South Western Federation of Museums and Art Galleries

Privacy Policy

This page provides our Privacy Notice.


Privacy Notice

Last Update: 10 December 2018

Purpose of this privacy notice (“notice”)

The South West Federation of Museums and Art Galleries (“South West Fed”) takes data protection seriously. We have put together this notice to explain to you how, why and on what basis we use your data, together with the protections we provide and the rights you have in that regard.

This notice is addressed to our members, officers, trustees and staff.

Terms used

Certain terms used in this notice have specific meanings, as follows:

“Data Protection Law” means the European Union General Data Protection Regulation 2016/679, the UK Data Protection Act 2018 and any other privacy or data protection laws (including any statutes, regulations, by-laws, ordinances, mandatory codes of conduct or rules of common law or equity) applying at any time.

“Personal Data” means any personal data (as that term is defined in the GDPR) provided to or accessed or obtained by us under or in connection with this notice. In essence, this means any information relating to any identified or identifiable natural person (known under Data Protection Law as a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

“staff” means all volunteers, employees and contractors of the South West Fed.

“we”, “us” or “our” are references to the South West Fed.

“you” and “your” are references to our members, officers, trustees and staff.

Our status

The South West Fed is a data controller for the purpose of Data Protection Law. This means that we alone determine the purposes and means of processing the Personal Data that we hold.

We have assessed our status and determined that we are not required to register ourselves as a data controller with the Information Commissioner’s Office (the UK regulator, “ICO”) or pay a data protection fee to the ICO, because we collect and use Personal Data only for not-for-profit purposes, a permitted exemption under Data Protection Law.





Types of Personal Data we collect

We collect the following types of Personal Data:

Name

Email addresses

Residential addresses

Telephone numbers (staff only)

Dietary or access requirements (which may constitute Sensitive Data – see below)

IP addresses (if you have made contact with us via our website)

Cookie information (if you have made contact with us via our website)

Employment/role details and related candidate background and experience (staff only)

For more information on how and why we use Cookies, please see our Cookie Policy.

Sensitive Data: We may request certain sensitive Personal Data (known under Data Protection Law as ‘special category personal data’) from you, where it is appropriate and necessary for the purpose for which it is obtained. For example, we may ask you to confirm any dietary or medical/access requirements in connection with the administration of our events (see the section headed ‘Purposes for which we use Personal Data’ below).

We will only use this Sensitive Data where we have your explicit consent to do so.

Personal Data we collect directly from you

Principally, we collect Personal Data in electronic and paper format by telephone (staff only), email, in person, through our website (via electronic forms) and from any emails you send to us. Where we use electronic forms, these make clear where any information is mandatory for the form’s related purpose.

Personal Data we collect indirectly from third parties/sources

On occasion, we may receive Personal Data from third parties, which might include outside organisations or individuals, or via publicly available sources such as social media and Companies House.

Where we receive Personal Data from third parties/sources, we will always provide a copy of this notice at the time we first communicate with the individual(s) concerned (if applicable) and in any event within one month of having received the Personal Data. In providing a copy of this notice, we will also specify the source from which we obtained the relevant Personal Data and confirm whether the source is publicly accessible.


Purposes for which we use Personal Data

We use Personal Data to provide a range of services to our members and in the administration and management of the South West Fed as a charitable company.

The purposes for which we use (process) Personal Data and the grounds (lawful bases) upon which we process it in each case are as follows:

Purpose Lawful basis/bases
Complying with our statutory and legal obligations as a charitable company Compliance with legal obligation
Company and charity administration, including administering associated officer, trustee and staff roles Legitimate interest

Compliance with legal obligation
Processing applications and/or contracts (as applicable) for voluntary, trustee or staff roles within the South West Fed Consent

Compliance with legal obligation

Performance of contract
Management and maintenance of our records, including archive records Legitimate interest

Compliance with legal obligation
Management and maintenance of our assets Legitimate interest

Compliance with legal obligation
Administering the assessment and collection of revenue, including grants Consent

