All of the information you give us is private and secure. We do not currently sell or rent personal data about our customers, and would not do so without asking you first. Under the UK Data Protection legislation, we follow strict security procedures in the storage and disclosure of personal data which you have given us to prevent unauthorised access. Our security procedures mean that we may occasionally request proof of identity before we are able to disclose personal data to you.
We also have separate Privacy Policies for:
If you have any questions or concerns about the personal data we hold about you, you can also contact us.
For further information on Data Protection legislation, please visit the Information Commissioner’s Office website.
1. Who we are and purpose of this policy
Imperial War Museums (IWM) is the UK’s national museum for the history of conflict involving UK and Commonwealth forces from 1914. We work to record, inform and educate on the causes, course and consequences of modern warfare.
We are funded in part by Government, but generate the majority of our own funding to enable the work we do. To help achieve this, we are supported by the IWM Trading Company Limited, which oversees the commercial aspects of our operation and fundraising.
Your personal data is, therefore, jointly held by Imperial War Museums and Imperial War Museums Trading Company Limited, a wholly owned subsidiary of IWM. Whenever we mention IWM in this policy, we mean both organisations.
- Tell you about how your personal data is used, either at the time we collect it (if we collect it directly from you) or as soon as is practical afterwards (for example, if we collect it from a third party).
- Keep it securely and make it available only to those within the organisation who need to see it. Where we share personal data with other organisations, we will tell you first wherever possible (sometimes there may be legal reasons not to).
- Where your personal data is processed by other organisations on our behalf, make sure that the processing is clearly defined, secure and governed by a contract.
- Respect your rights over your personal data.
- Inform you about major changes to this policy.
This policy is effective from 25 May 2018.
2. Who to contact with questions about how your personal data is used
IWM’s Data Protection Officer is Jon Card, the Executive Director of Collections and Governance, who manages IWM’s Information Governance team.
If you have any queries about the content of this policy, or how your personal data is managed, you can contact him and the IWM’s Information Governance team at firstname.lastname@example.org or by post at Imperial War Museum, Lambeth Road, London SE1 6HZ (marking the envelope for the attention of the Data Protection Officer). You can also contact him by phone by ringing IWM’s main switchboard on (020) 7416 5000.
3. Your rights over your personal data
You have the right to:
- Have a copy of the personal data IWM holds about you.
- Correct inaccurate personal data or have incomplete personal data completed.
- Have your personal data erased (‘right to be forgotten or ‘right to erasure’) in certain circumstances.
- Restrict the processing of your personal data in certain circumstances.
- Data portability – have your personal data supplied in a commonly used format and transmitted to another organization in certain circumstances.
- Object to the processing of your personal data .
- Object to any automated decision making or profiling.
Further information on these rights can be obtained from the Information Commissioner’s website at: https://ico.org.uk/
You can exercise these rights by contacting the IWM’s Data Protection Officer as detailed in Section 2 above.
If you are unhappy about the response you receive from IWM, you can contact the Information Commissioner’s office by writing to the Information Commissioner at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or via their website at https://ico.org.uk/
4. The personal data we collect and how it is used
We only require you to supply the personal data we need. So for example, if you buy something from us, we will only require you to supply the personal data we need to complete the transaction, such as your name, contact details and delivery address. Anything else will be optional and clearly marked as such.
We do not collect any payment card details from online transactions – these are processed by external companies on our behalf. Occasionally we will take credit card payments by telephone, but this personal data is stored securely and in accordance with Payment Card Industry (PCI) regulations, which can be found here: https://www.pcisecuritystandards.org/.
Under Data Protection law, when we acquire and use your personal data, we need to meet a legal basis for doing so. The legal bases we use are either:
- You have given your consent to your personal data being used. You can withdraw your consent to the use of your personal data at any time.
- We need your personal data to fulfil a contract of sale, donation or negotiations for a sale.
- We need your personal data to fulfil our public function as a national museum (ie to provide access to collections, deal with correspondence, put on exhibitions, etc).
- There is a legal requirement to keep or share your personal data.
- We believe using your personal data meets our legitimate interests, and its use in this way is reasonable, proportional, not unexpected or unnecessarily intrusive and does not override your basic rights.
We have provided more detail regarding the legal bases we rely on in respect of our different activities in the relevant sections below.
5. Where your personal data is stored
The systems we use
We store your personal data in a number of systems, held on the IWM network and in the cloud. Much of the personal data you provide us with – for sales, bookings and enquiries, is stored in our Customer Relationship Management system.
