This page lists the Museum's privacy and data protection policies.

Privacy policy

Sir John Soane’s Museum is committed to protecting your privacy and security. The personal information we collect, process and use is treated securely and in accordance with our privacy policy, the Privacy and Electronic Communications Regulations 2003, the Data Protection Act 1998 and any replacement laws, and, from May 2018, the General Data Protection Regulation. This privacy policy explains how and why we use your personal data and is intended to help ensure that you remain informed and in control of your information.

1. About us

Sir John Soane’s Museum was founded in 1833 by private Act of Parliament. The Museum is now governed in accordance with the Charities (Sir John Soane’s Museum) Order, 1969 and is a Registered Charity no.313609. It is also a Non-Departmental Public Body funded by a combination of grant-in-aid allocated by the Department for Digital, Culture, Media and Sport (DCMS) and income secured through commercial, fundraising, sponsored and charging activities. The Trustees of Sir John Soane’s Museum own and control an associated company, Soane Museum Enterprises, which supports the Museum’s mission.

The official address of Sir John Soane’s Museum and its associated company is 13 Lincoln’s Inn Fields, London WC2A 3BP.

When we talk about “we” or “us” in this privacy policy we mean the Trustees of Sir John Soane’s Museum and the company they own and control.

2. Your personal data

We collect “personal data”, which is information that identifies a living person, or which can be identified as relating to a living person.

When we talk about “you” or “your” in this policy we mean any living person whose personal data we collect.

When we talk about “Members” and “Membership” we are referring to supporting members of the Friends of the Soane, the Soane Patrons’ Circle and the Soane Inspectress’s Fund.

3. Personal data we hold

We hold the following categories of personal data:

3.1 Personal data you provide

We collect data you provide to us. This includes information you give when you communicate with us, choose to support us as a member, purchase tickets, products or services, sign up to receive emails from us, make a donation, apply for employment, volunteer or enter into a contract with us. For example we may hold:

personal details (name, gender, date of birth, email, address, telephone etc.)
family and spouse/partner or next of kin details
financial information (such as credit/debit card or Standing Order details, and whether you have signed a gift-aid declaration);
your response to a special Soane Museum event or your intention to meet a member of staff; and
details of the ways in which you wish to be contacted by us.

If you purchase any Museum membership as a gift for someone your details will be recorded (as will the recipient’s).

3.2 Personal data generated by your involvement with the Museum

Your activities and involvement with the Museum will result in personal data being generated. This could include:

  • details of your areas of interest in the Museum’s collection
  • your visits to the Research Library
  • your attendance at special events
  • where you have asked us for information or written to us
  • your visits to our websites
  • images of you captured by our CCTV systems
  • your purchasing history
  • how you have helped us by volunteering or by making gifts, or
  • where you have applied for a job with us.

3.3 Personal data from third parties

We sometimes receive personal data about you from third parties, for example, if we are partnering with another organisation or where we may use third parties to help us conduct research and analysis about you to determine the success of our public offer and to help us to provide you with a better experience (and this can result in new personal data being created).

3.4 Special category (‘sensitive’) personal data

We do not normally collect or store special categories of personal data. However, there are some situations where we may need to do so. These may include, for example, if you work or volunteer with us or apply to do so, or if we need to know about any access, medical or dietary requirements you, or someone in your care, may have.

4. How we use your personal data

4.1 General use

We only ever use your personal data with your consent, or where it is necessary in order to:

  • enter into, or perform, a contract with you;
  • comply with a legal duty;
  • protect your vital interests;
  • carry out a task in the public interest; or
  • for our own (or for a third party’s) legitimate interests, provided your rights do not override these interests.

In any event, we only use your personal data for the purpose or purposes for which it was obtained.

4.2 Marketing

If you confirm that you are happy for us to do so, we will use your personal data to communicate with you in order to promote our activities and events and to help with fundraising. This includes keeping you up to date with our exhibitions, events and products in our shop, and to send you general information about ways you may be able to support us or benefit from Sir John Soane’s Museum.

4.3 Administration

We use your personal data for administrative purposes including:

  • receiving donations (e.g. direct debits or gift-aid instructions);
  • maintaining databases of current, former and prospective supporters
  • processing membership subscriptions
  • performing our obligations under membership arrangements
  • managing custody of our collection including our intellectual property rights
  • carrying out due diligence to meet our compliance duties (for example, before making any acquisition into our collections, accepting financial support or making agreements for the supply of goods and services);
  • processing enquiries and requests for information;
  • managing feedback, comments and complaints we receive;
  • fulfilling orders for tickets, goods or services (whether placed online, over the phone or in person);
  • helping us respect your choices and preferences;
  • recruitment and staff management including pay, tax and pensions administration;
  • management of suppliers of goods and services;
  • managing your visit to Sir John Soane’s Museum (e.g. health and safety, security, lost property, cloakroom and incident management).

