How we use your information
This privacy notice tells you who we are and what to expect when the Natural History Museum collects your personal information. It is intended for visitors, customers, supporters and anyone who has a relationship with the Museum, whether or not they use the Museum's website and other digital channels.
The notice provides information on:
- who we are
- how we use your information
- cookies and tracking
- Wi-Fi service
- conditions under which we use your information
- visitor and customer analytics and prospect research
- who we share information with
- transfers of data abroad
- how long we keep your information
- your rights
- access to personal information and correction
- consent and your right to opt out
- complaints, enquiries and feedback
- how to contact us
- changes to this privacy notice
- useful links
This privacy notice does not cover links to external websites. We encourage you to read the privacy statements on the other websites you visit.
Who we are
The Natural History Museum exists to inspire a love of the natural world and unlock answers to the big issues facing humanity and the planet. More than five million people visit the sites in South Kensington and Tring every year, and the website receives over 500,000 unique visitors a month. It is a world-leading science research centre, and through its unique collections and unrivalled expertise it is tackling issues such as food security, eradicating diseases and managing resource scarcity.
The Natural History Museum Trading Company (NHMTC) carries out the commercial activities of the Museum (eg events, retail and the Wildlife Photographer of the Year exhibition). As a wholly owned subsidiary, NHMTC is subject to the Museum's policies and procedures.
In this privacy notice and in the data protection statements which you will see wherever we collect your personal information, 'the Natural History Museum', 'the Museum' and 'we' refer to the Natural History Museum and the Natural History Museum Trading Company.
The Museum is the data controller of your personal information.
How we use your information
When you give us your personal data we will explain specifically how we will use it in a fair processing statement with a link to this privacy notice. The main purposes for which we collect and process the details of customers, visitors, Members, service users, enquirers, donors and potential donors are to provide the service, goods or information that you have requested:
- for administration purposes (eg to administer donations, and to keep a record of our relationship with you)
- to further our charitable aims, including fundraising activities
- to gather feedback
- to enable the best possible supporter journey and experience
We may use your data to contact you by email (if you have given us your consent or are a business contact), post or phone with news and information about the Museum that we feel may be of interest to you as well as about our other special events, activities, products and services. We will not use your personal information in this way if you have opted out, unsubscribed or otherwise indicated that you do not wish to be contacted for such marketing purposes.
Cookies and tracking
When you visit www.nhm.ac.uk, nhmshop.co.uk, data.nhm.ac.uk or any of the Museum's websites, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out, for example, the number of visitors to the various parts of the site, to compile statistical reports on website activity and to personalise our visitors' website experience. We also use similar technologies when sending marketing emails to understand which emails are being read and how customers interact with them.
We use advertising cookies from third parties to allow us to assess the effectiveness of our adverts, and to optimise our digital advertising. These cookies can affect what you see on third party sites. Advertising cookies remember that you have visited a website and use that information to provide you with advertising which is tailored to your interests. This is often called online behavioural advertising (OBA) and is done by grouping together shared interests based upon web browsing history.
It is important to note that at no time do we or our service providers attempt to identify you individually, nor do we create a profile of you, or the pages you have viewed, for the purposes of delivering advertising without given consent to email marketing, and in turn profiling for the purposes of delivering information that is relevant.
A guide to behavioural advertising and online privacy has been produced by the internet advertising industry.
Wi-Fi service and other sensing systems
We operate a Wi-Fi system, counting systems and other sensing systems to detect movement within the Museum’s premises.
Free Wi-Fi access is available throughout the Museum via the network named 'NHM-Free-wifi' or 'NHM-Tring-Free-WiFi'. If you access the Museum's free Wi-Fi network, you will be asked to agree to the Museum's Wi-Fi terms and conditions of use, which explain how your data will be used.
If you do not use the free Wi-Fi network but have Wi-Fi enabled on your smartphone, tablet or another internet-enabled device, your device can still be detected by the Museum's Wi-Fi service.
We record anonymous data about the location and type of devices in the Museum that have Wi-Fi enabled and other sensing data, for security and so that we can monitor the flow of visitors around the Museum and improve our services.
We will not link the anonymous device data with any other personal data that identifies you individually without your express permission. If in the future we want to process your data in this way to offer you new services, we will ask you via a consent form before doing so.
