This page lists the Museum's privacy and data protection policies.
Sir John Soane’s Museum was founded in 1833 by private Act of Parliament. The Museum is now governed in accordance with the Charities (Sir John Soane’s Museum) Order, 1969 and is a Registered Charity no.313609. It is also a Non-Departmental Public Body funded by a combination of grant-in-aid allocated by the Department for Digital, Culture, Media and Sport (DCMS) and income secured through commercial, fundraising, sponsored and charging activities. The Trustees of Sir John Soane’s Museum own and control an associated company, Soane Museum Enterprises, which supports the Museum’s mission.
The official address of Sir John Soane’s Museum and its associated company is 13 Lincoln’s Inn Fields, London WC2A 3BP.
We collect “personal data”, which is information that identifies a living person, or which can be identified as relating to a living person.
When we talk about “you” or “your” in this policy we mean any living person whose personal data we collect.
When we talk about “Members” and “Membership” we are referring to supporting members of the Friends of the Soane, the Soane Patrons’ Circle and the Soane Inspectress’s Fund.
We hold the following categories of personal data:
3.1 Personal data you provide
We collect data you provide to us. This includes information you give when you communicate with us, choose to support us as a member, purchase tickets, products or services, sign up to receive emails from us, make a donation, apply for employment, volunteer or enter into a contract with us. For example we may hold:
personal details (name, gender, date of birth, email, address, telephone etc.)
family and spouse/partner or next of kin details
financial information (such as credit/debit card or Standing Order details, and whether you have signed a gift-aid declaration);
your response to a special Soane Museum event or your intention to meet a member of staff; and
details of the ways in which you wish to be contacted by us.
If you purchase any Museum membership as a gift for someone your details will be recorded (as will the recipient’s).
3.2 Personal data generated by your involvement with the Museum
Your activities and involvement with the Museum will result in personal data being generated. This could include:
3.3 Personal data from third parties
We sometimes receive personal data about you from third parties, for example, if we are partnering with another organisation or where we may use third parties to help us conduct research and analysis about you to determine the success of our public offer and to help us to provide you with a better experience (and this can result in new personal data being created).
3.4 Special category (‘sensitive’) personal data
We do not normally collect or store special categories of personal data. However, there are some situations where we may need to do so. These may include, for example, if you work or volunteer with us or apply to do so, or if we need to know about any access, medical or dietary requirements you, or someone in your care, may have.
How we use your personal data
We only ever use your personal data with your consent, or where it is necessary in order to:
In any event, we only use your personal data for the purpose or purposes for which it was obtained.
If you confirm that you are happy for us to do so, we will use your personal data to communicate with you in order to promote our activities and events and to help with fundraising. This includes keeping you up to date with our exhibitions, events and products in our shop, and sending you general information about ways you may be able to support us or benefit from Sir John Soane’s Museum.
We use your personal data for administrative purposes including:
We carry out research and analysis on our visitors, members and other supporters to determine the success of our public offer and programmes and other activities in the public interest and to help us provide you with a better experience (for example so that you only receive communications about areas of our activities or research you are most likely to be interested in).
We may evaluate, categorise and profile your personal data in order to tailor materials, services and communications (including targeted advertising) to your needs and preferences and to help us understand our audiences.
We will never sell your personal data.
If you have opted-in to marketing, we may contact you with information about our selected partners. These communications will always come from us and will usually be incorporated into our own marketing.
We may share your personal data with contractors or suppliers who provide us with services. For example, we may use a mailing house for the distribution of the Annual Review; we use email providers for our marketing communications. Information is transferred to data processors securely and we retain full responsibility for your personal data as the data controller. These activities are carried out under a contract which imposes strict requirements on our suppliers to keep your personal data confidential and secure.
Occasionally, we arrange events with other organisations, for example Sir John Soane’s Museum Foundation, a tax exempt organisation under section 501 (c) 3 of the US Internal Revenue Code. We do not share your information with other organisations; we will share information about the event with you and you can choose whether or not to register for those events and share your personal data with them.
We may share your personal data where required to do so for prevention of crime or for taxation purposes (for example with the police, HMRC) or where otherwise required to do so by other regulators or by law (e.g. the Charity Commission, Companies House), in line with our Donations Due Diligence policy.
Unless you have already given us your email address or telephone number so that we can tell you about making donations to us or about the supply of goods and services, we must ask you to ‘opt-in’ to receive fundraising and marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages. You are also able to select how you want to receive them (post, phone, email) and to change your preference at any time.
