Privacy
    The Keep Military Museum > Privacy

Privacy Policy

Governing Body: The Dorchester Keep Military Museum Trust

Address: The Keep Military Museum, Barrack Road, Dorchester, Dorset, DT1 1RN

Charity Number: 1200607

Date when this policy was approved by governing body to take effect: 8th June 2024

Date when this policy is due for review: 8th June 2029

Contact point re this Privacy Policy: info@keepmilitarymuseum.org

1 Introduction
This Policy is in response to the General Data Protection Regulation (GDPR) applicable in the United
Kingdom. It sets out the criteria for the use of personal data provided to, used by, or retained by The
Dorchester Keep Military Museum Trust (DKMMT). Furthermore, it sets out the rights of those providing
potentially sensitive personal information and how these rights will be respected.
2 The Policy
The GDPR is applicable to all visitors, contractors, volunteers, staff and trustees. It applies to all potentially
sensitive personal information whatever their relationship to the Trust and The Dorchester Keep Military
Museum. It includes personal records of staff, volunteers and trustees and to those visiting The Keep
Museum, either in person or virtually (i.e. online). The Trust will ensure the GDPR requirements are
regarded as a minimum standard and additional protection measures might be included that are ‘over and
above’ those required in law.
The Trust is the primary controller of personal information, and the Policy explains from whom it collects
data, how it is used, where and with whom it is stored and retained.
3 Glossary of Terms
This section describes the terminology to be found within GDPR literature and how the Board of Trustees
has decided that it applies to all those who come into contact with the Trust.
(a) Data Subject
This is any person who is known to the organisation and is uniquely identified. The Trust classifies Data
Subjects into distinct groups, although individuals often belong to more than one group. These groups are:
• trustees;
• staff;
• volunteers;
• Association of ‘Keep Friends’;
• external contacts;
• visitors;
2 | DKMMT HR-S2 GDRP and Privacy Policy Issue 1
• Donors of legacies and other funds to DKMMT;
• Donors and lenders of artefacts to DKMMT.
(b) Personal Data
Any information which identifies and describes a Data Subject. It may be held electronically or as
hardcopy. It may range from simple contact details (such as name, postal address and email address) to
more specific, or sensitive, “Special Category” data (such as ethnicity, religious belief and bank account
details).
(c) Data Controller of The Museum
The organisation ultimately responsible for strategy relating to the storage and use of personal data is The
Dorchester Keep Military Museum Trust. The main contact is the Director of The Dorchester Keep Military
Museum.
(d) Data Processor
Any organisation that uses data on behalf of the Data Controller. The Trust is both Data Controller and
Data Processor. No data management is outsourced.
(e) Lawful Use
The Data Controller is entitled to process personal data for lawful use. The legislation includes a short list
of instances of Lawful Use one of which, for GDPR purposes, must be clearly identified and stated for each
application of the data. In the case of DKMMT, the use of the “Legitimate Interest” criterion is that which is
deemed relevant in most cases.
(f) Legitimate Interest
Legitimate Use is where the storage and use of personal data is considered necessary by the Data
Controller for the effective operation of the Trust, and which is deemed beneficial to both the Data
Controller and the Data Subject. This is provided that the interests or fundamental rights and freedoms of
the Data Subject are not overriding (taking into consideration the reasonable expectations of Data Subjects
based on their relationship with the Data Controller). The main exception to this is where the Data Subject
is a child (being a person under the age of 13). The Trust’s policy is not to record any data relating to a
child.
Legitimate Interest represents an appropriate alternative to a “Consent-based” protocol (where Data
Subjects must opt into the use of their personal data by clearly giving their consent). When relying on
