Museums privacy notice

1 Council contact details

1.1 West Northamptonshire Council
Registered Office:
One Angel Square
Angel Street
Northampton
NN1 1ED

Tel: 0300 126 7000

This privacy notice explains how Northampton Museums and Art Gallery (NMAG) collects, uses and protects any personal information that you give to us.

This privacy notice should be read alongside our Corporate Privacy Notice.

In order to meet our responsibilities as a local authority museums service and provide this service we collect and process personal information. Being able to use your personal information and information about how you use our services helps us fulfil our function as a museum caring for museum collections and associated information and to monitor, develop and enhance the services we provide for all users.

The personal data you supply is processed in accordance with the General Data Protection Regulations (GDPR) and the Data Protection Act (DPA) 2018.

We are committed to ensuring that your privacy is protected. This privacy notice will tell you who we are and what to expect when NMAG collects your personal information and is intended for visitors, customers, donors and lenders, enquirers, volunteers, suppliers, supporters and anyone who uses the museum service.

Northampton Museums and Art Gallery

NMAG consist of Northampton Museum and Art Gallery and Abington Park Museum. We are a local authority museum service governed by West Northampton Council. The museum service cares for the largest historic shoe collection in the world and is designated as being of national and international significance by Arts Council England. The other collections cared for by the museum service include fine and decorative art, social history, archaeology, geology, costume, ethnography and military.

2 Information that we hold

2.1 We collect personal information relating to the services delivered below. Personal information identifies a living person or can be identified as relating to a living person.

We collect information when you sign up to, participate in, or purchase an activity or service from us, or enter a contract with us including:

  • sign up for mailing lists
  • sign up for events
  • book learning activities and sessions
  • book and attend any training, learning or development activities
  • evaluate our service
  • hire a space
  • sell goods at an event or fair
  • provide permission for us to use photographs for marketing/promotional purposes

In this instance we collect the following information:

  • personal or organisational details such as title, full name, organisation name, date of birth, address, post code
  • communication details such as email address, home address, business address, telephone numbers
  • equalities monitoring details (optional) such as disability, ethnicity, gender and religion/belief
  • transaction information and financial account details and payment history
  • organisational details such as title, full name, organisation name, address, post code
  • any other information relevant to your booking
  • information that allows us to profile you in a pseudonymised format as part of our audience segmentation model

We collect information when you volunteer with us including:

  • personal details such as title, full name, date of birth, address, post code
  • communication details such as email address, home address and telephone numbers
  • equalities monitoring details (optional) such as disability, ethnicity, gender, religion or belief
  • emergency contact details such as full name and telephone number of nominated contacts
  • availability
  • reasons for wanting to volunteer
  • whether or not you have a disability or additional support needs for which the organisation needs to make reasonable adjustments
  • referees (personal details: title, full name, date of birth, address and post code, email, telephone)
  • information that allows us to profile you in a pseudonymised format as part of our audience segmentation model
  • Emergency Contact:
    • personal details: title, full name, date of birth, address, post code
    • communication details: email address, home address and telephone numbers
    • emergency contact details: full name and telephone number of nominated contacts

We collect information when you donate to or loan from the museum collections including:

  • donate or loan a physical or digital object, oral history, or image to the museum
  • grant Intellectual Property Rights (IIP) such as copyright of an artwork, image, film or audio recording to the museum
  • loan an object, oral history or image from the museum

In this instance we collect the following information:

  • personal or organisational details: title, full name, organisation name, date of birth, address, post code
  • communication details such as email address, home address, telephone numbers
  • information associated with the object such as memories and stories
  • special category personal information (sensitive personal data) includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, generic or biometric, physical or mental health conditions, sex life or sexual orientation.

We collect the following information when you visit our website

  • In order that we can improve our online services we will collect information about your visits to this website through cookies. These statistics do not contain personal data and cannot be traced back to an individual. We do not use cookies to store personal data nor do we link non-personal information stored in cookies with personal data about specific individuals. Your cookie preferences can be selected.

We collect the following information when you make a visit to one of our museums

  • Our museums have CCTV and you may be recorded when you visit them. CCTV is there to help security and protect museum collections, staff and users. Any footage that is captured on our CCTV will only be viewed by museum staff and law enforcement agencies when detecting and preventing crimes or for criminal investigations. Once the footage is not required it will be overwritten unless flagged for review for the reasons listed above
  • We operate a counting and sensing system our museums to detect movement within the museum buildings. These help us record visitor statistics
  • Free Wi-Fi access is available at our museum sites. If you access this network, you will be asked to agree to the museums service Wi-Fi terms and conditions which will explain how your information will be used
  • The use of museum audio or similar downloadable application guides may require proof of identity information and may collect pseudonymised information on visitor behaviour.

