Data Processing and Privacy Policy
1. Introduction
1.1 This policy relates to The Regimental Museum of The Royal Welsh, and describes how and why we use the personal data provided to us.
1.2 We are committed to treating all personal data responsibly, and being open and transparent about how we do that. The policy explains in detail how we use the information you share with us, and the measures we take to ensure it is protected.
1.3 The following definitions will apply for the purposes of this document.
- Data: information that is held in a manual filing system or is processed by a machine.
- Data subject: the living person to whom the data relates.
- Grounds for processing: an organisation’s lawful basis for processing personal data.
- Information assets: a body of information, defined and managed as a single unit, so that it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.
- Personal data: data relating to a living individual who can be identified from the information in isolation or in combination with other information.
- Subject access request: a written or electronic request by an individual to an organisation asking for access to information about the individual held by the organisation.
1.4 Our address is as follows.
The Regimental Museum of The Royal Welsh
The Barracks
The Watton
Brecon
Powys
LD3 7EB.
1.5 The Museum is registered with the Charity Commission as charity number 1145031.
1.6 The Museum is registered with the Information Commissioner’s Office (ICO) with reference number ZA283005.
1.7 The Data Controller (DC) is the Chair of the Museum’s Trustees, and it is with the DC that any legal liability lies.
1.8 The Data Protection Officer (DPO) is the Museum Curator. The DPO’s authority is devolved to them by the Museum’s Trustees. The DPO’s duties are as follows.
- Advice and training on data protection issues.
- Staying up-to-date with changes in relevant legislation, and implementing any relevant changes.
- Liaising with the Information Commissioner’s Office.
- Raising awareness of data protection issues.
- Co-ordinating subject access requests.
- Investigating any data breaches and, if necessary, informing the ICO.
1.9 This policy is effective from 25th May 2018.
2. How we keep your information secure
2.1 We have implemented security procedures, rules and technical measures to protect the personal data that we have under our control from the following activities.
- Unauthorised access.
- Improper use or disclosure.
- Unauthorised modification.
2.2 All our employees and data processors who have access to and are associated with the processing of personal data are legally obliged to respect the confidentiality of the personal data that we hold, and the DPO ensures they do so.
2.3 More information about this subject can be found in the next section.
3. The data we collect
3.1 We will only ever gather the information we need. The following table explains what we collect, why it is collected, the legal basis for doing so, the grounds for processing, the period for which the data is retained and where it is stored.
Activity | The data we collect (the information asset) | Why it is collected | The legal basis for collection | Retention period | Storage location |
Signing up to Gift Aid. | Your name and postal address. | We have to collect these details to be able to make a claim. | Collecting this information is a legal requirement of the Gift Aid scheme. | Six years. | Lockable filing cabinet. |
Providing your credit card details. | Your house number, and the numbers from your postcode, the credit card’s number, expiry date and three-digit security code. | To process your purchase or booking. | For the performance of a contract with the data subject. | Any information you provide to us over the telephone or via email will be securely destroyed following the successful completion of the transaction. | Not applicable. |
CCTV footage. | Security footage. | For your safety and security, CCTV is in operation in the Museum’s public areas. | It is necessary for the purposes of the legitimate interests pursued by the DC. | One month. | A hard disk drive located in an area inaccessible to the public. |
Providing your bank details. | Your account number and sort code, and the name of your bank. | To process your financial donation to the Museum. | For the performance of a contract with the data subject. | Any information you provide to us over the telephone or via email will be securely destroyed following the successful completion of the transaction. | Not applicable. |
Completing a visitor questionnaire, including the optional supply of an email address. | Your email address and the first part of your post code. | To keep you informed of the Museum’s work and activities. | We will only send you these electronic communications if we have your consent to do so, and the voluntary supply of an email address will be taken as consent. | Permanently. | The completed questionnaires will be stored in a lockable filing cabinet, while the email address is stored on a password-protected computer. |
Managing the Museum’s collection. | Your name and address. | To record the details of disposals from and gifts, purchases and loans to our collections. | It is necessary for the purposes of the legitimate interests pursued by the DC and also for the performance of a task carried out in the public interest. | Permanently. | Secure safe, lockable filing cabinet and computers and a software program both protected by passwords. The data may also be shared with other museums, but only with your consent. |
4. General points
4.1 The Museum’s visitors’ book asks only for the person’s name, the date of their visit and their comments. Any other information relating to their place of residence is provided on a voluntary basis by the visitor.
4.2 As it is not possible to identify a specific individual just from the responses to the questions on the Museum’s questionnaire, the completed documents are not considered to constitute personal data. Nevertheless, the completed forms are still stored in a lockable filing cabinet.
4.3 Any person donating, loaning to or borrowing material from the Museum will be supplied with a privacy notice informing them of their rights regarding the processing of their personal data.
5. Sharing data
5.1 The Museum does not disclose, rent or sell personal data to any third parties or external organisations for any purpose.
6. Your data protection rights
6.1 Under new data protection laws that took effect on 25th May 2018, you have rights in relation to your personal data. These rights are as follows.
6.1.1 The right of access: you have the right to know whether we are processing any of your personal data. If we are, you have the right to access both the data and certain information, such as why we are processing the data.
6.1.2 The right of rectification: you have the right to ensure that we correct inaccuracies in your personal data that we are processing. The Museum always welcomes the opportunity to update the personal data it holds about donors and lenders.
6.1.3 The right of erasure (the “right to be forgotten”): in certain situations, you have the right to ensure that we erase your personal data.
6.1.4 The right to restriction of processing: in certain situations, you have the right to ensure that we restrict our processing of your personal data.
6.1.5 The right of data portability: in certain situations, you have the right to receive personal data that you provided to us in a structured, commonly used and machine-readable format.
6.1.6 The right to object: in certain situations, you have the right to object to our processing of your personal data and we are normally obliged to stop processing your data when requested. This right includes the right to object to our processing of your personal data for the purposes of direct marketing.
6.1.7 The right to complain: you have the right to make a complaint to the UK Information Commissioner’s Office (ICO) about our processing of your data, the exercise of your rights, and other data protection matters.
6.1.8 The right to withdraw consent: you have the right at any time to withdraw your consent for us to process your personal data.
6.2 These rights are not absolute and may not apply in all situations or in relation to all processing activities.
6.3 Requests to exercise any of these rights should be sent in writing to The Data Protection Officer at the address that appears on page one of this document.
7. Changes to this notice
7.1 This policy was prepared in September 2018, and adopted by the Museum’s Trustees on 7th November 2018. It will be updated as further information is received from the ICO, and additional clarification on the status of museum collections and the data associated with them is obtained.
8. Who to contact with questions about how your data is used
8.1 Queries relating to this notice should be directed to the DPO at the address listed in point 1.4 above.
8.2 You can write to the ICO if you are unhappy with the response you receive. Their address is as follows.
Information Commissioner’s Office – Wales
2nd Floor
Churchill House
Churchill Way
Cardiff
CF10 2HH.