Data Protection Policy

Mission Statement

The name of the Charitable Incorporated Organisation (the CIO”) is Woodbridge Tide Mill Charitable Trust

The objectives of the CIO are:

To administer the building known as the Tide Mill, of which was conveyed within a Deed dated 1^st of March 1977 in perpetuity to Woodbridge Town Council for the benefit of the public and of primarily the inhabitants of Woodbridge in the county of Suffolk as a building of historical and architectural interest, as an installation of historical and technical importance, and as a museum of social and cultural history, which should be retained for the education of the present and future generations and shall be used to provide facilities available to the inhabitants of Woodbridge and to members of the public at large for recreation or other leisure-time occupation with the object of improving the conditions of life for the persons for whom the facilities are primarily intended.

Introduction

This policy explains how and why we use your personal data, so you can make sure you stay informed and be confident about giving us your information.

The privacy and security of your personal information is extremely important to Woodbridge Tide Mill Museum. We never sell or pass on your personal data unless required by authorities for legislative or law enforcement reasons. We will only share it when it’s necessary, and the privacy and security of your data is assured.

1. Who are “we”

In this notice, whenever you see the words ‘we’, ‘us’, ‘our’ or ‘Museum’ it refers to Woodbridge Tide Mill Charitable Trust. The Museum is a Charitable Incorporated Organisation (CIO) registered with the Charity Commission. We are a ‘data controller’ under Data Protection Law. We are entered in the Information Commissioner’s Register of Data Controllers with registration number ZB290138.

2. What Personal data do we collect?

We collect and use your personal data (any information which identifies you, or which can be identified as relating to you personally) in connection with activities such as, but not limited to, membership administration, donations, loans, volunteering, collections management and documentation, conducting research, competitions and online shop purchases.

This data will include but is not limited to, name, title, address, date of birth, age, gender, employment status, email address, and telephone numbers. Your data may be collected by us in writing, online, person or by phone.

Why do we collect personal data?

We ask for your data to fulfil our ‘legitimate interests’ in the running of our organisation. These include but are not limited to:

Membership: – Legal Bases for processing – Legitimate Interest, Legal Requirement

• When you join the Museum as a member, we ask for contact details for administration and communication. This information comprises: name, home address, email address, phone number(s) and gift aid declaration (if applicable). You will also tell us your preferred options in terms of how we communicate with you.
• Financial information (your payment choice (cheque, direct debit, standing order or bank transfer), and whether subscriptions are gift aided

Gifts and donations: – Legal Bases for processing – Legal Requirement

• If you decide to donate a sum of money to the Museum then we will keep records of when and how much, and whether your donation is gift-aided
• When you donate an item to the Museum we ask for contact details to enable us to complete a legal Transfer of Title. These details provide a record of the donor and also essential information regarding the provenance of the item
• When you lend an item to the Museum we ask for contact details to allow us to remain in touch for the duration of the loan, and as a record of the legal contract you have with us

Volunteering: – Legal Bases for processing – Legitimate Interest and Safeguarding

• When volunteers join the Museum we need contact details so that we can manage the work our volunteers do
• When you choose to volunteer with the Museum in any role, we need contact details so we can contact you about the work you do, or in case of emergency
• We may collect extra information about you (e.g. references, criminal records checks (DBS), details of emergency contacts, etc.). We may also collect personal data such as ethnic origin and information about disability to ensure that we are meeting our inclusion and accessibility obligations. This information will be retained for legal or contractual reasons, to protect us (including in the event of an insurance or legal claim) and for safeguarding purposes.

