Museum of London Privacy Notice
The Museum of London group includes the Museum of London, the Museum of London Docklands, the Museum of London Archaeological Archive and the Museum of London (Trading) Limited.
The Museum of London is an award-winning, charitable institution funded by a variety of organisations and individuals including the City of London Corporation and GLA.
The Museum of London (Trading) Limited, is a company limited by shares. Its principal activities are the provision of corporate hire and catering services and the retail function at the museum shops.
About this Privacy Notice
This privacy notice applies to information we collect about:
- Visitors to our digital channels (e.g. website, apps)
- Devices detected by our free Wi-Fi service
- People who use and support our services
- Job and volunteering applicants
The notice provides information on how we use any personal information we collect about you, your rights to access and correct the information we hold about you and how to contact us for queries or complaints about our use of your personal information, or to unsubscribe from marketing communications.
Charity number: 1139250
Company number: 05423292
ICO registration number: Z4956770
Registered office address
150 London Wall, London, EC2Y 5HN
The Data Protection Officer for the Museum of London is the Director of Assets, Nigel Ludlow.
You have a right at any time to stop us from contacting you for marketing or any other purpose. If you would like to opt out of receiving communications from us please email [email protected].
If you would like to make an enquiry about data protection, raise a concern or complain about how your information has been used you can contact us in the following ways:
By post: Data Protection Officer, Museum of London, 150 London Wall, London, EC2Y 5HN
By telephone: 020 7001 9844. Ask for the Records Manager
By email: [email protected]
If you would like to make a request to access the information we hold about you see the access to your information section of this notice.
Alternatively, you are entitled to raise a concern to the Information Commissioner’s Office (ICO) without first referring your complaint to us. See here for more information: https://ico.org.uk/concerns/
When we ask you to provide your personal information we will let you know why we are asking, and how we will use your data, and direct you towards this notice for more information. We take great care in storing this data.
When do we collect personal information?
Personal information is collected directly from you when you interact with us and allow us to do so, for example:
- When you book a free general admission ticket
- When you register with the Museum to use our services
- Attend our events
- Make a purchase
- Join as a supporter
- Make a financial donation
- Make a donation of an item for the Museum’s collection
- Sending or receiving an email
- Make an enquiry
- Visit our websites
- Apply for a role with us
- Hire a space for a corporate or private event
- Participate in a registered event
- When signing up to a campaign or for our newsletter
- When you voluntarily complete a survey or attend a consultation event
- Provide feedback
- Participate in competitions and social media conversations.
Information may be collected in person, over the phone, through our websites, social media or from something you’ve posted to us.
We also collect information when you allow others to share it with us via third parties, for example:
- Company contacts
- Organisations processing data on our behalf, e.g. Direct Debits
- Third party fundraising sites, e.g. Just Giving, Virgin Money
- Third party crowdfunding sites, e.g. Art Fund, CrowdFunder
What personal Information do we collect?
Personal information we collect may include:
- Your name, including your title
- Date of birth, only where needed for age related products
- Postal and email addresses
- Phone numbers
- Bank Details
- Your profession where appropriate
- Your age, ethnicity, disability and family status where appropriate
- Relationships including spouses, partners, work colleagues, connections where appropriate
- Current interest and activities
- Any accredited membership you belong to e.g. livery or trade organisation membership, or any other accredited organisation membership
- Standard internet log information and details of visitor behaviour patterns, including Wi-Fi usage
We will also collect and hold information about any contact you have with us as a visitor, customer or supporter of the Museum of London, and this may include details of:
- Ticket purchase, including free general admission tickets, and event registration/attendance
- Contact preferences
- Online or in store retail or café purchases
- Gift information, including Direct Debit bank details where applicable
- Gift Aid status
- Details of correspondence sent to you or received from you
- Donor status and wealth assessment information
- Employment information and professional activities
- Selected media coverage, where relevant
NHS Test and Trace
The Museum of London is committed to ensuring the safety of its visitors and staff. In support of this, we are now legally obliged to collect and maintain a record of visitors who come onto our premises for the purpose of contract tracing, under the NHS Test and Trace scheme.