Conditions under which we use your information
We follow the principles of fair and legal processing described in the General Data Protection Regulation. We will only process personal data under one of the available lawful conditions - for example, if:
a) You have consented to the use of your personal data for the specific purpose in question. Examples of when we use this legal basis include:
- to use your personal email account to send you marketing information – this includes information about our news, fundraising, events, products, and services
- to take identifiable photographs or film footage of you on your own or in a small group, to be used by the Museum for marketing, promotional, publicity, editorial, general communication, or record keeping purposes
- to continue to contact you if you are a Museum donor, or potential donor, so that we can build and maintain our relationship and correspondence with you, once first contact has been made under legitimate interests
- to conduct research and collect feedback from you regarding your visits to the Museum and to our website
- to contact you by email if you have taken part in one of our citizen science projects and we require some more information about what you have found or seen
- to provide you with access to our recruitment portal if you are a prospective applicant for a job vacancy or volunteer role
- to contact you by post or phone if you are a Development Group contact who is signed up to the Telephone Preference Service or Mail Preference Service and you are not an existing donor
b) we need to process your personal data in order to deliver a contracted service, for example if you:
- buy a ticket for an event
- become a Member - the services we provide to Members are outlined in the membership terms and conditions and include: contacting you to renew your membership; sending out regular letters via email; analysing member activity to improve our services to you; providing customer service to answer questions or respond to feedback; contacting you about becoming a patron or making a donation to the Museum; and showing you relevant adverts on your social media based on your other activity and interactions as a Member
- become a Patron - the way we use personal data of our Patrons is outlined in the Patrons application form and include: administrating your Patron membership; sending you a regular email newsletter and event invites; and sending you the Evolve magazine
- register for an account to enter the Wildlife Photographer of the Year competition
- take part in a competition the Museum is running
- make an enquiry regarding booking a Museum venue for an event
- decide to book a Museum venue for an event
- enter into a brand licensing agreement with us
- make a donation directly to the Museum, or through a third-party giving platform such as Just Giving with whom we have a contract
- have a contract with us regarding requesting a research loan from the Museum’s collections
- are donating an item to the Museum’s collections
- complete the application process for a job or volunteer role at the Museum
- are named as a signatory on a commercial contract that we have entered into, or we are seeking to enter into
c) we are entitled or required by law to process personal data in a certain way, for example:
- for fraud or crime prevention purposes
- if you submit a data subject rights request we will process your information in order to assess and, where appropriate, action your request as according to the GDPR and Data Protection Act 2018
- if you make a donation, we have a legal obligation to continue to store certain information about you and the donation for financial records keeping purposes as required under the Companies Act 2006
- if you choose to add Gift Aid to a donation that you make, then we have a legal obligation to retain your gift aid declaration in order to comply with HMRC legislation
- if you apply for a job at the Museum and provide us with any information about reasonable adjustments you require under the Equality Act 2010
d) we need to protect the vital interests of any person
- to ensure that we meet the needs of attendees to certain events at the Museum, for example ensuring that dietary allergies are accounted for
e) we are required to process personal data in performance of a task carried out in the public interest or in the exercise of our official authority. Under Section 3 of the British Museum Act 1963, the Museum’s public task can be defined as a responsibility for keeping its collections and making them available for inspection by the public. Therefore, we will process your data under this legal basis if:
- you are a collector, borrower or lender and have entered your details into our collection management system or data portal in association with one or more specimens or objects.
- you are requesting or providing a loan, we will use the personal information you provide to contact you about the loan and help manage that loan
- you are donating an object or specimen to the Museum, personal data will be used on the Material Transfer Agreement for the donation
- your personal information forms part of an object or specimen's history
- you wish to access Library, Archive and Public Records items in the Reading Rooms
- you are captured in CCTV footage in and around the Museum premises in order to ensure safety and security of the collections and the public
f) the processing of personal data is within our legitimate interests, where we carry out activities that would not be considered to fall into the definition at (e) above, but are enabling the Museum to meet its objectives.
Types of personal data processing which are based upon the Museum’s legitimate interests include:
- sending you marketing, publicity and fundraising mailshots that do not require your consent (such as postal or phone contact, or business to business communications)
- if you are a Development Group contact who may be able to make a donation to the Museum, we may carry out prospect research on you before we first contact you to make sure we are aware of your interests and your giving capacity
- if you are making a significant donation to the Museum, we may carry out due diligence research to ensure that the source of the donation aligns with our Mission and Values
- carrying out visitor and customer analytics so we can better understand people’s interactions with the Museum and make improvements to make them better
- exercising or defending against occasional legal claims that the Museum encounters, for example in the area of health and safety
- corresponding with you if you have contacted the Museum with an enquiry or some feedback, this may involve passing on your email address to the relevant colleague who is able to best assist you
- processing booking requests for education visits
- to carry out profiling activities so that we can send you relevant emails based on your interests and behaviour. We will do this by analysing commercial transactions (e.g. ticket and retail purchases) and activities (e.g. email actions, point of sign up to marketing) and postcode data in order to personalise the communications you receive and better target our marketing. Please note this will not always be 'profiling' in the sense the term is used in GDPR, meaning a form of automated decision-making about individuals.
