Sign up for our newsletter
Keep up to date with all our latest news, online events and ways to visit the Museum from home.
Privacy notice
© Andy Brown
© Andy Brown
Sheffield Museums Trust is an independent registered charity in England and Wales. Our registration number is: 1194032. We operate six of Sheffield’s leading museums and heritage sites: Abbeydale Industrial Hamlet, Graves Gallery, Kelham Island Museum, Millennium Gallery, Shepherd Wheel and Weston Park Museum.
Our main address is:
Sheffield Museums Trust
Leader House
Surrey Street
Sheffield
S1 2LH
Sheffield Museums Trust is committed to taking the protection of your personal data seriously. On this page we will explain what personal data is, what data we collect, the legal basis for processing your personal data, the retention period and your rights.
If you have any questions or would like further information on our privacy policy please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
An overview of personal data
Personal data means any information which could be used to, directly or indirectly, identify you - such as your name, email address, an online identifier, telephone number, postal address, IP address or one or more other factors including physical, physiological, genetic, mental, economic, cultural or social identity.
Special category personal data needs additional protection because it is more sensitive. For example, it would include racial or ethnic origin, religious or philosophical beliefs or health information. We only collect this type of data in specific circumstances such as part of our recruitment process or if we need to understand your needs when you visit us.
Processing means performing an action with your personal data. This could be saving your information as part of you getting in contact with us via our website, purchasing something, registering for an event, joining our mailing list, applying for a job or registering for our job alert service. Processing also relates to us sending you emails, actioning a subject access request response, updating or deleting your data in line with your personal data rights.
Pseudonymisation means replacing any information which could be used to identify you with a value which no longer allows you to be identified without the use of additional information.
A Data Controller is an organisation, public authority, agency, other body or legal person that is responsible for and determines the purposes and means for processing the personal data they collect. A Data Controller can pass your personal data to a Data Processor who would carry out the processing of your personal data on their behalf, for example to send you an email. Sheffield Museums Trust is a data controller.
A Data Processor is an organisation, public authority, agency, other body or legal person that processes your personal data on behalf of a Data Controller. Sheffield Museums Trust may use, for example, the services of another company to send email communications to you on our behalf. In order to do this, we would need to provide the 3rd party organisation with some of your personal data in order for them to fulfil their obligations.
A retention period is the period of time that we hold your personal data before deleting it. We hold your personal data only for as long as necessary for the purpose we collected it. If, in the future, you decide that you no longer wish to have communications from us, you can withdraw your consent at any time by emailing us at communications@sheffieldmuseums.org.uk or calling us on 0114 278 2760. Once we have removed you from our communications we may still retain some basic personal data in order to prevent us from sending you any further communications.
Cookies are small files that are stored on your device and which help us understand how visitors use our website so that we can improve your browsing experience. For information on which cookies we use on our website, as well as how to manage your cookie preferences, please refer to our Cookie policy.
Keeping your personal data secure is very important to us and as such, we have implemented policies, processes, procedures and technical measures to keep your personal data safe.
We do not share your personal data with others unless we are employing the services of a Data Processor in order to fulfil the Trust’s business activities and, in some cases, your data may be transferred outside of the European Economic Area (‘EEA’). We do not sell your personal data. Listed below are the Data Processors we use together with links to their privacy policies:
- Email communications (we use MailChimp – read their privacy policy)
- Recruitment (we use Networx – read their privacy policy)
- eCommerce, Donations, Friends Membership (we use Shopify – read their privacy policy) and WorldPay – read their privacy policy)
- Hospitality Events and Learning Bookings (we use Priava – read their privacy policy)
- General Events/Ticketing (we use Eventbrite – read their privacy policy)
- Online workshops/Online Talks – (we use Zoom – read their privacy policy)
If you engage with us on a social media platform, we would like to make you aware that the processing of this personal data is the responsibility of the social media platform you are using. Please refer to their privacy policy for further information on how they use your personal data.