In order to help reduce the risk of a local outbreak of COVID-19, we will share the following information regarding your visit with the NHS Test and Trace service, if requested. This information will be collected when booking a free ticket to visit the Museum.
- Your name, including title
- Phone numbers and/or email address and/or postal address
- Date, arrival and departure times of your visit
- Number of tickets booked
Please note that we will only share this information with NHS Test and Trace, if asked, in the event of a fellow visitor testing positive for coronavirus. We will never share personal data of a child under 16 but may share the details of their accompanying adult.
All personal data relating to your visit will be retained in line with the present Museum records retention schedule and in compliance with GDPR.
Information collected regarding donations to museum collections
We collect information about you when you make a gift to the Museum’s collections, or indicate a future bequest. This information is used to verify the provenance and copyright of the item and to provide an audit of ownership. This information will not normally be made publicly available; consent will be sought from the donor if an occasion arises in which the donor’s name is required to be linked to an item on display.
We also collect information about you relating to any financial support you give the Museum, and this may be shared for processing purposes, e.g. with HMRC or your bank.
Free Wi-Fi access is available throughout both the Museum of London and the Museum of London Docklands via the Museum’s free Wi-Fi network. If you access the Museum’s free Wi-Fi network, you will be asked to agree to the Museum’s Wi-Fi terms and conditions of use, which provide information about how your data will be used. You will be asked if you would like to subscribe to hear from the Museum in the future. This is voluntary and you can still use Wi-Fi without subscribing to hear from us.
We use Wi-Fi data to monitor the flow of visitors in to the museum and any analysis is anonymised. However, we do also use Wi-Fi data to get a better understanding of visitor preferences and may use this information to tailor the marketing materials we send you in the future. We also record the number of times and the location that you have used the Museum’s Wi-Fi as well as your subscription information (first and last name, email address, times and location of Wi-Fi use) on each use. This information is mainly used to inform us how often you return to the Museum and allow us to tailor marketing materials further.
For those using the Museum’s Wi-Fi network we record location, IP address and the type of the devices used. We will not link the anonymous device data with any other personal data that identifies you individually without your express permission. If in future we want to process your data in this way to offer you additional services, before doing so we will always ask you if you agree to take part.
A cookie is a small file which stores information that a website puts on your hard disk so that it can remember something about you at a later time. Typically, a cookie records your preferences when using a particular site. Read our cookies policy for more information.
We collect information about you in order to fulfil our public task and provide you with the service/s you have requested.
When you sign up to a newsletter or opt-in to our communications using our forms (e.g. a donation form or online form) or in person, then you are giving us your consent to send you marketing and fundraising materials by the methods you have chosen (e.g. email or phone call). We will never send you marketing by email or SMS without your consent, and you can withdraw your consent at any time.
If you have provided us with your postal or telephone contact details, but haven’t specifically opted-in to receive our communications (for example, making a donation by post), then we will carry out an assessment of whether it would be fair and reasonable to use them to send marketing and fundraising information to you without your explicit consent (i.e. it is in the interests of our aims and will not cause undue prejudice to you). This is called a legitimate interests assessment. You can opt out of our marketing and fundraising communications at any time if you don’t want to receive them.We will ensure we have a legal basis to use your personal information for the other purposes mentioned in this policy (usually with your consent, further to a legitimate interests assessment, or because the use of your data is necessary to comply with a legal obligation).
Processing your donation or purchase
When you make a donation or other payment to us, we will use your payment and contact details, payment amount, date and time of payment; to process that payment and take any follow-up administrative action needed (for example, sending a receipt or acknowledgement letter).
There are some membership and donation communications that we are required to send regardless of your contact preferences. These are essential communications, deemed necessary to fulfil our contractual obligations to you. This would include Direct Debit confirmations, thank you and renewal letters, member benefits, and queries regarding returned mail or bounced payments. .
Gift Aid Processing
If you choose to include Gift Aid with a donation to us, then we will also ask for your address and UK taxpayer status as this information is required by law. You can read more about how Gift Aid works here. This information is needed for us to fulfil our obligations under tax (sections 413 to 430 Income Tax Act 2007) and charity law. Information associated with Gift Aid declarations must be retained for 7 years. This information will be shared with HMRC for tax regulation purposes and may also be shared with the Fundraising Regulator and the Charity Commission in the event of an enquiry or investigation.
