DATA PROTECTION POLICY
INTRODUCTION
1. This policy sets out the Royal Air Force Museum’s policy concerning its handling of personal data, as defined by the Data Protection Act 1998 (the Act), and outlines the steps which are to be taken to ensure that the Museum complies with the requirements of the Act.
SCOPE
1. The Act applies to personal data which is held in any system - whether computerised or manual - which provides access to information relating to a particular person.
2. The eight Data Protection Principles set out in the Act are listed in Appendix A.
DEFINITIONS
1. Data Controller - a person who (either alone or jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or will be, processed.
2. Data Subject - an individual about whom personal data are held.
3. Notification - the process by which a data controller’s details are added to the register (maintained by the Information Commissioner) which is available to the public for inspection.
4. Personal Data - Information from which a living person can be identified.
5. Sensitive Information - Data relating to a person’s:
a) Racial or ethnic origin;
b) Political opinions;
c) Religious or other beliefs of a similar nature;
d) Trade union membership;
e) Physical or mental health or condition;
f) Sexual life;
g) Offences (including alleged offences);
h) Criminal proceedings, outcomes and sentence.
RESPONSIBILITY FOR DATA PROTECTION ISSUES
1. The Director General will appoint a Data Protection Officer, who will be responsible for:
a) Ensuring that the Museum’s registration with the Information Commission is kept up to date;
b) Advising Senior Management, departments and staff about Data Protection issues;
c) Co-ordinating the Museum’s response to requests from members of the public for access to records relating to them, correction of such data, etc.
2. Individual managers are responsible for ensuring that their staff comply with this policy, and are to draw up and issue written procedures in consultation with the Data Protection Officer.
DATA SECURITY
1. The Museum will take steps to protect personal data from loss and unauthorised access. Such measures will include:
a) Backing up computerised records;
b) Using passwords to control access to records held on computers;
c) Locking sensitive records in secure containers when not in use;
d) Disaster planning;
e) Restricting access to CCTV monitors and tapes;
f) Secure disposal of documents and tapes by approved contractors.
2. The existing swipe-card system controls public access to office areas at Hendon [no comparable measures are in place at Cosford]. Records containing personal data are not to be left unattended in public areas at any time.
3. The Museum will investigate any apparent breach of data security and take appropriate action.
GATHERING DATA
1. Data must be collected and processed only for specified purposes: a list of the purposes notified to the Information Commissioner is given in Appendix B.
2. The data collected should be no more than is necessary for the purpose for which it is collected. Data must be kept up to date, and destroyed when it is no longer needed.
3. Where someone is required to provide personal information to the Museum they should be informed of the reason(s) for its collection, and they should be given the opportunity to agree to its use for other purposes, such as news of future events arranged by the Museum.
DIVULGING DATA
1. A data subject is entitled:
a) To be told whether the Museum is processing any personal data relating to him/her, to be given a description of such data, the purposes for which it is being processed, and to whom the data is or may be disclosed;
b) To receive copies of the data and information relating to its source;
c) In certain circumstances, to be told the reasons for decisions made on the basis of the data.
2. Data may be divulged to the data subject, on receipt of a request in writing and any fee that may be charged.
3. Information relating to living individuals will normally only be released to third parties where:
a) It is already available from published sources (for example a biography, a medal citation from the London Gazette, or an entry in Who’s Who).
b) Disclosure is required by or under enactment, or by any rule of law or by a court order.
c) The information is to be used only for historical research purposes - see paragraph 21 below.
4. Addresses will not be divulged, but Museum staff may agree to forward a letter to the data subject.
COLLECTIONS MANAGEMENT AND DATA PROTECTION
1. Personal data recorded for the purposes of managing the Museum’s collections (such as details of people donating objects) will not be divulged to third parties (including Royal Air Force Museum Enterprises Ltd) without the express consent of the data subject.
PERSONAL INFORMATION AND HISTORICAL RESEARCH
1. Records which are processed only for historical research purposes may be kept indefinitely and therefore are exempt from the fifth data protection principle.
TRANSFER OF DATA BETWEEN THE ROYAL AIR FORCE MUSEUM AND ROYAL AIR FORCE MUSEUM ENTERPRISES LTD (RAFMEL)
1. The Museum will only pass personal data to RAFMEL if the data subject has agreed to such transfer, for example by asking to be placed on a mailing list.
TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
1. Personal data may be transferred for historical research purposes.
2. Personal data may be transferred to the Royal Air Force Museum American Foundation for fundraising purposes, subject to:
a) the Foundation’s agreement not to pass details to any other party, and
b) the data subject’s permission.
3. Data must not be transferred for any other purpose unless the country in question ensures an adequate level of protection for data subjects. The Data Protection Officer’s approval is required for any proposed data transfer.
DATA PROTECTION POLICY
APPENDIX A
DATA PROTECTION PRINCIPLES
1. Personal data shall be processed fairly and lawfully.
2. Data shall be obtained for specific purposes and only processed in accordance with those purposes.
3. Personal data shall be adequate, relevant and not excessive.
4. The data shall be accurate and up to date.
5. Data shall be kept only as long as is necessary for the specified purposes.
6. Data shall be processed in accordance with the data subjects’ rights under the new Act.
7. Data shall be kept secure.
8. Data shall be transferred outside the European Economic Area only when the country in question ensures an adequate level of protection for Data Subjects.
DATA PROTECTION POLICY
APPENDIX B
PURPOSES NOTIFIED TO THE INFORMATION COMMISSIONER
Registration No. Z6070157
1. Staff administration.
2. Administration of membership records.
3. Fundraising.
4. Realising the objectives of a charitable organisation or voluntary body.
5. Accounts and records.
6. Advertising, marketing, & public relations.
7. Consultancy (in the context of advice given on curatorial or historical matters, etc.).
8. Crime prevention and prosecution of offenders (notably CCTV records, but including information passed to the police and similar organisation).
9. Education.
10. Information and databank administration (to cover data on persons recorded in the Collections Management System).
11. Property management.
12. Personal information held in records in the Museum’s collections.
13. Research.