Who are we?
National Museums Liverpool (NML) is a diverse group of museums and galleries consisting of World Museum, Walker Art Gallery, Lady Lever Art Gallery, Sudley House, Merseyside Maritime Museum, Border Force National Museum, International Slavery Museum and the Museum of Liverpool. National Museums Liverpool wholly owns a subsidiary trading company, National Museums Liverpool Trading Limited, which provides a range of catering, retail, conferencing and general commercial services. This policy sets out National Museums Liverpool’s obligations to protect, store and manage your data correctly under UK and EU data protection law and covers both National Museums Liverpool and its wholly owned trading company, National Museums Liverpool Trading Ltd.
National Museums Liverpool is regulated by the Department of Digital, Culture, Media and Sport (DCMS). Museums and galleries regulated by DCMS are exempt charities under Schedule 3 of the Charities Act 2011. Registered Office: World Museum, William Brown Street, Liverpool, L3 8EN.
Your personal data
When we talk about “personal data”, we mean information that identifies a living person, or which can be identified as relating to a living person. When we talk about “you” or “your” in this notice, we mean any living person whose personal data we collect. When we talk about “Members” and “Membership” we are referring to current members of National Museums Liverpool.
Databases and storage of your data
National Museums Liverpool uses a number of databases to store data for different purposes, for example fundraising, commercial operations, ticketing and financial operations. Trained members of staff access these databases across the organisation in a secure environment.
National Museums Liverpool is a data controller registered with the Information Commissioner’s Office. We have a legal duty to protect any information we collect from you and to prevent any unauthorised access to or use of that information. We do not pass your details to any third party unless you give us permission to do so. We use only trusted third party solutions to deliver different aspects of your relationship with us, for example the delivery of e-newsletters. We follow current UK and EU data protection law.
Your relationship with us and your data are extremely important to us and we take all necessary steps to protect your data. We will never sell your personal data.
As a group of museums and galleries, caring for, preserving and adding to our collections is seen by HM Government as our primary purpose, and as such, these activities are exempt from data protection law.
Lawful purposes for processing data
As a group of museums and galleries, the following is a non-exhaustive list of the types of data we expect to process and corresponding lawful purposes for the processing of this data. The information we collect as described below is used for the purposes for which it was collected and the purposes for which you gave consent and for no other:
- E-newsletter subscriber’s data
- Fundraising subscriber’s data for appeals and campaigns
- Data of members of National Museums Liverpool
- Event invitees and attendees
- Contractor information/supply of goods and services
- Research and collections
- Managing custody of our collection including our intellectual property rights
- Display of collections
- Processing enquiries and requests for information
- Managing your visit to NATIONAL MUSEUMS LIVERPOOL
- Data from purchases for example tickets and merchandise
- Data of donors to National Museums Liverpool
- Data of visitors to our websites, as set out below in the section ‘our websites and apps’
- Stakeholders information
As you can seewe have a number of lawful reasons for using (or 'processing') your personal information. One of these lawful reasons is 'legitimate interest'. Broadly speaking legitimate interest means that we can process your personal information if we have a genuine, legitimate reason and we are not harming any of your rights and interests.
Some typical examples of when we might use this approach are for:
Prospect – when an individual is a subject of prospect research: (N.B we will always notify an individual if we have identified them as a prospect for fundraising outside of their position at a grant or donation giving body and when they provide explicit consent to an ongoing relationship with National Museums Liverpool a record will be added to our database)
Data on prospects we would expect to process:
- Name for the purposes of creating a record on the database
- Address, if supplied by the individual or if it is a work address in the public domain, for the purposes of contacting the individual about appeals, campaigns and projects the individual may be interested in if this is agreed to
- Email address if supplied by the individual or if it is a work email address in the public domain, for the purposes of contacting the individual about appeals, campaigns and projects the individual may be interested in
Occasionally we conduct a reasonable amount of research on individuals who would reasonably expect that we will have an interest in them, for example those who have a well-known interest in certain causes or subject matters that relate to our fundraising activities or who are publicly known to be philanthropists of the arts. We will only use information that has been made publicly available by the individual themselves.
Developing a good understanding of potential supporters through data about them allows us to fundraise more efficiently towards our goal of being the world’s leading example of an inclusive museum service and allows us to tailor our approaches to the right people who will be receptive to our goals.
We take practical precautions with prospect information and allow only Development Office staff to access proposal and prospect research data. If a prospect no longer consents to us storing their information, their database record will have all personal information suppressed so they will not be contacted in the future.