Responding to enquiries
If you contact us with a question, comment, compliment or complaint then we will keep a record of this correspondence and any associated documents so that we have the information available in the event of a follow-up, dispute or investigation.
Notifying you of changes to policies
If we make significant changes to our policies which may affect you, we will use your contact details to inform you of the changes.
Requesting information if you are attending our events
If you participate in an event that we have organised, we may ask you to provide information to make sure we can manage the event safely and efficiently. We may also ask you for details of any accessibility need which you may have, so that we ensure our event is inclusive, in line with the provisions of the Equality Act 2010.
If you participate in an event organised by an external party or make a donation through a processor like Just Giving, then your information may be passed to us by the processor. We would only use it for marketing purposes if you have given your consent for this.
Fundraising, Marketing and Communications
We may use your information to invite you to become involved with us in new ways, raise funds and grow our supporter base. If you consent we will send you information about activities and services of the Museum of London group that may be of interest to you, by post, telephone or email. Some of these will include:
Sharing marketing and fundraising materials with you
Marketing and fundraising materials that we might share with you include:
- Details of other products, services or events related to the Museum, such as exhibitions, events, retail or café offers
- News and updates about the Museum such as our marketing, learning or supporter e-newsletters
- Details of fundraising operations, including requests to consider giving financial support to Museum projects
- Surveys for market research purposes
Where you have provided your postal address or telephone number we may send this information to you by post or by calling your telephone unless you have asked us not to. We may also email you this information or send by SMS if you have agreed for us to do so.
Targeting our communications and researching our supporters
We undertake some research and analysis to inform our decisions on what communications our supporters would prefer, in order to work out whom to contact, what to say and when to get in touch. We want to send the most effective messages that we can in the most efficient way possible.
We undertake some research and analysis to inform our decisions on what to put on display, how to display it and what kinds of activities to programme to continually work to offer the best experiences when you visit. Responses to survey questions may be quoted in research reports. All data is anonymised when used for this purpose.
We log the IP address of the computer you are using in order to protect our servers against abuse and malicious activity. The logs are deleted every 30 days. Other information is used to measure the performance of the website, the volume of traffic that the site receives, how site users move around the site and what sort of users the site attracts. You can find out more in our website and cookies policy.
We use Google Analytics and Hotjar to collect information about how our visitors use and navigate this website. We use this information to report to funders and to analyse usage of the website so that we can continually work to improve the website and your experience of it. The cookies collect information such as the number of visitors to the site, which pages they visited and whereabouts they came to the site from. We also use Hotjar to provide polls to our visitors. This information is anonymous and cannot be used to identify you personally.
Analysing how emails are opened and read
We track emails which we have sent to you to see which messages have the highest response rates and whether there are messages that generate better engagement with particular groups of people. We do this by logging whether emails we send have been opened, deleted and interacted with (for example, by clicking on links within the emails). Although we only use this information to look at general patterns, it is still personal information because it is linked to your email address.
We analyse all data provided to us by supporters to review behavioural patterns like direct debit donations, communication preferences, interests in the museum, and which events you have attended.
As a recognised charity we seek to maximise our income from fundraising in order to achieve our aims and further our ability to be a world- class museum.
Analysing our supporter base to send different communications to people who might choose to give higher donations
We undertake in-house research and engage other organisations such as geodemographic data sources to help us identify people who may be able to support us with a larger gift, using information you have given us and publicly available records such as the electoral roll, land records, ‘rich lists’, Who’s Who publications and Companies House records. This is known as ‘wealth screening’.
We may also collect information on your interests, for example board memberships, hobbies, or articles about you in newspapers or magazines.
We use this information to tailor our communication with you and invite potential supporters to meetings, groups and events which may be of interest to them.