The personal data we collect
Listed below we have outlined the personal data that we collect, why we collect it and the legal basis that we use for collecting and/or processing that data. For further information on the legal bases, please refer to The legal bases we use for processing your personal data section beneath the tables below.
| The data we collect | Why we collect it | The legal basis we use |
|---|---|---|
| Enquiry/Feedback We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to complete your enquiry or provide feedback. |
In order for us to communicate with you in connection with your enquiry or feedback. Retention period: 1 year from last contact. | Legitimate interest |
| Booking/Reservation/Order We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to complete your booking, reservation or order. |
In order for us to communicate with you in connection with your booking, reservation or order. Retention period: 1 year from last contact. | Contract |
| Data protection/Freedom of information requests We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to complete your request. |
In order for us to communicate with you in connection with your request. Retention period: 1 year from last contact. | Legal obligation |
| Register for mailing list We will collect your name, contact details (email, telephone and/or address) any further information that is required in order for you to register for receiving communications. |
In order for us to communicate with you in connection with our museums, events, offers, products and activities. Retention period: While subscribed. | Consent |
| Donations Form We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to complete your donation. |
In order for us to communicate with you in connection with your donation. Retention period: 1 year from last contact. | Contract |
| Gift Aid We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to complete your Gift Aid declaration. |
By signing up to Gift Aid we are required to collect your name and contact details. Retention period: 1 year from last contact. | Legal obligation |
| Become a Friend or Member We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to apply to become a Friend or Member. |
In order for us to communicate with you in connection with the Friend and/or Member programme. Retention period: 1 year from last contact. | Contract |
| Purchase a Gift Membership We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to purchase a gift membership. |
In order for us to communicate with you in connection with the gift membership you have purchased. Retention period: 1 year from expiry of membership. | Contract |
| Enter competition We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to enter a competition. |
In order for us to communicate with you in connection with the competition. Retention period: 1 year from last contact. | Legitimate interest |
| Venue Hire We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to complete your venue hire enquiry or reservation. |
In order for us to communicate with you in connection with your venue hire enquiry or reservation. Retention period: 1 year from last contact. | Enquiry: Legitimate interest Reservation: Contract |
| Collections We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to complete your Collections enquiry. |
In order for us to communicate with you in connection with your Collections enquiry. Retention period: While item is held in the Collection. | Enquiry: Legitimate interest Compliance: Legal obligation |
| The data we collect | Why we collect it | The legal basis we use |
|---|---|---|
| Donations We will ask for your debit or credit card details or bank details during the checkout process in order for us to process your donation. |
In order that we can process your donation. Retention period: 1 year from last contact. |
Contract |
| Events We will ask for your debit or credit card details during the checkout process in order for us to process your order. |
In order that we can process your payment. Retention period: 1 year from last contact. |
Contract |
| Online Purchases We will ask for your debit or credit card details during the checkout process in order for us to process your order. |
In order that we can process your payment. Retention period: 1 year from last contact. |
Contract |
| The data we collect | Why we collect it | The legal basis we use |
|---|---|---|
| In-person visits We may collect your name, contact details (email, telephone and/or address) and any further information that is required for your visit. |
In order for us to communicate with you or government bodies in connection with your visit. Retention period: 30 days. |
Contract COVID: Legal obligation |
| CCTV We operate CCTV at our premises for your safety and the security of our property. This video information is stored for x days and where CCTV is in operation, signs are prominently displayed. |
For your safety and in order to protect our property. Retention period: 1 year. |
Legitimate Interest |
| The data we collect | Why we collect it | The legal basis we use |
|---|---|---|
| Job Alert Service We will collect your name, contact details (email, telephone and/or address) and any further information that is required in order for you to register for our Job Alert Service. |
In order for us to communicate with you in connection with your job opportunities. Retention period: 1 year from last contact. |
Legitimate interest |
| Job Applications We will collect your name, contact details (email, telephone and/or address) and any further information that is may be required such as your CV and salary expectations, in order for you to complete your job application. |
In order for us to process your job application and communicate with you in connection with our HR process. Retention period: 1 year from last contact. |
Recruitment: Legitimate interest HR Process: Legal obligation. |
The legal bases we use for processing your personal data
As a Data Controller we can use one of a number of legal bases for processing your personal data. Set out below are the legal bases which we use in order to process your personal data:
This means you have explicitly given us permission to process your personal data. An example of this is that you want to receive our newsletter so you have registered on our website and consented that we can send you our newsletter. You have the right to withdraw this consent at any time.
This means that you have entered into an agreement with us and we need to process your personal data in order to comply with our obligations under the agreement. An example of this is that you wish to purchase something from us and we need to process your payment details and/or send you communications regarding your purchase.
This means there may be a legal or regulatory obligation for us to process your personal data. An example of this is if you apply for a job with us. There are employment laws which apply to our recruitment process so we may need to process your personal data under this legal basis.
This means that there might be scenarios whereby we have a legitimate interest to process your personal data. An example of this is if we decided to launch a fundraising campaign. Before we process your personal data using the legitimate interest basis we will conduct a Legitimate Interest Assessment (‘LIA’) to ensure that we identify the legitimate interest, then apply the necessity test and, lastly, do a balancing test. If we use legitimate interest to process your personal data we will ensure that we do not use it in ways that would cause you harm or that you would find intrusive, unless we have a very good reason to do so.