We also keep personal data relating to our collections, and items loaned to us for exhibition, in our collections management system on the IWM network, in other electronic storage and in physical storage.
Where the systems are located
Most of the personal data IWM holds is stored in the UK, European Economic Area (that is the European Union plus Norway, Iceland and Liechtenstein), on its own network or by external companies. Some is stored by companies outside the UK and EEA, either in countries approved by the UK as having an adequate level of protection for personal data (such as Canada) or under approved personal data storage frameworks such as the EU/US Privacy Shield or authorized contractual clauses.
If your personal data is stored on IWM’s behalf by an external company, it will always be protected by a contract that sets out how the personal data is to be managed – and that contract will comply with Data Protection legislation to protect your personal data.
More details regarding adequacy protections that are put in place to enable the transfer of personal data to third countries can be found on the ICO website here.
6. How we use your personal data for direct marketing
IWM processes personal data for direct marketing purposes, that is, using individual contact details to send further information about its services, products, events and initiatives). Most of IWM’s direct marketing is carried out by email.
The personal data we collect for direct marketing and how we collect it:
We collect your name and contact details for direct marketing as follows:
- If you are an individual, we collect if from forms where you have actively given your consent to be contacted with marketing information. This usually means ticking a box to show you agree.
- If you are an individual who has bought something from us, we may add you to our mailing list unless you tick a box to show you object. We do this because we believe it meets our legitimate interests - that is, it helps us to promote our exhibitions, events, products and services (such as licensing) while not using your personal data in an unexpected or intrusive way.
- If you work for a company (ie have a business email address), we may collect the personal data when you purchase goods or services from us. We do this because we believe it meets our legitimate interests - that is, it helps us to promote our exhibitions, events, products and services (such as licensing) while not using your personal data in an unexpected or intrusive way.
You can always stop your personal data being used for direct marketing by clicking on the ‘unsubscribe’ link in any marketing email you receive. You can also contact us direct, using the details in Section 2.
How we use your personal data for direct marketing
We use your personal data to contact you, to promote IWM goods and services, or as part of our fundraising activities (further information on fundraising can be found in Section 8).
How long we keep your personal data for direct marketing/Objecting to direct marketing
Your personal data (ie your contact details) is kept for as long as you want to receive marketing from us. If you do not wish to receive any further marketing information from us you can:
- Click on the unsubscribe link if it is an email message (all our marketing emails contain an unsubscribe option).
- Contact us direct at email@example.com giving your name, email address and if possible sending a copy of the last communication received (this will help us identify you).
- If you have access to an online account with us, logging on and changing your preferences, including unsubscribing to marketing emails.
We will need to retain a small amount of personal data about you (usually name and email address) to add to our ‘stop list’. When we send marketing mailings, we run the recipients against this list to ensure those who have objected are not contacted.
7. How we use your data for sales
Commercial aspects of IWM’s operation are managed jointly by IWM and the IWM Trading Company, a wholly owned subsidiary of IWM.
How we collect your information for sales
- When you buy something from our online shop or open an account with us.
- When you buy a ticket for an event, or admission to IWM branches at Duxford, HMS Belfast or the Churchill War Rooms.
- When you buy or licence copies of Collections items, such as film or photographs.
- When you book for other services such a Learning sessions or ‘Kip in a Ship’ on HMS Belfast.
- All debit and credit card payments made online or over the telephone are processed in
accordance with the Payment Card Industry Data Security Standards (PCI DSS). Your debit and credit card payments are processed by an approved PCI DSS payment provider and IWM does not store or have access to any card information that you provide. Further details on PCI DSS can be found at: https://www.pcisecuritystandards.org/security_standards
How we use your information for sales:
- We mainly use your information to complete our contract of sale with you – we need your details to provide the service or goods, or to advise you about anything that will affect the service or goods you are buying.
However, we also use your information to:
- Research sales activity – for example looking into where our customers are based and what products are the most popular. In most cases, the information we need is statistical, rather than focused on individuals, so we ensure that it cannot be traced back to you.
- Improve our products and the service we give you. If you receive an email from us asking about the service you have received, you can ask not to receive such emails in future and we will make sure you don’t.
We do this because we believe it is in our legitimate interests to do so. As a business, we need to be able to use sales information to see how well our products sell, and assess how good our service is, so we can plan what we do more effectively. This is particularly important as revenue from our commercial activity makes up a significant proportion of our income.
- Send you further information about future, similar products or services. We only do this if you are a business customer (see Section 6 on Marketing).
