If you have any questions in relation to this policy or how we use your personal information, please contact the Data Controller for the Royal Institution of Cornwall – please see section 10 of this policy for contact details.
- Your personal data: the legal basis and what we collect
We will need to collect personal data in some cases to carry out a service with you; in other cases, we will tell you if providing personal data is optional.
We will ask for your consent to collect your personal information for the following:
- to send you fundraising mailings
- to carry out fundraising research on you
- to send you museum newsletters and information about events
- to include you in photography or filming taking place in the Museum
- to register object donations
- to register you as an attendee at events and the museum club
We will collect your personal information to perform a contract with you for the following services:
- to process supporter and member payments
- to process contract and supplier payments
- to book you onto events
- to legally acquire objects that you donate to us
- any other collection enquiries and research
- making online bookings and enquiries
We will collect your personal information to comply with a legal obligation, such as:
- ownership and provenance of objects within the collection
- the disposal and loan of collections
- meeting requests made under data protection law or Freedom of Information
Personal information we collect and use and which identifies you, or which can be identified as relating to you personally, may include:
- your name, title, gender and date of birth
- postal and email addresses
- phone numbers
- family and spouse/partner details
- relationships to other donors and/or Trustees
- current interest and activities
- Direct Debit bank details
- Gift Aid status
- online or in-store retail or café purchases
- employment information and professional activities
- details about your volunteering activities
- your opinions and attitudes about the RIC, activities and interests, and your experiences of our services.
We may automatically collect the following information:
Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and if you access our website via your mobile device we will collect your unique phone identifier
Information about your visit, including, but not limited to the full Uniform Resource Locators (URL) and query string, clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as but not limited to, scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number
When we ask you to provide your personal information we will let you know why we are asking, and how we will use your data, and direct you towards this notice for more information. We will only collect the information we need.
We may collect and store personal information about you when you interact with us such as by registering as a member or friend, signing up to our e-newsletter, making a donation, volunteering, carrying out research, attending an event, through employment, ordering an image, joining the museum club, through social media on our website, or by corresponding with us (by phone, email, or post). If you join our museum club and you are the parent of one of our club members, your details will be recorded and your association with that relationship will also be recorded.
Information regarding donations to the Museum:
We collect information about you when you make a gift to the Museum’s collections, or indicate a future bequest. This information is used to verify the provenance and copyright of the item and to provide an audit of ownership. This information will not normally be made publicly available; consent will be sought from the donor if an occasion arises in which the donor’s name is required to be linked to an item on display.
We also collect information about you relating to any financial support you give the Museum, and this may be shared for processing purposes, eg, with HMRC or your bank.
- How will we use the information about you?
We collect information about you in order to fulfil our public task and provide you with the service you have requested. Personal data provided to us will be used for the purpose or purposes outlined in any fair processing notice in a transparent manner at the time of collection or registration where appropriate, in accordance with any preferences you express. If asked by the police, or any other regulatory or government authority investigating suspected illegal activities, we may need to provide your personal data.
Your personal data may be collected and used to help us deliver our charitable activities, help us raise funds, or complete your order or request. Below are the main uses of your data which depend on the nature of our relationship with you and how you interact with our various services, websites and activities.
Marketing and communication
If you consent, we well send you information about activities and services of the Royal Institution of Cornwall that may be of interest to you, by post, telephone or email. If you have consented to receive marketing and later change your mind, you may opt out at a later date by emailing firstname.lastname@example.org or using the contact details below.
Marketing communications may include:
- Details of other products, services or events related to the Museum, such as exhibitions, events, retail or offers
- News and updates about the Museum such as our marketing, learning or supporter e-newsletters
- Details of fundraising operations, including requests to consider giving financial support to Museum projects
- Surveys for market research purposes
- Responses to complaints, legal claims or other issues
However, if you tell us you don’t want to receive marketing communications, then you may not hear about events or other work we do that may be of interest to you.
Membership and other essential communication
We’ll always act upon your choice of how you want to receive communications (for example, by email, post or phone). However, there are some communications that we need to send. These are essential to fulfil our promises to you as a member, as a volunteer, or as a donor. For example we need to send you membership-related mailings such as renewal reminders, newsletters, notice of our Annual General Meeting etc.
We also scan membership cards to check entitlement to free entry, to understand when our members visit and to help us send you more relevant communications. We may contact you for feedback on your visit.
Fundraising, donations and legacy pledges
Where we have your permission, we may invite you to support our work in the museum by making a donation, buying a raffle ticket, getting involved in fundraising activities, or leaving a gift in your will. We may invite supporters to attend special events to find out more about the ways in which donations and gifts in wills can make a difference to specific projects and to our cause. Unless you tel us not to, we’ll also send you updates on the impact that you make by supporting us in this way.
If you make a donation, we’ll use any personal information you give us to record the nature and amount of your gift, claim gift aid where you’ve told us you’re eligible, and thank you for your gift. If you interact or have a conversation with us, we’ll note anything relevant and store this securely on our systems.
If you tell us you want to fundraise to support our cause, we’ll use the personal information you give us to record your plans and contact you to support your fundraising efforts.
If you’ve told us that you’re planning to, or thinking about, leaving us a gift in your will, we’ll use the information you give us to keep a record of this – including the purpose of your gift, if you let us know this.
If we have a conversation or interaction with you (or with someone who contacts us in relation to your will, for example your solicitor), we’ll note these interactions throughout your relationship with us, as this helps to ensure your gift is directed as you wanted.
Charity Commission rules require us to be assured of the provenance of funds and any conditions attached to them. We follow a due diligence process which involves researching the financial soundness, credibility, reputation and ethical principles of donors who’ve made, or are likely to make, a significant donation to the RIC.