- taking crowd photographs of large groups at Museum events. Information notices for filming or photography will always be put in place at events and all reasonable efforts will be made to avoid capturing images of those who notify a staff member that they object.
- conducting feedback surveys in relation to specific events or exhibitions
- processing visitor requests for disabled parking spaces at the Museum
- processing information about individuals involved in security or health and safety incidents during a visit to the Museum, or whilst at an event on our premises
- collecting names of participants involved in our citizen science activities, in order to ensure we have the necessary information to form a biological record
- sharing your contact details with the NHS Test and Trace service so they can identify and inform those at risk of infection of COVID-19, in the event that there is a local outbreak or a confirmed case among a visitor to the Museum who was on the premises at the same time as you. This contact information will be stored securely, will only be used for this purpose for a period of 21 days after the date of your visit, and will only be transferred to the Test and Trace service in a way which keeps it safe and secure during transit. If you do not want your contact details passed on to the NHS Test and Trace service, you can opt out by contacting us. Please note that your contact details will still be collected when you book your ticket so that we can provide important safety information about your visit.
The legitimate interest legal basis also covers the processing of personal data during some of the Museum’s business to business activities, for example:
- to review names and CVs of lead specialist individuals working at an organisation, in order to assess the expertise on offer from a supplier during the procurement process
- to contact press and media contacts
- to contact government contacts
- to facilitate management of our teacher advisory network
- to contact personal assistants of donors (or prospective donors) regarding matters such as whether the donor (or prospective donor) would like to attend a Museum event
- to contact prospective donors in their business capacity - for example to consider corporate partnership opportunities, or emailing contacts at philanthropic trusts or foundations
- to manage security requirements for business contacts visiting the Museum to meet with staff members
- to encourage collaboration between our science staff with other researchers, scientists and curators beyond the Museum for purposes including research, collections use, laboratory use, and publications.
Special category personal data and criminal convictions information
Special category data is defined at Article 9 GDPR as personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health, or
- data concerning a natural person’s sex life or sexual orientation.
Processing special category data will sometimes be necessary to ensure that the Museum can effectively provide a service to you, or so you can best enjoy what the Museum has to offer. For example, we may need information regarding accessibility requirements or dietary requirements so that you are able to access and enjoy our facilities and events. We may also need to process special category information, such as medical information, when recording and managing health and safety incidents.
Criminal conviction data
Article 10 GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’
When the Museum carries out due diligence research in order to accept support and donations, we may access special category information or information relating to criminal offences or convictions.
Visitor and customer analytics and prospect research
It is within the Museum's legitimate interests to hold and analyse your data to continue to improve our understanding of our target audiences and supporters. This is so we can provide world-class, transformative, visitor-focused experiences, customer service and educational engagement, and effective and appropriate supporter engagement. We are also looking at how we might in the future use the latest technologies to improve and personalise the services that we offer.
Visitor analytics data is collected on an anonymous basis wherever possible, or pseudonymised so that individuals cannot be readily identified. This includes monitoring visitor numbers and tracking movement of people and collections of individuals around the Museum. (For more information see sections on cookies and Wi-Fi.)
We carry out customer analytics to improve our understanding of our target audiences. We do this by analysing your commercial transactions (eg ticket and retail purchases) and activities (eg email interaction with the Museum, such as which emails you open and how often, use of Museum Wi-Fi including via cookies and similar technologies). This helps us target our marketing more efficiently, understand what topics you are interested in, and personalise and improve your experience if you have consented to receive marketing from us, by providing the most relevant and timely content.
You can object to our carrying out this kind of activity for marketing purposes by using this form, and we will review our basis for doing so in your case. Please note that objecting to this activity will mean that you are automatically unsubscribed from marketing.
As a recognised charity we seek to maximise our income from fundraising in order to achieve ouraims and objectives. This support is vital in helping us continue our pioneering scientific research, education and conservation. In order to make our fundraising activities as effective as possible we therefore undertake supporter research in order to appropriately engage with high value donors.