If you are a member, sponsor or patron of National Museums Liverpool, we will send you a postal copy of our guide newsletter and as a member, if you have opted in to receive emails from us, an email newsletter. You can opt out of receiving these at any time without this affecting your other membership/sponsorship/patronage benefits.
Gift of membership
When the gift of National Museums Liverpool membership is given to an individual or family, the name and address and gift details are recorded on our systems to ensure smooth delivery of membership benefits. The gift buyer can ask us to anonymise this information at any time and this will not affect the delivery of membership benefits.
Children’s records are only created for the purposes of delivering the benefits of family membership, under the express permission of the parent or guardian and will not be used for any purpose other than the delivery of the membership benefits, for example to produce and administer a membership card. Children will not be contacted separately by National Museums Liverpool; the communications for their membership benefits is always through the parent or guardian. When a membership is renewed, consent for a child’s membership record to remain is re-sought.
Our websites and apps
Please note that this privacy statement applies to the websites and apps of National Museums Liverpool.
If you follow a link to a third party website, the data protection statement on that site should be consulted.
Enquiries and comments about our websites and apps
You can send us your enquiries and comments directly through our website. You can also contact us by post (see address at the end of this document). If you use a contact form on the website you do not need to give any personal information, e.g. your email address or name, unless you want us to respond to your enquiry, in which case you should provide us with your email address as a minimum. When dealing with your enquiry we do not pass any personal information outside our organisation, nor do we use that information for any other purpose without first seeking your permission. If you require a response from us, we will need to record your personal contact details to be able to reply to you and to track the progress of your request.
http://www.youronlinechoices.eu/ or www.aboutads.info/choices.
Our websites and apps use Google Analytics, a digital analytics service provided by Google. This helps us to analyse how our visitors use our websites and apps so that we can improve them for future visitors.
Google Analytics mainly uses first-party cookies to report on user interactions on Google Analytics customers’ websites. These cookies are used to store non-personally identifiable information.
We also use some Google Analytics Advertising Features for products like Google AdWords to display National Museums Liverpool marketing material.
Log files allow us to record and analyse visitors' use of our websites and so improve it for our users. Log files do not contain any personal information about you or information about which other sites you have visited. Your IP address is recorded but not used to identify individuals, or used for any other purpose than for the analysis of log files to monitor website usage.
Retention of data
National Museums Liverpool ensures that personal data is not stored for longer than necessary for:
- Achieving the purpose the data was collected for
- Providing you with the goods, services or information you have requested
- The administration of your relationship with National Museums Liverpool
- Complying with the law
- Ensuring National Museums Liverpool does not communicate with individuals who have requested no further communication.
We destroy non-relevant paper files at regular intervals and electronic information is stored securely. Under the General Data Protection Regulation you have the right to the erasure of all of your data we hold. When we receive a request for the erasure of data we will comply with this request within 14 working days. As a Data Controller, National Museums Liverpool must maintain a suppression list containing details of individuals who have asked not to receive direct marketing materials, in order to ensure the individual’s wishes are recorded, no future communications are sent out and also to make sure a record of past communication exists.
National Museums Liverpool has a dedicated Database Team, responsible for ensuring all data entry is accurate and that the Raiser’s Edge database is secure and confidential. UK and EU data protection law requires that all data held on individuals is as accurate and as up-to-date as possible.
The Database Team regularly complete data cleansing exercises to check our contacts against death, change of address and ‘requests no mailings’ registers. Any inactive, invalid addresses or deceased records are marked accordingly and in turn excluded from any processing unless they have donated to National Museums Liverpool, in which case we may process their details for historical financial reporting. Donors updated under data cleansing processes will remain as inactive records on the database as a safeguard so we do not add the same people to the database again and so there is a record of why people are excluded from mailings/not contacted again about a project they have previously expressed interest in or donated to. The Database Team use a reputable third party organisation for our data cleansing projects and always carry out due diligence as to the suitability of the third party with respects to adherence to data protection law. We also make sure we have a data processor and controller agreement in place before work begins, in accordance with UK and EU data protection law.
National Museums Liverpool only stores data that is not excessive for the purposes for which it was acquired and makes sure data stored is adequate and relevant for the purposes of processing.
When you give us your data:
- We keep a record of when and how we got consent from you.
- We keep a record of exactly what you were told at the time of giving us your data.
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for you to withdraw your consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We do not penalise individuals who wish to withdraw consent.
We ensure a data protection statement and clear opt-in options are present at the point of any data collection. Individuals are also given the option to update their mailing preferences or unsubscribe at regular intervals.