Information for parents and guardians of children or young people

  • We will protect and respect the personal information of individuals, especially those under the age of 13 or younger
  • We will not use the personal information of children or young people for marketing purposes or profile purposes
  • Personal information about children and young people will only be accessible to museum staff on a strictly need to know basis
  • For permission to use images we will collect parent or carer name, address, telephone number, signature, date of consent, consent option for image use and name and age of child

3 How the information is obtained

3.1 Collecting personal information

Most of the personal information we process is provided to us directly by you when you:

  • signup to participate or purchase an activity or service from us
  • take part in a survey to help us improve our service
  • enter a contract with us
  • volunteer with us
  • donate a physical or digital object to the collection
  • loan an object from the collection
  • grant IIP on a physical or digital object to us
  • agree to the terms and conditions of our free Wi-Fi
  • agree to the terms and conditions of an audio guide or downloadable application

This information will only be used for the intended purpose and should we wish to use it for any other purpose, we will ask for your permission first.

We may collect personal information from you in the following ways. Paper, electronic or online forms, email, telephone, website, social media, personal contact with one of our employees or one of our partners, consultations and surveys. We also collect information through CCTV, Wi-Fi and audio guides. To use our online services and forms we will ask you to register your name, email address and other relevant personal details.

In order that we can improve our online services we will collect information about your visits to our website. These statistics do not contain personal data and cannot be traced back to an individual. We do not use cookies to store personal data nor do we link non-personal information stored in cookies with personal data about specific individuals. Like many other websites we use cookies on our site. Cookies can help a website to personalise your visit. A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer's hard disk so that the website can, among other things, remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the "lifetime" of the cookie, and a value, usually a randomly generated unique number. Since 2011 a new European Union directive has required us to gain the consent of our users to download cookies on to their machines. There are various methods we could use to gain users consent; for example, we could use pop-ups, prompting users to tick a box to confirm they give permission for us to download cookies on their machine. Alternatively, we could use an online form that all users must complete before using the website. We consider both solutions as obtrusive. We want our users to find information and services quickly. Therefore, we have taken the decision to promote how we use cookies on our website instead. This will enable users to make an informed decision whether they want to disable this feature.

Analytics information is collected anonymously and includes monitoring visitor numbers and movement of people and individuals in the museum buildings. Our museums have CCTV and you may be recorded when you visit them. We operate a counting and sensing system our museums to detect movement within the museum buildings.

3.2 What is the basis for us to process your data?

We will only process your personal data if we have a legal basis for doing so under UK data protection legislation, this can be for one or more of the following reasons:

  • Processing data which is necessary for the performance of a contract to which you are a party, or in order to take steps prior to entering into a contract, for example when you: book a workshop or event; or purchase goods or services
  • Where you have given your consent for us to process your data, for example you have requested to join our mailing list or volunteer with us. You can, at any time withdraw your consent and your details will be removed from our records for mailing purposes. There is an option to unsubscribe
  • Where archiving is in the public interest, we do not need your consent to process your personal data. We have appropriate safeguards and policies in place which meet the Art Council’s Accreditation Scheme for museums and galleries and follow SPECTRUM processes
  • Where there is a legitimate interest to process your personal data without your consent, and which does not override your fundamental rights and freedoms.

4 What we do with the information

4.1 Conditions under which we use your information

We will follow the principles of fair and legal processing according to the General Data Protection Regulation (GDPR).

We will only process personal information under the following lawful conditions:

  • You have consented to the use of your personal information for a specific purpose such as marketing
  • We need to process your personal information to deliver a contracted service such as ticket buying
  • We are entitled or required by law to process certain personal information to prevent fraud or crime prevention
  • The need to protect the vital interests of any person
  • We are required to process personal information in the performance of a task carried out in the public interest or the exercise of our official authority, such as management of collections or using CCTV to protect the museum and museum visitors
  • The processing of personal information for legitimate interests that are not covered by previous definitions but enable the museum to meet its legislation objectives. These may include potential donors, donations, purchases, bequests, loans, insurance, intellectual property rights management (copyright), marketing, publicity, fundraising, visitor and customer analytics, exercising or defending legal claims and correspondence

We use your information to:

