The British Museum is committed to protecting your privacy and security.
The British Museum was founded in 1753. Its aim is to hold for the benefit and education of humanity a collection representative of world cultures ('the collection'), and ensure that the collection is housed in safety, conserved, curated, researched and exhibited. The Museum is now governed in accordance with the British Museum Act 1963 and Museums and Galleries Act 1992.
The Museum is an exempt charity under schedule 3 of the Charities Act 2011 and is also a Non-Departmental Public Body funded by a combination of grant-in-aid allocated by the Department for Digital, Culture, Media & Sport (DCMS) and income secured through commercial, fundraising, sponsored and charging activities. Today, the Trustees of the British Museum own and control a number of associated companies, which support the British Museum's mission. These companies are The British Museum Company Limited, British Museum Ventures Limited, The British Museum Great Court Limited and The British Museum Friends.
The official address of the British Museum, and all its companies, is Great Russell Street, London WC1B 3DG.
We collect 'personal data', which is information that identifies a living person, or which can be identified as relating to a living person.
When we talk about 'you' or 'your' in this policy we mean any living person whose personal data we collect.
When we talk about 'Members' and 'Membership' we are referring to subscribing Members of the British Museum Friends.
We hold the following categories of personal data:
3.1. Personal data you provide
We collect data you provide to us. This includes information you give when you communicate with us, apply for Membership, purchase tickets, products or services, sign up to receive communications from us, make a donation, apply for employment, volunteer or enter into a contract with us. For example we may hold:
- personal details (name, gender, date of birth, email, address, telephone etc.)
- family and spouse/partner or next of kin details
- financial information (such as credit/debit card or direct debit details, and whether your donations are gift-aided)
- your response to a special British Museum event or your intention to meet a member of our staff
- details of the ways in which you wish to be contacted by us
If you purchase Museum Membership as a gift for someone or join as a family, your details will be recorded (as will the recipient's) and your relationship to that person will be recorded.
3.2. Personal data generated by your involvement with the Museum
Your activities and involvement with the Museum will result in personal data being generated. This could include:
- details of your areas of interest in the Museum's collection
- your visits to our study rooms and libraries
- your attendance at special events
- where you have asked us for information or written to us
- your visits to our websites
- images of you captured by our CCTV systems
- your use of our public wifi and our audio guides
- your purchasing history
- how you have helped us by volunteering or by donating money or objects to us
- where you have applied for a job with us
3.3. Personal data from third parties
We sometimes receive personal data about you from third parties, for example, if we're partnering with another organisation or where we may use third parties to help us conduct research and analysis about you to determine the success of our public offer and to help us provide you with a better experience (and this can result in new personal data being created).
We may collect information from social media about you, or if you post on any of our social media pages.
Occasionally, we may collect personal data about you (for example if you are particularly well known or influential) from the media and other publicly available sources. This may come from public databases (such as Companies House), news or other media. The sort of information we obtain from these sources might include details of other charities you may support and indicators of your leisure interests and financial status such as house value or post code.
3.4. Special category ('sensitive') personal data
We don't normally collect or store special categories of personal data. However, there are some situations where we may need to do so. These may include, for example, if you work or volunteer with us or apply to do so, or if we need to know about any access, medical or dietary requirements you, or someone in your care, may have. Information about your ethnicity, religion or disability may be captured by the recording of images through our CCTV system, but we don't further process, collect or retain special category data from those records. Please see the section on CCTV below for further information.
4.1. General use
We only ever use your personal data with your consent, or where it's necessary in order to:
- enter into, or perform, a contract with you
- comply with a legal duty
- protect your vital interests
- carry out a task in the public interest
- for our own (or for a third party's) legitimate interests, provided your rights don't override these interests
In any event, we will only use your personal data for the purpose or purposes for which it was obtained.
We use your personal data to communicate with you in order to promote our activities and events and to help with fundraising. This includes keeping you up to date with our exhibitions, events and products in our shops, and to send you general information about fundraising, Membership and other ways you may be able to support us or benefit from the British Museum.
We use your personal data for administrative purposes including:
- receiving donations (for example, Direct Debits or gift-aid instructions)
- maintaining databases of our Members and other supporters
- processing Membership subscriptions
- performing our obligations under Membership contracts and other supporters' agreements
- managing custody of our collection including our intellectual property rights
- carrying out due diligence to meet our compliance duties (for example, before making any acquisition into our collections, accepting financial support or making agreements for the supply of goods and services)
- processing enquiries and requests for information
- managing feedback, comments and complaints we receive
- fulfilling orders for tickets, goods or services (whether placed online, over the phone or in person)
- helping us respect your choices and preferences
- recruitment and staff management including pay, tax and pensions administration
- management of suppliers of goods and services
- managing your visit to the British Museum (for example, health and safety, security, lost property, cloakroom, safeguarding and incident management)
4.4. Internal research and profiling
We carry out research and analysis on our visitors, Members and other supporters to determine the success of our public offer and programmes and other activities in the public interest and to help us provide you with a better experience (for example so that you only receive communications about areas of our activities or research you are most likely to be interested in).
We may evaluate, categorise and profile your personal data in order to tailor materials, services and communications (including targeted advertising) to your needs and your preferences and to help us to understand our audiences. For example, we may keep track of the amount, frequency and value of your support including your philanthropic involvement elsewhere. This information helps us to ensure communications are relevant, timely and in the best interest of our charitable purposes.
We will never sell your personal data.
If you've opted in to marketing, we may contact you with information about our selected partners. These communications will always come from us and will usually be incorporated into our own marketing.
