Who are we?
National Museums Liverpool (NML) is a diverse group of museums and galleries consisting of World Museum, Walker Art Gallery, Lady Lever Art Gallery, Sudley House, Merseyside Maritime Museum, Border Force National Museum, International Slavery Museum and the Museum of Liverpool.
We wholly own a subsidiary trading company, NML Trading Limited, which provides a range of catering, retail, conferencing and general commercial services.
This policy sets out our obligations to protect, store and manage your data correctly under UK and EU data protection law and covers both National Museums Liverpool and its wholly-owned trading company, NML TradingLtd.
The Department of Digital, Culture, Media and Sport (DCMS) regulate us. Museums and galleries regulated by DCMS are exempt charities under Schedule 3 of the Charities Act 2011.
Our registered office is World Museum, William Brown Street, Liverpool, L3 8EN
Your personal data
When we talk about “personal data”, we mean information that identifies a living person, or which can be identified as relating to a living person. When we talk about “you” or “your” in this notice, we mean any living person whose personal data we collect. When we talk about “Members” and “Membership”, we are referring to current members of National Museums Liverpool.
Under the General Data Protection Regulation (GDPR), you have the right to:
- Obtain access to, and copies of, the personal data that we hold about you;
- Require us to correct any inaccurate personal data we hold about you;
- Require us to restrict our processing of your personal data;
- Object to us processing your personal data;
- Object to receiving marketing communications from us;
- Withdraw your consent to processing of your personal data (see Section 8);
- Require us to erase your personal data ('right to be forgotten'); and
- Obtain from us the personal data that you have provided, in order to transmit it to another organisation ('data portability').
Please note that the above rights are not absolute, and we may be entitled to refuse requests where exceptions apply. How we deal with some of your rights are set out elsewhere in this privacy notice. You also have the right to refer your concerns or queries to the supervisory authority, the Information Commissioner’s Office.
As a Data Controller, we are accountable for compliance with the data protection principles under EU and UK Data Protection laws, in respect of lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
How to get access to your data
To request a copy of your data held by National Museums Liverpool simply email our Data Protection Officer on email@example.com, or by writing to the Data Protection Officer, World Museum, William Brown Street, Liverpool, L3 8EN
Email firstname.lastname@example.org to check or update your preferences or call 0151 478 4734.
Databases and storage of your data
We use a number of databases to store data for different purposes, for example fundraising, commercial operations, ticketing and financial operations. Trained employees access these databases across the organisation in a secure environment.
National Museums Liverpool is a data controller registered with the Information Commissioner’s Office (ICO). We have a legal duty to protect any information we collect from you and to prevent any unauthorised access to or use of that information. We do not pass your details to any third party unless you give us permission to do so. We use only trusted third party solutions to deliver different aspects of your relationship with us, for example the delivery of e-newsletters. We follow current UK and EU data protection law.
Your relationship with us and your data are extremely important to us and we take all necessary steps to protect your data. We will never sell your personal data.
Lawful purposes for processing data
We follow the principles of fair and legal processing described in the General Data Protection Regulation. We will only process personal data under one of the available lawful conditions (legal bases) - for example, if:
a) You have consented to the use of your personal data for the specific purpose in question, such as for a particular type of marketing, relationship management or fundraising;
b) We need to process your personal data in order to deliver a contracted service, such as when you buy a ticket for an event or we pay a supplier;
c) We are entitled or required by law to process personal data in a certain way, such as for tax or employee pension administration;
d) We need to protect the vital interests of any person, such as if we provide a service tailored to specific health conditions;
e) we are required to process personal data in performance of a task carried out in the public interest or in the exercise of our official authority - our public task, such as in the management of the collections, or using CCTV to protect the Museum and its visitors; or
f) The processing of personal data is within our legitimate interests, where we carry out activities that would not be considered to fall into the definition at (e) above, but are enabling the Museum to meet its objectives as laid out in legislation.
This may include:
- marketing, publicity and fundraising mailshots that do not require consent (e.g. postal or phone contact from Development and Communications staff or business to business communications);
- prospect research prior to first contact;
- due diligence research on potential donors;
- visitor and customer analytics;
- exercising or defending legal claims; or
HM Government has defined our public task as to:
- care for, preserve and add to our collections;
- exhibit these to the public;
- make the collections available for study and research; and
- Promote the public enjoyment and understanding of art, history and science.
Public task activities are exempt from data protection law
Prospect – when an individual is a subject of prospect research
We will always notify an individual if we have identified them as a prospect for fundraising outside of their position at a grant or donation giving body and only if they provide explicit consent to an ongoing relationship with National Museums Liverpool will a record will be added to our database.
