This personal data privacy policy covers the personal data collected and processed[1] by the Royal Engineers Museum in order to support the legitimate operations of our charity. The policy explains why we collect your data, what we use it for and how long we keep it. It sets out your rights and our responsibilities and how you can query our holdings of your data.

[1] Includes collecting; storing; accessing; and deleting.

Who We Are

Royal Engineers Museum
Brompton Barracks
Prince Arthur Road
Chatham
Kent
ME4 4UG

We are registered as a charity and our registration number is: 295173.

We are registered with the Information Commissioner’s Office and our registration number is: A8348007

The RE Museum is one of a number of charities linked to the Corps of Royal Engineers and the Ministry of Defence through the management of the Regimental Headquarters of the Royal Engineers. We share our governance and Trustees with the Institution of Royal Engineers (Registered Charity No. 249882).

Our website address is: http://www.re-museum.co.uk.

What Information We Collect About You

We collect the personal data that you may give as part of ticket booking, research or museum service enquiry, online purchase, Friends of the Museum or learning club membership, object donations, newsletter sign up and visitor surveys. This may include:
• Details of financial transactions including the payment of membership fees and service charges.• Address, email address and phone number.
• Name, title, gender and age.
• In the case of our learning service customers, we may keep details of special education needs and disabilities that you provide.

We will also collect and hold information about you as a visitor, service customer or supporter of the RE Museum. This may include:
• Details of financial transactions including the payment of membership fees and service charges.
• Details of financial donations.
• Gift Aid status.
• Details of correspondence sent by or to you.

Images and video footage of you as a visitor may also be collected by the Museum.
• CCTV is in place as a crime prevention measure for the security and safety of the Museum Collection, staff and visitors.
• Staff may also take photographs of visitors at Museum events and activities. Notices will inform visitors and invite those not wanting to be photographed to inform Museum staff.

We will also hold personal and career information of our staff and volunteers. This may include:
• Payroll and pension information.
• Next of Kin details.
• Details of sick and maternity leave.
• Performance and disciplinary records.

WEBSITE COMMENTS
• When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
• An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
• Visitor comments may be checked through an automated spam detection service.

WEBSITE CONTACT FORMS
Your submitted content is collected.

WEBSITE COOKIES
The RE Museum website uses Cookies to improve the usability of our website. This means that our website may store pieces of information from your browser. The information is not held permanently and is not shared.

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

EMBEDDED CONTENT FROM OTHER WEBSITES
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

WEBSITE ANALYTICS
We use Google Analytics to track user activity – this data is anonymised.

How We Use Your Data

Your data will be used only to support the legitimate purposes of the Royal Engineers Museum. Depending on your relationship with the Museum and, where necessary, the consent you have given we may use your information to:
• Deliver a service requested by you, process a payment or to fulfil a contract with the Museum, for example, the payment of an image reproduction request or purchase of online tickets.
• Enable the collection of Gift Aid.
• Inform you or events, exhibitions and activities organised by the Museum.
• Send you our e-newsletter or Friends of the Museum annual newsletter/report.
• Keep records of provenance and ownership of objects donated to the Museum.
• Inform you of the Museum’s fundraising activities, including details of new fundraising campaigns and targets.
• Meet the legal requirements of an employer towards its employees and, where appropriate, the management of volunteers.
• In the case of CCTV, for the security and safety of the Museum Collection, staff and visitors.
• Develop Museum services and tailor them to specific user needs.

How Long We Keep Your Data

We will retain your data:
• Until you inform us that you no longer wish to be contacted by the Museum.
• While you are a member of any Museum club or association.
• As required under UK law; for seven years in the case of financial transactions and for a minimum of 6 years after employment ceases in the case of employee basic personal data (name, address and contact details).
• Details of object donors will be retained in perpetuity or as long as the Museum holds said objects.
• As stated in the terms of specific agreement entered into, e.g. permissions for child photography are held for 5 years.
• If you leave a comment on the website, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
• For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Information will be destroyed or deleted in a manner appropriate to its sensitivity.

How and When We Share Your Data

The RE Museum is one of a number of charities linked to the Corps of Royal Engineers and the Ministry of Defence through the management of Regimental Headquarters of the Royal Engineers (RHQ RE). The Museum uses the services of a charitable accounts department and personnel manager provided by the MOD.

In order to safeguard personal information shared with these external departments the Museum is part of a data protection structure that incorporates all of the charities and RHQ RE. This is overseen by the Secretary of the Corps of Royal Engineers who acts as Data Protection Officer for the charities and Regimental Headquarters. Data Privacy Policy of the Regimental Headquarters is available on request.

All Corps charities also use the same single database to manage, where appropriate, their members, contact and customer details. Personal data will be shared between the charities in order to ensure that any changes you make with one charity automatically update your membership details of other Corps charities to which you subscribe. We will only share any sensitive data (e.g. bank details; family or benevolence details) with your express permission.

The Museum also has contracts and agreements in place for the management of its website, till, CCTV and IT network services. We ensure that our external suppliers have appropriate privacy and security policies and procedures in place.

With the exceptions listed above, we will only share your data with someone with your permission or where we are required to by law. We will never use your data, or allow others to use your data, for any marketing purposes other than that expressly connected with Museum activities.

How We Keep Your Data Secure

• The RE Museum has security procedures and protocols in place to protect the personal data. This includes:
• All staff receive periodic training and updates on the correct method of safe and secure handling of personal data.
• Other digital soft copy data e.g. emails, financial transactions (tills, e-tickets), are held on secure servers maintained under agreement and/or contracts.
• Data held in hard copy is secured locked cabinets or rooms with access restricted to the relevant Museum staff only.
• Museum CCTV footage is held for up to 90 days before being deleted. If, following a security incident, footage is required then it will be saved, securely, for as long as necessary.
• DATAWARE hosts the single members and contacts database that supports all Corps charities; no data is stored or processed outside the EU; data is fully encrypted both ‘at rest’ (ie, when stored on the server) and ‘in motion’ (when being sent between computers). Your data only appears as ‘open’ information when being viewed by an authorised member of staff and the Museum has a formal Data Sharing agreement in place with other Corps charities that use the database.

What Are Your Rights?

You may request to see the personal information the Museum holds on you by submitting a Subject Access Request to the Museum’s Data Controller. To make a Subject Access Request you will have to provide adequate proof of identity such as a passport or driving licence. The Museum will respond within 40 days of receipt of your request. Exemptions to disclosure may apply in some circumstances.

If at any point you believe the information we hold on you is incorrect you may ask to see what data we hold and, where necessary, have it corrected or removed.

Complaints Procedure

If you want to complain about how we handle your data you should contact our data controller; if that does not help then contact our Data Protection Officer and finally, if you still feel we are not processing your data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).

Contacting Us

Our Data Controller is the Museum Director who can be contacted at:
RE Museum
Brompton Barracks
Chatham
Kent
ME4 4UG
director@re-museum.co.uk
01634 8222261

Our Data Protection Officer is the Corps Secretary who can be contacted at:
Corps Secretary
Regimental Headquarters Royal Engineers
Brompton Barracks
Chatham
Kent
ME4 4UG
charles.holman988@mod.gov.uk
01634 822121

Changing Our Privacy Policy

This privacy notice was agreed in May 2018.

We may change our privacy policy from time to time to reflect changes in working practices or the law. Changes will be announced on line as necessary and the updated policy will be available via our website or as a hard copy on request.