During the current COVID 19 pandemic we may collect your contact details if you are visiting the Museum, in line with government guidance. This information will be stored securely and may be shared with NHS Test and Trace services if required. It will be retained for a maximum of 21 days as advised by government guidelines: https://www.gov.uk/guidance/maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace. If you have any queries about the use of your data please contact email@example.com.
The privacy and security of your personal information is extremely important to us. We are committed to treating your personal information responsibly and being open and transparent about how we do that. This notice explains how we use your personal information, and what measures we take to protect it.
We review our privacy notice regularly and we may make changes from time to time. It applies if you’re a supporter of the DNHAS (member, donor, volunteer, visitor, customer, employee) or use any of our services, visit our website, email, call or write to us.
By using the DNHAS website, any of our services, or providing us with any personal information we will assume you are agreeing to your information being used and disclosed in the ways described in this notice.
This notice has been designed to meet the requirements of the UK Data Protection Act 2018, the EU General Data Protection Regulation 2018, and Privacy of Electronic Communication Regulation 2003.
Who are ‘we’?
In this privacy notice, whenever you see the words ‘we’, ‘us’, ‘our’, ‘Society’ or ‘Museum’ it refers to The Dorset Natural History and Archaeological Society (or “DNHAS”). Our Information Commissioners Office registration number is Z980795X.
DNHAS is a Registered Charity (No. 1062400) aiming for: the advancement of education for the benefit of the public in the areas of archaeology, natural sciences, literature, the fine and decorative arts, antiquities and local history relating to the County of Dorset; and the acquisition, preservation, conservation, exhibition and development of collections relating to the areas outlined above.
DNHAS is also a Company Limited by Guarantee (No. 3362107) which carries out a range of commercial trading activities to generate income. These include operating Dorset County Museum, the sale of gifts and souvenirs in a shop and online, income from commercial partnerships including sponsorship, and other commercial activities such as catering and special events.
If you have any questions in relation to this privacy notice or how we use your personal data they should be sent to firstname.lastname@example.org or addressed to the Data Office, Dorset Natural History and Archaeological Society, Dorset County Museum, High West Street, Dorchester, Dorset, DT1 1XA.
What personal information do we collect?
We collect a variety of both personal and non-personal data in order to plan, support and execute our work. We’ll only collect the personal data that we need. Personal information we collect about you might include:
- your name, title, gender, date of birth
- postal address, email address and phone numbers
- payment details such as credit/debit card and whether you are a UK tax payer so that we can claim Gift Aid
- employment information, professional history
- details of correspondence sent to you/received by you
- current activities, interests, attitudes and opinions
- photographs, CCTV images
- family, spouse, relationships to other donors or volunteers
- any other information provided by yourself to DNHAS, that we feel is relevant to your relationship with us
3.1 Automatically collected data
If you do nothing other than read pages or download information from our website, we may gather information about this use, such as which pages are most visited and which events or activities are of most interest. This information can be used to help us improve our website and services and ensure we provide you with the best service. Wherever possible, the information we use for this purpose will be aggregated or anonymised i.e. it will not identify you as an individual visitor to our website.
3.2 Personal data created by your involvement with us
Most of the information we hold is provided directly by you through your activities and involvement with us. For example, you may give us your information in order to purchase a ticket, become a member, make a donation, sign up to an event, or volunteer for us.
3.3 Information we generate
We conduct research and analysis on the information we hold, which can in turn generate personal data. For example, by analysing your interests and involvement with our work we may be able to build a profile which helps us decide which of our communications or activities are likely to interest you. Section 4.9 gives more detail about how we use information for profiling and targeted marketing.
3.4 Information from third parties
We may buy anonymous external data (e.g. census data, Experian MOSAIC, TGI) and combine it with your personal data at an aggregated level to build profiles which help us work out what you’re most likely to want to hear from us about and how.
As part of our fundraising activity, in some instances we may receive personal data from a third party, such as a trustee recommending a personal friend that might like to learn more about our work or attend an event. See Section 4.10 for more information about fundraising and third party information.
