Sir John Soane’s Museum is committed to protecting your privacy and security. The personal information we collect, process and use is treated securely and in accordance with this privacy notice, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This privacy notice explains how and why we use personal data relating to visitors to Sir John Soane’s Museum and its website. It is intended to help ensure that you remain informed and in control of your information.
1. About us
Sir John Soane’s Museum was founded in 1833 by private Act of Parliament. The Museum is now governed in accordance with the Charities (Sir John Soane’s Museum) Order, 1969 and is a charity registered in England with charity number 313609. It is also a Non-Departmental Public Body funded by a combination of grant-in-aid allocated by the Department for Digital, Culture, Media and Sport (DCMS) and income secured through commercial, fundraising, sponsored and charging activities (the Charity). The Trustees of Sir John Soane’s Museum own and control an associated company, Soane Museum Enterprises, which is registered in England with company number 08171280, which supports the Museum’s mission (the Company).
The official address of Sir John Soane’s Museum and Soane Museum Enterprises is 13 Lincoln’s Inn Fields, London WC2A 3BP.
The Charity and the Company (together, “us”, “we”, “our”) are data controllers of the personal data that you provide to us. The Company’s key activities are described on our website here: https://www.soane.org/about/soane-museum-enterprises.
If you have any questions about this privacy notice, or if you would like to exercise any of your legal rights in respect of your personal data, please contact the Charity’s Data Protection Officer, and the Company’s point of contact using the following details:
- Email: email@example.com;
- Telephone: 020 7440 4245
- Post: 13 Lincoln’s Inn Fields, London WC2A 3BP
2. How we collect your personal information and the types of information we collect
2.1 Information you provide to us
We collect personal data you provide to us. This includes information you give when you communicate with us, choose to support us as a member (of the Friends of the Soane, the Soane Patrons’ Circle or the Soane Inspectress’s Fund) or purchase membership as a gift for someone else, purchase tickets, products or services, sign up to receive emails from us, make a donation, or enter into a contract with us. For example, we may collect:
- ID information and contact details (including your name, gender, date of birth, email, address, telephone etc.);
- financial information (such as credit/debit card or Standing Order details, and whether you have signed a gift-aid declaration);
- your response to a special Soane Museum event or your plans to meet a member of staff; and
- details of the ways in which you wish to be contacted by us.
2.2 Information from your visits and involvement with us
Your visits to, activities and involvement with us will result in personal data being collected by us through communications between us, our library log, and CCTV. Personal data collected may include:
- details of your areas of interest in the Museum’s collection;
- your visits to the Research Library;
- your attendance at special events;
- where you have asked us for information or written to us;
- images of you captured by our CCTV systems;
- your purchasing history;
- how you have helped us by making gifts.
2.3 Information from third parties
We sometimes receive personal data about you from third parties, for example, if we are partnering with another organisation or where we may use third parties to help us conduct research and analysis about you to determine the success of our public offer and to help us to provide you with a better experience.
2.4 Information from our website
3. How we use your personal data
If you confirm that you are happy for us to do so, we will use your personal data to communicate with you in order to promote our activities and events and to help with fundraising. This includes keeping you up to date with our exhibitions, events and products in our shop, and to send you general information about ways you may be able to support us or benefit from Sir John Soane’s Museum.
We use your personal data for administrative purposes including:
- receiving donations (e.g. direct debits or gift-aid instructions);
- maintaining databases of current, former and prospective supporters;
- processing membership subscriptions;
- performing our obligations under membership arrangements;
- managing custody of our collection including our intellectual property rights;
- carrying out due diligence to meet our compliance duties (for example, before making any acquisition into our collections, accepting financial support or making agreements for the supply of good and services);
- processing enquiries and requests for information;
- managing feedback, comments and complaints we receive;
- fulfilling orders for tickets, goods or services (whether placed online, over the phone or in person);
- helping us respect your choices and preferences;
- management of suppliers of goods and services;
- managing your visit to Sir John Soane’s Museum (e.g. health and safety; security, lost property; cloakroom and incident management).