4.4 Internal research and profiling

We carry out research and analysis on our visitors, members and other supporters to determine the success of our public offer and programmes and other activities in the public interest and to help us provide you with a better experience (for example so that you only receive communications about areas of our activities or research you are most likely to be interested in).

We may evaluate, categorise and profile your personal data in order to tailor materials, services and communications (including targeted advertising) to your needs and preferences and to help us understand our audiences.

5. Disclosing and sharing your personal data

We will never sell your personal data.

If you have opted-in to marketing, we may contact you with information about our selected partners. These communications will always come from us and will usually be incorporated into our own marketing.

We may share your personal data with contractors or suppliers who provide us with services. For example, we may use a mailing house for the distribution of the Annual Review; we use email providers for our marketing communications. Information is transferred to data processors securely and we retain full responsibility for your personal data as the data controller. These activities are carried out under a contract which imposes strict requirements on our suppliers to keep your personal data confidential and secure.

Occasionally, we arrange events with other organisations, for example Sir John Soane’s Museum Foundation, a tax exempt organisation under section 501 (c) 3 of the US Internal Revenue Code. We do not share your information with other organisations; we will share information about the event with you and you can choose whether or not to register for those events and share your personal data with them.

We may share your personal data where required to do so for prevention of crime or for taxation purposes (for example with the police, HMRC) or where otherwise required to do so by other regulators or by law (e.g. the Charity Commission, Companies House), in line with our Donations Due Diligence policy.

6. Fundraising and marketing communications

6.1 Consent

Unless you have already given us your email address or telephone number so that we can tell you about making donations to us or about the supply of goods and services, we must ask you to ‘opt-in’ to receive fundraising and marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages. You are also able to select how you want to receive them (post, phone, email) and to change your preference at any time.

When you receive a communication from us, we may collect information about your response and this may affect how we communicate with you in future.

6.2 Newsletters and magazines

If you are a Friend, Patron, Member of the Inspectress’s Fund or have supported the Museum recently, we will send you the Annual Review (unless you specifically ask us not to) and you can choose to unsubscribe from receiving the Annual Review and other general marketing communications at any time.

7. Children and young people

7.1 Information for parents and guardians

We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of those aged 16 or younger.

We will not use the personal data of children or young people for marketing purposes and we will not profile it.

Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis.

8. Data security

8.1 Protection

We employ a variety of physical and technical measures to protect information we hold and to prevent unauthorised access to, or use or disclosure of your personal data.

Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Staff receive data protection training and we maintain a set of data protection procedures which our staff are required to follow when handling personal data.

8.2 Payment security

All electronic forms that ask you for your financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.

If you use a payment card to donate, to support as a Member or purchase something from us on-line, we will pass your payment card details securely to our payment provider. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council.

9. CCTV

Sir John Soane’s Museum premises are protected by CCTV and you may be recorded when you visit the Museum. We use CCTV to help provide a safe and secure environment for visitors, our staff and for the collection and to prevent or detect crime.

The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner’s Office. CCTV images will only be accessed by authorised security staff and are stored for 6 months.

10. Storing your personal data

10.1 Where we store data

We are wholly based in the UK and store data within the European Economic Area. Some organisations which provide data processing services to us do so under contract and may be based outside of the EEA. We will only allow them to do so if your data is adequately protected.

10.2 Retention of your personal data

We will only retain your personal data for as long as it is required for the purposes for which we collected it (e.g. we have a genuine and legitimate reason and we are not harming any of your rights or interests). This will depend on our legal obligations and the nature and type of information and the reason for which we collected it. For example, should you ask us not to send you marketing emails, we will stop using your address for marketing purposes; however, we will need to keep a record of your preference.

We continually review what information we hold and will delete personal data which is no longer required.

11. Control of your personal data

11.1 Your rights

We want to ensure you remain in control of your personal data and that you understand your legal rights, which are:

  • the right to know whether we hold your personal data and, if we do so, to be given a copy of the personal data that we hold about you (a “subject access request”) within one month;
  • the right to have your personal data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
  • the right to have inaccurate personal data rectified;
  • the right to object to your personal data being used for marketing or profiling; and
  • (where technically feasible) the right to be given a copy of personal data that you have provided to us (and which we process automatically on the basis of your consent or the performance of a contract) in a common electronic format for your re-use.

There are some exceptions to the rights above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.

If you would like further information on your rights or wish to exercise them, please contact our Data Protection Officer at the address below.

Should you wish to make a subject access request, please contact our Data Protection Officer at the address below.

11.2 Complaints

Should you have a complaint about how we have used (‘processed’) your personal data, you can complain to us directly by contacting our Data Protection Officer in the first instance.

