Data protection compliance statement
Please note this is a data protection compliance statement largely aimed at National Museums Liverpool staff – if you’re a member of the public who would like to know how your data is being captured, stored, and used, please refer to our privacy notice.
National Museums Liverpool (NML) is required by law to comply with all relevant Data Protection Laws when processing personal data. It is our commitment to ensure that every employee complies with these laws, to ensure the confidentiality of any personal data held by the organisation, and protect the individual's right of access to that data.
Data Protection Laws means the Data Protection Act currently in force in the UK at the relevant time, the EU General Data Protection Regulation (GDPR), and all other mandatory laws of the UK and EU applicable to the processing of personal data by NML.
We need to keep certain information about employees, donors and other users of our facilities to allow us to monitor performance achievements, and health and safety, for example. We also need to keep information on individuals who are the subject of research projects. To comply with the law, the information must be collected and used fairly, stored safely, and not disclosed to any other person unlawfully. To do this we must comply with the data protection principles specified in the GDPR. Personal data is processed in accordance with these principles so that the data is
- processed fairly, lawfully, and transparently and only if there is a valid ‘legal basis’ for doing so
- processed only for specified, explicit and legitimate purposes
- adequate, relevant, and limited
- accurate (and rectified if inaccurate)
- not kept for longer than necessary
- processed securely – to preserve the confidentiality, integrity, and availability, of the personal data
Staff or others who process or use any personal information, must ensure that they follow these principles at all times. In order to ensure that this happens, we have developed this Data Protection Compliance Statement.
The Data Protection Officer
National Museums Liverpool as a body corporate, is the 'Data Controller' under the Data Protection Law, and the Data Protection Officer is ultimately responsible for implementation. The Data Protection Officer, who is the named contact with the Information Commissioner, is the Secretary to the Board. The Data Protection Officer will ensure that National Museums Liverpool's Data Protection Registration is kept up to date. NML’s registration number is Z5845809.
Each Department is responsible for ensuring that the personal data held by them is kept securely and used properly. They are also responsible for informing the Data Protection Officer of the types of personal data held in their department, and any changes or new holdings. The Data Protection Officer will inform the staff of any changes to this document and/or procedure.
Notification of Data Held and Processed
All staff and other users must only process personal data in accordance with the requirements of Data Protection Law, and in particular following the principles that it contains, including:
- Fair processing – ensuring that individuals consent to their data being used and know what it will be used for, and that data is not subsequently used for something else.
- Data Security – ensuring any personal data held is always kept and disposed of securely (taking into account any cyber security considerations)
- Non-disclosure – ensuring personal data is not disclosed except to authorised people
- Awareness – familiarising themselves with the guidance and other information published within NML and following it at all times
- When working remotely or using a mobile device to store data – following the IS protocol for doing so
- Data protection by design – seeking advice whenever a new form of processing personal data is contemplated, or if any data protection related concerns arise
Staff Guidelines for Data Protection Law
Please refer to the Staff Privacy Notice, section: rights of access, correction, erasure and restriction, which can be found on the intranet and NML website.
Staff whose work includes responsibility for supervision of volunteers or students please refer to the Staff Privacy Notice.
Staff should ensure that they are familiar with the Staff Privacy Notice, which will form part of the Staff Handbook.
All staff are responsible for ensuring that:
You destroy non-relevant paper files at regular intervals and electronic information is stored securely. Under the General Data Protection Regulation individuals have the right to the erasure of all of their data we hold. If you receive a request for the erasure of data you should forward any requests to the Data Protection Officer at email@example.com . All requests should be dealt with within 14 working days.
Incoming and Internal Mail
Items which are marked "Personal" or "Private and Confidential", or which appear to be of a personal nature, should be opened by the addressee only, or by that person's secretary/PA. Unless mail items are marked in this way, they will be considered not to contain confidential information. Staff are discouraged from using their National Museums Liverpool address for private matters.
Consent to Processing Sensitive Information
Agreement to allow the processing of some specified classes of personal data is a condition of employment for staff.
Some jobs will bring staff into contact with children, including young people between the ages of 16 and 18. We have a legal duty to ensure that such staff are suitable for the job. We also have a duty of care to all staff and visitors, and must therefore make sure that employees and those who use our facilities do not pose a threat or danger to other users. Please refer to our Safeguarding Policy on the Intranet.