When you receive a communication from us, we may collect information about your response and this may affect how we communicate with you in future.
If you are a Friend, Patron, Member of the Inspectress’s Fund or have supported the Museum recently, we will send you the Annual Review (unless you specifically ask us not to) and you can choose to unsubscribe from receiving the Annual Review and other general marketing communications at any time.
7.1 Information for parents and guardians
We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of those aged 16 or younger.
We will not use the personal data of children or young people for marketing purposes and we will not profile it.
Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis.
We employ a variety of physical and technical measures to protect information we hold and to prevent unauthorised access to, or use or disclosure of your personal data.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Staff receive data protection training and we maintain a set of data protection procedures which our staff are required to follow when handling personal data.
8.2 Payment security
All electronic forms that ask you for your financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.
If you use a payment card to donate, to support as a Member or purchase something from us on-line, we will pass your payment card details securely to our payment provider. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council.
Sir John Soane’s Museum premises are protected by CCTV and you may be recorded when you visit the Museum. We use CCTV to help provide a safe and secure environment for visitors, our staff and for the collection and to prevent or detect crime.
The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised security staff and are stored for 6 months.
10.1 Where we store data
We are wholly based in the UK and store data within the European Economic Area. Some organisations which provide data processing services to us do so under contract and may be based outside of the EEA. We will only allow them to do so if your data is adequately protected.
10.2 Retention of your personal data
We will only retain your personal data for as long as it is required for the purposes for which we collected it (e.g. we have a genuine and legitimate reason and we are not harming any of your rights or interests). This will depend on our legal obligations and the nature and type of information and the reason for which we collected it. For example, should you ask us not to send you marketing emails, we will stop using your address for marketing purposes; however, we will need to keep a record of your preference.
We continually review what information we hold and will delete personal data which is no longer required.
11.1 Your rights
We want to ensure you remain in control of your personal data and that you understand your legal rights, which are:
There are some exceptions to the rights above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.
If you would like further information on your rights or wish to exercise them, please contact our Data Protection Officer at the address below.
Should you wish to make a subject access request, please contact our Data Protection Officer at the address below.
Should you have a complaint about how we have used (‘processed’) your personal data, you can complain to us directly by contacting our Data Protection Officer in the first instance.
If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk
Our websites use local storage (such as cookies) in order to provide you with the best possible experience and to allow you to make use of certain functionality (such as being able to shop online).
Cookies are small text files stored in your browser and are used by most websites to help personalise your web experience. You can change your browser settings to block cookies at any time – there is a guide on how to do this at aboutcookies.org. Please note that if you do block cookies, some features on this site will not be available to you and some pages may not display properly.
Google Analytics Cookies
These cookies allow us to count page visits and traffic sources so we can measure and improve the performance of our site, using a service provided by Google Analytics. The data collected by these cookies is anonymised. Cookies used: _ga; _gat; _gid; _gali
Third Party Cookies
These cookies may be set through our website by other companies. Data may be collected by these companies that enables them to serve up adverts on other sites that are relevant to your interests. The list of third party cookies currently set on the Soane website includes:
Mailchimp Cookies: SSL
Twitter Cookies: _ga; _gat; _gid; _twitter_sess; ads_prefs; auth_token; ct0; dnt; eu_cn; guest_id; kdt; personalization_id; remember_checked_on; twid
Our websites contain links to other external websites. We are not responsible for the content or functionality of any such websites. Please let us know if a link is not working by contacting firstname.lastname@example.org
This Policy was approved in May 2018 and will be reviewed no later than 2021.
Sir John Soane’s Museum (the Museum) needs to keep certain personal data and sensitive personal data, for example about staff, volunteers, visitors and customers, in order to fulfil its purpose.
Under the provisions of the Data Protection Act 1998, which came into force on 1 March 2000, and the General Data Protection Regulation 2018, the Museum has a legal duty to ensure that personal information is collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully.
The purpose of the Act is ‘to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy’ and in doing so it also provides data subjects (i.e. individuals about whom personal information/sensitive personal information is processed) increased protection through express new rights.
The General Data Protection Regulation (GDPR) gives individuals even more rights and requires organisations to be more transparent about their activities with regard to personal data; therefore the Museum has reviewed and updated all processes and procedures to reflect required compliance.
The aim of this policy is both to ensure that all staff are aware of their particular responsibilities in relation to the Data Protection Act and its associated codes of practice, and to inform members of the public how the Museum complies with the legislation. It is also to minimise the risk of the Museum breaching the Act, thereby potentially damaging valued relationships with staff, customers and other audiences, as well as its reputation.