If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk

12. Cookies

Our websites use local storage (such as cookies) in order to provide you with the best possible experience and to allow you to make use of certain functionality (such as being able to shop online).

About Cookies
Cookies are small text files stored in your browser and are used by most websites to help personalise your web experience. You can change your browser settings to block cookies at any time – there is a guide on how to do this at aboutcookies.org. Please note that if you do block cookies, some features on this site will not be available to you and some pages may not display properly.

Google Analytics Cookies
These cookies allow us to count page visits and traffic sources so we can measure and improve the performance of our site, using a service provided by Google Analytics. The data collected by these cookies is anonymised. Cookies used: _ga; _gat; _gid; _gali

Third Party Cookies
These cookies may be set through our website by other companies. Data may be collected by these companies that enables them to serve up adverts on other sites that are relevant to your interests. The list of third party cookies currently set on the Soane website includes:

Mailchimp Cookies: SSL

Twitter Cookies: _ga; _gat; _gid; _twitter_sess; ads_prefs; auth_token; ct0; dnt; eu_cn; guest_id; kdt; personalization_id; remember_checked_on; twid

13. Links to other sites

Our websites contain links to other external websites. We are not responsible for the content or functionality of any such websites. Please let us know if a link is not working by contacting admin@soane.org.uk

If a third party website requests personal data from you (e.g. in connection with an order for goods or services), the information you provide will not be covered by this privacy policy. We suggest you read the privacy notice of any other website before providing any personal information.

14. Changes to this privacy policy

We may amend this privacy policy from time to time to ensure it remains up-to-date and continues to reflect how and why we use your personal data. The current version of our privacy policy will always be posted on our website.

Any questions you may have in relation to this privacy policy or how we use your personal data should be sent to our Data Protection Officer at Sir John Soane’s Museum, 13 Lincoln’s Inn Fields, London WC2A 3BP or email spalmer@soane.org.uk.

This Policy was approved in May 2018 and will be reviewed no later than 2021.

Data Protection (GDPR) Policy

1) Introduction

Sir John Soane’s Museum (the Museum) needs to keep certain personal data and sensitive personal data, for example about staff, volunteers, visitors and customers, in order to fulfil its purpose.  

Under the provisions of the Data Protection Act 1998, which came into force on 1 March 2000 and the General Data Protection Regulation 2018, the Museum has a legal duty to ensure that personal information is collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully.  

The purpose of the Act is ‘to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy’ and in doing so it also provides data subjects (i.e. individuals about whom personal information/sensitive personal information is processed) increased protection through express new rights.

The General Data Protection Regulation (GDPR) gives individuals even more rights and requires organisations to be more transparent about their activities with regard to personal data; therefore the Museum has reviewed and updated all processes and procedures to reflect required compliance.

2)  Scope

The aim of this policy is both to ensure that all staff are aware of their particular responsibilities in relation to the Data Protection Act and its associated codes of practice, and to inform members of the public how the Museum complies with the legislation. It is also to minimise the risk of the Museum breaching the Act, thereby potentially damaging valued relationships with staff, customers and other audiences as well as its reputation.

This policy covers all personal data and sensitive personal data held in electronic format or in relevant manual filing systems that is processed by Sir John Soane’s Museum.

It applies to all individuals working for the Museum in whatever role.  This includes permanent and contracted staff, as well as temporary employees, volunteers, interns etc.

The security of information held by the Museum is governed by the Museum’s Information Security Policy.

3)  Definitions

Under the terms of the Act:

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, visual, physiological, genetic, mental, economic, cultural or social identity of that natural person. This excludes business or commercial engagement.

Sensitive personal data is a subset of personal data and subject to tighter controls on its processing. Sensitive personal data means personal data consisting of information as to -

  • the racial or ethnic origin of the data subject,
  • his / her political opinions,
  • his / her religious beliefs or other beliefs of a similar nature,
  • whether he / she is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
  • his / her physical or mental health or condition,
  • his / her sexual life,
  • the commission or alleged commission by him / her of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by him / her, the disposal of such proceedings or the sentence of any court in such proceedings.

Data subject means the individual about whom the personal data/sensitive personal data is held.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Electronic format means data held as Word documents, e-mails, in databases etc.

Relevant manual filing systems means a filing system in which information about individuals is readily available.  For example, files ordered alphabetically by name (exhibition lenders files, staff files, notes on sitters) or by which there is another point of access (reference number system etc.). It does not apply to incidental references to individuals in files structured by reference to topics not relating to those individuals.

4)  Legal Basis

The Museum’s responsibilities in relation to data protection are determined by the General Data Protection Regulation (2018). Third party access to data is additionally conditioned by the Freedom of Information Act (2005).

5)  Data Protection Principles

Sir John Soane’s Museum is committed to the six principles of data protection, as set out in Article 5 of the GDPR.