Your Personal Data Rights
The UK General Data Protection Regulations (GDPR) provides you with a number of rights you can exercise over your personal data. These are outlined below.
As an individual you have the right to be informed about the collection and use of your personal data. We have outlined on this page your rights, the data that we collect, how we process it and where applicable, who we share your data with.
Where we collect and/or process data we will let you know:
- Our purposes for processing your personal data
- Our data retention periods for that personal data
- Who we will share that data with.
If you have any questions, would like further information or would like to withdraw your consent, please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
You have the right to request access and receive a copy of your personal data and other supplementary information. This is commonly known as a Subject Access Request (‘SAR’). To make a request, please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
Once we have received your request we will respond within one month. However, if we have received a number of requests from you, or the requests are complex and we believe your request will take longer than one month to action, we will let you know whether we need to extend our response time by up to three months.
This right allows you to request to have inaccurate personal data rectified. You may also be able to have incomplete personal data completed. To make a request, please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
Once we have received your request we will respond within one month. However, if we have received a number of requests from you, or the requests are complex and we believe your request will take longer than one month to action, we will let you know whether we need to extend our response time by up to three months.
This right allows you to request to have some, or all, of the personal data we hold about you erased. This right to erasure is also known as ‘the right to be forgotten’ and is only applicable to the personal data that we hold at the time that the request is received. You might ask us to do this where:
- The personal data is no longer necessary for the purpose which we originally collected or processed it for
- You previously consented but now wish to withdraw that consent
- We have processed your personal data unlawfully
- We have to erase your personal data to comply with a legal obligation.
To make a request, please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
Once we have received your request we will respond within one month. However, if we have received a number of requests from you, or the requests are complex and we believe your request will take longer than one month to action, we will let you know whether we need to extend our response time by up to three months.
This right allows you to request the restriction or suppression of your personal data. This means that you can request that we limit the way we use your personal data and is an alternative to requesting the erasure of your personal data.
You can make a request if you believe that:
- The personal data we hold for you is inaccurate and should not continue to be processed by us until the data has been verified and/or rectified
- We have processed your personal data unlawfully
- You need us to retain the personal data in order to establish, exercise or defend a legal claim
- You have objected to us processing your personal data and we are considering whether we have legitimate grounds to override your request.
To make a request, please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
Once we have received your request we will respond within one month. However, if we have received a number of requests from you, or the requests are complex and we believe your request will take longer than one month to action, we will let you know whether we need to extend our response time by up to three months.
This right allows you to request a copy of your personal data that you have provided to us in a structured, commonly used and machine-readable format so that you can reuse this personal data for your own purposes across difference services. This right also allows us to provide this data directly to another Data Controller at your request. A request for a copy of your personal data doesn’t mean that we would erase your data. If this was required, you would need to request this. Please refer to The right to erasure.
To make a request, please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
Once we have received your request we will respond within one month. However, if we have received a number of requests from you, or the requests are complex and we believe your request will take longer than one month to action, we will let you know whether we need to extend our response time by up to three months.
This right allows you to object to the processing of your personal data at any time where we use Legitimate Interests as the legal basis for processing your personal data. The objection may be in relation to all of the personal data or only certain personal data that we hold.
To make a request, please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
Once we have received your request we will respond within one month. However, if we have received a number of requests from you, or the requests are complex and we believe your request will take longer than one month to action, we will let you know whether we need to extend our response time by up to three months.
In addition to above rights, the UK GDPR has provisions on:
- Automated individual decision making
This is where a decision is made solely by automated means without human involvement. - Profiling
This is automated processing of personal data to evaluate certain things about you. Profiling can be part of an automated decision-making process.
We will only carry out these types of decision making if the decision:
- Is necessary for entering into or performance of a contract between us and you; or
- Authorised by domestic law; or
- Based on your explicit consent.
In addition to the principles set out above, you also have a right to be informed if your personal data is breached or compromised and would put you at risk. In the event of this occurring, we will contact you within a reasonable timeframe to let you know what has happened and how it happened, what data is affected and what action we are taking to resolve the breach.
If you wish to make a complaint which is in relation to our privacy policy or your personal data, please contact us by email at finance@sheffieldmuseums.org.uk or by telephone on 0114 278 2652.
If you wish to make a complaint in relation to your personal data directly to the Information Commissioner’s Office (‘ICO’), you can find more information on their website at https://ico.org.uk/make-a-complaint/.
Changes to our Privacy policy
We regularly review our privacy policy and any updates which may be made from time-to-time will be published on this page.
Last updated: 2 November 2022