This policy covers all personal data and sensitive personal data held in electronic format or in relevant manual filing systems that is processed by Sir John Soane’s Museum.
It applies to all individuals working for the Museum in whatever role. This includes permanent and contracted staff, as well as temporary employees, volunteers, interns etc.
The security of information held by the Museum is governed by the Museum’s Information Security Policy.
Under the terms of the Act:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, visual, physiological, genetic, mental, economic, cultural or social identity of that natural person. This excludes business or commercial engagement.
Sensitive personal data is a subset of personal data and subject to tighter controls on its processing. Sensitive personal data means personal data consisting of information as to -
Data subject means the individual about whom the personal data/sensitive personal data is held.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Electronic format means data held as word documents, e-mails, in databases etc.
Relevant manual filing systems means a filing system in which information about individuals is readily available. For example, files ordered alphabetically by name (exhibition lenders files, staff files, notes on sitters) or by which there is another point of access (reference number system etc.). It does not apply to incidental references to individuals in files structured by reference to topics not relating to those individuals.
The Museum’s responsibilities in relation to data protection are determined by the General Data Protection Regulation (2018). Third party access to data is additionally conditioned by the Freedom of Information Act (2005).
Sir John Soane’s Museum is committed to the six principles of data protection, as set out in Article 5 of the GDPR.
Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These principles must be followed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, the Museum will:
The GDPR sets a high standard for consent and requires a positive opt-in. Neither pre-ticked boxes nor any other method of default consent are allowed. As required by the GDPR, the Museum takes a "granular" approach i.e. it asks for separate consent for separate items and will not use vague or blanket requests for consent. As well as keeping evidence of any consent, the Museum ensures that people can easily withdraw consent (and tells them how this can be done).
It should be noted, however, that consent is only one of the lawful bases on which data processing depends. In brief, the others include the following.
Note that the GDPR provides for special protection for children’s personal data and the Museum will comply with the requirement to obtain parental or guardian consent for any data processing activity involving anyone under the age of 16.
A subject may request details of personal information which the Museum holds about them under the GDPR. If a subject would like a copy of the information held on him or her, they should write to the Data Protection Officer at Sir John Soane’s Museum, 13 Lincoln’s Inn Fields, London WC2A 3BP or email email@example.com. The requested information will be provided within one month. If there is any reason for delay, that will be communicated within the four-week time period. A request which is manifestly unfounded or excessive may be refused. The person concerned will then be informed of their right to contest this decision with the supervisory authority, the Information Commissioner’s Office (the ICO).
If the subject believes that any information held on him or her is incorrect or incomplete, then they should communicate with the Data Protection Officer as soon as possible, at the above address. The organisation will promptly correct any information found to be incorrect.
The Policy does not form part of the formal contract of employment for staff but it is a condition of employment that staff will abide by the rules and policies made by the Museum from time to time. Any failure to follow the Data Protection Policy may lead, therefore, to disciplinary proceedings.
This Policy was approved in May 2018 and will be reviewed no later than 2021.
The Board of Trustees of Sir John Soane’s Museum is the Data Controller. The Data Controller is the legal entity which must comply with the Act and the Regulation and ensure that their provisions are upheld in all processing across the Museum.
The Archivist and Head of Library Services is the Museum’s Data Protection Officer. The Data Protection Officer is accountable and responsible for overseeing all Data Protection activities and promoting compliance throughout the Museum.
The HR Department will ensure that appropriate guidance and training on compliance with the General Data Protection Regulation 2018 is made available to all staff engaged in the processing of personal data/sensitive personal data.
All staff are responsible for ensuring that they understand and are compliant with the Act in their area and for raising any concerns about how personal data/sensitive personal data is collected and managed in their area with the Data Protection Officer. The Museum will ensure they are given appropriate training to fulfil this responsibility.
Staff are also responsible for:
Breach of data protection legislation is a criminal and potentially civil offence and the Museum will regard wilful or reckless breach of this policy as a disciplinary offence and such breaches will be subject to the Museum’s disciplinary procedures.
It is the duty of all members of staff to flag immediately to their Head of Department and the Data Protection Officer any matter arising which involves, or is thought to involve, a breach of data protection legislation. Any serious breach will be reported to the Chair of the Audit Committee.
Breach of data occurring in the Museum will be reported to those whose data might have been affected by the breach, as well as to the supervisory authority (the Information Commissioner’s Office).