Fancy joining us on our voyage? We’re recruiting – click here to find out more. 

Data Protection and Privacy




We may have to collect and use information about people with whom we work.  These may include members, current, past and prospective employees, clients, and suppliers.  This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, and there are safeguards within the Data Protection Act 1998 to ensure this.


We regard the lawful and correct treatment of personal information as very important to our successful operation and to maintaining confidence between us and those with whom we carry out business.  We will ensure that we treat personal information lawfully and correctly.


To this end we fully endorse and adhere to the Principles of Data Protection as set out in the Data Protection Act 1998.


The principles of data protection

The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.


The Principles require that personal information:

  1. a) shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
  2. b) shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
  3. c) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
  4. d) shall be accurate and where necessary, kept up to date;
  5. e) shall not be kept for longer than is necessary for that purpose or those purposes;
  6. f) shall be processed in accordance with the rights of data subjects under the Act;
  7. g) shall be kept secure i.e. protected by an appropriate degree of security;
  8. h) shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.


The Act provides conditions for the processing of any personal data.  It also makes a distinction between personal data and “sensitive” personal data.


Personal data is defined as data relating to a living individual who can be identified from:

  1. a) that data;
  2. b) that data and other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.


Sensitive personal data is defined as personal data consisting of information as to:

  1. racial or ethnic origin;
  2. religion or other beliefs;
  3. trade union membership;
  4. physical or mental health or condition;
  5. sexual life;
  6. criminal proceedings or convictions.

Handling of personal/sensitive information

We will, through appropriate management and the use of strict criteria and controls,:

  1. a) observe fully conditions regarding the fair collection and use of personal information;
  2. b) meet our legal obligations to specify the purpose for which information is used;
  3. c) collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
  4. d) ensure the quality of information used;
  5. e) apply strict checks to determine the length of time information is held;
  6. f) shall be accurate and where necessary, kept up to date;
  7. g) shall not be kept for longer than is necessary for that purpose or those purposes;
  8. h) shall be processed in accordance with the rights of data subjects under the Act;
  9. i) shall be kept secure i.e. protected by an appropriate degree of security;


In addition, we will ensure that:

  1. a) everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
  2. b) methods of handling personal information are regularly assessed and evaluated;


All members of staff are to be made fully aware of this policy and of their duties and responsibilities under the Act.


All managers and staff must take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

  1. a) paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
  2. b) personal data held on computers and computer systems is protected by the use of secure passwords, which where possible have forced changes periodically;
  3. c) individual passwords should be such that they are not easily compromised.


All contractors, consultants, partners or Directors must:

  1. a) ensure that they and all of their staff who have access to personal data held or processed for or on behalf of us, are aware of this policy and are fully aware of their duties and responsibilities under the Act. Any breach of any provision of the Act will be deemed as being a breach of any contract between the Company and that individual, company, partner or firm;
  2. b) allow data protection audits by us of data held on our behalf (if requested);
  3. c) indemnify us against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.


All contractors who are users of personal information supplied by us will be required to confirm that they will abide by the requirements of the Act with regard to information supplied by us.



The Data Protection Act 1998 requires every data controller who is processing personal data, to notify and renew their notification, on an annual basis.  Failure to do so is a criminal offence.


Donor privacy and confidentiality

The Story Museum is committed to respecting the privacy of donors and prospective donors. We collect and maintain donor and prospective donor information as follows.

  • Contact information: name, address, telephone number and email address
  • Giving information
  • Information on interactions (e.g. events attended, publications sent, letters received)
  • Information provided by the donor in the form of comments and suggestions
  • Information gathered from publically available resources


We maintain and use this information for the purposes of:

  • Gift aiding and administration
  • Gift aid claims
  • Understanding a person’s interests and building a relationship
  • Communicating our plans and activities
  • On-going fundraising operations
  • Reporting to applicable government agencies as required by law

For further information, please refer to our ‘Donor Privacy and Confidentiality Policy’.




The Story Museum reserves the right to amend policies and procedures without prior notice to reflect changes in legislation or significant changes in operational strategy.  All policies will be reviewed every 5 years.

Reviewed:       November 2016