3.3 Internal research
We carry out research and analysis on our visitors, members and other supporters to determine the success of our public offer and programmes and other activities in the public interest and to help us provide you with a better experience (for example so that you only receive communications about areas of our activities or research you are mostly likely to be interested in).
We may evaluate, and categorise your personal data in order to tailor materials, services and communications (including targeted advertising) to your needs and preferences and to help us understand our audiences.
4. Sharing your information with others
We will never sell your personal data.
If you have opted-in to marketing, we may contact you with information about our partners. These communications will always come from us and will usually be incorporated into our own marketing.
We may share your personal data with contractors or suppliers who provide us with services, for example, we may use a mailing house for the distribution of the Annual Review and we use email providers for our marketing communications. Information is transferred to data processors securely and we retain full responsibility for your personal data as the data controller. These activities are carried out under a contract which imposes GDPR requirements on our suppliers to keep your personal data confidential and secure.
Occasionally, we arrange events with other organisations, for example Sir John Soane’s Museum Foundation, a tax exempt organisation under section 501 (c) 3 of the US Internal Revenue Code. We do not share your information with other organisations, we will share information about the event with you and you can choose whether or not to register for those events and share your personal data with them.
We may share your personal data where required to do so for prevention of crime or for taxation purposes (for example with the police, HMRC) or where otherwise required to do so by other regulators or by law (e.g. the Charity Commission, Companies House), in line with our Donations Due Diligence policy.
5. The legal bases for processing your information
5.1 Where we have a contractual relationship with you
We will process your personal data because it is necessary for the performance of a contract with you (for example, when you purchase our products or services) or to take steps at your request prior to entering into a contract. In this respect, we use your personal data for the following:
- to carry out our obligations arising from any contracts entered into between you and us including processing payment transactions and to provide you with the products and services that you request from us;
- to interact with you before you enter into a contract with us, such as when you express your interest in our products or services (for example, to send you information about our products or services or answer enquiries about them).
5.2 Legitimate interests
Where the Company is data controller, we also process your personal data because it is necessary for our or a third party's legitimate interests. Our legitimate interests include our commercial interests. In this respect, we may use your personal data for the following:
- to improve and customise the website for our users; and
- for advertising and marketing purposes.
5.3 Legal obligations
We also process your personal data for our compliance with our legal obligations. In this respect, we may use your personal data for the following:
- to meet our legal and regulatory obligations, such as our tax reporting requirements;
- in order to assist with investigations (including criminal investigations) carried out by competent authorities.
For these purposes we may provide your data to our auditors, the police and other competent authorities.
We also process your personal data where we have your specific consent to do so (for example, where we have sought and obtained your consent to send you direct marketing by email).
5.5 Public task
Where the Charity is data controller, we also process your personal data because it is necessary for the performance of a task carried out in the public interest. This may include processing personal data for administrative purposes in order to allow the public free access to the Museum; to encourage the public to appreciate and explore all aspects of the Museum and its collections whether as visitors or at a distance; and to provide opportunities for education in its broadest sense in all aspects of architecture and the history of art.
6. Fundraising and marketing communications
Unless you have already given us your email address or telephone number so that we can tell you about making donations to us or about the supply of goods and services we must ask you to ‘opt-in’ to receive fundraising and marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages. You are also able to select how you want to receive them (post, phone, email,) and to change your preference at any time.
When you receive a communication from us, we may collect information about your response and this may affect how we communicate with you in future.
6.2 Newsletters and magazines
If you are a Friend, Patron, Member of the Inspectress’s Fund or have supported us recently, we will send you the Annual Review (unless you specifically ask us not to) and you can choose to unsubscribe from receiving the Annual Review and other general marketing communications at any time.
7. Children and young people
7.1 Information for parents and guardians
We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of those aged 16 or younger.
We will not use the personal data of children or young people for marketing purposes.