3.5 Sensitive personal data
Sometimes we have to collect sensitive personal data (known as ‘Special Category Data’ under the UK Data Protection Act 2018) about our employees, volunteers, and to a lesser extent our supporters. This is defined as information about racial or ethnic origin, political opinions, religious or other similar beliefs, trade union membership, physical or mental health, sexual life, and criminal allegations, proceedings or convictions. At times we’ll collect sensitive personal data to help us monitor equal opportunities, and to research whether we deliver great experiences for everyone, regardless of their background or beliefs, but this is only ever analysed at an aggregate rather than individual level.
There are sometimes circumstances where it is necessary to collect sensitive personal data about event guests (such as dietary and access requirements) – these are usually where the individual has volunteered the information and it is relevant. In these circumstances we will always ask for explicit consent to record that information and make it clear what we are collecting it for and why.
Why do we collect it and How do we use it?
We’ll only use your personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation 2018, UK Data Protection Act 2018 and Privacy of Electronic Communication Regulation 2003.
Any personal data you provide to us will be used for the purpose or purposes outlined in this privacy notice, in a transparent manner, at the time of collection, in accordance with any preferences you express.
Your personal data may be collected and used to help us deliver our charitable activities, help us raise funds, or complete your order or request. Below are the main uses of your personal data.
4.1 Fulfilling your requests
- membership administration
- placing an order through our shop
- volunteer enquiries
- subscribing to our newsletter
- registering for events
- purchasing of entry tickets
- provision of information
- participation in visitor surveys
- participation in events
4.2 Processing and administration of financial transactions
Such as the processing of donations and administration of Direct Debit donations, sale transactions, or other payments and verifying the transactions
4.3 Collection management and documentation
If you loan, gift or sell an object to the museum we will keep a record of your details.
4.4 Internal record keeping
Such as the management of feedback or complaints.
4.5 Management of volunteers
If you’re a volunteer then we may collect extra information about you (e.g. references, criminal records checks, details of emergency contacts, medical conditions etc.). This information will be retained for legal or contractual reasons, to protect us (including in the event of an insurance or legal claim) and for safeguarding purposes.
We also need to use your personal data to manage your volunteering; from the moment you enquire to the time you decide to stop volunteering with us. This could include: contacting you about a role you’ve applied for or we think you might be interested in, shifts you’ve booked on to, and to recognise your contribution. Management could also include information about your volunteering experience. We may share this with funders to help them monitor how their funding is making a difference.
4.6 Children’s personal data
Children aged under 18 are included in the personal details of family memberships for DNHAS (with the explicit consent of their parents/guardians). We won’t send marketing or fundraising emails, letters or telephone calls to people under the age of 18.
When we run competitions for children we will require their personal details (name, age and the contact details of their parents/guardians). Following the end of the competition (within 4 weeks) we will delete the personal data but will retain anonymised demographic information (such as age and postcode) so that we can analyse the participants at an aggregate level, enabling us to improve and grow future competitions and activity for families. We will seek explicit consent (from the parents/guardian) to publish the winners’ names after the competition. We will also present the parents/guardians with a link to this privacy notice and a marketing permissions statement inviting them to opt-in to future electronic marketing.
4.7 Membership including newsletters and magazines
We use the personal data you provide as a DNHAS member to service your membership. This includes sending renewal information to annual members by mail and email, sending Society magazines, Newsletters and the Proceedings, and information about our Annual General Meeting.
4.8 Marketing communications
Your privacy is important to us, so we’ll always keep your details secure. But we’d like to use your details to keep in touch about things that may matter to you.
If you choose to hear from us we may send you information based on what is most relevant to you or things you’ve told us you like. We may also show you relevant content online. This might be about visiting the Museum, volunteering with us, membership, events and activities, conservation work, fundraising, or offers in our shop and tea room.
From November 2020 we will operate under a new communications policy. While we continue to follow an opt-in approach for email and text, we will use Legitimate Interest as the basis for post and phone communications with new supporters. After reviewing our previous opt-in only policy, we believe a combination of these two approaches is more appropriate and enables us to respect your rights and personal data while meeting the needs of the charity.