  • to deliver services that are relevant to you as a user
  • to develop and improve our services to you as a user
  • to manage, shape and grow the museum service to continue to meet the demands of our audiences
  • to prevent or detect fraud or crime
  • to monitor and research service delivery
  • to improve the understanding of the museum target audiences and improve customer service delivery (visitor analytics)
  • to deliver ticket and retail purchases
  • to improve marketing
  • to provide free Wi-Fi
  • to help fundraising by analysing data (fundraising is a way for the museum service to generate income)
  • to improve the experience of the museum website (we collect standard internet log information and details of visitor behaviour patterns)
  • to help us record visitor numbers (through counting and sensing system at Northampton Museum and Art Gallery and Abington Park Museum)
  • to ensure the security of collections, staff and visitors (CCTV)
  • to offer experiences such as audio tours and applications

4.2 Who we share your personal information with

We will not sell, distribute or lease your personal information to third parties unless we have your permission or as required by law.

We will share relevant data with external organisations such as transfer or loan of museum items to other organisations, mailing house in order to process mailings, analytical services to enable us to target our communications with customers and supporters and payment processing companies.

We will share relevant information internally with partners that work for West Northamptonshire Council.

We ensure that your personal data will not be disclosed to government institutions and other authorities except if required by law or other regulation.

We may also disclose personal information where required by law or where necessary for a lawful purpose such as the Police (only for the purposes of preventing or detecting crime or fraud).

There are very few current circumstances where Northampton Museums and Art Gallery will transfer your data outside the EU, such as exhibition loans. If ever necessary, we will always ensure an adequate level of protection is provided for any personal information transferred outside of the European Economic Area as required by the General Data Protection Regulation (GDPR).

4.4 NMAG uses a bespoke audience segmentation model to achieve a deeper understanding of existing and future audiences. Data is used in a pseudonymised format to analyse visitor analytics within this context.

5 How long we keep your information for and how we securely dispose of it after use

5.1 We keep your personal information for all aspects of processing in line with the council’s retention schedules.

Data security

  • Museum staff receive personal data training and follow a set of data protection procedures required for handling personal information
  • Museum staff must use appropriate levels of security to store or share personal information
  • Paper records of personal information are secured physically for storage and access protection
  • Electronic personal information and databases are held on a secure computer network controlled by authorised username and password protection. Passwords must not be shared, and personal information not held on the computer network must be encrypted
  • All the personal data stored the website is recorded in a secure database
  • All our employees and data processors, who have access to and are associated with the processing of personal data, are obliged to respect the confidentiality of our visitors' personal data
  • Any payment or financial information is transmitted using 128bit encryption using THWATE SSL certification
  • Data Privacy Impact Assessments (DPIA’s) will be produced by the project manager and reviewed by the DPO for any new projects involving personal information
  • Any suspected breach of security, data loss or cyber-attack will be investigated by the Data Protection Officer (DPO) who will manage the actions necessary and report the incident
  • Any suspected breaches of data must be reported by museum staff to the DPO
  • A personal data asset register and personal data process maps will be maintained by the DPO identifying all personal data held, where it is held, security measures used to restrict access, how the data is processed, what teams or individuals have access to data, who has overall responsibility for the data

5.2 All information is held securely and will be securely destroyed when no longer needed.

We will only keep your personal information for as long as required for the purpose it was collected. We will continually review the personal information we hold and delete when no longer required.

6 How we store your information

6.1 Your information is securely stored on the council’s secure digital and physical systems.

7 Your data protection rights

7.1 The law gives you a number of rights to control what personal information is used by us and how we can use it. Please see section 15 of the council’s Privacy Policy for further information.

7.2 Please be aware that your rights may differ depending on the lawful basis for processing your personal data.

7.3 The right to withdraw consent (if applicable). You can ask that we no longer use your details for this [processing/groups of processing]. If you wish to exercise this right, please contact the Data Protection Officer detailed in section 8.1 below.

8 Who to contact

8.1 If you would like further information about how we use your personal information, or you wish to exercise one of your data rights or you wish to complain about the use of your personal information please contact the Data Protection Officer.

8.2 If you are still dissatisfied once you have contacted the Data Protection Officer, you have the right to complain to the ICO.

The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Completion and review dates

This privacy notice was completed on 23 March 2021.
The privacy notice review date is March 2022.

Why information is on a different website
We are in the process of adding information to this new unitary council website. Some pages will give you a link back to a previous council website to help you find what you need. Read more about the changes.