Sir John Soane’s Museum is committed to protecting your privacy and security. The Personal Data (as defined below) that we collect, process and use is treated securely and in accordance with this Privacy Notice, the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (DPA 2018). This Privacy Notice describes our processing practices of Personal Data that we collect and use when you visit the Museum or our website.
1. About us
Sir John Soane’s Museum (the “Museum”) was founded in 1833 by a private Act of Parliament. The Museum is now governed in accordance with the Charities (Sir John Soane’s Museum) Order 1969 and is a charity registered in England with charity number 313609. The Museum is also a Non-Departmental Public Body funded by a combination of grant-in-aid allocated by the Department for Culture, Media and Sport (DCMS) and income secured through commercial, fundraising, sponsored and charging activities. The Trustees of the Museum own and control an associated company, Soane Museum Enterprises, which is registered in England with company number 08171280, which supports the Museum’s mission (the “Company”). The Company’s key activities are described on our website here: https://www.soane.org/about/soane-museum-enterprises.
The official address of the Museum and the Company is 13 Lincoln’s Inn Fields, London WC2A 3BP.
The Museum and the Company (together, “us”, “we”, “our”) are independent data controllers of the Personal Data that we collect when you visit the Museum and/or our website. “Personal Data” is information that identifies you as an individual or relates to an identifiable individual. If you have any questions about this Privacy Notice, or if you would like to exercise any of your legal rights in respect of your Personal Data, please contact our Data Protection Officer using the following details:
- Email: spalmer@soane.org.uk;
- Post: 13 Lincoln’s Inn Fields, London WC2A 3BP
2. How we collect your Personal Data and the types of Personal Data that we collect
2.1 Personal Data that you provide to us
We collect Personal Data that you provide to us. This includes Personal Data that you give when you communicate with us, choose to support us as a member (of the Friends of the Soane, the Soane Patrons’ Circle or the Soane Inspectress’s Fund) or purchase membership as a gift for someone else, purchase tickets, products or services, sign up to receive emails from us, make a donation, or enter into a contract with us. For example, we may collect:
- ID information and contact details (including your name, prefix, date of birth, email, address, telephone etc.);
- financial information (such as credit/debit card or standing order details, and whether you have signed a gift-aid declaration);
- your response to a special Soane Museum event or your plans to meet a member of staff; and
- details of the ways in which you wish to be contacted by us.
2.2 Personal Data from your visits and involvement with us
Your visits to, activities and involvement with us (including any purchases and bookings via our store or online shop) will result in Personal Data being collected by us through communications between us, our library log, and CCTV. Personal Data collected may include:
- details of your areas of interest in the Museum’s collection;
- your visits to the Research Library;
- your attendance at special events;
- where you have asked us for information or written to us;
- images of you captured by our CCTV systems;
- your purchasing history; and/or
- how you have helped us by making gifts.
2.3 Personal Data from third parties
We sometimes receive Personal Data about you from third parties; for example, if we are partnering with another organisation or where we may use third parties to help us conduct research and analysis about you to determine the success of our public offer and to help us to provide you with a better experience.
2.4 Information from our website
When you use our website, we use cookies to collect information when you access and navigate around it.
3. How we use your Personal Data
3.1 Marketing
If you confirm that you are happy for us to do so, we will use your Personal Data to communicate with you in order to promote our activities and events and to help with fundraising. This includes keeping you up to date with our exhibitions, events and products in our shop, and to send you general information about ways you may be able to support us or benefit from the Museum.
3.2 Administration
We use your Personal Data for the administrative purposes set out below.
The Museum
- managing custody of our collection including our intellectual property rights;
- helping us respect your choices and preferences;
- carrying out due diligence to meet our compliance duties (for example, before making any acquisition into our collections, accepting financial support or making agreements for the supply of good and services);
- management of suppliers of goods and services;
- processing enquiries and requests for information;
- managing feedback, comments and complaints we receive;
- fulfilling orders for tickets, goods or services (whether placed online, over the phone or in person); and
- managing your visit to the Museum (e.g., health and safety; security, lost property; cloakroom and incident management).
The Company
- managing custody of our collection including our intellectual property rights;
- managing feedback, comments and complaints we receive;
- fulfilling orders for tickets, goods or services (whether placed online, over the phone or in person);
- helping us respect your choices and preferences;
- management of suppliers of goods and services; and
- managing your visit to the Museum (e.g., health and safety; security, lost property; cloakroom and incident management).