Legitimate interest

Compliance with legal obligation
Membership administration and services Performance of contract
Marketing our services/events/training, the South West heritage sector and/or South West Fed membership benefits to our members by way of electronic newsletter as a membership benefit (see the section headed ‘E-bulletin using MailChimp’ below)
Performance of contract
Marketing our services/events/training, the South West heritage sector and/or South West Fed membership benefits by way of electronic newsletter to non-members (see the section headed ‘E-bulletin using MailChimp’ below)
Consent
Marketing our services/events/training, the South West heritage sector and/or South West Fed membership benefits in any other medium (e.g. direct email to requesting individuals or via our website) Consent
Conducting relevant regional surveys Consent
Administering event bookings, including South West Fed conferences and fora (see the sections headed ‘Event bookings ’ and ‘Event administration’ below)
Consent

Explicit consent (Sensitive Data)
Undertaking research Legitimate interest


Consent: If you have given us your consent to process your Personal Data, you can of course withdraw that consent at any time, by emailing or writing to us using the details in section headed ‘Contact us’ below. Where you have subscribed to our electronic newsletters (“e-bulletins”), we will always include an option for you to unsubscribe from receiving these at any time. See the section headed ‘Your rights’ below for further detail.

Legitimate interest: where we use (process) your Personal Data on the basis of legitimate interest, we do so in order to carry out our legitimate charitable operations and objectives for the benefit of our all our members, officers, trustees and staff (as applicable), providing always that our legitimate interests are not overridden by your data protection interests or fundamental rights and freedoms.

How we hold your Personal Data

We hold your Personal Data strictly in accordance with our Document Retention Schedule. That document sets out, among other things, the periods of time for which we hold certain records that may contain your Personal Data and is available on request.

How we protect your Personal Data

The South West Fed is committed to keeping your Personal Data confidential and secure. We have appropriate technical and organisational measures in place to prevent accidental or unlawful destruction, loss, alternation, unauthorised disclosure of or access to the Personal Data that we hold. We use the following security measures to protect your Personal Data:

1. Encryption on our website with SSL technology
2. Access controls on systems and to information comprising Personal Data
3. Security awareness at induction for all officers, trustees and staff (we treat it is a disciplinary matter if Personal Data is misused or not looked after properly)

Notwithstanding all of the above, absolute security of your Personal Data cannot be guaranteed. Should you have any concerns about a particular method of data transmission or security measure, please contact us using the details set out in the section headed ‘Contact us’ below and we will take all reasonable steps to address your concerns.

Sharing of Personal Data

We use and share Personal Data with: (1) MailChimp in connection with our e-bulletins; and (2) certain online booking management providers in connection with event bookings, in each case as set out below:

1. E-bulletin via MailChimp: We use and share Personal Data with MailChimp as our marketing automation platform in order to provide our e-bulletins. By ‘clicking’ at the appropriate places on our website to confirm you would like to receive our e-bulletins, you will be consenting to the Personal Data you provide for that purpose being transferred to MailChimp for processing accordingly. MailChimp acts as our data processor* in this regard, processing the Personal Data we transfer to it on our behalf and strictly in accordance with our instructions (*save in limited circumstances where MailChimp may need to process Personal Data for its own legitimate business purposes, in which case it will be a controller). This means that, when you provide Personal Data in order to receive our marketing, this notice governs the use of your Personal Data in that context. See the section headed ‘International transfers’ below for more information about the steps we take to protect your Personal Data in this regard.

2. Event bookings: We use and share Personal Data with certain online booking management providers in order to manage the bookings for our events. Unless otherwise specified, in such circumstances, we will be the data controller and the relevant booking management provider will be our data processer (processing Personal Data on our behalf and strictly in accordance with our instructions). This means that when you provide Personal Data as part of the event booking process, this notice governs the use of your Personal Data in that context. (Please note that by using such online booking management providers, you separately agree to the relevant provider’s terms of service, available on their website or as otherwise specified.)

