How we use your information
This privacy notice tells you who we are and what to expect when the Natural History Museum collects your personal information. It is intended for visitors, customers, supporters and anyone who has a relationship with the Museum, whether or not they use the Museum's website and other digital channels.
The notice provides information on:
- who we are
- how we use your information
- cookies and tracking
- Wi-Fi service
- conditions under which we use your information
- visitor and customer analytics and prospect research
- who we share information with
- transfers of data abroad
- how long we keep your information
- your rights
- access to personal information and correction
- consent and your right to opt out
- complaints, enquiries and feedback
- how to contact us
- changes to this privacy notice
- useful links
This privacy notice does not cover links to external websites. We encourage you to read the privacy statements on the other websites you visit.
Who we are
The Natural History Museum exists to inspire a love of the natural world and unlock answers to the big issues facing humanity and the planet. More than five million people visit the sites in South Kensington and Tring every year, and the website receives over 500,000 unique visitors a month. It is a world-leading science research centre, and through its unique collections and unrivalled expertise it is tackling issues such as food security, eradicating diseases and managing resource scarcity.
The Natural History Museum Trading Company (NHMTC) carries out the commercial activities of the Museum (eg events, retail and the Wildlife Photographer of the Year exhibition). As a wholly owned subsidiary, NHMTC is subject to the Museum's policies and procedures.
In this privacy notice and in the data protection statements which you will see wherever we collect your personal information, 'the Natural History Museum', 'the Museum' and 'we' refer to the Natural History Museum and the Natural History Museum Trading Company.
The Museum is the data controller of your personal information.
How we use your information
When you give us your personal data we will explain specifically how we will use it in a fair processing statement with a link to this privacy notice. The main purposes for which we collect and process the details of customers, visitors, Members, service users, enquirers, donors and potential donors are to provide the service, goods or information that you have requested:
- for administration purposes (eg to administer donations, and to keep a record of our relationship with you)
- to further our charitable aims, including fundraising activities
- to gather feedback
- to enable the best possible supporter journey and experience
We may use your data to contact you by email (if you have given us your consent or are a business contact), post or phone with news and information about the Museum that we feel may be of interest to you as well as about our other special events, activities, products and services. We will not use your personal information in this way if you have opted out, unsubscribed or otherwise indicated that you do not wish to be contacted for such marketing purposes.
Cookies and tracking
When you visit www.nhm.ac.uk, nhmshop.co.uk, data.nhm.ac.uk or any of the Museum's websites, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out, for example, the number of visitors to the various parts of the site, to compile statistical reports on website activity and to personalise our visitors' website experience. We also use similar technologies when sending marketing emails to understand which emails are being read and how customers interact with them.
We use advertising cookies from third parties to allow us to assess the effectiveness of our adverts, and to optimise our digital advertising. These cookies can affect what you see on third party sites. Advertising cookies remember that you have visited a website and use that information to provide you with advertising which is tailored to your interests. This is often called online behavioural advertising (OBA) and is done by grouping together shared interests based upon web browsing history.
It is important to note that at no time do we or our service providers attempt to identify you individually, nor do we create a profile of you, or the pages you have viewed, for the purposes of delivering advertising without given consent to email marketing, and in turn profiling for the purposes of delivering information that is relevant.
A guide to behavioural advertising and online privacy has been produced by the internet advertising industry.
Wi-Fi service and other sensing systems
We operate a Wi-Fi system, counting systems and other sensing systems to detect movement within the Museum’s premises.
Free Wi-Fi access is available throughout the Museum via the network named 'NHM-Free-wifi' or 'NHM-Tring-Free-WiFi'. If you access the Museum's free Wi-Fi network, you will be asked to agree to the Museum's Wi-Fi terms and conditions of use, which explain how your data will be used.
If you do not use the free Wi-Fi network but have Wi-Fi enabled on your smartphone, tablet or another internet-enabled device, your device can still be detected by the Museum's Wi-Fi service.