We may share your personal data with contractors or suppliers who provide us with services. For example, we may use a mailing house for the distribution of The British Museum Magazine; we use Direct Debit processors for the handling of payments and email providers for our marketing communications. Information is transferred to data processors securely, and we retain full responsibility for your personal data as the data controller. These activities are carried out under a contract which imposes strict requirements on our suppliers to keep your personal data confidential and secure.
Occasionally, we arrange events with other organisations, for example The American Friends of the British Museum, a tax exempt organisation under section 501 (c) (3) of the U.S. Internal Revenue Code. We may share your personal data with such organisations, for example where you register to attend events. We will only share information when necessary.
We may share your personal data where required to do so for prevention of crime or for taxation purposes (for example, with the police, HMRC). These requests will be assessed on a case-by-case basis and in line with data protection law. We may be required to share your data with regulators or with other organisations in line with the law (e.g. the Charity Commission, Companies House and local authorities).
Unless you've already given us your email address or telephone number so that we can tell you about making donations to us or about the supply of goods and services, we must ask you to 'opt-in' to receive fundraising and marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages. You are also able to select how you want to receive them (post, phone, email, text) and to change your preferences at any time.
When you receive a communication from us, we may collect information about your response and this may affect how we communicate with you in future.
6.2. Newsletters and magazines
If you are a Member or a Patron, we will send you the British Museum Magazine (unless you specifically ask us not to) and you can choose to unsubscribe from general marketing communications to Members without cancelling your subscription to the British Museum Magazine.
7.1. Information for parents and guardians
We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of those aged 13 or younger.
We won't use the personal data of children or young people for marketing purposes and we won't profile it.
Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis. Further information about Safeguarding is available within our Safeguarding and Adults at Risk Policy.
We employ a variety of physical and technical measures to protect information we hold and to prevent unauthorised access to, or use or disclosure of your personal data.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Staff receive data protection training and we maintain a set of data protection procedures which our staff are required to follow when handling personal data.
8.2. Payment security
All electronic forms that ask you for your financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.
If you use a payment card to donate, to buy Membership or to purchase something from us online, we will pass your payment card details securely to our payment provider. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council.
The British Museum premises are protected by CCTV and you may be recorded when you visit the Museum in Bloomsbury. We use CCTV to help provide a safe and secure environment for visitors, for our staff and for the collection and to prevent or detect crime.
All information is processed on our CCTV system in line with our CCTV Policy. The system is managed in accordance with our standard operating procedures and in line with good practice guidance issued by the Information Commissioner's Office. CCTV images will only be accessed by authorised security staff and are stored for up to 31 days, unless flagged for review.
10.1. Where we store data
We are wholly based in the UK. We will store your personal data within the United Kingdom, or on servers in a country with an adequacy regulation such as the European Economic Area. Where the Museum uses an organisation to process your data which is based outside of the UK and hasn't been awarded an adequacy regulation by the UK Government, we will enter into UK approved standard contractual clauses and ensure the security of the systems offer an adequate level of data protection.
10.2. Retention of your personal data
We will only retain your personal data for as long as it's required for the purposes for which we collected it. How long we keep your personal data for will depend on:
- our legal obligations
- the nature and type of information we are processing and
- the reason for which we collected it.
For example, should you ask us not to send you marketing emails, we will stop storing your email address for marketing purposes. However, we will need to keep a record of your preference.
We continually review what information we hold and will delete personal data which is no longer required.
11.1. Your rights
Under data protection law, you have rights which allow you to have a say in how we use your personal data. These are called Data Subject Rights. You have:
- the right to know whether we hold your personal data
- the right to receive copies of the personal data we hold about you (a 'subject access request')
- the right to have your personal data erased (however this is conditional on why we are storing your personal data)
- the right to have inaccurate personal data corrected (rectification)
- the right to object to your personal data being used for direct marketing or profiling
- the right to be given a copy of personal data that you have provided to us electronically (and which we process automatically on the basis of your consent or the performance of a contract) in a common electronic format
- the right to have any automated decisions made about you explained by a person.
Under data protection law, we have one month to fulfil any of your data subject rights. In certain situations, we may extend the statutory deadline by a further two calendar months. We may also ask you to provide further information to help us identify you (such as a Membership number or ID) or identify where you have interacted with the Museum. Where this is the case, the request will only be considered valid on receipt of this information.
Sometimes we can't fulfil your data subject rights request in the way that you may expect. This is because an exemption may apply, or we are processing your information for a lawful reason which may mean that you can't exercise that right. Where appropriate, we will inform you of the decision.
If you'd like further information on your rights or wish to exercise them, please contact our Data Protection Officer at the address below.
Should you wish to make a subject access request, please contact our Data Protection Officer providing:
- a clear explanation about what information you are requesting
- your Membership number (where you are a Member)
- a copy of your ID (where you are requesting CCTV or where we can't identify you through other means).
Please be aware that we may ask for other information from you on a case-by-case basis to help us to identify you.
Should you have a complaint about how we have used ('processed') your personal data, you can complain to us directly by contacting our Data Protection Officer in the first instance.
If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner's Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk.
Our websites use local storage (such as cookies) in order to provide you with the best possible experience and to allow you to make use of certain functionality (such as being able to shop online). Further information can be found in our Cookies policy.
Our websites contain links to other external websites. We are not responsible for the content or functionality of any such websites. Please let us know if a link isn't working by contacting email@example.com.
This policy was approved by the Trustees of the British Museum in May 2018 and updated in December 2022. It will be reviewed no later than 2023.