Event administration: We may also need to share certain information associated with your Personal Data with event organisers and hosts. Any such information will be limited, such as dietary and access requirements, and will not specifically identify you as an individual.

We will not share your Personal Data with any other individual or organisation.

International transfers

Our relationship with MailChimp (explained above) means your Personal Data may be transferred overseas, in this case to the USA, where MailChimp are head-quartered.

We adopt the following safeguards when transferring Personal Data overseas:

• we will always make such transfers in accordance with Data Protection Law; and
• we will always require any overseas third party to which we transfer your Personal Data (including MailChimp) to, among other things: (a) only use the Personal Data for the purposes for which it was disclosed; (b) use all technical and organisational measures that are reasonable in the circumstances to secure the Personal Data; (c) delete Personal Data when it is no longer required; and (d) treat Personal Data in accordance with this notice and their local data privacy law.

For information, a copy of MailChimp’s privacy policy is available here: https://mailchimp.com/legal/privacy/

We do not transfer Personal Data overseas in any other circumstance.

Your rights

You have various rights under Data Protection Law. If you would like to exercise any of these, please write to us using the details provided in the section headed ‘Contact us’ below.

Where you exercise any of these rights, we will provide you with the requested information and/or take the relevant action without undue delay and in any event within one month of our notice of your exercise of your right(s). In accordance with Data Protection Law, this period may be extended by two further months in some cases, where necessary, taking into account the complexity and number of any requests you make. We will inform you of any such extension within one month of receipt of your initial request(s), together with the reasons for any anticipated delay. Where you make a request in electronic form (e.g. by email), we will respond and provide any requested information in electronic form where possible, unless otherwise requested by you.

Your right to access your Personal Data: You have the right to obtain access to and a copy of any Personal Data we hold about you. You also have the right to find out whether your Personal Data has been transferred outside the EU and any safeguards relating to this transfer (though please see the section headed ‘International Transfers’ above in the first instance).

Your right to have your Personal Data rectified: You have the right to request that we update any Personal Data you think is inaccurate or incomplete.

Your right to object to us using your Personal Data: You have the right to request that we stop using your Personal Data in certain circumstances. Please note that where you exercise this right, this may cause delays or prevent us from delivering a particular service/membership benefit to you. If this is the case, you will be informed of the consequences.

Your right to restrict our use of your Personal Data: In certain circumstances, you have the right to ask us not to use your Personal Data for certain purposes.

Your right to have your Personal Data erased: You have the right to request that we destroy all of the Personal Data that we hold about you in certain circumstances, providing we do not have any lawful reason for needing to retain it (in which case, we will explain this to you).

Your right to Personal Data portability: In certain circumstances, you have the right to request a copy of your Personal Data in a structured, commonly used and machine-readable format and to ask that we transfer the Personal Data you gave us from one organisation to another, or give it to you.

Your right to refuse automated individual decision-making and profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling. The South West Fed does not conduct any automated decision-making or profiling.

Your right to withdraw consent: as set out above, if you have given us your consent to process your Personal Data, you can withdraw that consent at any time, by emailing or writing to us using the details in the section headed ‘Contact us’ below.

As explained above, we will always include an option for you to unsubscribe from receiving our e-bulletins at any time.

Your right to complain to the ‘supervisory authority’: you have the right to complain to the ICO (as the UK’s supervisory authority) at any time. Details are available via the ICO website: www.ico.org.uk

Contact Us

You are welcome to ask us any questions or raise any concerns you have about how we deal with your Personal Data by contacting our Company Secretary, in the first instance, by email at privacy@swfed.org.uk or via our registered address: FAO: Company Secretary, The South Western Federation of Museums and Art Galleries, 5 Moccasin Way, Street BA16 0GS. We may ask you to verify your identity in order to help us respond efficiently to your request.

Changes to this notice

This notice was last updated on the date set out at its beginning.

We keep this notice under regular review and will inform you of and place any updates to this notice on our related webpage(s).