Privacy and cookies

1. Who we are and the purpose of this policy

The National Army Museum group includes the National Army Museum (NAM), National Army Museum Trading Limited and the National Army Museum Foundation.  For the purposes of this policy, the terms NAM and Museum, apply to the NAM Group. This privacy policy explains how we use any personal information we collect about you when you use our website, engage with the Museum, or attend one of our events.

2. Who to contact regarding personal information

The designated Data Controllers for the National Army Museum group are:

• National Army Museum – Mike O'Connor, Museum Deputy Director
• National Army Museum Trading Limited – Mike O'Connor, Museum Deputy Director
• National Army Museum Foundation – Justin Maciejewski, Museum Director

Responsibility for information rests with the Director, Justin Maciejewski, supported by an appointed SIRO, Mike O’Connor, and the Museum Records Officer.

Questions about our privacy policy, or information we hold about you, can be obtained:

• By post: National Army Museum, Royal Hospital Road, Chelsea, London, SW3 4HT
• By telephone: 020 7730 0717
• By email: info@nam.ac.uk

3. Your rights over your personal information

The National Army Museum applies best endeavours to comply with the Data Protection Act (2018) and UK GDPR. As a data subject, you have certain rights over your personal information:

• The right to be informed about the information we hold about you
• The right to see what information we hold about you
• The right to amend and correct any information we hold about you
• The right to request that we delete all information we hold about you
• The right to restrict the ways in which we process your personal information
• The right to have a copy of your personal information in the format in which you request it
• The right to object to the processing of your personal data by us at any time
• The right to restrict any forms of automated decision making concerning your personal information, including profiling.

Where the National Army Museum has relied on consent as the legal basis for collecting and processing personal data, the data subject has the right to withdraw that consent at any time. Please use the contact details above to make a request concerning personal information held by the Museum about you. Please be aware that the Museum will require proof of identity for any removal or access requests.

4. What information we collect and how it is used

We collect information about you when you register with the Museum to use our services, attend our events, make a purchase, join as a supporter, or make a financial donation or donation of an item for the Museum’s collection. We also collect information when you voluntarily complete a survey, provide feedback, and participate in competitions and social media conversations.

When we ask you to provide your personal information we will let you know why we are asking, and how we will use your data, and direct you towards this notice for more information.

The reopening of the Museum following the Covid-19 outbreak adheres to guidance issued by the Government and the National Museums Directors’ Council (NMDC). In order to support the NHS Test and Trace system, all visitor, staff and contractor contact details will be retained for 21 days. Please note that your details will only be shared with NHS Test and Trace if requested. We ask that you assist us in helping to contain any further outbreaks by supplying NHS Test and Trace with full details of the party booked under your name.

We will not sell your details to any third parties, nor disclose personal data to any third parties or external organisations, other than trusted data processors and service providers carrying out work on our behalf. Examples of data processors would be mailing houses, bulk email distribution services, or data cleaning organisations. We do comprehensive checks on any companies working on our behalf before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they collect or have access to in line with the UK Data Protection Act (2018) and UK GDPR (2020).

We will apply for your explicit and informed consent in the event that we require to share your data in any other way that is not covered in this policy.

We collect information about you in order to fulfil our public task, as set out in the Museum's Royal Charter, and provide you with the service you have requested. The information we collect and how we use it depends on your relationship with the Museum, and the preferences you have indicated. The sections below provide specific details.

If you work for us, volunteer for us, or provide us with a service

Information we may collect:

Name, address, next of kin details, bank details, health information, training records, career details and disciplinary records

How we use this information:

Employment and training, pensions and benefits, health and safety, recruitment, future references, management of volunteer placements, payment of contractors and suppliers

Who we share this with:

Ministry of Defence as our sponsoring body for payments and third parties for pensions and payroll services

Retention of data:

Contractors and suppliers information retained for 6 years from end of financial year; volunteer and employment records are reviewed 6 years from end of placement/employment

Legal basis for collection:

Processing necessary for carrying out obligations under employment or for the performance of a contract (Articles 6.1(b) and 9.2(b)) 

Storage of information:

Paper records are kept within secure storage in our HR Office and semi-current storage; digital records are held within our personnel and finance databases.