We record anonymous data about the location and type of devices in the Museum that have Wi-Fi enabled and other sensing data, for security and so that we can monitor the flow of visitors around the Museum and improve our services.
We will not link the anonymous device data with any other personal data that identifies you individually without your express permission. If in the future we want to process your data in this way to offer you new services, we will ask you via a consent form before doing so.
Conditions under which we use your information
We follow the principles of fair and legal processing described in the General Data Protection Regulation. We will only process personal data under one of the available lawful conditions (legal bases) - for example, if:
a) you have consented to the use of your personal data for the specific purpose in question, such as for a particular type of marketing
b) we need to process your personal data in order to deliver a contracted service, such as when you buy a ticket for an event or become a Member
c) we are entitled or required by law to process personal data in a certain way, such as for fraud or crime prevention
d) we need to protect the vital interests of any person
e) we are required to process personal data in performance of a task carried out in the public interest or in the exercise of our official authority , such as in the management of the collections, or using CCTV to protect the Museum and its visitors
f) the processing of personal data is within our legitimate interests, where we carry out activities that would not be considered to fall into the definition at (e) above, but are enabling the Museum to meet its objectives as laid out in legislation
This may include:
- marketing, publicity and fundraising mailshots that do not require consent (eg postal or phone contact from Development and Communications staff or business to business communications)
- prospect research prior to first contact
- due diligence research on potential donors
- visitor and customer analytics
- exercising or defending legal claims
Visitor and customer analytics and prospect research
It is within the Museum's legitimate interests to hold and analyse your data to continue to improve our understanding of our target audiences and supporters. This is so we can provide world-class, transformative, visitor-focused experiences, customer service and educational engagement, and effective and appropriate supporter engagement. We are also looking at how we might in the future use the latest technologies to improve and personalise the services that we offer.
Visitor analytics data is collected on an anonymous basis wherever possible, or pseudonymised so that individuals cannot be readily identified. This includes monitoring visitor numbers and tracking movement of people and collections of individuals around the Museum. (For more information see sections on cookies and Wi-Fi.)
We carry out customer analytics to improve our understanding of our target audiences. We do this by analysing your commercial transactions (eg ticket and retail purchases) and activities (eg email interaction with the Museum, such as which emails you open and how often, use of Museum Wi-Fi including via cookies and similar technologies). This helps us target our marketing more efficiently, understand what topics you are interested in, and personalise and improve your experience if you have consented to receive marketing from us, by providing the most relevant and timely content.
You can object to our carrying out this kind of activity for marketing purposes by using this form, and we will review our basis for doing so in your case. Please note that objecting to this activity will mean that you are automatically unsubscribed from marketing.
Prospect research (that is, building up a profile of a particular individual, their interests, suitability and likelihood they will donate to the Museum) is fundamental to the ability to generate income through fundraising, as the Museum is expected to do. We may therefore analyse personal information collected from you, from publicly available sources and occasionally from third parties, to create a profile of your interests and preferences.
This helps us understand the background of the people who support us, and enables us to contact you in the most appropriate way, with the most relevant information. You can object to our carrying out this kind of activity for fundraising purposes by emailing email@example.com, and we will review our basis for doing so in your case.
Who we share information with
We will never sell your data. We will not share personal data with third-party organisations for their marketing purposes without your permission. We may, however, occasionally outsource functions when we do not have the in-house capacity required, such as the use of a mailing house for mailings, companies that run competitions on our behalf and analytical services that enable us to target our communications with customers and supporters more effectively.
In such cases the personal data will only be processed in accordance with our lawful instructions, and we will remain controller of the data. For example, if we are running a social media advertising campaign, this may require us to provide some partial identifiable (hashed) data to a third party site for matching purposes only (namely, so that you see relevant advertising in your feed), but that third party would never be permitted to use the personal data for its own purposes.
