Privacy Statement
This public privacy notice sets out how the Social History Curators Group (SHCG) uses and protects any personal information that you give to us. This privacy notice is being issued in accordance with the UK Data Protection Act (2018) and EU GDPR, or European General Data Protection Regulation.
We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this privacy statement.
The Data Protection Act (2018) and EU GDPR aims to consolidate and strengthen the protection of personal data. It introduces improved data protection rights for individuals and places enhanced compliance, governance and accountability obligations upon organisations involved in the processing of
personal information of individuals.
This privacy notice is effective from 1st April 2021.
This policy is reviewed every two years and is next due in March 2023.
The data that we may collect
We may collect the following information:
- name and job title, place of work or study
- contact information including email address, postal address and telephone numbers
- demographic information such as postcode, preferences and interests,
- other information relevant to customer surveys and/or offers
- bank details for direct debit processing
- IP addresses via our website
- access and dietary requirements or health information
- Photography date of birth, gender, sexual orientation, ethnicity, disability and other information for monitoring diversity
Why we require this information
1. Members
For internal record keeping including membership processing, and in order to deliver your membership benefits including e.g. the jiscmail list, SHCG newsletter and SHCG Journal.
For marketing, market research, and to use the information to improve our products and services.
Legal basis for processing members’ data
We process the following data under contractual obligation as part of the information required in order for us to process your membership and deliver your benefits.
- Name
- Contact information including email address
- Bank details for direct debit processing and BACS payments
- IP address
We process the following types of data under our legitimate business interest, which is to keep our members informed and provide the best products and services we can.
• Name
• Contact information including email address.
• Job title, place of work or study
• Demographic information such as postcode, preferences and interests
• Other information relevant to customer surveys and/or offers
With your prior consent we will:
• periodically send promotional emails about events, resources, special offers or other information which we
think you may find interesting using the email address which you have provided
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail
2. Subscribers (Non-members)
For internal record keeping including processing of your subscriber status; in order to ensure that the products you subscribe to are delivered to you correctly and to inform you about the SHCG’s activities.
For marketing, market research, and to use the information to improve our products and services.
Legal basis for processing subscribers data.
We process the following data under contractual obligation as part of the information required in order for us to process your subscriptions:
• Name.
• Contact information including email address.
We process the following types of data under our legitimate business interest, which is to keep you informed and provide the best products and services we can:
• Name.
• Contact information including email address.
• Job title, place of work or study.
• Contact information including email address.
• Demographic information such as postcode, preferences and interests.
• Other information relevant to customer surveys and/or offers.
With your prior consent we will:
• periodically send promotional emails about events, resources, special offers or other information which we
think you may find interesting using the email address which you have provided and;
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail.
3. Events attendees
For internal record keeping including processing of your order
To ensure that you are correctly booked on your chosen event/s and that any preferences e.g. access and dietary requirements, are correctly recorded,
To inform you about SHCG’s activities, online meeting passwords, venue information and schedule
information.
For marketing, market research, and to use the information to improve our products and services.
To meet the legal requirements for processing personal data
We process the following data under contractual obligation as part of the information required in order for us to correctly record your attendance at events:
• Name.
• Contact information including email address.
• Bank details for payment processing.
We process the following types of data under our legitimate business interest, which is to keep you
informed and provide the best products and services we can:
• Name.
• Contact information including email address.
• Job title, place of work or study
• Demographic information such as postcode, preferences and interests
• Other information relevant to customer surveys and/or offers
With your prior consent we will:
• periodically send promotional emails about new products, special offers or other information which we
think you may find interesting using the email address which you have provided
• contact you from time to time, for market research purposes. We may contact you by email, phone, or mail
Sensitive data with consent and under the special condition of explicit consent:
• dietary requirements, access requirements, health information where relevant
4. Contributors, speakers, reviewers
For internal record keeping relating to your contribution to workshops, seminars, SHCG annual conference, SHCG Journal, SHCG Newsletter.
Legal basis for acknowledging rights holders.
We process the following data under our legal obligation to you as a copyright holder and intellectual property rights holder.
• Name
• Signature
• Contact information including postal address and email address.
