CHELSEA PHYSIC GARDEN

PRIVACY POLICY

Date: September 2020

Review due: September 2021

This is the privacy policy for Chelsea Physic Garden. A large print version of this policy is available on request from [email protected]

Chelsea Physic Garden is the former garden of the Worshipful Society of Apothecaries, established in 1673 to grow medicinal plants and train apprentices in their identification and use.  It is open to the public as an historic botanic garden with exhibitions and educational activities. There are a café and shop on site and the Garden undertakes other activities to raise funds to support their work.

Chelsea Physic Garden Company is a registered charity (charity number 286513) and company (company number 1690871).  CPG Enterprises Limited (company number 03140004) is a wholly owned subsidiary company responsible for the commercial activities of the charity and the company.  Under this policy, ‘we’ and ‘Chelsea Physic Garden’ refer to both Chelsea Physic Garden Company and CPG Enterprises Limited.

We are committed to protecting your privacy and ensuring the confidentiality of the personal information we collect.

  1. Introduction

This privacy notice sets out the way we process your information and details our privacy policy. We will always refer to this privacy policy when we ask you for your consent. We’ll keep this policy updated on our webpage to show you all the things we do with your personal information so that you can be confident when sharing your information with us that it will be only used for what we say here.

  1. Your Personal Data

We collect 'personal data', which is information that identifies a living person, or which can be identified as relating to a living person.

When we talk about 'you' or 'your' in this policy we mean any living person whose personal data we collect.

When we talk about 'Members' and 'Membership' we are referring to subscribing Members of the Chelsea Physic Garden Friends.

When we talk about “Patrons” we are referring to subscribing members of the Grandiflora Patrons programme.

  1. Personal data we hold

3.1 We collect data you provide to us. This includes information you give when you communicate with us, apply for Membership, purchase tickets, products or services, sign up to receive communications from us, make a donation, apply for employment, volunteer or enter into a contract with us. For example, we may hold:

  • personal details (name, gender, date of birth, email, address, telephone etc.)
  • family and spouse/partner or next of kin details
  • financial information (such as credit/debit card or direct debit details, and whether your donations are gift-aided)
  • your response to a Chelsea Physic Garden event or your intention to meet a member of our staff
  • details of the ways in which you wish to be contacted by us
  • if you purchase Friends membership as a gift for someone, join as a family or if you're the parent or guardian of a child attending one of our events your details will be recorded (as will the recipient's) and your relationship to that person will be recorded.
  • if you attend a private event at the Garden your details will be recorded as will the details of your relationship to the person who has hired the Garden.

3.2 Personal data generated by your involvement with the Garden

Your activities and involvement with the Garden will result in personal data being generated. This could include:

  • details of your areas of interest in the Garden and its collections
  • your visits to our library
  • your attendance at events
  • where you have asked us for information or written to us
  • your visits to our websites
  • images of you captured by our CCTV systems
  • your use of our public wifi and our audio guides
  • your online purchasing history
  • how you have helped us by volunteering or by donating money or something of material value to us
  • where you have applied for a job with us

3.3 Personal data from third parties

We sometimes receive personal data about you from third parties, for example, if we're partnering with another organisation or where we may use third parties to help us conduct research and analysis about you to determine the success of our public offer and to help us provide you with a better experience (and this can result in new personal data being created).

We may collect information from social media about you, or if you post on any of our social media pages.

Occasionally, we may collect personal data about you (for example if you're particularly well known or influential) from the media and other publicly available sources. This may come from public databases (such as Companies House), news or other media. The sort of information we obtain from these sources might include details of other charities you may support and indicators of your leisure interests and financial status such as house value or post code.

3.4. Special category ('sensitive') personal data

We do not normally collect or store special categories of personal data. However, there are some situations where we may need to do so. These may include, for example, if you work or volunteer with us or apply to do so, or if we need to know about any access, medical or dietary requirements you, or someone in your care, may have.

  1. How we use personal information

4.1 General use

We only ever use your personal data with your consent, or where it's necessary in order to:

  • enter into, or perform, a contract with you
  • comply with a legal duty
  • protect your vital interests
  • carry out a task in the public interest
  • for our own (or for a third party's) legitimate interests, provided your rights don't override these interests

In any event, we'll only use your personal data for the purpose or purposes for which it was obtained.

4.2 Marketing

Where we have your consent or where there is a legitimate interest to do so we use your personal data to communicate with you in order to promote the activities and events of Chelsea Physic Garden including activities, learning events, fundraising and information about our Friends and Patrons programmes as well as any other ways that you might be able to provide help and support to the Garden.

4.3 Administration

We use your personal data for administrative purposes including:

  • receiving donations (for example, Direct Debits or gift-aid instructions)
  • maintaining databases of our Friends, Patrons and other supporters
  • processing Friends and Patrons subscriptions
  • performing our obligations under Friends and Patrons contracts and other supporters' agreements
  • managing custody of our collection including our intellectual property rights
  • carrying out due diligence to meet our compliance duties (for example, before making any acquisition into our collections, accepting financial support, or making agreements for the supply of goods and services)
  • processing enquiries and requests for information
  • managing feedback, comments, and complaints we receive
  • fulfilling orders for tickets, goods, or services (whether placed online, over the phone or in person)
  • helping us respect your choices and preferences
  • recruitment and staff management including pay, tax, and pensions administration
  • management of suppliers of goods and services
  • managing your visit to Chelsea Physic Garden (for example, health and safety, security, lost property, cloakroom, and incident management)

4.4 Internal research and profiling

We carry out research and analysis on our visitors, Friends, Patrons and other supporters to determine the success of our public offer and programmes and other activities in the public interest and to help us provide you with a better experience (for example so that you only receive communications about areas of our activities or research you're mostly likely to be interested in).