If you support us as a patron, sponsor, or member

Information we may collect:

Contact details, payment details, and information about past engagement with the Museum

How we use this information:

To engage with patrons, sponsors and members for fundraising purposes and to offer exclusive events and benefits

Who we share this with:

Not shared

Retention of data:

Reviewed for transfer to the Museum’s Institutional Archive for historic research at the end of membership

Legal basis for collection:

Consent of the data subject (Article 6.1(a))

Storage of information:

Digital records are held within our customer service management system

If you visit the Museum

Information we may collect:

Contact details for the purposes of booking a ticket, and in order to respond to any enquiries, comments or complaints.

How we use this information:

To respond to comments, enquiries or complaints. We may also follow up your visit with a short survey in order to improve our service.

Who we share this with:

Third parties who handle our booking and mailing service; NHS Test and Trace if required.

Retention of data:

Destroyed at the end of 2 years in line with the Museum’s retention schedule. Booking information for the purposes of NHS Test and Trace will be destroyed after 21 days.

Legal basis for collection:

Processing necessary for performance of task carried out in public interest, ie to accommodate the visitor, improve our service, and respond to any enquiry, comment or complaint associated with the visit (Article 6.1(e))

Storage of information:

Contact details added to a central, secure database in line with enquiry procedures; feedback cards or paper correspondence destroyed once enquiry completed

If you contribute to our collections and galleries

Information we may collect:

Contact details, family details relevant to the item or gallery, and copyright information

How we use this information:

To provide provenance, ownership and copyright details about collections, and ensure compliance with copyright regulations for items and images displayed in our galleries

Who we share this with:

Not shared

Retention of data:

All information retained for the life of the Museum

Legal basis for collection:

Collected to enable the Museum to perform its public task, ie to collect, preserve and exhibit objects and records relating to the history and traditions of Our Army, and for archiving purposes (Article 6.1(e))

Storage of information:

Paper records are held in secure storage as part of the Museum’s Institutional Archive; digital records are held within the Museum’s collections management system. Please see our Collections Development Policy for further details.

If you engage with us as a speaker or major contributor at an event

Information we may collect:

Name, contact details, speaker biographical details, bank details for expenses

How we use this information:

To manage events and process expenses

Who we share this with:

Professional biographical details shared as part of event marketing

Retention of data:

Destroyed at the end of 6 years from last engagement with NAM

Legal basis for collection:

Processing necessary for carrying out public task, ie the dissemination of information and knowledge, Article 6.1(e) and performance of a contract, Article 6.1(b)

Storage of information:

Digital records are held within our payment and customer service management systems

If you engage with us a researcher or send us an enquiry

Information we may collect:

Contact details, and proof of identity for TSC reader members

How we use this information:

To respond to enquiries received and provide for research services in the TSC

Who we share this with:

Not shared

Retention of data:

All information destroyed after 2 years

Legal basis for collection:

Collected as part of the Museum’s public task, ie to encourage research into, and the accumulation and dissemination of information and knowledge bearing on the history of Our Army, and with the consent of the data subject (Article 6.1(a))

Storage of information:

Digital records are held within our customer service management system and in our email system and shared drive.

If you receive our newsletter

Information we may collect:

Contact details

How we use this information:

To distribute the e-newsletter or hard copy of ‘What’s On’

Who we share this with:

Shared with mailing distribution third parties, including MailChimp

Retention of data:

Retained until the data subject opts out of receiving the newsletter

Legal basis for collection:

Consent of the data subject (Article 6.1(a)

Storage of information:

Digital records are held within our customer service management system

If you book to attend an event at the Museum

Information we may collect:

Contact details, bank details for paid events, health information that may be relevant to the event, age of children if relevant to the event

How we use this information:

