Privacy notice

This privacy notice sets out how the Museums Association (MA) uses and protects any personal information that you give to us. This privacy notice is being issued in accordance with the new GDPR, or European General Data Protection Regulation, which comes into force on 25 May 2018 and will repeal and replace the current European data protection framework. It represents a significant change in data protection law throughout the European Union (EU).

We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy statement.

The GDPR aims to consolidate and strengthen the protection of personal data. It introduces improved data protection rights for individuals and places enhanced compliance, governance and accountability obligations upon organisations involved in the processing of personal information of individuals.

This privacy notice is effective from 25 May 2018.

The data that we may collect

We may collect the following information:
• name and job title, place of work or study
• contact information including email address
• demographic information such as salary band, postcode, preferences and interests
• other information relevant to customer surveys and/or offers
• bank details for direct debit processing
• IP addresses
• access and dietary requirements or health information
• date of birth, gender, sexual orientation, ethnicity, disability and other information for monitoring diversity

Why we require this information

1. Members

For internal record keeping including membership processing, and in order to deliver your membership benefits including e.g. your membership card and the Museums Journal.

For marketing, market research, and to use the information to improve our products and services.

Legal basis for processing members’ data

We process the following data under contractual obligation as part of the information required in order for us to process your membership and deliver your benefits.
• Name.
• Contact information including email address.
• Bank details for direct debit processing.
• IP address.

We process the following types of data under our legitimate business interest, which is to keep our members informed and provide the best products and services we can.
• Name.
• Contact information including email address.
• Job title, place of work or study.
• Demographic information such as salary band, postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.

With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided; and
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail.

2. Subscribers

For internal record keeping including processing of your subscription order; in order to ensure that the products you subscribe to are delivered to you correctly and to inform you about the MA’s activities.

For marketing, market research, and to use the information to improve our products and services.

Legal basis for processing subscribers’ data

We process the following data under contractual obligation as part of the information required in order for us to process your subscriptions.
• Name.
• Contact information including email address.
• Bank details for direct debit processing.
• IP address.

We process the following types of data under our legitimate business interest, which is to keep you informed and provide the best products and services we can.
• Name.
• Contact information including email address.
• Job title, place of work or study.
• Demographic information such as salary band, postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.

With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided; and
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail.

3. Events attendees

For internal record keeping including processing of your order; in order to ensure that you are correctly booked on your chosen event/s and that any preferences e.g. around access and dietary requirements are correctly recorded, and to inform you about the MA’s activities.

For marketing, market research, and to use the information to improve our products and services.

Legal basis for processing event attendees’ data

We process the following data under contractual obligation as part of the information required in order for us to process your events attendance.
• Name.
• Contact information including email address.
• Bank details for payment processing.
• IP address.

We process the following types of data under our legitimate business interest, which is to keep you informed and provide the best products and services we can.
• Name.
• Contact information including email address.
• Job title, place of work or study.
• Demographic information such as salary band, postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.

With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided; and
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail.

Sensitive data with consent and under the special condition of explicit consent:
• dietary requirements, access requirements, health information where relevant.

4. Website users

For internal record keeping in order to monitor the number of users our website receives and the demographics of users, and to inform you about the MA’s activities.

For marketing, market research, and to use the information to improve our products and services.

Legal basis for processing website users’ data

We process the following data under our legitimate business interests in order for us to register you as a website user, to keep you informed and provide the best products and services we can.
• Name and job title, place of work or study.
• Contact information including email address.
• Demographic information such as salary band, postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.
• IP address.

With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided; and
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail.

Processing of sensitive personal data

Sensitive personal data includes information relating to the following matters:
• your racial or ethnic origin
• your political opinions
• your religious or similar beliefs
• your trade union membership
• your physical or mental health or condition
• your sex life, or
• the commission or alleged commission of any offence by you.

The MA will only collect and process sensitive data primarily where it is necessary to enable the MA to meet its legal obligations, and in particular to ensure adherence to health and safety and vulnerable groups protection legislation or for equal opportunities monitoring purposes.

Currently we may collect sensitive data for the following purposes.

Equality, Diversity and Inclusion surveys where we may collect:
• date of birth, gender, sexual orientation, ethnicity, disability with consent, and also under the special condition of explicit consent

Events attendance where we may collect:
• dietary requirements, access requirements, health information where relevant, with consent and under the special condition of explicit consent

In most cases the MA will not process sensitive personal data without your consent.