This means we will not seek opt-in consent to communicate with new supporters by post or phone, but each communication will include the option to opt-out of future communications of this type.
If you have previously opted in to receive DNHAS communications, we will continue to respect the preferences that you last stated. But if you get in touch with us and complete a new marketing permissions statement, we will use your latest instruction. You can change your marketing preferences at any time by emailing email@example.com.
We’ll always act upon your choice of how you want to receive communications (for example, by email, text, post or phone). However, there are some communications that we need to send. These are essential to fulfil our promises to you as a member, volunteer, donor or buyer of goods or services from the Museum. Examples are:
Transaction messaging, such as Direct Debit schedules, shop purchase confirmations and ticket booking confirmations
Membership-related mailings such as renewal reminders, DNHAS Newsletter, the Proceedings of DNHAS and notice of our Annual General Meeting
4.9 Market research and profiling
We carry out research with our members, visitors, customers, staff and volunteers to get feedback on their experience with us. We use this feedback to improve the experiences that we offer and ensure we know what is relevant and interesting to you.
If you choose to take part in research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part. For some of our research we may ask you to provide sensitive personal data (e.g. ethnicity). You don’t have to provide this data and we also provide a ‘prefer not to say’ option. We only use it at an aggregate level for reporting (e.g. equal opportunities monitoring).
We use profiling to analyse how you interact with us and to help us understand our members, visitors and supporters and make sure that:
- our communications and services are relevant, personalised and interesting to you
- our services meet the needs of our members, visitors and supporters
- we only ask for further support and help from you if it’s appropriate
- we use our resources responsibly and keep our costs down
We use specific tools to profile how you interact with us online, for example, Adobe Analytics, Google Analytics and Double Click for Advertisers. Much of the information we collect is aggregated, however we may also collect some personal data with the intention of personalising your experience, optimising our marketing campaigns, and to ensure our website is functioning as intended.
Personal data provided to us may also be profiled to help us with advertising targeting. For example, your membership data may be used to ensure we do not show you online membership advertisements. Or we may use your personal data to find online users with a similar profile to you who may be interested in our products or services.
Under strictly controlled circumstances we may use third party organisations to capture, research and analyse personal data on our behalf. Please refer to Section 6.3 for further information about how we share personal data.
4.10 Fundraising and campaigns
We may invite you to support our vital heritage, learning conservation and collections development work by making a donation, getting involved in fundraising activities or leaving a gift in your will.
We may use the information we hold about you to identify the most efficient and effective way to interact with you. This means we may use your past interactions with us to determine what activities we believe will be of interest and relevance to you.
Occasionally, we may invite some members and supporters to attend special events to find out more about the ways in which donations, gifts and legacies can make a difference to specific projects and to our cause. We’ll also send you updates on the impact that you make by supporting us in this way, unless you tell us not to.
If you make a donation, we’ll use any personal information you give us to record the nature and amount of your gift, claim gift aid where you’ve told us you’re eligible and thank you for your gift.
We may sometimes also record details from conversations and interactions we have with you, if we feel it is relevant to your relationship with us. If it potentially sensitive information, we promise to check with you first before recording it.
If you tell us you want to fundraise to support our cause, we’ll use the personal information you give us to record your plans and contact you to support your fundraising efforts.
If you’ve told us that you’re planning to, or thinking about, leaving us a gift in your will, we’ll use the information you give us to keep a record of this – including the purpose of your gift, if you let us know this.
Major donor supporters come to us through a variety of ways: some are already members or volunteers; others are introduced to our work by friends or colleagues who are passionate about DNHAS; and others may donate after attending a fundraising event or meeting with our Director or staff.
As a charity reliant on fundraised income, it is in our legitimate interests to undertake research to gather information about your professional, personal and charitable interests and your likely capacity to support us.