To help us understand our visitors and donors we may combine information that you volunteer to us with information from publicly available and professional resources to build a profile which will enable us to ensure that our communications are relevant to you, and to give us insight into your interest or capacity to support the Museum and in getting involved in our activities.
If you choose to take part in research, we’ll tell you when you start, what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part. For some of our research we may ask you to provide sensitive personal data (e.g. ethnicity). You don’t have to provide this data and we also provide a ‘prefer not to say’ option. We only use it at an aggregate level for reporting (e.g. equal opportunities monitoring).
Fundraising research is vital to our development activities to ensure that not only does the Museum continue to thrive for generations to come, but also to ensure that any fundraising requests are appropriate and justified. If this applies to you, we’ll remind you about the process when you make your donation.
You can choose to opt-out of being the subject of research, data cleansing or analysis simply by contacting us by email at email@example.com or using the contact details below to contact us by post or telephone.
Management of volunteers
We need to use your personal data to manage your volunteering, from the moment you enquire to the time you decide to stop volunteering with us. This could include contacting you about a role you’ve applied for or we think you might be interested in, expense claims you’ve made, shifts you’ve booked and to recognise your contribution. We may also ask you about your volunteering and your opinions on your volunteering experience.
We may also share this with third parties such as funders to help them monitor how their funding is making a difference to our work.
Recruitment and employment
In order to comply with our contractual, statutory, and management obligations and responsibilities, we process personal data, including ‘sensitive’ personal data, from job applicants and employees.
Such data can include, but isn’t limited to, information relating to health, racial or ethnic origin, and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data, without explicit consent. Further information on what data is collected and why it’s processed is given below.
Contractual responsibilities: Our contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay; leave, maternity pay, pension and emergency contacts.
Statutory responsibilities: Our statutory responsibilities are those imposed through law on the organisation as an employer. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring.
Management responsibilities: Our management responsibilities are those necessary for the organisational functioning of the organisation. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters, e-mail address and telephone number.
Sensitive personal data
GDPR defines special categories of personal data as information about racial or ethnic origin, political opinions, religious beliefs or other similar beliefs, trade union membership, physical or mental health or conditions, sexual life or orientation, genetic data, biometric data, criminal allegations, proceedings or convictions, and other categories that may be designated as ‘special categories of personal data’ under the legislation.
In certain limited circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee:
(a) We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consent.
(b) We will process data about, but not limited to, an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding our equal opportunities policies and related provisions.
(c) Data about an employee’s criminal convictions will be held as necessary.
- Who might we share your information with?
We will not sell your details to any third parties, nor disclose personal data to any third parties or external organisations, other than trusted data processors and service providers carrying out work on our behalf. For example in order to carry out our statutory and contractual responsibilities such as employment contracts, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs.
Other examples of data processors would be mailing houses, bulk email distribution services, or data cleaning organisations. We do comprehensive checks on any companies working on our behalf before we work with them and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they collect or have access to in line with the 1998 Data Protection Act and the incoming General Data Protection Regulations.
We will apply for your explicit and informed consent in the event that we require to share your data in any other way that is not covered in this policy.
- How we keep your information secure
The RIC has implemented security procedures and rules to protect the personal data under our control from unauthorised access, improper use or disclosure, or unauthorised modification. All employees and data processors are obliged to respect the confidentiality of the personal data of our staff, visitors, and supporters.
Your information will be retained within the Museum’s secure systems for as long as you continue to engage with the Museum’s services and events. We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements.
- Access to your information, its retention, and updating your data and marketing preferences
You have the right to request a copy of the information that we hold about you: this is called a Subject Access Request. If you would like a copy of some or all of your information or to amend your personal data or marketing preferences, please contact us in the following ways:
Post: c/o Data Controller, Royal Cornwall Museum, 25, River Street, Truro. TR1 2SJ
Call us: 01872 272205. Open 9.00am – 5.00pm weekdays, weekends & bank holidays
We fully comply with the terms of the Data Protection Act (1998) and the incoming General Data Protection Regulations (2018), and will respond to any requests to remove, change or provide any personal details you have given us under the terms of the Act and Regulations, including the right to be forgotten. Verification, updating or amendment of personal data will take place within 30 days of receipt of your request.
You will be asked to provide the following information in your request:
- The personal information you want to access
- Where it is likely to be held
- The date range of the information you wish to access
We will also need you to provide information that will help us confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it. Once we have all the information necessary to respond to your request we’ll provide your information to you within 30 days.
What to do if you’re not happy
In the first instance, please talk to us directly so we can resolve any problem or query. You also have the right to contact the Information Commissions Office (ICO) if you have any questions about Data Protection. You can contact them using their help line 0303 123 113 or at www.ico.org.uk.
- Cookies and links to third party websites
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website.
- Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- CCTV and filming/photography by the Museum
CCTV is used extensively throughout the Museum to monitor the activities of individuals. The Museum abides by the CCTV Code of Practice in the management of information recorded and retained by surveillance equipment.
Filming and photography may take place within the Museum during special events and other occasions, and visitors will be notified of this through the use of posters and verbal instructions.
Visitors will be asked to sign a consent form if they are to feature prominently in any recording made, and these consent forms will be retained according to the Museum’s retention schedule in a secure environment.
- Other websites
- Data controllers and how to contact us
The designated Data Controller for the Royal Institution of Cornwall is the Museum Director. You have a right at any time to stop us from contacting you for marketing or any other purpose.
c/o the Royal Cornwall Museum
25, River Street,
telephone: 01872 272205