We may ask for information about a person's criminal convictions, race, gender and family details. This is to ensure that we meet our legal obligations in terms of health, safety, and welfare, with regard to staff and the public. Please refer to the Staff Privacy Notice. Because this information is considered sensitive, all prospective staff will be asked to give signed consent to process particular types of information when an offer of employment is made
We are legally able and entitled to intercept and monitor communications including email and telephone conversations. However, National Museums Liverpool has adopted the Code of Practice, The Use of Personal Data in Employer/Employee Relationships, as issued by the Information Commissioner. We would only ever monitor for the following reasons:
- To record evidence of business transactions.
- To ensure compliance with regulatory or self-regulatory guidelines.
- To maintain effective operation of our networks and systems.
- To monitor standards of training and service.
- To prevent or detect criminal activity.
- To prevent unauthorised use of our computer and telephone systems.
- For the purposes of HR conducting grievance and/or disciplinary procedures.
As far as is possible, monitoring will be:
- Limited to data traffic rather than content of communications.
- Automated to reduce the extent to which extraneous information is made available.
- Targeted to areas of highest risk.
- In proportion to the benefits obtained.
Publication of National Museums Liverpool Information
Under the Freedom of Information Act 2000, as part of its publication scheme, NML make public as much information about the organisation as possible. In particular, the following information will be available to the public for inspection:
- Strategic Plan;
- Annual Review;
- Senior Staff List;
- Annual Report & Accounts;
- Board minutes;
- Trustees' Register of Interests.
The internal telephone list will not be a public document.
Any individual having good reason for wishing details in these lists or categories to remain confidential should contact the Data Protection Officer.
Rights to Access Information
Staff, visitors and other users of our facilities have the right to access any personal data that is being kept about them. Any person who wishes to exercise this right, should do so via the Subject Access Request Form on the NML website. The Data Protection Officer will require information from the individual as to where they believe this information is held.
We aim to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 30 days, unless there is a good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request, indicating when it will be possible to comply. We reserve the right to ask for proof of identity.
Retention of Data
We keep some forms of information for longer than others, in line with Financial, Legal or Archival requirements. This is permitted under GDPR. There is a danger that over cautious interpretation of the regulations may lead to the weeding, anonymising or destruction of personal data that would otherwise have been passed to the National Museums Liverpool archive. We have a right under the regulations to permanently retain personal and sensitive data for archival purposes, and our archivists can give advice on what to transfer to our archive.
Freedom of Information Act
Under the Freedom of Information Act (FoI Act), any individual, anywhere in the world, is able to make a request to National Museums Liverpool for information. An applicant is entitled to be informed in writing as to whether the information is held and have the information communicated to them. Requests must:
- be made in writing, by post or electronically;
- state the name of the applicant and an address for correspondence;
- describe the information requested.
Requests are to be treated as FoI requests if they ask for information we hold, or would be expected to hold. We are not obliged to create information if we do not hold it. Requests for opinions do not constitute requests for information for the purposes of FoI. For example, a request to provide an opinion on an object owned by a member of the public would not constitute a request under FoI but a request for a list of lost property handed in at the Walker Art Gallery over the last year would.
All information held by National Museums Liverpool is covered by the FoI Act, including paper and electronic files, emails, archives, minutes and correspondence. Information we hold which has been supplied by other public sector bodies and contractors is also subject to disclosure by National Museums Liverpool and we always consult with the supplier if we receive such requests, although the final decision on disclosure rests with National Museums Liverpool.
It is an offence to delete or dispose of information in response to a request. Requests need not state that they are made under the FoI Act. The FoI Act gives National Museums Liverpool 20 working days to either supply the information or refuse the request, should the information requested be exempt from disclosure. The clock starts ticking on the working day following receipt and does not stop even if the request was received while the recipient was on holiday, so it is not possible to delay dealing with FoI requests until it is convenient for us. Please ensure that if you are out of the office for more than 1 week, that you nominate a colleague in your department as an alternative contact in your out of office auto reply.
If you have any questions about Data Protection or Freedom of Information, please contact the Secretary to the Board on x4202. If you receive a request for CCTV footage, please contact John Fitton on x4551.
FoI requests are co-ordinated and responded to by the Secretary to the Board. If you receive an FoI request, please acknowledge the request and forward it to the Secretary to the Board as soon as it is received and he/she will co-ordinate the response.
Compliance with Data Protection Law is the responsibility of all members of National Museums Liverpool. Any breach, whether deliberate or through negligence, may lead to disciplinary action being taken, or even legal proceedings. Any questions or concerns about the interpretation or operation of this statement should be taken up with the Data Protection Officer.