We process the following types of data under our legitimate business interest, which is to keep you
informed and provide the best products and services we can:
- Name
- Contact information including email address
- Job title, place of work or study
- Bank details for expenses processing.
With your prior consent we will:
- Contact you from time to time regarding your submissions and contributions, and future opportunities to contribute to SHCG activities.
4. Website users
For internal record keeping in order to monitor the number of users the website receives to maintain user settings and preferences.
We process the following types of data under our legitimate business interest, to make our websites work
more efficiently and conveniently, as well as monitoring web traffic.
- Cookies related to maintaining user settings as you move from page to page during a session of browsing.
- Google analytics to help monitor visitor traffic to the site.
5. FirstBASE contributors
For internal record keeping relating to your contributions to the FirstBASE database.
Legal basis for acknowledging rights holders.
We process the following data under our legal obligation to you as a copyright holder and intellectual property rights holder.
• Name.
• Contact information including email address.
We process the following types of data under our legitimate business interest, which is to keep you informed and provide the best products and services we can:
- Name
- Contact information including email address
- Job title, place of work or study
- Bank details for expenses processing.
With your prior consent we will:
Contact you from time to time regarding your submissions and contributions.
Processing of sensitive personal data
Sensitive personal data includes information relating to the following matters:
· your racial or ethnic origin
· your political opinions
· your religious or similar beliefs
· your trade union membership
· your physical or mental health or condition
· your sex life, or
· the commission or alleged commission of any offence by you
SHCG will only collect and process sensitive data primarily where it is necessary to enable the organisation to meet its legal obligations, and in particular to ensure adherence to health and safety and vulnerable groups protection legislation or for equal opportunities monitoring purposes.
Currently we may collect sensitive data for the following purposes:
Equality, Diversity and Inclusion surveys where we may collect:
• date of birth, gender, sexual orientation, ethnicity, disability with consent, and also under the special
condition of explicit consent
Events attendance where we may collect:
• dietary requirements, access requirements, health information where relevant, with consent and under the
special condition of explicit consent
SHCG will not process sensitive personal data without your consent.
Who we share your data with
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law.
Where your information is serviced, stored or collected via third party providers (such as Mailchimp) we will ensure they comply with UK Data Protection Act 2018 and EU GDPR.
We will share relevant data with external organisations, e.g. mailing houses, in order to process the mailing of the SHCG Journal and other publications, and payment processing companies, e.g. Go Cardless to process subscription payments, Eventbrite for event bookings.
Your rights around your personal data
1. Withdrawing your consent
When you become a member you can set your user preferences as to how and about what we may contact
you.
You can set your preferences and unsubscribe to our Mailchimp and Jiscmail communications.
We will require at least one method of contact to communicate with you in order to administer your
membership or other products and services.
If you have previously agreed to us using your personal information for direct marketing purposes, you may
change your mind at any time by writing to us at the address below, or emailing us at enquiryshcg@gmail.com .
The Data Controller, (c/o Chair) Social History Curators Group, St Fagan’s Museum, Cardiff CF5 6XB or via
e-mail at enquiryshcg@gmail.com .
2. How you may request the information we hold about you
You may request details of personal information which we hold about you.
If you would like a copy of the information which we hold about you, please contact us using the details above. We will send this information to you within 30 days.
You will need to provide documentation to confirm your identity, including a form of ID such as a driving license.
3. Data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
The right to data portability only applies:
• to personal data an individual has provided to a controller
• where the processing is based on the individual’s consent or for the performance of a contract
• when processing is carried out by automated means.
If required we will provide the personal data in a structured, commonly used and machine-readable form, free of charge.
You can make a request verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.
4. Disclosure of information
We will ensure that your information will not be disclosed to government institutions or authorities except if required by law or when requested to by regulatory bodies or law enforcement organisations.
5. Right to rectification and erasure
The UK Data Protection Act 2018 and EU GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
You can make a request for rectification verbally or in writing using the contact information above. We will respond to your request within 30 days.
The UK Data Protection Act 2018 and EU GDPR also introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. You can make a request for erasure verbally or in writing. However, there may be a legal basis for us to refuse the request, e.g. where we are required to hold the data, for example in relation to financial transactions.
