All of the information you give us is private and secure. We do not currently sell or rent personal data about our customers, and would not do so without asking you first. Under the UK Data Protection legislation, we follow strict security procedures in the storage and disclosure of personal data which you have given us to prevent unauthorised access. Our security procedures mean that we may occasionally request proof of identity before we are able to disclose personal data to you.
If you have any questions or concerns about the personal data we hold about you, you can also contact us.
For further information on Data Protection legislation, please visit the Information Commissioner’s Office website.
1. Who we are
Imperial War Museums (IWM) is the UK’s national museum for the history of conflict involving UK and Commonwealth forces from 1914. We work to record, inform and educate on the causes, course and consequences of modern warfare.
We are funded in part by Government but generate the majority of our own funding to enable the work we do. To help achieve this, we are supported by the IWM Trading Company Limited, which oversees the commercial aspects of our operation and fundraising.
Your data is, therefore, jointly held by Imperial War Museums and Imperial War Museums Trading Company Limited, a wholly owned subsidiary of IWM. Whenever we mention IWM in this policy, we mean both organisations.
However, for all personal information we hold we undertake to:
- Tell you about how your data is used, either at the time we collect it (if we collect it from you) or as soon as is practical afterwards (if we collect it from a third party).
- Keep it securely and make it available only to those within the organisation who need to see it. Where we share data with other organisations, we will tell you first wherever possible (sometimes there may be legal or operational reasons not to).
- Where your data is processed by other organisations on our behalf, make sure that the processing is clearly defined, secure and governed by a contract.
- Respect your rights over your personal data.
- Inform you about major changes to this policy.
This policy is effective from 13.11.2023.
2. The type of personal data we collect and where we collect it from
As a general rule we only collect data that is directly relevant to our needs. We currently collect and process the following information:
Information collected directly from you, either as part of a transaction, marketing sign up, enquiry or other interaction with us:
- Personal details, such as name, email address, telephone number, postal address, date of birth, and nationality
- Information about the transactions you have had with IWM, such as details of ticket or shop purchases, Membership, donations or loans to our collections, financial donations, enquiries, and bookings for the Research Room
- Your image, via our CCTV cameras, body worn cameras operated by security staff, or via our in-house photographers
- Your opinions, likes and dislikes, and research interests
- Gift Aid and tax status information
- Information on relatives or friends who might be visiting IWM with you, mentioned in your correspondence with us or included in any collections you deposit with us
- Next of kin information
- Information that will help you to access IWM sites or services, for example information about accessibility requirements or diet. This type of health information is classed as special category data and has a higher level of protection
- Information relating to monitoring equality of opportunity, for example information about your ethnic origin, religion, sexual identity or other factors. This is also classed as special category data.
Information we may collect from other sources about you:
- Information in historical material (such as letters, diaries, sound recordings, film, photographs or other archival material) that are deposited with us for inclusion in the IWM collection
- Relevant information from publicly available sources, such as annual reports or newspaper articles, to help us identify potential donors. This can include occupation and professional activity, financial information and potential giving activity, interests where relevant to our needs, network(s), philanthropic interests, and giving history
- Information from social media platforms which we use for monitoring, research, and analysis
We do not:
- Collect any payment card details from online transactions – these are processed by external companies on our behalf. Occasionally we will take credit card payments by telephone, but this information is stored securely and in accordance with Payment Card Industry (PCI) regulations, which can be found here: https://www.pcisecuritystandards.org/
- Knowingly collect data from children (under 13 years old) without the consent of a parent or guardian. If you have any concerns about potential data collection from children, please contact us at [email protected]
3. How we use your personal data
When we collect personal data from you we will tell what we will use it for (usually in a short statement on the form or an information sheet) and provide a link to this policy.
Data we collect is generally used for the following purposes:
- For general administration of our activities, exhibitions, collections, and finances
- For commercial and business transactions, including ticket and shop sales and membership
- For collections and loan management, including acquisitions, access, loans and disposals
- To allow visitors to book advance tickets for our free branches if they wish to do so
- To support our charitable aims (including fundraising and due diligence checks)
- To promote the Museum (including via direct marketing)
- To collect feedback and carry out customer research, via surveys, direct emails or other forms of communication
- To review and update our services and operation
- To monitor or implement equality of opportunity of access to IWM sites, collections or services
- To organise and administer events and services, including conferences, learning days, exhibition openings, loan boxes and other initiatives.
