1.0 Purpose of the policy
The Bailiffgate Museum & Gallery (the “Museum”) is committed to complying with privacy and data protection laws including the Data Protection Act 1998 (the “Act”) and the General Data Protection Regulation which comes into force in May 2018. The policy, together with our Privacy Notice (available to view on our website) sets out what we do to protect individual’s personal information.
Anyone who handles personal data in any way on behalf of the Museum must ensure that they comply with this policy. Section 2 of the policy describes what constitutes “personal data”. Any breach of this policy will be taken seriously by the Museum and may result in disciplinary action or more serious sanctions by external agencies.
This policy may be amended to reflect any changes in legislation, regulatory guidance or internal policy decision.
2.0 Definitions of data protection terms
The following terms will be used in this policy:
Data subjects include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
Personal data means information relating to a living person who can be identified from that information (or from that information when combined with other information in our possession. Personal data can be factual (such as name, address or date of birth) or it can be an opinion (such as an appraisal).
Data controllers are the people who, or organisations which, decide the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to process personal data in compliance with the DPA. The Museum is the data controller of all personal data we manage.
Data processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as website or server hosts or other service providers that handle personal data on our behalf.
EEA is the European Economic Area which includes all countries in the European Union as well as Norway, Iceland and Liechtenstein.
ICO means the Information Commissioner’s Office (the authority which oversees data protection regulation in the UK). The Act lays down rules for the provision of a public register of certain organisations. This register is maintained by the ICO and the Museum has registered with the Information Commissioner’s Office.
Processing is any activity that involves use of personal data. It includes obtaining, recording, holding, organising, amending, using, disclosing or destroying personal data.
Sensitive personal data includes information about a person’s:
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- Physical or mental health conditions
- Sexual life or orientation
- Criminal record (including any allegation that they may have committed an offence).
3.0 The Data Protection Principles
Anyone processing personal data must comply with theeight data protection principles which are set out below-
- Personal data shall be processed fairly and lawfully.
- Personal data shall be processed for the purpose(s) which the individual has been told about and not in any way that is incompatible with that purpose(s)
- Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
- Personal data shall be processed in accordance with individual’s rights under the Act.
- Personal data must be secure.
- Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
4.0 Processing data fairly and lawfully
The first data principle requires that personal data is obtained fairly and lawfully and processed for purposes that the data subject has been told about.
To comply with this, every time we receive personal data about a person, which we intend to keep, we need to provide that person with “fair processing information.” In other words, we need to tell them promptly:
- who will be holding their information i.e. the Museum
- why we are collecting their information and what we intend to do with it, e.g. send them updates about our events, and
- anything else necessary to make sure we are using their information fairly, e.g. if we plan to share their information with another organisation.
The Museum’s fair processing notice can be found in our Privacy Policy.
5.0 Processing data for the original purpose
The second data protection principle requires that personal data is only processed for the specific purpose(s) that the individual was told about when we first obtained their information.
This means we must not collect personal data for one purpose and then use it for another, unless the second purpose is implicit.
6.0 Personal data must be accurate
The third and fourth data protection principles require that personal data we keep must be accurate, adequate and relevant. Data must be reviewed regularly and any inaccurate data must be immediately corrected and updated.
7.0 Not retaining data longer than necessary
The fifth data protection principle requires that we must not keep personal data for longer than we need it for the purpose it was collected for. This means that personal data that we hold must be securely destroyed or fully erased from our systems (not archived, unless for specific purposes) where the data is no longer needed for the purposes we originally collected it.
8.0 Rights of individuals under the DPA
The sixth data protection principle gives people rights in relation to how organisations process their personal information. They include (but are not limited to) the right:
- to request a copy of any personal data we hold about them (as data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information and details of anyone to whom their personal data has been disclosed (known as subject access rights)
- to have inaccurate data amended or destroyed
- to prevent processing that is likely to cause unwanted substantial damage or distress to themselves or anyone else; and
- to ask us to cease processing for direct marketing purposes.
Please do not hesitate to contact us if you have any questions about this policy. Communications should be sent to ask@bailiffgatemuseum.co.uk
If you are submitting a Subject Access Request, please email us on the address above with the heading “Subject Access Request” and provide the following details:
* your full name, address and contact telephone number
* details of the specific information you require and any relevant dates, for example your personal records or CCTV camera situated at X location and date and time.
When we have all the information we need from you we will respond to your query promptly and within the 40-day statutory time limit.
9.0 Data Security
The seventh data protection principle requires that we keep secure any personal data that we hold. We are required to put in place procedures to keep the personal data that we hold secure. In the unlikely event that we are dealing with sensitive personal data (as defined in paragraph 2 above), more rigorous security measures will be needed, for instance, if sensitive personal data is held on a memory stick or other portable device it must be encrypted.