Here are some examples of the sources we might use:
- Public registers (e.g. Electoral roll, Companies House, Land Registry often accessed via Zoopla)
- Articles about you in newspapers or magazines (e.g. ‘rich lists’, Who’s Who publications)
- Subscription services (e.g. Directory of Social Change, opencharities.org, Trustfunding.org, New Trust List service)
- Dow Jones Risk and Compliance Database including Factiva
- Internet search engine results
- Public Information Source Sites including Wikipedia, Linked-In
- Google Maps
- Company websites
- Public blogs or any Public websites you manage or are about you
- Aggregator sites that collate info (e.g. 192.com, Duedil, Directory Enquiries)
- Public records of other charities or organisations you might be affiliated with (e.g. if you are listed as patrons of a charity)
- Family tree websites (e.g. ancestory.co.uk, Thepeerage.com)
- Professional registers (e.g. , City of London Directory and Livery Companies Guide, Academics, Solicitors, Accountants, Chartered Surveyors, House of Lords Register of Interests, NHS employees (doctors), ACF (Association of Charitable Foundations).
- Reputable news sources including but not limited to FT, Times, Telegraph, BBC News, City AM, Financial News, The Economist, Bloomberg
- City of London Livery Company information
Fundraising research is vital to our development activities to ensure that not only does the Museum continue to thrive for generations to come, but also to ensure that any fundraising requests are appropriate and justified.
You can choose to opt-out of being the subject of wealth screening or research (if it is not a legal requirement – see compliance with the law section) simply by contacting us by email at: [email protected].
When might we add information to your record that you may not have given to us directly?
We may also add information or update your record with us, from publicly available sources where you have given your consent, or information gathered in data cleaning exercises sometimes involving third party companies (see ‘Who might we share your information with’ below), to check if we have accurate contact details for you.
This may include your company details, telephone number, address related information, information from death registers, age or the information mentioned in the section above ‘Targeting our communications and researching our supporters’. We use this information to tailor our communications with you and send you more appropriate information.
These activities form a vital part of keeping support for our work going. You can request more information on these activities, or change your preferences, by using the information in the ‘Contacting us’ section at the beginning of this document.
You can choose to opt-out of being the subject of data cleaning or analysis simply by contacting us by email at: [email protected].
As with all charities, we ensure that our activities comply with the law. Therefore we may need to share or use your personal information if we are required to do so by law (for example, in response to a warrant or court order) and we may use information from other sources for the purposes of fraud prevention, for example to comply with money laundering regulations, or to protect people’s rights, property or safety.
If certain levels of donation are made, the Fundraising Regulator’s Code of Fundraising Practice requires us, and all charities in the UK, to perform checks. More details can be found at www.fundraisingregulator.org.uk.
We will not sell your details to any third parties, nor disclose personal data to any third parties or external organisations, other than trusted data processors and service providers carrying out work on our behalf. Examples of data processors would be mailing houses, bulk email distribution services, or wealth screening (a tool that organisations may use to help determine donors’ capacities to give, looking at top indicators of wealth like real estate ownership, business affiliations, and stock holdings in public companies) and data cleaning organisations.
We do comprehensive checks on any companies working on our behalf before we work with them. We will put a contract in place that sets out our expectations and requirements regarding how they manage the personal data they collect, or have access to, in line with the 1998 Data Protection Act and the General Data Protection Regulation. We will apply for your explicit and informed consent in the event that we need to share your data in any other way that is not covered in this policy.
We will never share your details with other organisations to use for their own purposes, other than where we are required to by law. The Museum of London will not, under any circumstances, share with or sell your personal information to any third party for marketing purposes and you will not receive offers from other companies or organisations as a result of giving your details to us.
Certain third party organisations collect information on our behalf as well as for their own use. We may receive your personal details from other organisations for our marketing purposes where you have consented for this information to be shared, for example Just Giving and Virgin Money Giving. These organisations have their own data protection and privacy policies and we urge you to make yourself aware of these before signing up.
We may also use other companies to provide services and process your personal information on our behalf, including delivering postal mail, making telephone calls to our supporters, sending emails, sending SMS messages, processing credit card payments and analysing our supporter information as outlined above, to help us offer you communications that are most appropriate to you and your interests. In some cases, our suppliers may use software which analyses publicly available information (as outlined above) to build up a picture about you based on the factors set out in the ‘Targeting our communications and researching our supporters’ section.
For information about NHS Test and Trace please see section 2.
