Privacy and cookies

1. Purpose of this policy

The National Army Museum Group includes the National Army Museum (NAM) and National Army Museum Trading Limited (NAMTL). For the purposes of this policy, the terms NAM and Museum apply to the National Army Museum Group.

This privacy policy explains how we use any personal information we collect about you when you use our website, engage with, and support, the Museum, or attend one of our events.

This privacy policy had major updates between 2017 and 2019 in preparation for the EU General Data Protection Regulations, and following recommendations from an audit of the Museum’s GDPR compliance.

2. Who to contact regarding personal information

The designated Data Controllers for the National Army Museum Group are:

• NAM: Mike O'Connor, Museum Deputy Director
• NAMTL: Mike O'Connor, Museum Deputy Director

Responsibility for information rests with the Director, Justin Maciejewski, supported by an appointed SIRO, Mike O’Connor, and the Head of Archives, Library and Information.

Questions about our privacy policy, or information we hold about you, can be obtained:

• By post: National Army Museum, Royal Hospital Road, Chelsea, London SW3 4HT
• By telephone: 020 7730 0717
• By email: info@nam.ac.uk

3. Your rights over your personal information

The National Army Museum applies best endeavours to comply with the UK Data Protection Act (2018) and UK GDPR (2020). As a data subject, you have certain rights over your personal information:

• The right to be informed about the information we hold about you
• The right to see what information we hold about you
• The right to amend and correct any information we hold about you
• The right to request that we delete all information we hold about you
• The right to restrict the ways in which we process your personal information
• The right to have a copy of your personal information in the format in which you request it
• The right to object to the processing of your personal data by us at any time
• The right to restrict any forms of automated decision making concerning your personal information, including profiling.

Where the National Army Museum has relied on consent as the legal basis for collecting and processing personal data, the data subject has the right to withdraw that consent at any time. Please use the contact details above to make a request concerning personal information held by the Museum about you. Please be aware that the Museum will require proof of identity for any removal or access requests.

4. What information we collect and how it is used

We collect information about you when you register with the Museum to use our services, attend our events, make a purchase, join as a supporter, or make a financial donation or donation of an item for the Museum’s collection. We also collect information when you voluntarily complete a survey, provide feedback, and participate in competitions and social media conversations, and when you contact the Museum with an enquiry, comment or donation offer.

When we ask you to provide your personal information we will let you know why we are asking, and how we will use your data, and direct you towards this notice for more information.

We will not sell your details to any third parties, nor disclose personal data to any third parties or external organisations, other than trusted data processors and service providers carrying out work on our behalf. Examples of data processors would be mailing houses, bulk email distribution services, or data cleaning organisations. We do comprehensive checks on any companies working on our behalf before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they collect or have access to in line with the UK Data Protection Act (2018) and UK GDPR (2020).

We will apply for your explicit and informed consent in the event that we require to share your data in any other way that is not covered in this policy.

We collect information about you in order to fulfil our public task, as set out in the Museum's Royal Charter and Charitable Objects, and provide you with the service you have requested. The information we collect and how we use it depends on your relationship with the Museum, and the preferences you have indicated. The sections below provide specific details.

4.1. If you work for us, volunteer for us, or provide us with a service

Information we may collect:

Name, address, next of kin details, bank details, necessary health information, training records, career details and disciplinary records

How we use this information:

Employment and training, pensions and benefits, health and safety, recruitment, future references, management of volunteer placements, payment of contractors and suppliers

Who we share this with:

Ministry of Defence as our sponsoring body for payments and third parties for pensions, benefits and payroll services

Retention of data:

Contractors and suppliers information retained for six years from end of financial year; volunteer and employment records are reviewed six years from end of placement/employment

Legal basis for collection:

Processing necessary for carrying out obligations under employment or for the performance of a contract (Article 9.2(b))

Storage of information:

Paper records are kept within secure storage in our HR Office and within semi-current storage; digital records are held within our personnel and finance databases.

4.2. If you support us as a patron, sponsor, or member

Information we may collect:

Contact details, payment details, and information about your engagement with the Museum

How we use this information:

To engage with you for fundraising purposes and to offer exclusive events and benefits

Who we share this with:

May be shared with third parties for Gift Aid or mailing purposes

Retention of data:

Fundraising contact and payment details will be retained until six full financial years have elapsed since a donor’s last gift OR two full financial years have elapsed from notification of their death. In the case of lapsed donor details, where the Museum has failed to hear from an established donor for more than two years, the Museum will contact the donor before deletion. Some fundraising records may be retained for longer as a historical record of corporate fundraising activity and the donor engagement.

Legal basis for collection:

Consent of the data subject (Article 6.1(a))

Storage of information:

Contact records are held within our customer relationship management (CRM) system with restricted access; other digital records, including emails, are held within cloud storage with restricted access

4.3. If you visit the Museum

Information we may collect:

Contact details for the purposes of booking a ticket for events, and in order to respond to any enquiries, comments or complaints.

How we use this information:

To respond to comments, enquiries or complaints. We may also follow up your visit with a short survey in order to improve our service.