Where we do this we use:
Information we may hold about you on our database (such as a record of events you have attended, conversations or correspondence we have had with you in the past)
Publicly available information from reputable sources, where you might expect your information to be read by the public. This includes professional profiles (LinkedIn, corporate biographies etc.); resources such as Companies House, the Charity Commission and charity websites, media coverage and third party publications such as the Sunday Times Rich List.
This research helps us to understand more about you as an individual so we can focus conversations we have with you about fundraising and volunteering in the most effective way, and ensure that we provide you with an experience as a donor or potential donor, which is appropriate to you. It also enables us to use our limited resources as effectively as possible.
In some instances we may receive personal data from a third party, such as a trustee recommending a personal friend that might like to learn more about our work or attend an event. In these cases, and where we have a legitimate interest in doing so, we might write to you to tell you more about our work, and invite you to an event or a meeting to learn more. At this point we will give you the option to opt-out of further communications from DNHAS.
You will always have the right to opt out of this processing. If you would prefer us not to use your data in this way, please email us at firstname.lastname@example.org or call 01305 262735.
4.11 Dealing with people in vulnerable circumstances
We recognise the importance of protecting our supporters in vulnerable circumstances and follow the guidance issued by the Institute of Fundraising on treating donors fairly. We support our staff to provide high quality customer care, ensuring anyone supporting DNHAS is in a position to make a free and informed decision.
4.12 Complying with charity law and other regulations
We process personal data where it is required or authorised by law. If asked by the Police, or any other regulatory or government authority investigating suspected illegal activities, we may need to provide your personal data.
Charity Commission rules require us to be assured of the provenance of funds and any conditions attached to them. We will assess your personal information for the purposes of credit risk reduction or fraud prevention. We follow a due diligence process which involves researching the financial soundness, credibility, reputation and ethical principles of donors who’ve made, or are likely to make, a significant donation to DNHAS. We will use publicly available sources to carry out our due diligence.
4.13 Where you have given us your consent
We require your explicit consent to:
- use your image
- send you electronic communications
- hold your sensitive personal information (for example access or dietary requirements)
4.14 Retail sales and events management
We process customer data in order to fulfill event bookings, ticket sales and other retail activities. Your data will be used to communicate with you throughout the process, including to confirm we’ve received your order and payment, to confirm dispatch, to clarify where we might need more detail to fulfill an order or booking, or to resolve issues that might arise with your order or booking.
Dorset Museum has Closed Circuit Television (CCTV) and you may be recorded when you visit.
CCTV is used to provide security and protect our visitors, volunteers and staff. CCTV will only be viewed when necessary (e.g. to detect or prevent crime) and footage is stored for set period of time after which it is recorded over. DNHAS complies with the Information Commissioner’s Office CCTV Code of Practice and we put up notices so you know when CCTV is used.
Online data and e-commerce
5.2 Links to other websites
Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy notices and that we don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites. This privacy notice applies solely to the personal data collected by the DNHAS.
5.3 Online Payment Card Security
The DNHAS has an active PCI-DSS compliance programme in place. This is the international standard for safe card payment processes. As part of our compliance to this very stringent standard, we ensure that our IT systems do not directly collect or store payment card information; for example the full 16 digit number on the front of the card or the security code on the back. Our online payment solutions are carried out using a ‘payment gateway’ which is a direct connection to a payment service provided by a bank. This means that when you input card data into an online payment page, you are communicating directly with the bank and the bank passes your payment to us, this means that your payment card information is handled by the bank and not processed or held by us.
Keeping your information
We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements. When we no longer need to retain your information we will ensure it is securely disposed of, at the appropriate time, and in accordance with our Data Retention Schedule. We review our data retention schedule annually.
6.1 How we secure your data
Information system and data security is imperative to us to ensure that we are keeping our customers, members, visitors, volunteers, employees and contractors safe. We operate a robust and thorough process for assessing, managing and protecting new and existing systems which ensures that they are up to date and secure against threats.
When you trust us with your data we will always keep your information physically secure to maintain your confidentiality. By utilising encryption when your information is stored or transmitted electronically we minimise the risk of unauthorised access or disclosure.
