Privacy Policy | Headstone Manor & Museum

Headstone Manor & Museum and its staff and volunteers are compliant with the Harrow Council policies, including its GDPR-Data Protection policy (which can be found here: https://www.harrow.gov.uk/downloads/file/26930/gdpr-privacy-notice-council-wide-updated-16th-december-2019).

Each department within the council has developed from this parent policy its own privacy policy in relation to the type of data which the department collects, retention schedules, and potential exemptions.

Headstone Manor & Museum is Harrow’s dedicated local history museum run by the Harrow London Borough Council. We take your right to privacy seriously. This Policy deals with personally identifiable information, your “Data”, that we may collect. Our privacy policy is fully compliant with General Data Protection Regulation introduced on 25th May 2018.

Identity and contact details

Headstone Manor & Museum collects and processes personal information about you. This information is by default accessible to our parent organization, Harrow Council. Harrow Council is registered as a Data Controller under the Data Protection legislation and the contact details are:

Darren Davies
Civic Centre
Station Road
Harrow
HA1 2XY
dpo@harrow.gov.uk
020 3773 7161

The purposes and legal bases for processing your personal data

Marketing Communications: We aim to communicate with you about the work that we do in ways that you find relevant, timely and respectful. To do this we use data that you have given us when signing up to our mailing list, as well as any preferences you have told us about. We use our legitimate organisational interest as the legal basis for communications by post and email and will only contact you about events and news that is relevant to the data stored.
Services and activities: We collect personal information through specific activities such as tour and group visit bookings, special events, feedback and enquiries, loans and donations, and volunteer applications. The information is needed to fulfil your requests, to provide you with a service, or in relation to collections documentation. We use our legitimate organisational interest as the legal basis for the collection of this information. In some cases, largely related to loans and donations, processing of your personal data is necessary for archiving purposes in the public interest and/or historical research purposes.
We will always let you know why we are asking for particular personal data, and how we will use it, primarily through this notice. Although you have the right to withhold any information, this may impactour ability to deliver certain services to you.

The sources and categories of personal data we obtain

Information you give us: For example, when you sign up to our mailing list or donate an object, we’ll store personal information you give us such as your name, email address, phone number, and postal address. If you contact us with an enquiry or request via email, we will retain the information provided within the body of email.
Information about your interactions with us: For example, when you visit our website, we collect information about how you interact with our content. When we send you a mailing we store a record of this, and in the case of emails we keep a record of which ones you have opened and which links you have clicked on. This information is stored by our third-party marketing platform, Mailchimp. Learn more about Mailchimp’s privacy practices here: https://mailchimp.com/legal/
Sensitive personal data: Protection law recognises that certain categories of personal information are more sensitive such as health information, race, religious beliefs and political opinions. There are instances where we do collect this type of information. For example, members of the local community are sometimes invited to participate in the creation of exhibitions, oral histories, or events where the themes touch on sensitive personal data, and where that data may then be shared with the public.

In these cases, it is necessary to process this sensitive information for archiving or research purposes which serve the public interest, so long as it is reasonable given the aim of the project. You will always be informed in advance if this type of information will be collected, how it will be held and shared, and will be given the option to decline to participate. The information will be safeguarded and stored appropriately. For the legal basis of this processing, please see Article 9(2j) and 89(1) of EU GDPR.

How we collect your information

‘Opt In’ Marketing Communications: We operate a strict ‘opt in’ policy which assumes you do not wish to receive marketing communications. When signing up to our mailing list you will be asked whether you would like to ‘opt in’ to receive marketing communications.

Directly: In some circumstances we will directly ask you to provide personal information for archiving purposes in the public interest or historical research. If you donate or loan an object to the Museum, attend an appointment to view an object privately, or request an image reproduction of an object in the Collection, you will be asked to fill out a form with your personal information.

Indirectly: At times the Museum may indirectly obtain personal information relating to individuals through the objects within the collection, oral histories, or research. In many cases, it would be impossible or require a disproportionate effort to find these individuals and give a privacy notice. It should be noted that the information processed will still be treated with the same confidentiality as that obtained directly from individuals.

The recipients or categories of recipients of your personal data

Internal: All employees who have access to the processing of your personal data are trained with the security procedures and legally required to respect the confidentiality of your personal data. We may at times share relevant personal data with our volunteers or employed contractors undertaking research or work for the museum. These persons have also signed an agreement through which they agree to abide by the Museum and Council’s data protection policies.

External: There are certain circumstances under which we may disclose your personal information to third parties. These are as follows:
•    To our own service providers who process data on our behalf and on our instructions (for example our marketing platform provider, Mailchimp). In these cases, we require that these third parties comply strictly with our instructions and with data protection laws.
•    Where we are under a duty to disclose your personal information in order to comply with any legal obligation (for example to government bodies and law enforcement agencies).
•    Research access: In some circumstances, when deemed to be fair to the individual and proportionate to the purpose of the research, we may make selected personal information related to objects held in our collection available to researchers.

The details of transfers of personal data overseas

It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the Data Protection legislation.

How long we keep your personal data

We will only keep your information for as long as is required by law and to provide you with the necessary services. See specific details below:

Communications: Your data will be stored with us for a period of at least two years. If after this time, you have not interacted with our communications, your information will be deleted.
Collections documentation: Information given for collections documentation (donations, loans, etc.) is retained indefinitely in accordance to Museum Policy procedures and for archiving purposes in the public interest or historical research purposes. This information is stored safely in password-protected and encrypted digital form, or in locked cabinets in physical form.

Google Analytics: We use Google Analytics to monitor website usage, and to inform and optimise marketing strategy. Google analytics data will be stored for a period of 2 years. If you would like the ability to prevent your data from being used by Google Analytics please see Google Analytics' currently available opt outs for the web.

We may also anonymise some personal data you provide to us to ensure that you cannot be identified and use this data to allow the Museum to target and plan future services and funding.

Your rights in respect of the processing

You have the right to request a copy of the information that we hold about you. The new General Data Protection Regulation also gives you additional rights about the information we hold about you and how we use it, including the right to:
•    Withdraw consent and the right to object and restrict further processing of your data (Opt Out); however, this may affect service delivery to you.
•    Request to have your data deleted where there is no compelling reason for its continued processing and provided that there are no legitimate grounds for retaining it.*
•    Request your data to be rectified if it is inaccurate or incomplete You can change your preferences anytime by contacting info@headstonemanor.org

*Data linked to objects held in the collection will be retained for as long as the object is held by the Museum, unless compelling evidence shows that this requirement can be overridden. This is in line with law and is a requirement of museum accreditation.

Your right to lodge a complaint with the ICO

You have a right to complain to us if you think we have not complied with our obligation for handling your personal information; please visit Harrow Council’s Compliments and Complaints page here: https://www.harrow.gov.uk/council/compliments-complaints?documentId=13033&categoryId=210283. If you are not satisfied with the Council’s response you have a right to complain to the Information Commissioner’s Office (ICO). You can report a concern by visiting the ICO website.

Automated decision making

We do not carry out any automated decision making.

Changes in your circumstances

You must notify us immediately if there are any changes in your circumstances and personal details so we can maintain an accurate and up to date record of your information.