Specific consent given for communications remains the same until the individual contacts us to change their options or unsubscribe from National Museums Liverpool communications, or until such time as consent will need to be renewed for it to be lawful under UK and EU data protection law. 14 days after a removal request no mailings will be received again from National Museums Liverpool.
For certain projects, National Museums Liverpool engages the services of trusted external partners, for example for data cleansing and delivery of e-newsletters. When we engage the services of these organisations, we make sure we have a data processor/controller agreement in place to ensure strict data protection procedures are being adhered to.
When partner organisations offer contact information of people who are to be invited to an event, we do not add them to our mailing lists or indeed to our database apart from as a participant of the specific event. We do not count these people as having a relationship with National Museums Liverpool unless they respond to this invitation, giving consent for specific future contact options; at this point we add them to the database because they have requested this.
Links to other sites
Our website may contain links to other external websites. We are not responsible for the content or functionality of any such website.
If a third party website requests personal data from you (e.g. in connection with goods or services), the information you provide will not be covered by National Museums Liverpool’s privacy rules. We suggest you read the privacy notice of any other website before providing any personal information.
Government processing of personal data
As National Museums Liverpool is a non-departmental public body under the governance of the Department of Digital, Culture, Media and Sport, in exceptional circumstances it may be necessary for us to share personal information with the government if this is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
National Museums Liverpool’s premises are protected by CCTV, so you may be recorded when you visit National Museums Liverpool. CCTV images are being monitored and may be recorded for the purpose of public safety, crime prevention, detection and prosecution of offenders.
The system is managed in accordance with our standard operating procedures and with good practice guidance issued by issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised security staff and are stored for up to 30 days, unless flagged for review.
Security and filing issues
We have security measures in place to protect against the loss, misuse and alteration of personal data held by National Museums Liverpool. All systems and databases are UK and EU data protection law compliant.
Databases are password protected where possible and passwords are changed on a regular basis and have strict structure criteria. Email updates for databases are taken care of in a timely manner and filed in an archive folder for future reference until such time this filing is in violation of data retention timescales, at which point the data is deleted.
Papers to be destroyed which contain personal data from the database are shredded, never thrown away. Paper forms used for sign up to e-newsletters in one of our venues are kept securely in central locations until such time they can be destroyed because the data retention period has come to an end.
All personal data is stored in a secure environment.
Online data collection and the Privacy and Electronic Communications Regulations(PECR)
We aim to ensure that people joining the e-newsletter mailing lists are aged 18 or over, but all our publications, events and exhibitions are designed to be enjoyed by a Family audience.
In accordance with The Privacy and Electronic Communications (EC Directive) Regulations 2003, we collect explicit consent from someone to use their email address for specific purposes. This means we have received explicit consent from the individual for specific purposes. If an individual unsubscribes from an e-newsletter we take action to comply with the request within a reasonable amount of time and update the database to reflect the individual’s new preferences.
We want to ensure you remain in control of your personal data and that you understand your legal rights, which are:
- the right to know whether we hold your personal data and, if we do so, to be sent a copy of the personal data that we hold about you (a “subject access request”) within 30 days;
- the right to have your personal data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
- the right to have inaccurate personal data rectified;
- the right to object to your personal data being used for marketing or profiling; and
- (where technically feasible) the right to be given a copy of personal data that you have provided to us (and which we process automatically on the basis of your consent or the performance of a contract) in a common electronic format for your re-use.
There are some exceptions to the rights above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.
If you would like further information on your rights or wish to exercise them, please contact our Data Protection Officer at email@example.com or by writing to the Office of the Data Protection Officer, World Museum, William Brown Street, Liverpool, L3 8EN
National Museums Liverpool as a Data Controller is accountable for compliance with the data protection principles under EU and UK Data Protection laws, in respect of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
How to get access to your data
To request a copy of your data held by National Museums Liverpool simply email our Data Protection Officer on firstname.lastname@example.org or use our subject access request web page, or by writing to the Office of the Data Protection Officer, World Museum, William Brown Street, Liverpool, L3 8EN
To check or update your preferences, email email@example.com or call 0151 478 4734.
If you want to make a comment or complaint to us about any aspect of our activities relating to your personal data, please contact us:
- Click here for the data enquiry form on our website
Office of the Data Protection Officer
William Brown Street
The registered Data Protection Officer for National Museums Liverpool is the Secretary to the Board.
Changes to this privacy notice
If we change our approach to the use of personal data we will amend this notice to ensure it remains as up-to-date as possible. Any changes will be published on our website.
This document was approved in May 2018. Review due May 2020.