Data protection policy

This policy describes how personal data is collected, handled and stored to meet the Museum’s data protection standards and to comply with the law.

1. Introduction

  • The National Football Museum needs to gather and use certain information about individuals including visitors, customers, suppliers, business contacts, job applicants, employees and other people the organisation has a relationship with or may need to contact.
  • This policy describes how this personal data must be collected, handled and stored

to meet the company’s data protection standards and to comply with the law.

2. Data protection law

The General Data Protection Regulation (GDPR) applied in the UK from May 2018. On the 01/01/21 the UK’s data protection regime was set out in the UK General Data Protection Regulation (UK GDPR) after leaving the EU. The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The ‘UK

GDPR’ sits alongside an amended version of the DPA 2018. The government has published a ‘Keeling Schedule’ for the UK GDPR, which shows the amendments.

https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data- protection-and-the-eu-in-detail/the-uk-gdpr/

The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

As with the original 2018 legislation UK GDPR requires that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate

technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals.

  • Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • The Data Protection Officer shall be responsible for, and be able to demonstrate, compliance with the principles (see section 9).

3. Who we are

  • National Football Museum, Urbis, Cathedral Gardens, Manchester, M4 3BG Tel: 0161 605 8200

Email: info@nationalfootballmuseum.com Company registration number: 03070670 Charity registration number: 1050792

  • We are registered as a data controller under the Data Protection Act 1998, and our Data Protection Register number is: Z7181046.
  • Any electronic communications will be made in accordance with the Privacy and Electronic Communications (EC Directive) Regulations 2003.

4. What information do we collect?

  • We collect the personal data that may be volunteered as part of ticket bookings, online purchases, donation forms, e-newsletter sign-ups, visitor surveys and job applications.

Personal information we collect may include:

  • Name, title, gender and date of birth.
    • Postal address, email address and phone number.
    • Family and spouse/partner details, relationships to other donors.
    • Current interests and activities.
  • We will also collect and hold information about any contact individuals have with us as a visitor, customer or supporter of The National Football Museum, and may consist of details of:
  • Ticket purchase and event registration / attendance.
    • Online retail purchases.
    • Contact preferences.
    • Gift information, including Direct Debit bank details where applicable.
    • Gift Aid status.
  • Details of correspondence sent to you, or received from you.
    • Donor status and wealth assessment information.
    • Employment information and professional activities.
    • Where relevant, selected media coverage.
    • Any other information provided by yourself at the request of the Museum.
  • When we ask individuals to provide personal information we will let you know why we are asking, and how we will use your data, by directing you towards privacy notices.
  • Please note a separate CCTV policy and Data Protection Impact Assessment details data protection in this instance.

5. What we do with personal information

Depending on the relationship with the National Football Museum, and the preferences individuals have indicated, data we hold may be used by us for the following purposes:

  • To send promotional, marketing or fundraising information by post, telephone or electronic means. These types of communications can include informing individuals of news and updates or other products, services or events related to the Museum, such as exhibitions, events, or retail offers.
  • Information on our fundraising operations, including occasional targeted requests to ask individuals to consider giving financial support to the Museum, or to consider supporting us in other ways.
  • Other relevant communications based upon individual relationships with the Museum.
  • Data screening and cleansing.
  • Wealth screening and research, to help us understand our donors and potential donors, including gathering information from publicly available resources to give an insight into an individual’s philanthropic interests and ability to support the Museum.
  • To send surveys, and for market research purposes.
  • Tools may be used to monitor the effectiveness of our communications, including email tracking, which records when an e-newsletter from us is opened and/or how many links are clicked within the message. The data from this tracking is used in an aggregated and anonymised form.
  • Individuals can opt out of any / all of our communications at any point simply by contacting info@nationalfootballmuseum.com. Individuals can also unsubscribe

from museum newsletters simply by following the link featured at the bottom of every newsletter.