How long we keep your information for sales
Your information is kept for six years after your last purchase: for audit and accounting purposes, in case of complaint for faulty goods or services, or if you buy something else from us.
Licences for images are kept until the expiry of the licence plus 6 years, or in the case of broadcast material, long term. This is so we can ensure IWM material is being used in accordance with licensing arrangements, or so that licences can be easily renewed.
8. How we use your information for fundraising
How we collect your information for fundraising
Our fundraising team collect information in three ways:
- Direct from you when you make a donation or enquiry
- From other bodies such as the Charities Aid Foundation (CAF), Just Giving or the Imperial War Museum Foundation when you make an donation to IWM through them
- From publicly available sources, such as annual reports or newspaper articles to help us identify potential donors.
What information we collect
- Name(s) and address(es), email(s), phone number(s) and other relevant contact details and preferences
- Records of donations to IWM
- Information about our relationship with you, correspondence, meeting notes, attendance at events etc.
- Occupation and professional activity, network(s) and interests where relevant to our needs.
- Philanthropic interests and giving history if relevant and only where information is publicly available.
- Financial information and potential giving capacity, only where information is publicly available.
How we use your information for fundraising
We use this information to:
- Process your donation – (to fulfil the contract we have with you to ensure your donation is recorded, auditable and is used for the right project).
- Send details of any Gift Aid claim to HMRC in line with our legal obligation to do so
- Retain a historic record of significant donations as part of the IWM archive, in line with our public purpose as a national museum
- Ensure that you and/or the organisation you represent meet with our Donor, Supporter and Sponsor Relationships Policy
- Contact you with further information about the progress of the project you have supported (you can opt out of this at any time)
- Contact you with information on relevant IWM fundraising activities and events (you can opt out of this at any time)
- Plan and implement fundraising strategy, including reporting on results and planning future campaigns
- Carry out targeted prospect research into potential donors who have an affinity with IWM and/or our subject matter. Prospect research involves collating information on specified individuals, including their interests, suitability and likelihood to donate to IWM. We only carry this out using publicly available sources or information that you have provided. This activity assists us in understanding the background of the people who support us and helps us to make appropriate requests to supporters who may have the interest and means to give. We may also use this information to contact you, if you have a business address.
We carry out the last four activities because we believe it is in our legitimate interests to do so. Over half of IWM’s funding is now self-generated and our funding agreement with the Department for Digital, Media, Culture and Sport (DCMS) specifically requires us to generate income through fundraising. A significant way of doing this is through prospect research. We balance this out by ensuring that the information we collect and use is strictly limited to what is already widely known about that individual (see section on ‘What Information we collect’ above).
How long we keep your information for fundraising
- Donation information is kept for six years after your last donation, for audit and accounting purposes, including Gift Aid requirements. In the case of major donations (defined as cumulative gifts of over £500), we will keep details of your donation for longer, as part of IWM’s historical record or in case you decide to donate again.
- We keep information on potential donors for two years if no further contact is intended in regards to future relevant projects. Where your information is no longer required, we will ensure it is disposed of securely.
You can ask for a copy of information about you held on our fundraising database and for it to be amended or deleted, by contacting the IWM’s Data Protection Officer as detailed in Section 2.
9. How we use your personal information for enquiries, general correspondence and Research Room bookings
We collect information about you when you write to us with an enquiry, or book a place in our Research Room to view Collections items.
How we use your information for enquiries, general correspondence and Research Room bookings
- We use this information to answer your enquiry, or to book your place in the Research Room.
- We also use this information to measure enquiry rates and response times, and to see how many bookings are received for the Research Room, and the types of materials requested. This helps us plan our services. This information is anonymised wherever possible.
We believe that using your information in these ways fulfils our public function as a national museum – that is to provide access to the national collection on the history of conflict.
- We may also use your information for marketing, but only where you have consented to this (please see Section 6 on Marketing).
How long we keep your information for enquiries, general correspondence and Research Room bookings
We keep information on enquiries and bookings for two years – in case you follow up on your original enquiry, and so we have a good pool of data in order to assist with planning our services, as outlined above.
We keep reader registration forms for the Research Room for 6 years, for security purposes (so we can track missing and misfiled items) and for copyright purposes (as the form contains a copyright declaration).