We will only use reputable and vetted firms and have contracts and processes in place that ensure the safe and confidential processing of personal data at all times.
Transfer of data abroad
We will always ensure an adequate level of protection is provided for personal information transferred outside the European Economic Area. If the organisation we share personal data with is in a country without adequate data protection in place, we will place contractual requirements on the third-party organisation to handle personal data to the same standard that is required by legislation in the United Kingdom.
How long we keep your information
We only use your data for the purposes for which it was obtained. It will only be kept for as long as it is required for those lawful reasons.
Under the General Data Protection Regulation (GDPR) you have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you
- to require us to correct any inaccurate personal data we hold about you
- to require us to restrict our processing of your personal data
- to object to us processing your personal data
- to object to receiving marketing communications from us
- to withdraw your consent to processing of your personal data
- to require us to erase your personal data ('right to be forgotten')
- to obtain from us the personal data which you have provided, in order to transmit it to another organisation ('data portability')
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply. How we deal with some of your rights are set out elsewhere in this privacy notice. You also have the right to refer your concerns or queries to the supervisory authority, the Information Commissioner’s Office.
Access to personal information and correction
We strive at all times to ensure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate by contacting us as detailed in the 'How to contact us' section of this notice. If your personal details change, please help us to keep your information up to date by notifying us at the address below.
Under the terms of data protection legislation you have the right to request access to and a copy of information that we hold about you, by making a Subject Access Request. You can do this in several ways:
Consent and your right to opt out
If we intend to use your personal information for certain types of marketing or other purposes where your consent is required (namely, because the use of your data is not covered by other legal bases explained in this notice), we will seek your specific consent to use your information for these purposes. Whenever we seek your consent we will explain how we intend to use your data. Consent will require a positive affirmation from you, generally in the form of an opt-in such as ticking a box to signal your agreement.
Subscribing to marketing communications is optional - you do not need to subscribe to marketing from us when you buy products, book tickets, donate or use any other of our services.
After you subscribe to our services or give consent to receiving news and information from us, you can cancel your subscription, withdraw your consent to being contacted for these purposes, or change your preferred method of contact at any time. For example you can stop e-mail newsletters by clicking the 'Unsubscribe' link in the emails you receive. If you do withdraw your consent for or object to marketing, we will need to keep a record so that we can suppress future marketing activity to those contact details. Opting out of email marketing will, by default, mean opting out of post and phone communications as well, unless you inform us otherwise.
You can also register with the Telephone, Mail and Fundraising Preference Services if you do not wish to receive marketing communications from us.
Where we have your consent to send you marketing material by email, but are not aware of any interaction with the Museum (ie at least opening one of our emails and clicking on a link in it, or responding to a communication from Development and Communications staff) for more than three years, we will contact you to ask if you wish to renew your consent. If you do not, we will remove your details from our marketing mailing lists.
Complaints, enquiries and feedback
The Museum strives to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice is intended to be brief and clear. It does not provide exhaustive detail of all aspects of the Museum's collection and use of personal information, but we are happy to provide you with any additional information or explanation.
If you have an enquiry, a complaint or suggestions regarding our data protection processes, please contact:
Data Protection Officer, Natural History Museum, Cromwell Road, London SW7 5BD
or email us at firstname.lastname@example.org.
If you are not satisfied by the response to your complaint, you are entitled to escalate your concern. The first step is to seek an internal review of the Museum's handling of your complaint. Please submit your application for a review in writing to the Data Protection Officer at the above address. The review will be undertaken by the Head of Risk and Assurance.
Changes to this privacy notice
We keep our privacy notice under regular review. Please visit this page periodically in order to keep up to date with any changes.
This privacy notice was last updated on 25 February 2019.
How to contact us
If you wish to make a complaint, request further explanation or suggest an improvement to how we use personal data, please contact:
Data Protection Officer, Natural History Museum, Cromwell Road, London SW7 5BD
or email us at email@example.com.