1. Information we collect about you
We are registered with the Information Commissioner’s Office. We collect and process personal information to provide a voluntary service for the benefit of the public. There are a number of purposes for which we process information. You can see a full copy of the Museum’s Registration on the Information Commissioner’s Office website. We might hold information from or about you that you give us or that we collect, as follows:
Information that you give us: we may collect information such as your name, age and contact details that you give when you:
- ask us for information
- make a booking with us
- purchase items from us
- visit us at the Museum
- send us an email
- register or sign in to our digital services, including email, Wi-Fi and website
- apply for Membership of the Friends of Hertford Museum
- make a donation to us
- join or subscribe to our social media channels
You may give us payment card details. The payment card information you supply to us for any online or in-shop transaction is used solely for the purpose of processing that transaction.
You may give us this data by filling in forms or by corresponding with us by post, phone, email or otherwise.
Information that we collect: we collect information when you use our services such as a) our website and b) our Wi-Fi service.
a) Website cookies: we only use ‘performance cookies’ to collect information about how many visitors use the website, which pages they go to most often and if they get error messages from web pages. These cookies do not collect information that identifies a visitor.
All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the website works. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
By using our Website, you agree that we can place these types of cookies on your device. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
b) Hertford Museum Wi-Fi: when you use our Wi-Fi we may collect data about your device, the volume of data which you use, the websites and applications which you access and your usage by access time, frequency and location.
2. Using your information
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data:
- To provide a service or product you have requested. We will use this information to administer your Membership, to administer gifts, bequests, donations and legacies made by you or on your behalf or to supply you with goods or services ordered from us.
- To communicate with you by telephone, social media, text, email and/or post about the Museum’s activities, promotions and events, deliver service emails such as purchase confirmation emails, contact you and ask you to respond to surveys, inform you about Museum services and products.
- To improve existing experiences, services and products or to create new ones.
- To report to our stakeholders: on key statistics such as visitor numbers. Statistics on visitors are published in our Annual Report and Annual Review. We also analyse the performance of services and products and provide information to our stakeholders and funders as part of our on-going relationships with them.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with legal or regulatory obligations.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
3. Sharing your information
We do not share any personal information that you provide to us, or that we otherwise collect, with any third party, and we will never sell your personal information to any third party organisation.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. You can ask us or third parties to stop sending you marketing messages at any time by contacting us.
5. Your rights
You have the right to ask in writing for a copy of the information we hold about you, to find out for which purposes it is being processed, to whom it may be disclosed, to correct any inaccuracies or ask for this data to be erased. You also have the right to request the transfer of your personal data to you or to a third party or restrict the processing of your personal data.
We will usually respond within 1 calendar month from the date of the request for a copy of the data we hold about you. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
If the lawful basis of us collecting your data is your consent, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You also have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
If you wish to exercise any of the rights set out above, please contact the Data Protection Officer, Hertford Museum, 18 Bull Plain, Hertford, SG14 1DT.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
6. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We do not routinely collect data about children under 16. There are a limited number of activities we undertake that require data about children to be collected and held. For example:
- photo and other permission forms
- safeguarding reports
Information about children is stored securely, can only be accessed by staff with a current Disclosure and Barring Service (DBS) check and is destroyed as soon as it is no longer needed.
If we need to collect information from children, other than in the circumstances described above, we will ensure that such information is handled lawfully and in accordance with this policy.
This policy was reviewed in May 2018.