Legitimate Interest as a Lawful Use criterion, the Data Controller must inform the individual of their right to
object to such processing. This opportunity to object will be given to the Data Subject at the point of data
collection. As required by the GDPR, the Trust has carried out and recorded a Legitimate Interests
Assessment balancing the right to process the personal data against the data protection rights of the
individual.
3 | DKMMT HR-S2 GDRP and Privacy Policy Issue 1
(g) Privacy Notice
This is a statement of intent by the Data Controller to the Data Subject. It describes the personal data
being retained and how it will be used. It often includes a request for consent but such consent is not
required if the chosen Lawful Use of the personal data is deemed a Legitimate Interest as here.
4 Personal Data for Trustees
The personal data held by the Data Controller comprises exactly the same data as is required to be
provided to it by the Charity Commissioners, including signatures, for each trustee.
5 Personal Data for Staff
The personal data held by the Data Controller is that which is reasonably expected to be submitted by a
member of staff of any business. The data recorded is for the purposes of staff management, performance
assessment, training, payment of salary and expenses, personal tax and National Insurance contributions
and safety.
The Data Controller believes that this constitutes Legitimate Interest and accordingly there is no need to
request the consent from, nor to issue a Privacy Notice to any Trustee. The data will never be shared with
any other party or person without specific consent of the Data Subject.
6 Personal Data for Volunteers
The personal data held by the Data Controller comprises little more than contact details (covering almost
exclusively the extent of any data processing). In addition, there is a paper ‘Volunteer Details’ form
containing, inter alia, information such as health conditions and criminal convictions. Operational
communication with Volunteers is conducted primarily by email, and quite frequently by telephone, which
necessitates the sharing of key contact details. When volunteers sign on and complete the ‘Volunteer
Details’ form, they confirm contact details may be shared with other volunteers and so it is possible to verify
where permission has been granted.
If any contact data is required to be displayed on noticeboards the Data Controller first verifies that
permission has been granted by the Data Subject(s) concerned. It is the policy of the Trust that no
personal data is shared without the express permission of the individual Data Subject concerned. Hard
copy personal details of volunteers are retained in a locked cabinet in The DKMM offices and electronic
copies are stored in a password-protected file on a single laptop.
The Data Controller believes that this constitutes Legitimate Interest. It feels no need to request consent,
and ensures that all volunteers are made aware of exactly how their own personal data will be processed,
as well as how they should take due care of each other's personal data.
7 Personal Data for ‘Keep Friends’
The ‘Keep Friends’ are not constituted as part of the Trust in any legal or other formal manner but are
linked informally as a result of their support to DKMM. As such, GDPR registration does not cover them.
The Data Controller does hold personal data relating to some members and it comprises contact details
that enabling this group of Data Subjects to receive a regular newsletter and other occasional
4 | DKMMT HR-S2 GDRP and Privacy Policy Issue 1
communications, including statutory notice of meetings. The Data Controller believes that this constitutes
Legitimate Interest and accordingly it has no need to request consent. In addition, as a courtesy to all
‘Keep Friends’, the Trust informs them of exactly how their personal data will be processed.
8 Personal Data for External Contacts
Other than suppliers and providers of services to the Trust, there are very few External Contacts. The
unique identifiers of these contacts are typically email addresses that are stored on personal computers
and smartphones, or as telephone numbers in personal telephones and address books. The data is held
for convenience purposes and only used for business purposes.