Personal data about children and young people is only accessible by our staff on a strictly need-to- know basis.
8. Data security
8.1 Technical and organisational measures
We employ a variety of physical and technical measures to protect information we hold and to prevent unauthorised access to, or use or disclosure of your personal data.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Staff receive data protection training and we maintain a set of data protection procedures which our staff are required to follow when handling personal data.
8.2 Payment security
All electronic forms that ask you for your financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.
If you use a payment card to donate, to support as a Member or purchase something from us on-line, we will pass your payment card details securely to our payment provider. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council.
Sir John Soane’s Museum premises are protected by CCTV and you may be recorded when you visit the Museum. We use CCTV to help provide a safe and secure environment for visitors, our staff and for the collection and to prevent or detect crime.
The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised security staff and are stored for 6 months.
10. Storing your personal data
10.1 Where we store data
We are wholly based in the UK and store data within the European Economic Area.
10.2 Retention of your personal data
We will only retain your personal data for as long as it is required for the purposes for which we collected it (e.g. we have a genuine and legitimate reason and we are not harming any of your rights or interests). This will depend on our legal obligations and the nature and type of information and the reason for which we collected it. For example, should you ask us not to send you marketing emails, we will stop using your address for marketing purposes; however, we will need to keep a record of your preference.
We continually review what information we hold and will delete personal data which is no longer required.
11. International transfers of personal data
In the course of providing services to you, some of the personal data we process about you may be transferred to suppliers at a destination outside of the European Economic Area. In these circumstances, your personal data will only be transferred on one of the following bases:
- a decision by the European Commission that the third country, territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection;
- standard data protection clauses in the form of template transfer clauses adopted by the European Commission have been entered into by us and the recipient of the data;
- there exists another situation where the transfer is permitted by law (for example, where we have your explicit consent).
12. Your rights
We want to ensure you remain in control of your personal data. Under the GDPR you have the following rights in relation to our processing of your personal data:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data in certain circumstances;
- to require us to restrict our data processing activities in certain circumstances (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for transmitting that personal data to another data controller;
- to object, on grounds relating to your situation, to any of our processing activities, where you feel this has a disproportionate impact on your rights;
- to complain about the processing of your data to the relevant supervisory authority (in the UK this is the Information Commissioner’s Office).
Please note that the above rights are not absolute, and we may be entitled to refuse your requests where exceptions apply. For example, if you ask for your personal data to be erased, we may nevertheless continue to maintain certain details about you for our accounting and audit purposes and to comply with our legal obligations.
If you would like further information on your rights or wish to exercise them, or have a complaint about how we have used your personal data, please contact our Data Protection Officer or point of contact using the contact details provided at the start of this privacy notice.
13.1 About Cookies
Cookies are small text files stored in your browser and are used by most websites to help personalise your web experience. You can change your browser settings to block cookies at any time – there is a guide on how to do this at aboutcookies.org. Please note that if you do block cookies, some features on this site will not be available to you and some pages may not display properly.
13.2 Types of cookies
Some of these are essential – for example cookies that track items in your shop basket. These cookies should always be on for the website to function properly.
Some of these cookies measure use of our website. This includes our Google Analytics cookies, which allow us to count page visits and traffic sources so we can measure and improve the performance of our site. The data collected by these cookies is anonymised.
14. Links to other sites
Our websites contain links to other external websites. We are not responsible for the content or functionality of any such websites. Please let us know if a link is not working by contacting firstname.lastname@example.org
If a third party website requests personal data from you (e.g. in connection with an order for goods or services), the information you provide will not be covered by this privacy notice. We suggest you read the privacy notice of any other website before providing any personal information.
15. Changes to this privacy notice
We may amend this privacy notice from time to time to ensure it remains up-to-date and continues to reflect how and why we use your personal data. The current version of our privacy notice will always be posted on our website.
This Policy was last updated in July 2021 and will be reviewed no later than 2024.