Supporter researchinvolves building up a holistic summary of an individual, their interests, suitability and likelihood they will donate and is fundamental to the ability to generate income through fundraising. Therefore, we may collect personal information to research potential supporters that have been identified through publicly available sources, personal referrals, recommendations from existing supporters, through their existing involvement with the Museum and occasionally from fully contracted independent researchers who work with us when we do not have the in-house capacity required.
In addition to information that our supporters provide to us, we may use data collected from publicly available quantitative and qualitative information to assess an individual’s inclination to provide financial and non-financial support and their areas of philanthropic interest, to enable the formulation of an approach which the individual finds attractive.
This may include:
- Financial information (including whether particular donations or funding appeals may be of interest)
- philanthropy and other giving (including donations to other organisations)
- other support (for example,details of volunteering roles)
- career highlights and other life achievements
- and information about areas of interest and extra-curricular activities.
We use targeted internet searches and may search the following websites where relevant in order to obtainand maintain the accuracy of the data listed above:
- Archives from media outletsand archived press releases
- company websites
- Higher education institution websites
- business-related resources including Companies House, One Source, BoardEx and Fame
- Charity Commission and other internet sources for non-profits
- LinkedIn, to check business details
- public records databases
- published rich lists.
We will not collect special category data without explicit consent from individuals, except in some specific instances, for example to record dietary or mobility requirements for attendance of an event.
We review this information using manual processes to gain a holistic understanding of potential supporters’ ability and willingness to make donations and also to determine which particular donations or funding appeals may be of interest to them.
This research helps us understand the background of the people who support us, and enables us to contact you in the most appropriate way, with the most relevant information. You can object to our carrying out this kind of activity for fundraising purposes by emailing firstname.lastname@example.org, and we will review our basis for doing so in your case.
Our teams foster long term relationships with our existing and potential donors. However, we are committed to only keeping data on individuals with whom we have an active relationship. We therefore remove all non essential data captured if the existing or potential donor has not interacted with us in the previous three years, or if we no longer plan to engage with the individual as a supporter in the future. In specific situations approved on a case-by-case basis, we may occasionally decide to re-engage with these contacts should supporter research or the individual themselves offer strong evidence that they would be receptive to hearing from us and we determine after careful consideration that the processing is lawful and within the individual’s reasonable expectations.
We rely on legitimate interests as our lawful basis for processing data on our potential supporters. We have entered an ambitious period of change for the Museum, as we embark on our new strategy to 2031. Over the next decade, we will secure the future of our collection, deepen engagement with multiple audiences, and revolutionise the study of natural history. Supporter research enables us to deliver successful fundraising initiatives and unleash the Museum’s potential to help create a future where people and the planet thrive.
Due diligence research
Properly screened and fully contracted independent professional researchers may carry out due diligence on individuals before we seek or accept major donationsto ensure compliance with legislation, financial rules, international agreements and guidance from statutory bodies and to protect us from reputational risk, as required. These legal and regulatory obligations mean that if you object to analysis of your data for the supporter research purposes detailed above, we may still conduct some due diligence research that is required in order for us to accept donations from you.
Who we share information with
We will never sell your data. We will not share personal data with third-party organisations for their marketing purposes without your permission. However, we may disclose your personal information in the following circumstances:
- to other Natural History Museum entities and trading subsidiaries
- to suppliers, contractors or service providers who work for the Museum to help us provide products or services, for example: payment processing companies; ticketing providers; security services; mailing houses; event providers; companies that run competitions on our behalf; and analytical services that enable us to target our communications with customers and supporters more effectively
- to third-party advertisers such as Facebook who help us to target our advertising communications. For example, if we are running a social media advertising campaign, we may provide some pseudonymised data to the third-party site for matching purposes, which enable us to identify new users likely to be interested in our content
- in the case of Supporter Research information, where appropriate we may occasionally share information with development partners closely related to us, to process data for specific purposes on our behalf, on a considered, confidential basis managed through agreed processes
- to corporate or strategic partners of the Museum, for example if we are running a joint event and you have signed a consent form to give your permission for images taken of you to be shared with the partner organisation so they can promote their relationship with the Museum
- to professional advisers including lawyers, bankers and auditors
- to the NHS Test and Trace service if required as a result of someone who has tested positive for COVID-19 having listed the Museum as a place they recently visited, or because the Museum has been identified as the location of a local outbreak of COVID-19. NHS Test and Trace have provided assurance that they will only ever use the data provided to them for this specific public health purpose, and that they will handle the data in line with the highest ethical and security standards.