Who we share this with:

Third parties who handle our booking and mailing service

Retention of data:

Destroyed at the end of two years

Legal basis for collection:

Processing necessary for performance of tasks carried out in public interest, eg to accommodate the visitor, improve our service, and respond to any enquiry, comment or complaint associated with the visit (Article 6.1(e))

Storage of information:

Contact details added to our CRM system; feedback cards or paper correspondence destroyed once enquiry completed

4.4. If you contribute to our collections and galleries

Information we may collect:

Contact details, family details relevant to the item or gallery, and copyright information

How we use this information:

To provide provenance, ownership and copyright details about collections, and ensure authenticity and compliance with copyright regulations for items and images displayed in our galleries

Who we share this with:

Not shared

Retention of data:

For the life of the Museum

Legal basis for collection:

Processing necessary for performance of public task, ie to collect, preserve and exhibit objects and records relating to the history and traditions of the British Army, and for archiving purposes (Article 6.1(e))

Storage of information:

Paper records are held in secure storage within the Museum’s Institutional Archive and Registrar's filing system; digital records are held within the Museum’s collections management system. Please see our Collections Development Policy for further details.

4.5. If you engage with us as a speaker or major contributor at an event

Information we may collect:

Contact details, speaker biographical details, bank details for expenses

How we use this information:

To manage events and process expenses

Who we share this with:

Professional biographical details shared with event attendees

Retention of data:

Destroyed at the end of six years from last engagement with NAM

Legal basis for collection:

Processing necessary for performance of a contract with data subject, Article 6.1(b)

Storage of information:

Digital records are held within our payment and CRM systems

4.6. If you engage with us as a researcher or send us an enquiry

Information we may collect:

Contact details, proof of identity for registration as a reader

How we use this information:

To respond to enquiries received and provide for research services within our study centres

Who we share this with:

Not shared

Retention of data:

Destroyed after two years

Legal basis for collection:

Consent of the data subject (Article 6.1(a))

Storage of information:

Digital records are held within our CRM system, in our email system and within our digital filing system. Visitor information, such as vehicle registration details, is held on our visitor booking system.

4.7. If you receive any of our newsletters

Information we may collect:

Contact details

How we use this information:

To distribute the Museum's newsletters

Who we share this with:

Third party mailing service

Retention of data:

Retained until the data subject opts out of the mailing list

Legal basis for collection:

Consent of the data subject (Article 6.1(a)

Storage of information:

Contact details are held within our CRM system and third party mailing platform

4.8. If you book to attend an event at the Museum

Information we may collect:

Contact details, bank details for paid events, health information that may be relevant to the event, age of children if relevant

How we use this information:

To facilitate attendance at an event and payments

Who we share this with:

Third party online booking and payment system

Retention of data:

Destroyed six years from end of financial year

Legal basis for collection:

Processing necessary for performance of contract (Article 6.1(b))

Storage of information:

Digital records are held within our payment and CRM systems

4.9. If you make a transaction in the Museum shop

Information we may collect:

Payment details for card payments and contact details for any advance orders

How we use this information:

To facilitate orders and payments for items in the Museum’s shop

Who we share this with:

Third party payment system

Retention of data:

Destroyed six years from end of financial year

Legal basis for collection:

Processing necessary for performance of contract (Article 6.1(b))

Storage of information:

Digital records are held within our payment and CRM systems

4.10. If you hire our spaces

Information we may collect:

Contact details, bank details, health information and age of children if relevant

How we use this information:

To facilitate hire of space and services at the Museum, including Play Base and birthday parties

Who we share this with:

Third party online booking and payment system

Retention of data:

Destroyed six years from end of financial year

Legal basis for collection:

Processing necessary for performance of contract (Article 6.1(b))

Storage of information:

Digital records are held within our payment and CRM systems

4.11. If you engage with us on social media

Information we may collect:

Contact details

How we use this information:

To engage with the public over social media regarding activities and the Museum’s public task.

Who we share this with:

Not shared

Retention of data:

Please check the privacy statements of the social media platforms in question.

Legal basis for collection:

No personal data is collected or processed by the Museum.

Storage of information:

Information is not collated and stored on Museum systems.

5. Where your information is stored and how it is kept secure

The National Museum has implemented security procedures and rules to protect the personal data under our control from unauthorised access, improper use or disclosure, or unauthorised modification. All employees and data processors are obliged to respect the confidentiality of the personal data of our visitors and supporters.

Personal information is held within our paper files in secure storage facilities on all Museum sites and on shared digital filing systems, with restricted access only to trained employees. The Museum controls membership and user data within restricted access CRM systems, financial systems and payment systems.

Procedures are in place to document and minimise loss or misuse of information through an Information Asset Owner’s group, which reports to the Museum Council's Performance, Audit and Risk Committee.

6. CCTV

Closed-circuit television (CCTV) is used extensively across the Museum sites to monitor the activities of individuals for the safety and security of our visitors, staff, volunteers and collections.

The Museum abides by the CCTV Code of Practice in the management of information recorded and retained by surveillance equipment. Images are retained for 30 days, after which they are automatically deleted, unless required as evidence in a lawful investigation.

7. Cookies and privacy

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. More details about the Museum’s use of cookies can be found in the​​​​​ Cookies Policy. For more general information, visit www.aboutcookies.org or www.allaboutcookies.org.

You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

Policy approval and review

• Policy owner: Head of Archives, Library and Information
• Last updated/approved: January 2025
• Next review: January 2027