10. How we use your personal information to administer and maintain our collections and exhibitions
How we collect your personal information for collections and exhibitions
We collect information about you when:
- You give or offer an item to our collections
- You loan an item to us
- You borrow an item from us
- You make a proposal for an IWM exhibition
- You are depicted in an item donated to our collections, for example a photograph, letter, sound recording or film
- You are the recipient of an item deaccessioned from IWM’s collections
Sometimes, we also collect information about you indirectly, for example:
- you may be mentioned in a diary, photograph, film or interview acquired for our collections
- your information may be supplied by a family member to assist in due diligence research
- it may be part of the contextual information around the history and provenance of a collections item
- it may have been provided to help us arrange transport to or from IWM
How we use your personal information for collections and exhibitions
We use collections and exhibitions information for the following purposes:
- To administer our collections as we need to record the source of objects, documents, images, recordings and publications for evidential purposes – that is to record the history of the item, who owns it and where any copyright is held. Research of this nature, particularly into IWM ownership and copyright rights, can take place at the point of acquisition, or some years later. Ensuring IWM has the correct rights over an item means we can ensure we make the best use of our collections, through exhibitions, loans, digitisation and other initiatives
- We retain collections items themselves for historical purposes, as they are an important source of information for research into the history of conflict or the history if IWM itself.
- We may also use the information in an exhibition, to explain the history of items or their source. Collections donor or lender information is only published in this way with permission.
- To assess any exhibition proposal you make.
- On occasion, we may need to dispose of or deaccession items in the collection, and your information may be used when assessing whether an item is no longer required.
All of these purposes help us to fulfil our public function as a national museum - that is to provide access to the national collection on the history of conflict. Retaining and making available records about the operation of IWM itself is also a legal obligation under the Public Record Act 1958 (and subsequent legislation).
How long we keep your personal information for collections and exhibitions
This information is held permanently, as part of IWM’s official record.
How we collect your personal information via CCTV
All public (and some private) areas at IWM branches are covered by CCTV cameras. Notices are clearly displayed around IWM, at the entrance and by each camera.
How we use your personal information held on CCTV
- The information gathered is used for security and crime prevention and detection
- We believe that using CCTV in this way fulfils IWM’s public function as a national museum.
- Operating securely and protecting publicly held assets is a key part of IWM’s public purpose.
CCTV images may be passed to the police or other agencies if they are required to investigate crime.
How long we keep your information held on CCTV
Images are kept for 30 days and then deleted.
12. How we use your data for social media activities
We use your data for:
- Social media marketing, social listening and analysis. Social listening is the process of tracking conversations around specific topics, keywords, phrases, brands or industries, and leveraging insights to discover opportunities or create content for audiences.
- To respond to customer enquiries received via IWM social media channels
How we collect your information for social media marketing, social listening and analysis
We collect information for social media marketing, social listening and analytics in the following ways:
- From social media platforms such as Facebook, Twitter and Instagram
- From the social media management platform Hootsuite
- From the social listening platform Brandwatch
These social media platforms have separate Privacy Policies, which outline what data they collect, why they collect it, how they use that information, and the choices they offer users, including how to access and update information. You can find links to the Privacy Policies of the social media platforms we use below:
- Facebook: https://www.facebook.com/about/privacy
- Twitter: https://twitter.com/en/privacy
- Instagram (a Facebook Product): https://help.instagram.com/155833707900388
- Snapchat: https://www.snap.com/en-GB/privacy/privacy-policy/
- Google+: https://www.google.com/intl/en_ALL/+/policy/
- Pinterest: https://policy.pinterest.com/en-gb/privacy-policy
- YouTube (a Google Product): https://policies.google.com/privacy?hl=en-GB&gl=uk
- Hootsuite: https://hootsuite.com/legal/privacy
- Brandwatch: https://www.brandwatch.com/legal/author-privacy-policy/
How we collect your information to respond to customer enquiries received via IWM social media channels
We endeavour to respond to as many queries and comments directed to us via our social media channels as possible. This information will have been provided by the customer, or in the case of a social media username or handle, obtained from a publically available source, where the user has chosen to publish this information.
We only collect data relevant to the customer service enquiry for the purpose of assisting the customer. We encourage our customers to avoid posting any personal information publicly.
How we collect your information via the Facebook Pixel
When a user visits the IWM website and takes an action (for example, buying something), the Facebook Pixel is triggered and reports this action.