  • There are some communications that we are required to send regardless of contact preferences. These are essential communications, deemed necessary to fulfil our contractual obligations such as on-line retail purchases and pre-booked ticket purchases. This could also include Direct Debit confirmations and thank you letters, Gift Aid confirmation letters and querying returned mail or bounced Direct Debit payments with you.

6. How we update, screen and analyse information

  • We continuously review records of supporters to ensure data is as accurate as possible. We may consult alternative sources in order to undertake these checks, such as:
  • Royal Mail National Change of Address database (NCOA).
  • BT Operator Services Information System (OSIS);
    • Reviewing employment information that individuals have made publicly available via social media.
    • Newspaper articles, publications and company websites.
    • Companies House and other company information databases.
    • Charity Commission register.
    • Any other publicly available sources.
  • Where we appoint an external party to undertake a screening of information, any such arrangements will be subject to a formal agreement between The National Football Museum and that organisation, to protect the security of data.
  • We may segment the information we hold about individuals in our database based on a proprietary score. These scores are calculated using personal data, as well as how engaged with us individuals have previously been, and indicators of future engagement. Analysis of this helps us understand our Members, donors and potential donors to ensure we are efficient and that only relevant communications are sent.
  • individuals can opt-out of their data being utilised for wealth screening, data cleaning or analysis, (with the aims of targeting communications with individuals appropriately, or finding up to date contact information in the case of gone away mail), simply by contacting us.

7. Who we might share information with

  • We do not disclose personal data to any third parties or external organisations, other than data processors carrying out work on our behalf. Examples of such data processors would be bulk email distribution services.
  • Any such companies are acting as approved data processors for The National Football Museum, and we retain full responsibility for individual personal data. Data processors will act only on our instructions and information will not be shared with other organisations or individuals.
  • We may occasionally need to transfer personal information overseas, for instance to our bulk email distributor. Where this is necessary, this may be to countries or territories around the world.
  • We are required to ensure any transfers of data will be done securely, in accordance with best practice, and in compliance with the General Data Protection Act (GDPR) 2018.
  • Individual data will never be sold or passed to any third party for any other purpose.

8. How we keep information secure

  • We have implemented security procedures, rules and technical measures to protect the personal data that we have under our control from:
  • Unauthorised access.
    • Improper use or disclosure.
    • Unauthorised modification.
  • All our employees and data processors, who have access to, and are associated with the processing of personal data, are legally obliged to respect the confidentiality of our visitors’ and supporters’ personal data.

9. Data Protection Officer

The Museum’s Data Protection Officer (DPO) is Anthony Willder as of the date of this document. The tasks of the DPO are:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

10. How can I access individual information, and correct individual information?

  • Individuals can ask us if we are keeping any personal data about them and can also request to receive a copy of that personal data – this is called a Subject Access Request.
  • To make a Subject Access Request, individuals need to provide adequate proof of identity such as a copy of their passport, birth certificate or driving licence before the request can be processed (unless employed by or volunteering for the NFM).
  • A copy of an individual’s personal data will be provided for free, we may charge for additional copies. If the request is ‘manifestly unfounded or excessive’ we may ask for a reasonable fee for administrative costs associated with the request.
  • Individuals are asked to be as clear as possible about the information they are seeking.
  • Once we have received a Subject Access Request the individual will receive a response from us within 1 month and will be able to get copies of any information we hold on them. However, exemptions to disclosure may apply in some circumstances. In certain circumstances we may need extra time to consider a request and can take up to an extra two months. If we are going to do this, we will let the individual know within one month that it needs more time and why.
    1. Subject Access Requests should be sent to: Data Protection Officer

The National Football Museum Cathedral Gardens, Manchester

M4 3BG

dataprotection@nationalfootballmuseum.com

  • At any time individuals may request that we delete or correct their personal information. To do so, they should contact:

dataprotection@nationalfootballmuseum.com

11. Changes to our privacy notices and how to contact us

  • We regularly review our privacy notices and may make changes time to time. Any changes made will be posted and will apply from the time we post them on our website.

or write to us at:

Data Protection Officer National Football Museum Cathedral Gardens Manchester

M4 3BG