We collect and process personal data about our service users in order to provide a museum to the community. We are committed to being transparent about how we collect and use this data and meet our data protection obligations.
What information do we collect?
The organisation collects and processes a range of information about you. This includes:
- your name, address and contact details, including email address and telephone number
- your preferences for communication and marketing from us and our third party partners
- payment card details and transactional data including payments to and from you for products and services purchased
Events and Activities
- your child's name, date of birth, gender and attendance at our activities and events;
- your child's medical, learning, emotional and behavioural special needs
Collections/ Fashion interest groups
- information about the owner of an object given or loaned to museum and the history of the object
- institution addresses/ curator details
- name and contact details of teachers
- booking confirmations including dates, times, prices and number of pupils.
Our website cookies
your actions from page to page to track which web server to send you to improve the performance of our website and analytic tracking.
We collect this information in a variety of ways. For example, data is collected through application forms and correspondence with you about the following services;
- Events and activities
- Museum collections
- School bookings
Why do we process personal data?
We need to process data for the performance of a contract with you. For example, we need to process your data to provide you with the services referred to, or in order to take steps at your request, prior to entering into a contract for these services.
In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we have a duty to report safeguarding issues to the appropriate authority.
In other cases, we have a legitimate interest in processing personal data to provide the public with a historical record of local history. For example, we need to provide information in connection with the items on display at the museum. When considering what information should be used for this purpose, we take into account the privacy impact on those individuals. Where consent is not possible, we ensure an appropriate time period has elapsed before disclosing the information to the wider public.
Where we believe we have other services or events which may be of interest to you we would like to notify you of this. However, we will always ask for your consent and give you the opportunity to withdraw consent at any time.
Who has access to data?
Your information may be shared with the parties set out below for the purposes stated above.
- Surrey County Council (including Social Services)
- Emergency services (including Police)
- Other Runnymede Borough Council departments
- Other museums
- Online payment service (PayPal)
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes, in accordance with our instructions and data protection laws. They are also obliged to implement appropriate technical and
organisational measures to ensure the security of data.
The organisation will not transfer your data to countries outside the European Economic Area.
How do we protect data?
We take the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. Data will only be processed by members of staff authorised by us for this purpose. Access to our systems is limited to members of Chertsey Museum whose job role requires access to the personal data.
For how long do we keep data?
As our events are often annual, we may retain this information for a maximum of 2 years, after which time personal data will be deleted/destroyed unless there is a legal obligation to keep it longer. Or should you renew your consent for marketing information for a further 1-2 years.
Object entry forms will be kept indefinitely to prove provenance and ownership of objects.
School booking information will be kept for 5 years after the event or activity, however personal data will be removed after the event or activity has taken place.
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request (known as a subject access request)
- require us to change incorrect or incomplete data
- ask us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing. Where possible we will seek to comply with your request, but we may be required to hold or process information to comply with a legal requirement.
- object to the processing of your personal data in certain circumstances. We may still be required to hold or process information if there are legitimate grounds for doing so.
You can make a subject access request by following the instructions for making a subject access request.
To contact us about any of your other data protection rights, please contact the Data Protection Officer.
If you believe that Runnymede Borough Council has not complied with your data protection rights, you should initially contact our Data Protection Officer and if dissatisfied with the outcome you can make a complaint to the Information Commissioner. You can find out further information on making a complaint to the Information Commissioner on their website