This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data, keep it safe, and the rights of those whose data we hold.
Who we are
The Devon and Exeter Medical Heritage Trust is a charitable trust, registered with the Charity Commission (no. 1190793). We care for a collection of historical medical items, create exhibitions, and put on related events such as handling sessions, in order to fulfil our charitable objects, vision and mission.
Why we collect data
Through our website, we collect, store and process personal data of users, potential users and volunteers, and other traffic for the purposes of fulfilling our contractual and legal obligations and responsibilities. We will only collect data we need to give you a better experience; to improve and deliver our services to you; and to meet our responsibilities to you. Personal data of individuals who we provide services for, or on behalf of our partners, is used to maintain our relationship and to deliver our services.
How we use personal data
If you use this website to contact us, that information is sent to our mailbox for us to reply to you. It will not be used to advertise to you. It will be kept for 6 months after your query is completed.
If you submit a volunteer interest form, that information is sent to our Coordinator’s inbox for them to reply to you and process the information. If you do not complete an induction, the information is kept for 6 months and then destroyed.
What personal data do we collect?
- For an enquiry: your name, address, email and telephone number. We keep this information for customer service purposes, but we do not use it for marketing purposes.
- Volunteer sign up: name, address, email address, date of birth, necessary medical information. This is done through Airtable, a database software.
- Questionnaires for evaluation purposes.
- Your comments and reviews.
- Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.
- Our website collects anonymous analytics data. We use standard WordPress statistics which record visitor numbers and their country of origin.
Our legal process for processing personal data
Under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, organisations are required to have a legal basis for processing personal data. The legal bases we use for processing data are:
- Legitimate interests for the purposes of fulfilling our charitable activities and the provision of our services.
- Contractual basis for the purposes of fulfilling our obligations to volunteers and clients. For example, if you have booked an event then we will need your contact details.
- Legal obligations for the purposes of fulfilling our statutory obligations.
- Consent when people opt into a mailing list. When collecting your personal data, we will make clear to you which data is necessary in connection with a particular service.
How long do we keep data?
We store and retain personal data for various periods of time in line with our legal obligations, financial regulations and internal requirements. At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning. We have a Data Retention Policy to ensure that your data is not held for longer than is necessary.
How we keep data secure
We have processes, procedures, contracts and agreements in place to ensure secure collection, storage and processing of personal data. Only authorised Trustees, employees and third party data processors (e.g. those who process data on our behalf) have access to personal data we hold. Training is undertaken regularly, and checks are made to ensure data quality is maintained. We ask our partners to commit to the same.
Personal data is stored securely on our network, on encrypted devices (laptops, smartphones etc.) and within third party systems (e.g. Mailchimp, a bulk email distribution platform) whose tools we use to process data.
International transfer of data
Your information is held securely in the UK. Airtable and Mailchimp are based in the USA, but comply with GDPR procedures. Prior to engaging or using third party systems to process data, such as Mailchimp, we ensure that sufficient safeguards are in place, that all parties comply with the requirements of the UK GDPR and the Data Protection Act 2018, and that we have completed a Data Protection Impact Assessment of the software. For example, where data may be transferred outside of the European Economic Area (EEA) to the United States (e.g. if a third party uses multiple servers to back up data), we will ensure that the third party is registered under the EU-US Privacy Shield.
Who we share data with:
We only share personal data with third parties who process our data for the purposes of providing services to you, such as email providers, digital file storage providers, Ticketsource for booking events, Airtable for feedback and volunteer sign-up, and Mailchimp.
They are only given information necessary to carry out that task or within their purview, e.g. contact details given by you for a booking.
Finally, we will share data with the appropriate authorities (e.g. police, law enforcement agencies and other parties) where we have a legal obligation. For example, for the detection and prevention of fraud, or where data is required in relation to a criminal offence.
We do not sell or share data with any other third parties other than those listed above and where we use a third party to securely process our data on our behalf.
Under the UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right to be informed. This Policy provides you with information in relation to how your data is processed. This ensures that we are transparent about what we will do with the information you supply to us.
- Right to object to the processing that is likely to cause you damage or distress. Where you challenge the accuracy or lawful processing of your information, we will consider this.
- Right to receive an electronic copy of any information you have consented to us holding. You can ask us to provide you with the personal data about you we hold, securely and in a machine-readable format, so it can be moved, copied or transferred to be used across different services or for you to give to another organisation. This is called a subject access request and we will need to verify your identity before giving such information.
- Right to object. We will ensure that we have the right consents in place for sending you information. You can unsubscribe from our mailings and remove your details at any time. If you wish to stop receiving communications from us, you will be able to do so by contacting us at email@example.com
- Rights related to automated decision making. If there is additional profiling based on the information we hold, then you can object to us making decisions about you based on such processing.
- Right to correct or change the information we hold on you.
You can make a request at any point by email at firstname.lastname@example.org. We will respond to a request within one month of receipt, where reasonable. However, where a request is received to erase data, we may not be able to delete all data (for example where data is linked to financial transactions that must be kept for a set period of time under financial regulations).
Links to other websites:
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
If you would like to find out more about how we process data, or if you wish to make a complaint, please contact us at email@example.com
If we are unable to resolve your complaint, you also have the right to complain to the Information Commissioner’s Office if you feel that your data has been processed in a way that is not compliant with this policy or in line with the UK GDPR and the Data Protection Act 2018. You can contact the ICO by visiting their website, http://www.ico.org.uk or by calling 0303 123 1113.
Notification of Changes:
We keep this Policy under regular review and will update this page. You should check this page from time to time to ensure that you are aware of any changes.
Last updated: September 2021