The following security procedures must be followed in relation to all personal data processed by the Museum:
- secure lockable desks and cupboards: desks and cupboards must be kept locked if they hold confidential information of any kind (personal data is always considered confidential)
- methods of disposal: paper documents must be shredded. Memory sticks, CD-ROMs and other media on which personal data is stored must be physically destroyed when they are no longer required
- backing up data: daily back-ups must be taken of all data on our systems. Data must not be stored on local drives or removable media as these will not be backed up
- travelling with personal data and remote working: Staff must keep data secure when travelling or using it outside of our offices
- secure exchange of data: Personal data must always be transferred in a secure manner. The degree of security will depend on the nature of the data; the more sensitive and confidential the data, the more stringent the security measures must be.
10.0 Transfer of data outside the EEA
The eighth data protection principle requires that when organisations transfer personal data outside the EEA they take steps to ensure that the data is properly protected.
The European Commission has determined that certain countries provide an adequate data protection regime. These countries currently include Andorra, Argentina, Canada, Guernsey, Isle of Man, Israel, New Zealand, Switzerland, Faroe Islands, Jersey and Uruguay and this list may be updated. As such, personal data may be transferred to people or organisations in these countries without the need to take additional steps beyond those you would take when sharing personal data with any other organisation. In transferring personal data to other countries outside the EEA (which are not on the approved list), it may be necessary to seek the consent of the individuals whose data is being transferred or to enter into an EC-approved agreement.
In most instances the Museum only transfers personal data within the EEA. However, there may be occasions when some transfers take place to individuals or organisations based in countries outside the EEA. If this happens arrangements should be made to encrypt the data.
11.0 Processing sensitive personal data
In the unlikely event that we collect sensitive personal data special rules apply to the processing of it. The categories of sensitive personal data are set out in the definition in section 2. Purely financial information is not technically defined as sensitive personal information by the DPA, however, particular care must be taken when processing such data, as the ICO is likely to treat a breach relating to financial data very seriously.
In most cases, in order to process sensitive personal data, we must obtain explicit consent from the individuals involved. As with any other type of information we will also have to be absolutely clear with people about how we are going to use their information.
12.0 Data held by the Museum
Under company law we are obliged to maintain a list of members of the Company including names and addresses. A copy of the list is available for scrutiny at 14 Bailiffgate, Alnwick and copies provided, on request, to members of the public, on payment of a charge.
The Museum also maintains records of employees, volunteers, donors and purchasers from the Museum website and others who have registered their details (including specific demographic and personal interest details) on the website and have also specifically chosen to receive future e-mails from us.
The information about employees includes that which was recorded on application forms and may include the following:
- name, home address, telephone and email contact details
- marital status
- bank account details
- tax code
- next of kin and / or contact details in the event of an emergency
- CRB
- copies of references obtained or written about the employee
- details of qualifications or skills
- details of trade union membership/activities
- terms and conditions of employment
- grievances and disciplinary matters
- appraisal forms
- holiday records
- accident records
- self-certification sickness forms and doctors’ sick notes
- medical reports
- documentation relating to or authorising deductions from pay
- consent forms.
This list is not exhaustive and is subject to change.
The information about volunteers includes that which was recorded on the Volunteer Application forms. The Museum may also hold the following personal data:
- attendance record as a volunteer
- CRB, if required
- copies of any references obtained or of any references written about the volunteer
- accident records
- complaints and disciplinary matters
- records of any personal development meetings
- consent forms.
The Museum also maintains a list of email addresses and addresses of members of the public for the sole purpose of marketing events at the Museum.
13.0 Procedures
- All hard copies of personal information by the Museum must be held at its registered office and is be kept in a locked cabinet in the Museum office both of which can only be accessed by named keyholders.
- All data held on a computer must be protected by a password which is known only by specified users, agreed by the trustees.
- A record must be maintained by the Museum Coordinator of any personal information in use outside the office for essential work at home (e.g. arranging volunteer rota).
- Any changes to data stored should be made immediately by the Museum Coordinator and arrangements should be put in place to review all information annually to ensure that it is correct.
- All email communications will use ‘bcc’ to ensure data protection, unless individuals have agreed to have their email address identified.
- The accountants (Greaves Grindle) must be informed immediately of changes affecting the list of trustees.
- All trustees, staff and volunteers must be advised of these procedures and requested to comply with its obligations.
- The eight principles will apply to data which is collected when interviewing potential trustees, employees and volunteers.
- The Museum must ensure that any third parties holding databases on behalf of the Museum operate to equivalent secure standards of data management, fully compliant with all relevant legislation.
- Ensure that in every information e-mail or SMS sent on behalf of the Museum it is possible for the recipient to unsubscribe to further emails or SMS from us.
14.0 Offences, fines and liability
Any offences under the DPA could result in prosecution under section 55 of the Act by the ICO. A person must not knowingly or recklessly, without data controller’s consent:
- obtain or disclose personal data or the information contained in personal data, or
- procure the disclosure to another person of the information contained in personal data.
Museum employees and volunteers can be individually liable under section 55 and consequently they may be fined directly by the ICO. They may also face disciplinary action under the Museum’s disciplinary policy.
15.0 Policies to be read in conjunction with this policy