The conditions for using your personal data
Data protection law requires us to have a legal basis (or specific condition) for using your personal data. The ones we use are:
You can withdraw your consent at any time by contacting [email protected]
- Because we need your personal data to fulfil a contract with you
For example, when you buy a ticket, make a purchase from the online shop or join as a Member. In these cases we need to use your information to fulfil the contract and provide the goods or services
- We need your data to fulfil our public function as a national museum.
For example, to acquire and provide access to collections, administer loans, respond to enquiries, put on exhibitions, and maintain a record of IWM’s own history
There is a legal requirement to keep or share your data.
For example, we are required to keep financial data to comply with audit requirements and laws (such as the Companies and Charities Acts). We may also need to keep information and records relating to accidents or incidents under Health and Safety legislation
We believe using your data meets our legitimate interests, and its use in this way is reasonable, proportional, not unexpected or unnecessarily intrusive, and does not override your basic rights.
For example, we believe it is in our legitimate interests to:
- Carry out customer research via surveys and analysis of customer, visitor, and other data
- Send you emails promoting similar goods and services to ones you have bought from us (if you have not opted out).
- Remind you about incomplete transactions
- Carry out targeted prospect research and due diligence into potential donors who have an affinity with IWM and/or our subject matter. We only carry this out using publicly available sources or information that you have provided. This activity assists us in understanding the background of the people who support us and helps us to make appropriate requests to supporters who may have the interest and means to give. We may also use this information to contact you if you have a business address
- Providing you with benefits including the best customer experience we can deliver while also giving us a cost-effective way of reaching new audiences
- Allow you to prebook tickets for our free branches, if you wish to do so
IWM processes personal information for direct marketing purposes. This is using information about individuals to send them further information about its services, products, events and initiatives.
IWM direct marketing is carried out by a combination of emails and digital advertising.
We will add your email address to our marketing database, so you can receive marketing emails from us when:
- You actively sign up to our marketing list (eNews) on our website or via other channels
- You opt in to Marketing (i.e by ticking a box) when you fill in a form
- In some instances, when you buy something from us (such as items in the shop) and don’t opt out of marketing when you enter your details
- You are a business customer and you purchase goods or services from us
Marketing emails may include tracking pixels which allow us to monitor how you have interacted with a particular marketing email.
When filling in your personal details please make sure to read the marketing statement carefully and let us know what you would like to do about marketing
When you sign up for marketing via the above methods we also use your email address to create Custom Audiences on Facebook’s (Meta) platforms and other digital advertising platforms. We use these to:
- ensure those most likely to be interested in what we offer are kept up to date
- ensure existing customers do not receive advertisements for things they have already bought
This means that when you are added to our mailing list, your email address is uploaded to the platform (such as Facebook (Meta)). Your email address will be ‘hashed’, which produces a unique number that is used to match your email to your account(s) on Facebook’s (Meta) platforms. You are then shown IWM advertisements.
Lookalike Audiences are a method of reaching new people who are most likely to be interested in our events or products because they share similar characteristics to our existing customers. When you sign up for marketing via the above methods, we will also use your email address to create lookalike audiences for paid advertising. We use Facebook (Meta) lookalike audiences to ensure we can reach new customers who are most likely to be interested in our products updated with the latest communications.
Similar to Custom Audiences, when you are added to our mailing list your email address will be uploaded to Facebook (Meta), where it is ‘hashed’ and used to serve adverts to others it deems of a similar audience to yourself.
If a Lookalike Audience is used, we will never see any data of individuals and will never be able to identify individuals who may see our adverts. We use Lookalike Audience data to ensure we are reaching audiences who have a legitimate interest in IWM as a charity and help us to find new audiences who will support us.
Interest & behavioural targeting
We will use certain targeting options provided by the digital advertising platforms based on their data, such as Facebook Business Manager, to reach out to users of their platform. You could see an advert from us because you fall into a particular demographic, location, interest, or behavioural group.
To do this we have told the digital advertising provider what type of people we would like to advertise to, for example, an adult with an interest in history. They have then identified you based on the data they hold on users of their platform. We never see any of your data and are not able to identify specific individuals who may then see these adverts.