6.2 Storage of information
DNHAS’s operations are based in the UK and we store all our data within the European Union (EU). Some organisations which provide services to us may transfer data outside the European Economic Area but we’ll only allow this if your data is adequately protected (e.g. US Privacy Shield or Standard EU contractual clauses).
We aim to ensure that all information we hold about you is accurate and, where necessary, kept up to date. If any of the information we hold about you is inaccurate and either you advise us or we become otherwise aware, we will ensure it is amended and updated as soon as possible. We cleanse data every year, your data will be checked against software to make sure that it is accurate, this data will not be passed to any third party for their use.
6.4 Disclosing and sharing information
We may share your information with carefully selected partners that are carrying out work on our behalf. Your data will only be shared when it is necessary to do so. All our trusted partners are required to comply with data protection laws and our high standards and are only allowed to process your information in strict compliance with our instructions. We will always make sure appropriate contracts and controls are in place so that we have complete control of what they see, how long they see it for and what they are allowed to do with it. We regularly monitor all our partners to ensure their compliance.
Personal data collected and processed by us may be shared with the following groups where necessary:
- DNHAS employees and volunteers
- Audience development, marketing and fundraising consultants
- IT specialists and web hosting companies
- Also, under strictly controlled conditions:
- Service Providers
- Advisors and agents
We may disclose your personal information to third parties if we are required to do so through a legal obligation (for example to the police or a government body); to enable us to enforce or apply our terms and conditions or rights under an agreement; to protect the rights, property, or safety of the DNHAS, our members, supporters and visitors; or to protect us, for example, in the case of suspected fraud or defamation.
We do not sell your personal information for other organisations to use. We do not share your information for any other purposes.
Recruitment and employment
In order to comply with our contractual, statutory, and management obligations and responsibilities, we process personal data, including sensitive personal data, from job applicants and employees.
Such data can include, but isn’t limited to, information relating to health (sick pay, maternity leave), financial (payroll, tax, bank account), professional development (recruitment, training) racial or ethnic origin, and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data, without explicit consent.
Updating your data and marketing preferences
We want you to remain in control of your personal data. If, at any time, you want to update or amend your personal data or marketing preferences please contact us in one of the following ways:
Email: email@example.com with your full name, full address and, if applicable, your DNHAS membership number
Telephone: 01305 262735. Line open 10.00am – 4.30pm Monday to Saturday (not including bank holidays)
Write to: Dorset Natural History and Archaeological Society, Dorset County Museum
High West Street, Dorchester, Dorset. DT1 1XA
Verification, updating or amendment of personal data will take place within 30 days of receipt of your request.
Your data protection rights
You have the right to:
Request a copy of the information we hold about you;
- Update or amend the information we hold about you if it is wrong;
- Change your communication preferences at any time;
- Ask us to remove your personal information from our records;
- Object to the processing of your information for marketing purposes; or
- Raise a concern or complaint about the way in which your information is being used.
9.1 Subject access request
If you wish to find out more about these rights, or obtain a copy of the information we hold about you, please contact us at:
Subject Access Request, Executive Director/CEO, Dorset Natural History and Archaeological Society, Dorset County Museum, High West Street, Dorchester
Dorset. DT1 1XA
Tel: 01305 262735
You will be asked to provide the following details:
The personal information you want to access;
Where it is likely to be held;
The date range of the information you wish to access
We will also need you to provide information that will help us confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it. Once we have all the information necessary to respond to your request we’ll provide your information to you within one month. This timeframe may be extended by up to two months if your request is particularly complex.
In the first instance, please talk to us directly using the contact information above so we can try to resolve any problem or query. You also have the right to contact the Information Commissions Office (ICO) if you have any questions about Data Protection. You can contact them using their help line 0303 123 113 or at www.ico.org.uk.
Changes to this policy
We’ll amend this privacy notice from time to time to ensure it remains up to date and reflects how and why we use your personal data and new legal requirements. Please visit our website to keep up to date with any changes. The current version will always be posted on our website.