To facilitate attendance at an event and take any relevant payment

Who we share this with:

Online booking and payment system hosted by a third party, with whom the Museum has an information sharing agreement

Retention of data:

All information destroyed 6 years from end of financial year

Legal basis for collection:

Processing necessary for performance of contract (Article 6.1(b))

Storage of information:

Digital records are held within our payment and customer service management systems

If you make a transaction in the Museum shop

Information we may collect:

Payment details for card payments and contact details for any advance orders

How we use this information:

To facilitate orders and payment for items in the Museum’s shop

Who we share this with:

Payment system hosted by a third party, with whom the Museum has an information sharing agreement

Retention of data:

All information destroyed 6 years from end of financial year

Legal basis for collection:

Processing necessary for performance of contract (Article 6.1(b))

Storage of information:

Digital records are held within our payment and customer service management systems

If you hire our spaces

Information we may collect:

Contact details, bank details, health information that may be relevant to the event, age of children if relevant to the event

How we use this information:

To facilitate hire of space at the Museum, including Playbase and birthday parties

Who we share this with:

Online booking and payment system hosted by a third party, with whom the Museum has an information sharing agreement

Retention of data:

All information destroyed 6 years from end of financial year

Legal basis for collection:

Processing necessary for performance of contract (Article 6.1(b))

Storage of information:

Digital records are held within our payment and customer service management systems

If you visit our website

Information we may collect:

Information collected through the use of cookies. This consists of things like IP addresses (often anonymised), sites visited and actions taken. We do not use cookies to identify you personally, or to gather other personal details like names or email addresses.

How we use this information:

To improve website experience for the visitor, to help us understand our website visitors better, and to help us to promote the Museum and our offer.

Who we share this with:

Website hosts and Google Analytics through standard information sharing agreements. Third parties to provide certain functionality and services.

Retention of data:

Information collected through cookies has various retention schedules depending on the type of cookie. Some is automatically deleted at the end of your website session. Other information is retained for up to 26 months.

Legal basis for collection:

Consent of the data subject informed by the Museum’s Cookies Policy (Article 6.1(a))

Storage of information:

None of this information is retained on the Museum’s systems.

If you engage with us on social media

Information we may collect:

Contact details

How we use this information:

To engage with the public over social media regarding activities and the Museum’s public task.

Who we share this with:

The Museum does not share this information beyond the confines of the social media platform in question.

Retention of data:

No data is held by the Museum; please check the privacy statements of the social media platforms in question.

Legal basis for collection:

No personal data is collected or processed by the NAM.

Storage of information:

Information is not collated and held on Museum systems.

5. Where your information is stored and how it is kept secure

The National Museum has implemented security procedures and rules to protect the personal data under our control from unauthorised access, improper use or disclosure, or unauthorized modification. All employees and data processors are obliged to respect the confidentiality of the personal data of our visitors and supporters.

Personal information is held within our paper files in secure storage facilities on all Museum sites and on our shared drive, with restricted access only to trained staff. The Museum controls membership and user data within restricted access customer management systems, financial systems and payment systems.

Procedures are in place to document and minimise loss or misuse of information through an Information Asset Owner’s group.

6. CCTV

CCTV is used extensively throughout the Museum and its outstations to monitor the activities of individuals and the safety and security of our visitors, staff, volunteers and collections. The Museum abides by the CCTV Code of Practice in the management of information recorded and retained by surveillance equipment. Images are retained for thirty days afterwhich they are automatically deleted unless they are required for the purposes of proof of wrong doing.

7. Cookies and privacy

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. More details about the Museum’s use of cookies can be found in the​​​​​ Cookies Policy. For more general information, visit www.aboutcookies.org or www.allaboutcookies.org.

You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

8. Changes to our privacy policy

We keep our Privacy Policy under regular review. This Privacy Policy had major updates between 2017 and 2019 in preparation for the EU General Data Protection Regulations 2018, and following recommendations from an audit of the Museum’s GDPR compliance. This version of the policy was approved in July 2021.