We use the Facebook Pixel to:
- Understand when a customer takes an action after seeing an IWM Facebook ad
- Reach this customer again using remarketing functions available within the Facebook advertising platform
- Optimise IWM Facebook adverts so that they are more targeted to the interests of users
For information on how to opt out visit: http://optout.aboutads.info/#!/
Visit the Facebook website to learn more about Facebook Ads and manage your preferences: https://www.facebook.com/ads/about
What information we collect for social media marketing, social listening, analysis and enquiries
- In order to analyse the year-on-year performance of our social media channels, posts, and ads, we collect and process information from the social media platforms listed above. The data collected could include the following:
- your name, username, handle, or other identifier;
- the content of the information you have published via that name, username, handle, or other identifier, including posts, comments, opinions, etc.;
- your profile picture or other images or videos that you post or interact with.
Different social media platforms collect different types of data. Please see above links to the Privacy Policies of the social media platforms we use, which indicate what data they collect.
- We use social media platforms to collect information to help us identify social media users who have an affinity with IWM and/or our subject matter and may be interested in supporting IWM social media activities. This might include names, usernames, handles, or other identifiers, email addresses and interests, where actively made available by the individual online.
- The Facebook pixel collects information including:
- Information relating to actions on the website such as pages viewed;
- Connection information such as IP address; the type of computer or mobile device you are using; browser type.
Data is hashed locally on the browser before it goes to the Facebook servers for matching. This hashing process turns your data into short encrypted messages that cannot be tampered with. Facebook use these hashes to match pixel events with people on Facebook.
Visit Facebook’s advice centre for more information about Facebook ads and how to adjust your settings: https://www.facebook.com/ads/about/?entry_product=ad_preferences
How we use your information for social media marketing, social listening, analysis and enquiries
We utilise the data collected and managed by the social media platforms and Facebook pixel listed above for:
- social media marketing, to provide users with more targeted and useful advertising of IWM products and services
- social listening and analysis, that is, to analyse the performance of IWM and competitor social media channels and posts for the purposes of year-on-year reporting on reach and engagement metrics
- understanding conversion tracking, for optimisation and remarketing purposes. Conversion tracking is our assessment of your response to our advertising and marketing, that is, whether you respond by taking an action, (such as visiting our website) or do nothing
- responding to customer enquiries received via IWM social media channels. During the course of assisting with a customer enquiry, sometimes personal information, such as a name, username, handle, or other identifier, email address or phone number, will be passed on to another department in the museum that is better able to assist with the enquiry, for example the Customer Services or Curatorial departments.
- making appropriate approaches to individuals who may be interested in supporting IWM social media activities.
We use this information because we believe it is within our legitimate interests to do so, that is, it helps to promote IWM, its sites, collections, exhibitions and services, while not using your information in an unexpected or intrusive way. It helps us to reach users that may be interested in IWM activities, but who are harder to engage through more traditional methods, and improve the content we supply through social media channels.
How long we keep your information.
- In order to analyse the year-on-year reach and engagement performance of our social media channels posts, and ads, we keep information from the social media platforms listed above for five years.
- Facebook Pixel. Duration: 180 days.
- We keep information on social media users who may be interested in supporting IWM social media activities for a maximum of two years if no further contact is intended in regards to future relevant projects. Where your information is no longer required, we will ensure it is disposed of securely. Please note, that we may have to retain a skeleton record with basic details to ensure you are not researched again (as with stop lists in our Marketing section).
Enquiries about social media activities
- If you wish to query, update, object to or request the deletion of information we hold about you collected via this method, please contact us at FOI@iwm.org.uk, putting ‘Social Media, Data Subject Request’ in the subject line.
How we collect your personal information using cookies
Cookies are usually set when you visit a particular page on the IWM website, or if you take a particular action, such as filling in an online form.
The information we collect via cookies consists usually of things like IP addresses, sites visited and actions taken. We don’t use them to identify you by name, or record things like email addresses or bank details
The IWM website also contains third party cookies set by other organisations.
How we use information about you collected by cookies
IWM sets cookies on the IWM website to enable it to carry out certain functions, such as remember the information you have entered on an online form, or to ‘save’ things in your basket in the online shop.
We do this because we believe it is within our legitimate interests to do so, ie it provides us with significant benefits without using your information in an unexpected or intrusive way. We ensure that you are informed about the placing of cookies as soon as you enter the site and are provided with a link to information about how to clear your cookies and opt out in future
We comply with the Privacy and Electronic Communications Regulations by presenting a cookie banner with an opportunity to access information on opt out.
How long we keep information collected via cookies
Cookies can be set for the duration of your visit to the website or for up to two years. The information collected is usually kept for two years.
14. Policy Updates
This policy was agreed on 15 May 2018
It replaces the previous policy of 12 January 2016, to provide more detail in compliance with new Data Protection legislation.