Transfer of personal information outside of the EEA
The Museum of London is aware that countries outside the European Economic Area have differing approaches to data privacy laws, and that enforcement may not be as robust as it is within Europe’s borders.
The transfer of your information is governed by EU model contract clauses which set out how the organisation outside the EEA is required to protect your privacy rights by adhering to European data protection standards.
Organisations we work with who process personal information in the USA have verified their data processing standards meet the EU-US Privacy Shield, which sets out clear safeguards and transparency responsibilities for US-based organisations processing personal information from EU citizens.
The Museum of London takes the care of your information seriously and protects your personal information in a range of ways including secure servers, firewalls and SSL encryption. We follow payment card industry (PCI) security compliance requirements when processing credit card payments. We operate a policy of restricted, password controlled, access to any of your information which is stored on our systems.
If you apply to work at Museum of London, we will use the information you supply to process your application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Criminal Records Bureau we will not do so without informing you beforehand unless the disclosure is required or otherwise permitted by law.
We sometimes use third-party job application platforms to publish and receive applications for roles at Museum of London. When you apply through these portals the organisation’s privacy information will be available to you. We only work alongside other organisations in this way if we are satisfied that they will keep your information safely and use it only in the same legal ways that we would.
During the recruitment process, we will perform some checks on your identity, your right to work in the UK, your eligibility to work with vulnerable people and your past employment references.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed. We retain de-personalised statistical information like ethnicity, sexuality and disability to ensure that our recruitment processes are inclusive and not discriminatory, but this is completely anonymised, so no individuals are identifiable from that data.
Once you have taken up employment with the Museum, we will compile a file relating to your employment. The information contained in this will be kept secure and will be used for purposes relevant to your employment. Once your employment with the Museum has ended, we will retain the file in accordance with the requirements of our retention schedule and the law.
If we are required by law to share your information, (for example; in response to a warrant or court order), we will do so.
CCTV is used throughout the Museum of London sites to monitor the safety and security of our visitors, staff, artefacts, merchandise, and events. The Museum abides by the CCTV Code of Practice in the management of information recorded and retained by surveillance equipment.
While we do not actively collect information from children (under 16s) in the UK, we appreciate that our visitors and supporters are of all ages. Where appropriate, we will always ask for consent from a parent or guardian to collect information about children. All events will have clear rules on whether or not children can take part, and the collection of information will be managed in accordance with each individual event, with appropriate safeguards in place.
You have the right to request a copy of the information that we hold about you: this is called a Subject Access Request. We will provide it in a clear and easy to follow format. Please note that if you ask for the material to be sent electronically but prefer not to use our secure file transfer, Museum of London cannot be held responsible for the security risk to your information as it travels across the Internet. If you would like a copy of some or all of your information, please email or write to us by contacting the Data Protection Officer (see who we are and how to contact us).
How to ask us to amend or delete your information
We fully comply with the terms of the Data Protection Act (1998) and the incoming General Data Protection Regulations (2018), and will respond to any requests to remove, change or provide any personal details you have given us under the terms of the Act and Regulations, including the right to be forgotten. If you information is incorrect, out of date or if there is no longer justification for us to hold it, you can ask for it to be updated, removed or blocked from our use.
To amend or delete your information you should email [email protected], use our online unsubscribe or amend your mailing list settings by visiting our preference centre. Please note that whilst we endeavour to update your information in a timely manner there may be a slight delay of up to 48 hours to deal with your request. If you ask us not to contact you, we will keep some basic information about you on our suppression list in order to avoid sending you unwanted materials in the future.
The personal data collected by the Museum of London is evaluated periodically to determine whether it is current and still needs to be held. Subject to any legal requirements we will keep your personal information for no longer than is necessary for the purposes for which it is processed (in accordance with our internal policies/retention schedule).
You can find out more about your data protection rights on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.
You can find out more about data protection law here:
Data Protection Act 1998 until the 25th May 2018 (external link)
General Data Protection Regulation 2018 from 25th May 2018 (external link)
We keep our privacy notice under regular review. You are advised to visit this page periodically in order to keep up to date with any changes. By continuing to use our services you will be deemed to have accepted such changes.
This privacy notice was last updated in October 2020.