Online Ticketing and Online shop purchases: – Legal Bases of processing – Contract (sale of   product or service)

• We need personal and financial details in order to supply you with the purchased goods or services

Salaried Staff: Legal Bases for processing – Legal Requirement

• To hold and process personal information for payroll processing reasons
• To provide information to Her Majesty’s Revenue and Customs service (HMRC) and pension providers for taxation and pension reasons

Other: – Legal Bases for processing – Legitimate Interest

• Visitor surveys via Audience Finder and other means
• Newsletter and General Tide Mill communications via opt-in consent
• We process photograph requests and research enquiries. For this we take only essential contact information and keep it no longer than required to process the request/enquiry

3. Examples of how we use your personal data

We will only use your personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation (GDPR), UK Data Protection Act and Privacy of Electronic Communication Regulation. Personal data provided to us will be used for the purpose outlined above in a transparent manner at the time of collection or registration where appropriate, in accordance with any preferences you express. You can choose how you want to receive these communications (by email, post or phone).

Below are the main uses of your data, which depend on the nature of our relationship with you.

Marketing communications:

We will use your details to keep in touch about things that may matter to you but we will only send you marketing information if you agree to receive it and you will be able to opt out of receiving further marketing emails at any time. This information may be about visiting the Museum, volunteering with us, membership, events and activities, conservation work, special promotions in our online shop and fundraising.

Membership:

We use the personal data you provide as a Member to send you relevant information regarding events, AGM, newsletters and membership renewal.

Fundraising, donations, legacy pledges, volunteering and sales:

If you make a monetary donation, we’ll use personal information you give us to record the nature and amount of your gift, claim Gift Aid if you’re eligible and to thank you for your gift.

If you tell us you want to fundraise to support our cause, we’ll use the personal information you give us to record your plans and contact you to support your fundraising efforts.

If we have a conversation or interaction with you (or with someone who contacts us in relation to your will, for example your solicitor), we’ll note these interactions throughout your relationship with us, as this helps to ensure your gift is directed as you wanted.

We use your personal data to manage your volunteering from your initial enquiry to when you stop volunteering, for example notifying you about your shift rota or sending out instructions.

We use personal data for taking event bookings and ticket sales. We will send you tickets or notify you that they are ready for collection.

We use personal data where online shop purchases are made. We will use the data supplied to process the transaction and to send you details of  the order dispatch.

Salaried Staff

We use the data you provide as a paid member of staff to be able to pay your salary and fulfil our legal obligation to provide the necessary information to Her Majesty’s Revenue and Customs service (HRMC) and pension providers for taxation and pension provision reasons.

4. Online data and our website

Cookies:

Cookies are small text files stored on your computer when you visit certain websites. We use first-party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third-party cookies (cookies that are set by an organisation other than the owner of the website) for the purposes of website measurement and targeted advertising. You can control the use of cookies yourself via your browser.

Links to other websites:

Our website may, from time to time, contain links to and from the websites of other organisations as well as our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and privacy notices and that we don’t accept any responsibility or liability for their policies.

Automatically collected data:

We use respected third parties to process data on our behalf, and provide below links to their respective privacy policies.

• ‘Mailchimp’ – for administering our mailing list. They will be given your email address for this purpose. [URL: https://mailchimp.com/] Privacy Policy at [https://www.intuit.com/privacy/statement]

• ‘Art Fund Tickets’ – for purchasing and delivering tickets to visit Woodbridge Tide Mill. [URL: https://woodbridge-tide-mill-museum.arttickets.org.uk/pages/privacy-policy]
• Online shop – for payment and order processing. [URL:https://www.tidemillshop.com/privacy-policy]
• ‘STRIPE’ for processing financial transactions. [URL: https://stripe.com/gb/privacy]
• Audience Finder – Where you agree to undertake a visitor experience survey. [URL:https://original.audiencefinder.org/audience-finder-privacy-notice]

5. Keeping your information

We will only use and store your information for as long as it is required, depending on the purposes for which it was collected and sometimes, statutory legal requirements. We will keep your information physically secure by taking appropriate technical and organisational measures against its unauthorised or unlawful processing and against its accidental loss, destruction or damage.