3.3 Internal research
We carry out research and analysis on our visitors, members, and other supporters to determine the success of our public offer and programmes and other activities in the public interest and to help us provide you with a better experience (for example so that you only receive communications about areas of our activities or research you are mostly likely to be interested in).
We may evaluate and categorise your Personal Data in order to tailor materials, services and communications (including targeted advertising) to your needs and preferences and to help us understand our audiences.
4. Sharing your Personal Data
We will never sell your Personal Data.
If you have opted in to marketing, we may contact you with information about our partners. These communications will always come from us and will usually be incorporated into our own marketing.
We may share your Personal Data with contractors or suppliers who provide us with services, for example, we may use a mailing house for the distribution of the Annual Review, and we use email providers for our marketing communications. Personal Data is transferred to data processors securely and we retain full responsibility for your Personal Data as the data controller. These activities are carried out under a contract which imposes UK GDPR requirements on our suppliers to keep your Personal Data confidential and secure.
Occasionally, we arrange events with other organisations, for example Sir John Soane’s Museum Foundation, a tax-exempt organisation under section 501 (c) 3 of the US Internal Revenue Code. We do not share your Personal Data with other organisations. We will share information about the event with you and you can choose whether or not to register for those events and share your Personal Data with them.
We may share your Personal Data where required to do so for prevention of crime or for taxation purposes (for example with the police or HMRC) or where otherwise required to do so by other regulators or by law (e.g., the Charity Commission or Companies House), in line with our Donations Due Diligence policy.
Finally, we sometimes share your Personal Data with each other (i.e., between the Company and the Museum) when you have provided your consent for us to do so.
5. The legal bases for processing your Personal Data
5.1 Where we have a contractual relationship with you
We will process your Personal Data because it is necessary for the performance of a contract with you (for example, when you purchase our products or services) or to take steps at your request prior to entering into a contract. In this respect, we use your Personal Data for the following:
- to carry out our obligations arising from any contracts entered into between you and us including processing payment transactions and to provide you with the products and services that you request from us;
- to interact with you before you enter into a contract with us, such as when you express your interest in our products or services (for example, to send you information about our products or services or answer enquiries about them).
5.2 Legitimate interests
Where the Company is data controller, we also process your Personal Data because it is necessary for our or a third party’s legitimate interests. Our legitimate interests include our commercial interests. In this respect, we may use your Personal Data for the following:
- to improve and customise the website for our users; and
- for advertising and marketing purposes.
5.3 Legal obligations
We also process your Personal Data for our compliance with our legal obligations. In this respect, we may use your Personal Data for the following:
- to meet our legal and regulatory obligations, such as our tax reporting requirements;
- in order to assist with investigations (including criminal investigations) carried out by competent authorities.
For these purposes, we may provide your data to our auditors, the police, and other competent authorities.
5.4 Consent
We also process your Personal Data where we have your specific consent to do so (for example, where we have sought and obtained your consent to send you direct marketing by email).
5.5 Public task
Where the Museum is data controller, we also process your Personal Data because it is necessary for the performance of a task carried out in the public interest. This may include processing Personal Data for administrative purposes in order to allow the public free access to the Museum; to encourage the public to appreciate and explore all aspects of the Museum and its collections whether as visitors or at a distance; and to provide opportunities for education in its broadest sense in all aspects of architecture and the history of art.
6. Fundraising and marketing communications
6.1 Preferences
Unless you have already given us your email address or telephone number so that we can tell you about making donations to us or about the supply of goods and services we must ask you to ‘opt in’ to receive fundraising and marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages. You are also able to select how you want to receive them (post, phone, email,) and to change your preference at any time.
When you receive a communication from us, we may collect information about your response, and this may affect how we communicate with you in future.
6.2 Newsletters and magazines
If you are a Friend, Patron or Member of the Inspectress’s Fund or have supported us recently, we will send you the Annual Review (unless you specifically ask us not to). You can choose to unsubscribe from receiving the Annual Review by emailing us at development@soane.org.uk and unsubscribe from receiving other general marketing communications at any time by clicking on the unsubscribe button on our email communications to you.
7. Children and young people
7.1 Information for parents and guardians
We take great care to protect and respect the rights of individuals in relation to their Personal Data, especially in the case of those aged 16 or younger (“Children”).
We may collect the following types of Personal Data of Children:
- ID information (including Children’s names and dates of birth);
- academic information (such as the name of the schools that are attended by Children); and
- medical information (such as Children’s food allergies).
We may also collect Personal Data of Children’s parents in the form of contact details (including the parent’s name and phone number).