You can make a request for erasure verbally or in writing. We will respond to your request within 30 days.
Please contact us using the details above.
6. Right to object
The UK Data Protection Act 2018and EU GDPR gives individuals the right to object to the processing of their personal data in certain circumstances, for example you have an absolute right to stop your data being used for direct marketing.
You can make a request verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.
7. Complaints procedure
If you have a concern about the way SHCG is handling your personal information – perhaps we hold information about you that is incorrect, we have held it for too long, or we are not keeping it securely - you can make a complaint verbally or in writing. We will respond to your request within 30 days. Please contact us using the details above.
You may also wish to raise your concerns with the ICO (the Information Commissioner’s Office), particularly
if you do not feel that SHCG’s response has not been adequate.
If the ICO think the organisation has not complied with its obligations it can give the organisation advice
and ask it to solve the problem. They do not award compensation. Their main aim is to improve the
information rights practices of organisations. You can raise a complaint with the ICO here: https://ico.org.uk/concerns
What information security we have in place
We are committed to ensuring that your information is secure.
In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.
All our trustees that have access to and are associated with the processing of your personal information are obliged to respect the confidentiality of your information.
We regularly review policies, data management processes and procedures to ensure they are compliant with the UK Data Protection Act (2018)and EU GDPR. All trustees who process your data will be required to familiarise themselves with these policies and agree to abide by them.
Please be aware that communications over the internet, such as emails/webmails, are not secure unless they have been encrypted. Your communications may route through a number of countries before being delivered - this is the nature of the world wide web/internet. SHCG cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.
What we will do in the event of a data breach
SHCG ensures that sufficient policies, processes and procedures are in place to detect, report and investigate a personal data breach.
We will notify the ICO (and where required individuals or organisations) of a breach where it is likely to result in a risk to the rights and freedoms of individuals – for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
How we will update our contracts or agreements with data controllers and data third parties:
Third party data controllers and processers are other organisations (or individuals) which control and/or process information on our behalf.
Under the Data Protection Act (2018) and EU GDPR, our contracts or agreements with data controllers and data processors need to contain certain minimum provisions, such as a description of the scope, nature and purpose of processing.
We are reviewing and updating our agreements and contracts with third parties to ensure they have appropriate policies and security measures in place to comply with the Data Protection Act (2018) and EU GDPR and safeguard the personal data we hold.
When we appoint new third parties to act as data controllers and data processors on our behalf, we will ensure that there are appropriate provisions in relation to their own compliance with the Data Protection Act and EU GDPR and other relevant matters such as compliance, monitoring and reporting.
Links to other websites
Our website may contain links to enable you to easily visit other websites of interest to museum professionals. Once you have used these links to leave our site however, you should note that we do not have any control over that external website.
We cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the privacy policy applicable to the website in question.
Data Retention
Data will only be processed in accordance with the purpose or purposes that it was originally collected for
and will only be kept for as long as necessary. We will review at regular intervals the length of time we keep
personal data.
We will consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it.
We will securely delete information that is no longer needed for this purpose or these purposes and update,
archive or securely delete information if it goes out of date.
Transfer of data to outside the UK and EU
The EU GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by GDPR is not undermined.
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the EU GDPR.
Currently the list of countries outside the EEA recognised by the European Commission as having adequate protection are:
Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
In the future SHCG may need to collect or send some personal information outside of the European Economic Area – for example to arrange conferences or administer membership benefits through sub-processors (i.e. Mailchimp). If SHCG transfer personal information to countries or jurisdictions that may not be subject to an adequacy decision granted by the European Commission, we will take measures to comply with our legal obligations and all reasonable steps to ensure that personal information is treated securely for example SHCG will enter into standard contractual clauses that have been approved by the European Commission.
How we use cookies on the SHCG and FirstBASE websites:
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree,
the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site.
Cookies allow web applications to respond to you as an individual. The web application can tailor its
operations to your needs, likes and dislikes by gathering and remembering information about your
preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web
page traffic and improve our website in order to tailor it to customer needs. We only use this information for
statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find
useful and which you do not. A cookie in no way gives us access to your computer or any information about
you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you
can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking
full advantage of the website.