Data arising from such contacts with individual suppliers and providers is held on-site at DKMM secured in
locked cabinets or is saved electronically on-site.
The Data Controller believes that this constitutes Legitimate Interest. Volunteers and staff are made aware
of their responsibilities relating to privacy when contacting Data Subjects on behalf of DKMM. Accordingly,
there are no plans to issue Privacy Notices to these Data Subjects.
9 Personal Data for Visitors
Members of the public who come as visitors to DKMM normally leave behind little or no trace of their
identity. They might choose to write a comment in the Visitors’ Book, but they decide for themselves how
much identification data to record – typically they include only their name and geographical area. The
DKMM occasionally quotes some of the comments in its own literature, but any names are always
anonymised or excluded, to prevent any possible identification of an individual.
Visitors may also voluntarily supply the Data Controller with personal information for Gift Aid purposes as
required by HM Revenue & Customs to validate the claim. Gift Aid records must be kept for six years after
the relevant accounting period to which they relate.
Online visitors automatically supply the Data Controller with contact information. This might be simply their
email address or, if ordering products from the museum, their postal address too. Any online payments are
securely managed through PayPal. Visitors may supply the Data Controller with more detailed personal
information if submitting a research enquiry and here any information provided is used solely for answering
the query or communication received. All of these data are confined to the email address book of DKMM
and the body of individual emails on the personal device of the recipient of the email and any other member
of staff or volunteer to whom the recipient has forwarded it.
When visiting the website, the visitor’s IP address, browser and version, operating system and the site the
visitor came from is stored in a log file held at DKMM. These log files do not contain any personal
information and the information is only used for statistical purposes. The host website itself does not store
any personal information submitted, e.g. such as that entered into the contact form.
Whenever the museum initiates customer or visitor surveys, it always ensures that all of the data collected
is completely anonymous.
5 | DKMMT HR-S2 GDRP and Privacy Policy Issue 1
The Data Controller believes that all of the above practices constitute Legitimate Interest. Visitors (of either
type) are never required to leave or give contact information and any subsequent correspondence
thereafter will always be initiated voluntarily by them and not by DKMM and it will be they who provide their
contact details in order for the correspondence to continue. The Data Controller advises Volunteers to be
aware of the data protection responsibilities of DKMM with regard to both the security of the data belonging
to any visitor and the need for it to be destroyed when it when no longer needed.
10 Personal Data for Donors and Lenders
The Data Controller is obliged to maintain a record of the source of all items in its collections. The Object
Entry Form, which contains the Data Subject's contact details, the gift/loan decision and signature, is
required to prove DKMM's entitlement to call the item its own, or to show how and when a loaned item
should be returned. This information is also transcribed into the hardcopy Accessions Register, which
serves a similar purpose (but does not show the donor's signature). No attempt is made to keep the
contact details current, because the requirement is to store the data as it was at the time of the acquisition.
The only data processing is storage and browsing and care is taken to ensure (via electronic permissions,
etc.) that the Data Subject details are never shown to any member of the public.
The Data Controller believes that this constitutes Legitimate Interest. The indefinite retention of the
personal data is mandated by museum standards, even though the data is never actively used in any way.
The Data Controller never checks whether the Data Subject is still alive or contactable using the data
provided. Contact details of lenders are necessary for the return of their property at the end of the loan
period.
11 General Notes
1. Some, but not all, personal data is held on DKMM computers, all of which are protected by passwords.
For operational reasons, some personal data may occasionally also be held on private computers at
home by research volunteers. All volunteers entrusted with such data are made aware of their
responsibilities with regard to the safeguarding of the data whilst in their care. Any personal data on
paper is held in securely locked cabinets at DKMM.
2. All hardcopy data is stored behind locked doors at DKMM. Where appropriate some is also held under
further lock and key within the museum building.
3. The Privacy Policy of DKMMT will be regularly reviewed on an annual basis for confirmation at the
Trustees Annual General Meeting. The Governing Body has the right to make changes to it from time to
time.
4. Under the GDPR, individuals have a number of rights that can be exercised free of charge. These can
be viewed at: www.ico.org.uk. Individuals have the right to contact DKMM at any time during its normal
opening hours to see a copy of any information held on them via a Subject Access Request. The
museum will respond to such requests within 40 days and charge a nominal fee of £10 per individual
Data Subject in relation to whom a request is submitted for processing. Such a request includes an
entitlement for the applicant individual to be (a) told if any personal data held is being processed (b) to
6 | DKMMT HR-S2 GDRP and Privacy Policy Issue 1
be given a description of the data, the reason it is being processed and whether it will be shared, and
(c) given the source of the data.
5. The DKMMT, Trustees, Staff and Volunteers are aware that despite the items specified above,
Legitimate Interest does not extend/apply at any time to the following activities i.e. (a) direct marketing
by e mail, SMS, or automated telephone calls (b) detailed research profiles created in-house or
externally sourced (c) wealth screening (d) sharing data, and that in each of these situations the
Consent of individuals is required re data capture. However, DKMMT policies and activities do not
include any of the activities listed above.



OPENING HOURS:
7 days a week, 10am - 4.30pm. Last entry 3.30pm.

The Keep Military Museum
Barrack Road
DORCHESTER
Dorset
DT1 1RN

Telephone: 07586 161 872

Contact Us
Terms and Conditions
Privacy Policy

© Copyright The Keep Military Museum 2022

The Dorchester Keep Military Museum Trust is a charity registered in England and Wales (1200607)

Website by Scoop Apps, Web & Creative