Who we share your data with

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law.

We will share relevant data with external organisations, e.g. mailing houses, in order to process the mailing of the Museums Journal and other publications, and payment processing companies, e.g. Smart Debit to process subscription payments.

Your rights around your personal data

1. Withdrawing your consent

When you register you can set your user preferences as to how and about what we may contact you.

We will require at least one method of contact to communicate with you in order to administer your membership or other products and services.

If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to us at the address below, or emailing us at info@museumsassociation.org.

The Data Controller, Museums Association, 42 Clerkenwell Close, London, EC1R 0AZ, or via e-mail at info@museumsassociation.org.

2. How you may request the information we hold about you

You may request details of personal information which we hold about you under the GDPR 2018.

If you would like a copy of the information which we hold about you, please contact us using the details above. We will send this information to you in no more than 30 days.

3. Data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

For example, this could apply if you wanted to transfer your data to another pension provider.

The right to data portability only applies:
• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• when processing is carried out by automated means.

If required we will provide the personal data in a structured, commonly used and machine-readable form, free of charge.

You can make a request verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.

4. Disclosure of information

We will ensure that your information will not be disclosed to government institutions or authorities except if required by law or when requested to by regulatory bodies or law enforcement organisations.

5. Right to rectification and erasure

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

You can make a request for rectification verbally or in writing. We will respond to your request within 30 days.

The GDPR also introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. You can make a request for erasure verbally or in writing. However, there may be a legal basis for us to refuse the request, e.g. where we are required to hold the data, for example in relation to financial transactions.

You can make a request for erasure verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.

6. Right to object

The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances, for example you have an absolute right to stop your data being used for direct marketing.

You can make a request verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.

7. Complaints procedure

If you have a concern about the way the MA is handling your personal information – perhaps we hold information about you that is incorrect, we have held it for too long, or we are not keeping it securely – you can make a complaint verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.

You may also wish to raise your concerns with the ICO (the Information Commissioner’s Office), particularly if you do not feel that the MA’s response has been adequate.

If the ICO think the organisation has not complied with its obligations it can give the organisation advice and ask it to solve the problem. They do not award compensation. Their main aim is to improve the information rights practices of organisations. You can raise a complaint with the ICO through the following link:
https://ico.org.uk/concerns/

What information security we have in place

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

We have implemented training programmes for employees to ensure that we are prepared and can continue to provide the best possible service to our clients when the enhanced requirements of the GDPR come into force on 25 May 2018.

All our employees and data processors that have access to and are associated with the processing of your personal information are obliged to respect the confidentiality of your information.

We regularly review policies, data management processes and procedures to ensure they are compliant with the new GDPR. All employees who process your data will be required to familiarise themselves with these policies and agree to abide by them.

Please be aware that communications over the internet, such as emails/webmails, are not secure unless they have been encrypted. Your communications may route through a number of countries before being delivered - this is the nature of the world wide web/internet. The MA cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.

What we will do in the event of a data breach

The MA ensures that sufficient policies, processes and procedures are in place to detect, report and investigate a personal data breach.

We will notify the ICO (and where required individuals or organisations) of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

How we will update our contracts or agreements with data controllers and data processors

Data controllers and data processors are other organisations (or individuals) which control and/or process information on our behalf.

Under the GDPR, our contracts or agreements with data controllers and data processors need to contain certain minimum provisions, such as a description of the scope, nature and purpose of processing.

We are reviewing and updating our agreements and contracts with third parties to ensure they have appropriate policies and security measures in place to comply with the GDPR and safeguard the personal data we hold.

When we appoint new third parties to act as data controllers and data processors on our behalf, we will ensure that there are appropriate provisions in relation to their own compliance with the GDPR and other relevant matters such as compliance, monitoring and reporting.

Links to other websites

Our website may contain links to enable you to easily visit other websites of interest to museum professionals. However, once you have used these links to leave our site, you should note that we do not have any control over that other website.

Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the privacy policy applicable to the website in question.

How long we will retain data

Data will only be processed in accordance with the purpose or purposes that it was originally collected for and will only be kept for as long as necessary. We will review at regular intervals the length of time we keep personal data.

We will consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it.

We will securely delete information that is no longer needed for this purpose or these purposes; and update, archive or securely delete information if it goes out of date.

Transfer of data to outside the EU

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.

There are no current circumstances where the MA will transfer your data outside the EU.

How we use cookies on the Museums Association website

A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.