Website campaign cookies
The Legal Bases for Marketing
- For most email marketing we use consent, which you can withdraw at any time
- In some cases, for example email marketing where you have bought something and not opted out of marketing at the checkout, we use Legitimate Interests. It helps us promote our exhibitions, events, products, and services while not using your information in an unexpected or intrusive way.
- For business customers we also use Legitimate Interests
- For custom audiences the legal basis is Legitimate Interests. We believe processing your information in this way provides you with benefits, including the best customer experience we can provide, while also giving us a cost-effective way of reaching new audiences
IWM collects personal information via CCTV for security, safety, and crime prevention and detection. CCTV images may be passed to the police or other agencies if they are required to investigate a crime or other serious incidents. Images recorded by fixed CCTV cameras and body worn cameras are kept for 30 days and then deleted. Images relating to incidents will be kept longer, according to requirements.
Images are collected in two ways:
- All public (and some private) areas at IWM branches are covered by CCTV cameras. Notices are clearly displayed around IWM, including at the entrance
- Some of our security staff may use body worn cameras, which record images and sound. Staff using these cameras will be clearly identifiable. Body worn cameras are not in constant use; they are only activated in response to specific incidents where visitors, staff or IWM assets are at increased risk. A verbal warning is always given before the cameras are activated
6. Social media
To analyse the year-on-year performance of our social media channels, posts, and advertisements, we collect and process information from social media platforms. The data collected could include the following:
- your name, username, handle, or other identifier
- the content of the information you have published via that name, username, handle, or other identifier, including posts, comments, opinions, etc.
- your profile picture or other images or videos that you post or interact with
- We also monitor social media platforms to answer enquiries about IWM that you may post
Cookies can be necessary – i.e. they are needed for a website to function. You cannot refuse these.
Cookies can also be used for functional, performance, and advertising purposes. You will be asked whether you consent to the use of these cookies when you visit the IWM site.
The IWM website also contains third party cookies set by other organisations.
Cookies can be set for the duration of your visit to the website or for up to two years. The information collected is usually kept for two years.
Further information about how your data is collected online via cookies and other online markers, together with a list of cookies used on the IWM website, can be found here:
8. How we store your personal information
Information can be stored on IWM’s own network or by external companies (in the cloud). Most of the personal information IWM holds is stored in the UK or in countries approved by the UK as having an adequate level of data protection, such as the European Economic Area (European Union plus Norway, Iceland and Liechtenstein) or Canada. Where information is stored in countries without UK approval, we ensure that it is protected by an approved data storage framework, such as standard contractual clauses. We ensure that all personal data stored on our behalf outside the UK will have a similar level of protection as if it were stored in the UK.
If your personal information is stored on IWM’s behalf by an external company, it will always be protected by a contract that sets out how the personal information is to be managed. The contract will guarantee that the personal information will always have the same protection as if it were stored on our own systems.
9. How long we keep your personal information
We keep your information for as long as necessary to fulfil the purpose for which it was collected or to comply with a legal obligation.
Information is securely disposed of. Any digital storage media is always wiped and securely disposed of when it is replaced.
If you have any enquiries about the retention of your information, or if you wish to have your data erased (where possible), please contact us at [email protected]
10. Your data protection rights
Under data protection law you have rights, including:
- Your right of access - You have the right to ask us for copies of your personal information.
- Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
You can exercise these rights by contacting the IWM’s Data Protection Officer via [email protected] or by writing to the Data Protection Officer, Imperial War Museums, Lambeth Road, London SE1 6HZ.
11. How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at [email protected] or by writing to the Data Protection Officer, Imperial War Museums, Lambeth Road, London SE1 6HZ.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
12. Policy Updates
Main Policy Issues
This policy was agreed on the 13th September 2023 and is effective from the 13th November 2023.
It replaces the previous policy of 15 May 2018, with the main change being the introduction of a new policy template.
Revisions were made to Section 13 on 7 February 2019.
Revisions made in July 2021 to the following sections:
- Section 4: mention of information deposited with Collections
- Section 5: Changes to storage of information following Brexit
- Section 6: More information on use of personal data for digital marketing
- Section 7: Use of data for audit, legal compliance, delivery and empty basket emails
- Section 11: Use of Body Worn Cameras by Security staff