We will not use the Personal Data of Children or young people for marketing purposes.
Personal Data about Children is only accessible by our staff on a strictly need-to-know basis and is collected for safeguarding purposes or for us to cater towards allergies, learning or medical requirements.
8. Data security
8.1 Technical and organisational measures
We employ a variety of physical and technical measures to protect Personal Data. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us by contacting our Data Protection Officer using the details provided in Section 1 of this Privacy Notice.
Electronic data and databases are stored on secure computer systems, and we control who has access to Personal Data (using both physical and electronic means). Staff receive data protection training, and we maintain a set of data protection procedures which our staff are required to follow when handling Personal Data.
8.2 Payment security
All electronic forms that ask you for your financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.
If you use a payment card to donate, to support us as a Member, or purchase something from us on-line, we will pass your payment card details securely to our payment provider. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council.
8.3 CCTV
The Museum premises are protected by CCTV, and you may be recorded when you visit the Museum. We use CCTV to help provide a safe and secure environment for visitors, our staff and for the collection and to prevent or detect crime.
The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner’s Office (the “ICO”). CCTV images will only be accessed by authorised security staff and are stored for 6 months.
9. Retention period
9.1 Retention of your Personal Data
We will only retain your Personal Data for as long as it is required for the purposes for which we collected it as outlined in this Privacy Notice (e.g., we have a genuine and legitimate reason and we are not harming any of your rights or interests), unless a longer retention period is required or permitted by law, for example, for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. This will depend on our legal obligations and the nature and type of Personal Data and the reason for which we collected it. For example, should you ask us not to send you marketing emails, we will stop using your address for marketing purposes; however, we will need to keep a record of your preference.
We continually review what Personal Data we hold and will delete Personal Data which is no longer required. The criteria used to determine our retention periods include (i) the length of time for which we have an on-going relationship with you (for example, for as long as you are a subscribed member); (ii) whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
10. International transfers of Personal Data
In the course of providing services to you, some of the Personal Data that we process about you may be transferred to suppliers at a destination outside of the United Kingdom (the “UK”) and, by using our services, you understand that your Personal Data may be transferred to countries outside of the UK. As required by applicable law, we implement safeguards to protect your Personal Data when we transfer it outside of the UK. For example, we ensure that a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:
- Adequacy Decisions: The UK recognises the European Economic Area member states and certain other countries as providing an adequate level of data protection according to UK standards (the full list is available here).
- Appropriate Measures: For transfers from the UK to countries not considered adequate by the UK government, we have put in place appropriate measures, such as standard contractual clauses adopted by the ICO, to protect your Personal Data. You may obtain a copy of these measures by emailing our Data Protection Officer using the details provided in Section 1 of this Privacy Notice.
11. Your rights
We want to ensure you remain in control of your Personal Data. Under the UK GDPR you have the following rights in relation to our processing of your Personal Data:
- to obtain access to, and be provided with copies of, the Personal Data that we hold about you;
- to require us to correct the Personal Data that we hold about you if it is incorrect;
- to require us to erase your Personal Data;
- to require us to restrict our data processing activities (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
- to receive from us the Personal Data that we hold about you which you have provided to us, in a reasonable format specified by you, including for transmitting that Personal Data to another data controller;
- to object, on grounds relating to your situation, to any of our processing activities, where you feel this has a disproportionate impact on your rights.
Please note that the above rights are not absolute, and we may be entitled to refuse your requests where exceptions apply. For example, if you ask for your Personal Data to be erased, we may nevertheless continue to maintain certain details about you for our accounting and audit purposes and to comply with our legal obligations.
If you would like further information on your rights or wish to exercise them or have a complaint about how we have used your Personal Data, please contact our Data Protection Officer using the contact details provided in Section 1 of this Privacy Notice.
You may also lodge a complaint with the ICO, as the data protection authority in the UK.
12. Links to other site
Our websites contain links to other external websites. We are not responsible for the content or functionality of any such websites. Please let us know if a link is not working by contacting admin@soane.org.uk.
If a third party website requests Personal Data from you (e.g., in connection with an order for goods or services), the Personal Data that you provide will not be covered by this Privacy Notice. We suggest that you read the privacy notice of any other website before providing any Personal Data.
13. Changes to this Privacy Notice
We may amend this Privacy Notice from time to time to ensure that it remains up-to-date and continues to reflect how and why we use your Personal Data. The current version of our privacy notice will always be posted on our website.
This Policy was last updated in September 2024.