Data on prospects we would expect to process:
- Name for the purposes of creating a record on the database;
- Address - if supplied by the individual or if it is a work address in the public domain, for the purposes of contacting the individual about appeals, campaigns and projects the individual may be interested in if this is agreed to; and
- Email address - if supplied by the individual or if it is a work email address in the public domain, for the purposes of contacting the individual about appeals, campaigns and projects the individual may be interested in.
Occasionally we conduct research on individuals who would reasonably expect that we will have an interest in them, for example those who have a well-known interest in certain causes or subject matters that relate to our fundraising activities or who are publicly known to be philanthropists of the arts. We will only use information that has been made publicly available by the individuals themselves.
Developing a good understanding of potential supporters through data about them allows us to fundraise more efficiently towards our objectives and allows us to tailor our approaches to people that are more likely to be receptive to our goals.
We hold prospect information securely and allow only Development Office employees to access proposal and prospect research data. If a prospect no longer consents to us storing their information, their database record will have all personal information suppressed so that they will not be contacted in the future.
If you are a member, sponsor or patron, we will send you a postal copy of our guide newsletter and as a member, if you have opted in to receive emails from us, an email newsletter. You can opt out of receiving these at any time without this affecting your other membership/sponsorship/patronage benefits.
Gift of membership
When a gift of membership is given to an individual or family, the name and address and gift details are recorded on our systems to ensure smooth delivery of membership benefits. The gift buyer can ask us to anonymise this information at any time and this will not affect the delivery of membership benefits.
Children’s records are only created for the purposes of delivering the benefits of family membership, under the express permission of the parent or guardian and will not be used for any purpose other than the delivery of the membership benefits, for example to produce and administer a membership card. Children will not be contacted separately by us; the communications for their membership benefits is always through the parent or guardian. When a membership is renewed, consent for a child’s membership record to remain is re-sought.
When you give us your data we:
- Keep a record of when and how we got consent from you;
- Keep a record of exactly what you were told at the time of giving us your data;
- Regularly review consents to check that the relationship, the processing and the purposes have not changed;
- Have processes in place to refresh consent at appropriate intervals, including any parental consents;
- Consider using privacy dashboards or other preference-management tools as a matter of good practice;
- Make it easy for you to withdraw your consent at any time, and publicise how to do so;
- Act on withdrawals of consent as soon as we can; and
- Do not penalise individuals who wish to withdraw consent.
If we intend to use your personal information for certain types of marketing or other purposes where your consent is required (namely, because the use of your data is not covered by other legal bases explained in this notice), we will seek your specific consent to use your information for these purposes. Whenever we seek your consent, we will explain how we intend to use your data. Consent will require a positive affirmation from you, generally in the form of an opt-in such as ticking a box to signal your agreement.
Subscribing to marketing communications is optional - you do not need to subscribe to marketing from us when you buy products, book tickets, donate or use any other of our services.
After you subscribe to our services or give consent to receiving news and information from us, you can cancel your subscription, withdraw your consent to being contacted for these purposes, or change your preferred method of contact at any time. For example, you can stop e-mail newsletters by clicking the 'Unsubscribe' link in the emails you receive. If you do withdraw your consent for or object to marketing, we will need to keep a record so that we can suppress future marketing activity to those contact details.
You can also register with the Telephone, Mail and Fundraising Preference Services if you do not wish to receive marketing communications from us.
Specific consent given for communications remains the same until the individual contacts us to change their options or unsubscribe from our communications, or until consent will need to be renewed for it to be lawful under UK and EU data protection law. 30 days after a removal request no mailings will be received again from us.
Our websites and apps
Please note that this privacy statement applies to all of our websites and apps.
If you follow a link to a third party website, you should review the data protection statement on that site.
Enquiries and comments about our websites and apps
You can send us your enquiries and comments directly through our website. You can also contact us by post (see address at the end of this document). If you use a contact form on the website, you do not need to give any personal information, e.g. your email address or name, unless you want us to respond to your enquiry, in which case you should provide us with your email address as a minimum. When dealing with your enquiry we do not pass any personal information outside our organisation, nor do we use that information for any other purpose without first seeking your permission. If you require a response from us, we will need to record your personal contact details to be able to reply to you and to track the progress of your request.
Our websites and apps use Google Analytics, a digital analytics service. This helps us to analyse how our visitors use our websites and apps so that we can improve them for future visitors.
Google Analytics mainly uses first-party cookies to report on user interactions on Google Analytics customers’ websites. These cookies are used to store non-personally identifiable information.
We also use some Google Analytics Advertising Features for products like Google AdWords to display National Museums Liverpool marketing material.
Log files allow us to record and analyse our visitors' use of our websites and so improve it for our users. Log files do not contain any personal information about you or information about which other sites you have visited. Your IP address is recorded but not used to identify individuals, or used for any other purpose than for the analysis of log files to monitor website usage.