In cases where the third party in question is supporting the Natural History Museum’s operations and services under our instructions as Data Controller, they would be defined by data protection law as Data Processors. These Data Processors are trusted partners who work with us to assist us in achieving our aims and objectives; they will not be permitted to use the data that we share with them for their own purposes. We require them to act lawfully in accordance with our instructions, and we ensure that appropriate controls (such as contractual Data Processing and Confidentiality Agreements) are in place to keep your information secure.
In addition, if we are required to do so in order to comply with a legal obligation (for example money laundering legislation or a court order) we may share your personal information with the police, law enforcement or regulatory bodies or relevant government authorities.
Transfer of data abroad
We will always ensure an adequate level of protection is provided for personal information transferred outside the European Economic Area. If the organisation we share personal data with is in a country without adequate data protection in place, we will place contractual requirements on the third-party organisation to handle personal data to the same standard that is required by legislation in the United Kingdom.
How long we keep your information
We will only use your personal data for the purposes for which it was obtained, unless we consider that we need to use it for another reason which is compatible with the original purpose.
The information that we hold about you will only be kept for as long as it is required to perform the required purpose.
Under the General Data Protection Regulation (GDPR) you have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you
- to require us to correct any inaccurate personal data we hold about you
- to require us to restrict our processing of your personal data
- to object to us processing your personal data
- to object to receiving marketing communications from us
- to withdraw your consent to processing of your personal data
- to require us to erase your personal data ('right to be forgotten')
- to obtain from us the personal data which you have provided, in order to transmit it to another organisation ('data portability')
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply. How we deal with some of your rights are set out elsewhere in this privacy notice. You also have the right to refer your concerns or queries to the supervisory authority, the Information Commissioner’s Office.
Access to personal information and correction
We strive at all times to ensure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate by contacting us as detailed in the 'How to contact us' section of this notice. If your personal details change, please help us to keep your information up to date by notifying us at the address below.
Under the terms of data protection legislation you have the right to request access to and a copy of information that we hold about you, by making a Subject Access Request. You can do this in several ways:
Consent and your right to opt out
If we intend to use your personal information for certain types of marketing or other purposes where your consent is required (namely, because the use of your data is not covered by other legal bases explained in this notice), we will seek your specific consent to use your information for these purposes. Whenever we seek your consent we will explain how we intend to use your data. Consent will require a positive affirmation from you, generally in the form of an opt-in such as ticking a box to signal your agreement.
Subscribing to marketing communications is optional - you do not need to subscribe to marketing from us when you buy products, book tickets, donate or use any other of our services.
After you subscribe to our services or give consent to receiving news and information from us, you can cancel your subscription, withdraw your consent to being contacted for these purposes, or change your preferred method of contact at any time. For example you can stop e-mail newsletters by clicking the 'Unsubscribe' link in the emails you receive. If you do withdraw your consent for or object to marketing, we will need to keep a record so that we can suppress future marketing activity to those contact details. Opting out of email marketing will, by default, mean opting out of post and phone communications as well, unless you inform us otherwise.
You can also register with the Telephone, Mail and Fundraising Preference Services if you do not wish to receive marketing communications from us.
Where we have your consent to send you marketing material by email, but are not aware of any interaction with the Museum (ie at least opening one of our emails and clicking on a link in it, or responding to a communication from Development and Communications staff) for more than three years, we will contact you to ask if you wish to renew your consent. If you do not, we will remove your details from our marketing mailing lists.
Complaints, enquiries and feedback
The Museum strives to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice is intended to be brief and clear. It does not provide exhaustive detail of all aspects of the Museum's collection and use of personal information, but we are happy to provide you with any additional information or explanation.
If you have an enquiry, a complaint or suggestions regarding our data protection processes, please contact:
Data Protection Officer, Natural History Museum, Cromwell Road, London SW7 5BD
or email us at email@example.com.
If you are not satisfied by the response to your complaint, you are entitled to escalate your concern. The first step is to seek an internal review of the Museum's handling of your complaint. Please submit your application for a review in writing to the Data Protection Officer at the above address. The review will be undertaken by the Head of Risk and Assurance.
Changes to this privacy notice
We keep our privacy notice under regular review. Please visit this page periodically in order to keep up to date with any changes.
This privacy notice was last updated on 14 July 2020.
How to contact us
If you wish to make a complaint, request further explanation or suggest an improvement to how we use personal data, please contact:
Data Protection Officer, Natural History Museum, Cromwell Road, London SW7 5BD
or email us at firstname.lastname@example.org.