Storage of information

Your personal data may be stored in the following ways:

• Electronically on computer, and on cloud storage, and in paper format in a locked location. Electronic files containing personal data will be password protected
• Membership information is held electronically by the Membership Secretary and is password protected
• Emergency contact details for volunteers are kept securely at the Mill

Disclosing and sharing information

Personal data collected by us may be shared with the following groups:

• Museum volunteers and staff, where appropriate for operational reasons
• Audience Finder – for the processing of survey data
• Art Tickets – for the processing of ticket purchases
• Wix – for online shop transaction processing
• MailChimp – for marketing mailings

Our employees and volunteers who have access to and are associated with the processing of personal data are obliged by law to respect the confidentiality of that data.

Retention and disposal of personal data:

We will not keep personal data for any longer than is absolutely necessary. Paper-based data will be disposed of by shredding. Electronic records will be deleted from our computers. While the length of time we retain records will necessarily vary depending on specific purposes, the main parameters are as follows:

Personal data type	Storage duration
Membership forms and data	Membership data will be retained until the end of the year in which a subscription is resigned or lapsed.
Name/address of donor	Data on donors is stored in perpetuity as part of the donated object history file and transfer of title information
Name/address of lender	Data related to loans will be stored in perpetuity as part of the object history file
Volunteer data	Retained for 1 year after resignation or termination of contract for safeguarding and reference request purposes
Financial records	7 years for HMRC tax, and Gift Aid inspection purposes
Research requests and photographs	Until the request has been completed; a record of the photograph(s) and research topic may be retained.
Miscellaneous correspondence	Data is kept for operational purposes only and at the Museum’s discretion. Correspondence related to donations and loans is stored in perpetuity as part of the object history file

6. Updating your data and marketing preferences

If, at any time, you want to update or amend your personal data or marketing preferences please use the options in our electronic communications or contact us in one of the following ways:

Email: comms@woodbridgetidemill.org.uk with your full name and full address and your request

Post:

Woodbridge Tide Mill
Tide Mill Way
Woodbridge
Suffolk
IP12 1BY

7. Your data protection rights

The Data Protection Act (2018) gives individuals the following rights regarding their personal data:

• The right of access: you have the right to know whether we are processing any of your personal data. If we are, you have the right to access the data and certain information, such as why we are processing the data
• The right of rectification: you have the right to ensure that we correct inaccuracies in your personal data that we are processing
• The right of erasure(the ‘right to be forgotten’): in certain situations you have the right to ensure that we erase your personal data
• The right to restriction of processing: in certain situations you have the right to ensure that we restrict our processing of your personal data
• The right of data portability: in certain situations you have the right to receive personal data that you provided to us in a structured, commonly used and machine-readable format
• The right to object: in certain situations you have the right to object to our processing of your personal data and we are normally obliged to stop processing your data when requested. This right includes the right to object to our processing of your personal data for the purposes of direct marketing
• The right to complain: you have the right to make a complaint to the UK Information Commissioner’s Office (ICO) about our processing of your data, the exercise of your rights, and other data protection matters
• The right to withdraw consent: you have the right at any time to withdraw your consent for us to process your personal data.

If you would like further information on your rights or wish to exercise them, please contact us at the address or via email as shown above. You will be asked to provide the following details:

• The personal information you want to access
• The date range of the information you wish to access

We will also need you to provide information that will help us confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format. We will respond to your request as soon as possible. Please allow additional time for more complex requests.

What to do if you are not happy:

In the first instance, please talk to us directly using the contact information above so we can try to resolve any problem or query. You also have the right to contact the Information Commissions Office (ICO) if you have any questions about Data Protection. You can contact them using their helpline 0303 123 1113 or at www.ico.org.uk.

8. Personal Data Breaches

In the event that a personal data breach is detected, we will follow the guidance provided by the Information Commissioner’s Office as described and updated at the following link

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

9. Changes to this Privacy Notice

This privacy notice will be reviewed every 3 years and amended as necessary to ensure it remains up to date and reflects how and why we use your personal data and to meet any new legal requirements.