Last updated
This policy was last updated on 2 September 2020.
This policy sets out the Natural History Museum's commitment to data protection legislation (meaning any UK Data Protection Act in force and the General Data Protection Regulation) and good practice in handling personal data.
The Museum collects and uses personal details about customers, visitors, donors and patrons, current, past and prospective employees, suppliers, clients and other contacts as part of our work. We do this to provide or improve services, administer contracts of employment, encourage and administer donations and to comply with the legal requirements of government departments and others. However it is recorded or used, whether on paper, electronically, or in any other medium, this data must be dealt with properly.
This policy applies to all personal data obtained, held, used and otherwise processed by the Natural History Museum. This may be factual information such as names and addresses, or expressions of opinion, images or any other recorded information that can identify or tell something of significance about a living individual.
This policy applies to all staff who collect and/or use personal data in the course of their work. Separate guidance (including an intranet site) provides more detailed information for staff on how to comply with the requirements of this policy.
Data protection legislation provides a framework for organisations to ensure that personal data is handled properly and gives individuals important rights in relation to their personal information, including being able to find out what is held about them.
Data protection legislation applies to any processing of personal data.
'Processing' encompasses almost anything that can be done to data, including (but not exclusively) obtaining, organisation, use, retrieval, consultation, disclosure and destruction. All processing must be justified under one of the six lawful bases identified in the GDPR.
'Personal data' means data which relate to a living individual ('data subject') who can be directly or indirectly identified, in particular by reference to an identifier such as their name, ID number, location data, email address or online identifier (e.g. IP addresses and cookies).
The GDPR sets out a series of principles on the handling of personal data with which organisations must comply. Personal data shall be:
Data subjects have the right to be informed about the collection and use of their data, the rights of rectification and erasure, the right to restrict or object to processing, the right to data portability and the right not to be subject to a decision based on automated processing.
Separate from but complementary to data protection legislation, the Privacy and Electronic Communications Regulations require particular measures to be in place when collecting and using personal data electronically. Two key areas relate to the use of cookies on websites, and the requirement to obtain a positive indication of consent from data subjects prior to direct marketing - encompassing both promotional activities and fundraising - by electronic means (email/automated telephone calls/SMS).
The Natural History Museum is committed to compliance with data protection legislation and takes seriously the responsibility of handling personal information. To this end the Museum endorses the data protection principles and the concept of data protection by design and default.
The Museum will ensure that all appropriate procedures and staff training are in place, so that all personal data obtained, held or used by the Museum is protected and managed in accordance with data protection legislation.
The Museum will document its use of the lawful bases for processing data in its Record of Processing Activities and will communicate the bases used to the public via the privacy notice and fair processing statements.
The Museum will always be honest, open and proactive in communicating with people about how it intends to collect, keep, analyse and use their personal data.
The Museum will facilitate the exercise of the rights of individuals as enshrined in data protection legislation.
Data Protection Impact Assessments will be undertaken as appropriate on new projects and initiatives involving personal data which meet the threshold for requiring a DPIA according to the screening checklist from the Information Commissioner's Office. This will ensure that any potential privacy risks are identified and addressed at an early stage before they materialise.
Personal data will only be shared with third parties under strictly controlled conditions. Any transfer of data outside the Museum, whether within the UK or abroad, will be accompanied by a Data Processing and Confidentiality Agreement. Personal data will only be transferred outside the UK where there is deemed to be an adequate level of protection, for example where one of the conditions laid out in the GDPR is met. If the transfer is to the USA, the recipient should be able to prove they have signed up to the US Department of Commerce Privacy Shield Scheme, and that they have updated their public commitment to comply with the Privacy Shield to include the UK.
The Museum will implement risk-based and proportionate technical and organisational measures to ensure and demonstrate compliance with data protection legislation.
Data subject rights requests will be dealt with within 1 calendar month. The Museum reserves the right to charge for or refuse to act on a request that is manifestly unfounded or excessive.
The Museum will also comply with the requirements of the Privacy and Electronic Communications Regulations (PECR).
The Museum will operate its CCTV system and manage the automatically gathered data in accordance with the principles of data protection legislation and the Information Commissioner’s CCTV Code of Practice.
If you wish to make a complaint, request further explanation or suggest an improvement to how we use personal data, please contact:
Data Protection Officer, Natural History Museum, Cromwell Road, London SW7 5BD
or email us at dataprotection@nhm.ac.uk.