Retention of data
We ensure that personal data is not stored for longer than necessary to:
- Achieve the purpose the data was collected for;
- Provide you with the goods, services or information that you have requested;
- Administer your relationship with us;
- Comply with the law; or
- Ensure that we do not communicate with individuals who have requested no further communication.
We destroy non-relevant information at regular intervals and all personal information is stored securely.
You have the right to the erasure of all data about you that we hold. When we receive a request for the erasure of data, we will comply with this request within 14 working days. As a Data Controller, we maintain a suppression list containing details of individuals who have asked not to receive direct marketing materials, in order to ensure the individual’s wishes are respected, no future communications are sent out and that a record of past communication exists.
National Museums Liverpool has a dedicated Database Team, responsible for ensuring all data entry is accurate and that the fundraising database is secure and confidential. UK and EU data protection law requires that all data held on individuals is as accurate and as up-to-date as possible.
The Database Team regularly complete data cleansing exercises to check our contacts against death, change of address and ‘requests no mailings’ registers. Any inactive, invalid addresses or deceased records are marked accordingly and in turn excluded from any processing unless they have donated to National Museums Liverpool, in which case we may process their details for historical financial reporting. Donors updated under data cleansing processes will remain as inactive records on the database as a safeguard so we do not add the same people to the database again and so there is a record of why people are excluded from mailings and not contacted again about a project they have previously expressed interest in or donated to. The Database Team use a reputable third party organisation for our data cleansing projects and always carry out due diligence as to the suitability of the third party with respects to adherence to data protection law. We also make sure we have a data processor and controller agreement in place before work begins, in accordance with UK and EU data protection law.
We only store data that is necessary for the purposes for which it was acquired and make sure data stored is adequate and relevant for the purposes of processing.
We sometimes engage the services of trusted external partners, for example for data cleansing and delivery of e-newsletters. When we engage the services of these organisations, we make sure we have a data processor/controller agreement in place to ensure strict data protection procedures are being adhered to.
When partner organisations offer contact information of people who are to be invited to an event, we do not add them to our mailing lists or database apart from as a participant of the specific event. We do not count these people as having a relationship with us unless they respond to this invitation, giving consent for specific future contact options. At this point, we would add them to the database because they have requested this.
Links to other sites
Our website may contain links to other external websites. We are not responsible for the content or functionality of any such website.
If a third party website requests personal data from you (e.g. in connection with goods or services), the information you provide will not be covered by our privacy rules. We suggest you read the privacy notice of any other website before providing any personal information.
Government processing of personal data
As a non-departmental public body under the governance of the Department of Digital, Culture, Media and Sport, in exceptional circumstances it may be necessary for us to share personal information with the UK Government if this is necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
Our premises are protected by CCTV so you may be recorded when you visit us. CCTV images are being monitored and may be recorded for the purpose of public safety, crime prevention, detection and prosecution of offenders.
The system is managed in accordance with our standard operating procedures and with good practice guidance issued by issued by ICO. CCTV images are only accessed by authorised security staff and are stored for up to 30 days then deleted, unless flagged for review.
Security and filing issues
We have security measures in place to protect against the loss, misuse and alteration of personal data held by us. All systems and databases are UK and EU data protection law compliant.
Databases are password protected where possible and passwords are changed on a regular basis and have strict structure criteria. Email updates for databases are taken care of in a timely manner and filed in an archive folder for future reference until such time this filing is in violation of data retention timescales, at which point the data is deleted.
If paper records that are to be destroyed contain personal data, they are shredded and never thrown away. Paper forms used for sign up to e-newsletters in one of our venues are kept securely in central locations until such time they can be destroyed because the data retention period has ended.
All personal data is stored in a secure environment.
Online data collection and the Privacy and Electronic Communications Regulations (PECR)
We aim to ensure that people joining the e-newsletter mailing lists are aged 18 or over, but all our publications, events and exhibitions are designed to be enjoyed by a family audience.
In accordance with The Privacy and Electronic Communications (EC Directive) Regulations 2003, we collect explicit consent from someone to use their email address for specific purposes. This means we have received explicit consent from the individual for specific purposes. If an individual unsubscribes from an e-newsletter we take action to comply with the request within a reasonable amount of time and update the database to reflect the individual’s new preferences.
If you want to make a comment or complaint to us about any aspect of our activities relating to your personal data, please contact us:
- Click here for the data enquiry form on our website
- By post:
Data Protection Officer
William Brown Street
The registered Data Protection Officer for National Museums Liverpool is the Director of Finance, Risk & Governance.
Changes to this privacy notice
If we change our approach to the use of personal data, we will amend this notice to ensure it remains as up-to-date as possible and publish the updated version on our website.
We last revised this notice in January 2020.