  1. Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

These principles must be followed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, the Museum will:

  • observe fully the conditions regarding the fair collection and use of information including the giving of consent
  • meet its legal obligations to specify the purposes for which information is used
  • collect and process appropriate information only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirements
  • ensure the quality of information used
  • ensure that the information is held for no longer than is necessary
  • ensure that the rights of people about whom information is held can be fully exercised under the GDPR (i.e. the right to be informed that processing is being undertaken, to access one’s personal information; to prevent processing in certain circumstances, and to correct, rectify, block or erase information that is regarded as incorrect)
  • take appropriate technical and organisational security measures to safeguard personal information
  • publicise and abide by individuals' right to appeal or complain to the supervisory authority (the Information Commissioner's Office (ICO)) in the event that agreement cannot be reached in a dispute regarding data protection
  • ensure that personal information is not transferred abroad without suitable safeguards.

6)  Subject Consent

The GDPR sets a high standard for consent and requires a positive opt-in. Neither pre-ticked boxes nor any other method of default consent are allowed. As required by the GDPR, the Museum takes a "granular" approach i.e. it asks for separate consent for separate items and will not use vague or blanket requests for consent. As well as keeping evidence of any consent, the Museum ensures that people can easily withdraw consent (and tells them how this can be done).

It should be noted, however, that consent is only one of the lawful bases on which data processing depends. In brief, the others include the following.

  • Contract: if processing someone’s personal data is necessary to fulfil the organisation's contractual obligations to them (e.g. to provide a quote).
  • Legal obligation: if processing personal data is necessary to comply with a common law or statutory obligation.
  • Vital interests: not one that will occur often as it refers to processing personal data to protect someone’s life (and even then, it cannot be relied on with regard to health data or other special category data if the individual is capable of giving consent).
  • Legitimate interests: the most flexible lawful basis for processing and one which applies when data is used in ways people would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

Note that the GDPR provides for special protection for children’s personal data and the Museum will comply with the requirement to obtain parental or guardian consent for any data processing activity involving anyone under the age of 16.

7) Subject Access

A subject may request details of personal information which the Museum holds about them under the GDPR. If a subject would like a copy of the information held on him or her, they should write to the Data Protection Officer at Sir John Soane’s Museum, 13 Lincoln’s Inn Fields, London WC2A 3BP or email spalmer@soane.org.uk. The requested information will be provided within one month. If there is any reason for delay, that will be communicated within the four-week time period. A request which is manifestly unfounded or excessive may be refused. The person concerned will then be informed of their right to contest this decision with the supervisory authority, the Information Commissioner’s Office (the ICO).

If the subject believes that any information held on him or her is incorrect or incomplete, then they should communicate with the Data Protection Officer as soon as possible, at the above address. The organisation will promptly correct any information found to be incorrect.

8) Status of this Policy

The Policy does not form part of the formal contract of employment for staff but it is a condition of employment that staff will abide by the rules and policies made by the Museum from time to time. Any failure to follow the Data Protection Policy may lead, therefore, to disciplinary proceedings.

This Policy was approved in May 2018 and will be reviewed no later than 2021.

9)  Responsibilities

The Board of Trustees of Sir John Soane’s Museum is the Data Controller. The Data Controller is the legal entity who must comply with the Act and the Regulation and ensure that its provisions are upheld in all processing across the Museum.

The Archivist and Head of Library Services is the Museum’s Data Protection Officer. The Data Protection Officer is accountable and responsible for overseeing all Data Protection activities and promoting compliance throughout the Museum. 

The HR Department will ensure that appropriate guidance and training on compliance with the General Data Protection Regulation 2018 is made available to all staff engaged in the processing of personal data/sensitive personal data.

All staff are responsible for ensuring that they understand and are compliant with the Act in their area and for raising any concerns about how personal data/sensitive personal data is collected and managed in their area with the Data Protection Officer. The Museum will ensure they are given appropriate training to fulfil this responsibility.

Staff are also responsible for:

  • checking that any information that they provide to the organisation in connection with their employment is accurate and up to date
  • informing the organisation of any changes to information that they have provided, e.g. changes of address, either at the time of appointment or subsequently. The organisation cannot be held responsible for any errors unless the employee has informed it of such changes.

10)  Breach

Breach of data protection legislation is a criminal and potentially civil offence and the Museum will regard wilful or reckless breach of this policy as a disciplinary offence and such breaches will be subject to the Museum’s disciplinary procedures.

It is the duty of all members of staff to flag immediately to their Head of Department and the Data Protection Officer any matter arising which involves, or is thought to involve, a breach of data protection legislation. Any serious breach will be reported to the Chair of the Audit Committee.

Breach of data occurring in the Museum will be reported to those whose data might have been affected by the breach, as well as to the supervisory authority (the Information Commissioner’s Office).