the source of all items in its collections. The Object Entry Form, which contains the Data Subject’s contact details, the gift/loan decision and signature, is required to prove The Museum’s entitlement to call the item its own, or to show how and when a loaned item should be returned. This information is also transcribed into the hardcopy Accessions Register (which serves a similar purpose). No attempt is made to keep the contact details current, because the requirement is to store the data as it was at the time of the acquisition. The only data processing is storage and browsing, and care is taken to ensure (via electronic permissions, etc.) that the Data Subject details are never shown to any members of the public.
The Data Controller believes that this constitutes Legitimate Interest. The indefinite retention of the personal data is mandated by museum standards, even though the data is never actively used in any way. The Data Controller never checks whether the Data Subject is still alive or contactable using the data provided. Contact details of lenders are necessary for the return of their property at the end of the loan period.
9. General notes
- Some, but not all, personal data is held on museum computers, all of which are protected by passwords. For operational reasons, some personal data may occasionally also be held on private computers at home by research volunteers. All volunteers entrusted with such data are made aware of their responsibilities with regard to the safeguarding of the data whilst in their care. Any personal data on paper is held in securely locked cabinets at The Museum.
- All hardcopy data is stored behind locked doors at The Museum. Where appropriate some is also held under further lock and key within The Museum.
- Under the GDPR, individuals have a number of rights that can be exercised free of charge. These can be viewed at: www.ico.org.uk. Individuals have the right to contact The Museum at any time during its normal opening hours to see a copy of any information held on them via a Subject Access Request. The Museum will respond to such requests within 40 days and charge a nominal fee of £10 per individual Data Subject in relation to whom a request is submitted for processing. Such a request entitles the applicant individual (a) to be told if any personal data held is being processed, (b) to be given a description of the data, the reason it is being processed and whether it will be shared, and (c) to be given the source of the data.
- The Museum and its staff and Volunteers are aware that, despite the items specified at 3 to 8 (inclusive) above, Legitimate Interest does not extend or apply at any time to the following activities: (a) direct marketing by email, SMS, or automated telephone calls; (b) detailed research profiles created in-house or externally sourced; (c) wealth screening; (d) sharing data. In each of these situations the Consent of individuals is required for data capture. However, The Museum’s policies and activities do not include any of the activities listed at (a) to (d) above.
10. How to get in touch with The Museum – please visit the website at www.weymouthmuseum.org.uk