We may evaluate, categorise and profile your personal data in order to tailor materials, services and communications (including targeted advertising) to your needs and your preferences and to help us to understand our audiences. For example, we may keep track of the amount, frequency and value of your support including your philanthropic involvement elsewhere. This information helps us to ensure communications are relevant, timely and in the best interest of our charitable purposes.

4.5 COVID-19: NHS Test and Trace

Chelsea Physic Garden is committed to ensuring the safety of its visitors, employees and contractors. As part of that commitment we are participating in NHS Test and Trace(Opens in new window) to assist the NHS in coordinating its response to local COVID-19 outbreaks. This means that we may share some of your personal data with NHS Test and Trace if we are requested to do so. For further information on how NHS Test and Trace processes your personal data once it has been collected, please see the NHS Test and Trace Privacy Policy(Opens in new window).

4.5.1 Collection of Visitor data

The Government requires that venues keep a record of visitors to the Garden for the purposes of Test and Trace. Visitors will therefore need to provide the Name and telephone number of one person per party. This data will be kept for 21 days and will not be used for any purpose other than participation on the Government’s Test and Trace Programme, except where we have another legal basis for the collection and retention of the data.

The legal basis for the collection and retention of this data is the fulfilment of a “Public Task”.

4.5.2 Collection of Friends and Patrons’ data

If you are a Friend or Grandiflora Patron of the Garden you will not need to provide us with this information as we will record it either when you make an online booking via our ticketing partner “See Tickets” or when your card is checked upon entry to the Garden . We will use this existing data to fulfil the requirements of Test and Trace but please note that it will not be deleted after 21 days as it is used to administer your membership and is collected under the legal basis of fulfilment of a contract, legitimate interest and consent.

4.5.3 Collection of data for those booking online

If you book your ticket online you will not need to provide us with this information when you arrive as it will have been recorded by our ticketing partner “See Tickets”. We will use this existing data to fulfil the requirements of Test and Trace but please note it will not be deleted after 21 days. We retain this data for research and statistical analysis and process it under the legal basis of legitimate interest and consent.

4.5.4 Which personal data will be collected and shared with NHS Test and Trace

  • Your full name
  • Your contact telephone number (or email address if you do not have a telephone number)
  • The date and time of your visit to Chelsea Physic Garden

4.5.5 How we will share your data

We will only share your personal data with NHS Test and Trace if a request is received from NHS contact tracing staff within 21 days following your visit and you have not previously told us that you wish to opt out of the service.

The Data Protection Officer (or the Health and Safety Manager if the Data Protection Officer is not available) will be solely responsible for sharing your personal data with NHS Test and Trace and for ensuring that any opt out requests have been noted and actioned. 

4.5.6 How to opt out of NHS Test and Trace

You can opt out of NHS Test and Trace at any time, both before or after your visit to the Garden, by emailing the Data Protection Officer at [email protected] with the subject line “FAO Data Protection Officer) . (If you have not received an email confirmation of your opt out request within two working days, please contact us again as it may indicate that your email has not been received).  

If you are asked to complete a Test and Trace form when you arrive at the Garden, you can also exercise your right to opt out by informing the member of staff concerned that you do not wish to provide your Test and Trace data.

Please note that opting out of Test and Trace may mean you are unable to visit the Garden even if you have a pre-booked ticket.

4.5.7 Updates

Please note that this information may be subject to further updates where necessary to comply with any new guidance on NHS Test and Trace issues by the Department of Health and Social Care.

  1. Disclosing and sharing your personal data

We'll never sell your personal data.

If you've opted-in to marketing or are a Friend or Patron, we may contact you with information about our selected partners. These communications will always come from us and will usually be incorporated into our own marketing.

We may share your personal data with contractors or suppliers who provide us with services. For example, we may use a mailing house for the distribution of renewal notices; we use Direct Debit processors for the handling of payments and email providers for our marketing communications. Information is transferred to data processors securely, and we retain full responsibility for your personal data as the data controller. These activities are carried out under a contract which imposes strict requirements on our suppliers to keep your personal data confidential and secure.

Occasionally, we arrange events with other organisations, for example The Chelsea History Festival. We may share your personal data with such organisations, for example where you register to attend a jointly organised event. We will only share information when necessary.

 

We may share your personal data where required to do so for prevention of crime or for taxation purposes (for example, with the police, HMRC) or where otherwise required to do so by other regulators or by law (e.g. the Charity Commission, Companies House).

  1. Fundraising and marketing communications

6.1 Consent

Unless you've already given us your email address or telephone number so that we can tell you about making donations to us or about the supply of goods and services including Friends subscriptions and Patrons subscriptions, we must ask you to 'opt-in' to receive fundraising and marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages. You're also able to select how you want to receive them (post, phone, email, text) and to change your preferences at any time.

When you receive a communication from us, we may collect information about your response and this may affect how we communicate with you in future.

  1. Children and young people

7.1 Information for parents and guardians

We take great care to protect and respect the rights of individuals in relation to their personal data, especially in the case of those aged 13 or younger.

We won't use the personal data of children or young people for marketing purposes and we won't profile it.

Personal data about children and young people is only accessible by our staff on a strictly need-to-know basis.

  1. Data security

8.1 Protection

We employ a variety of physical and technical measures to protect information we hold and to prevent unauthorised access to, or use or disclosure of your personal data.

Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means). Staff receive data protection training and we maintain a set of data protection procedures which our staff are required to follow when handling personal data.

8.2. Payment security

All electronic forms that ask you for your financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.

If you use a payment card to donate, to buy Membership or to purchase something from us online, we will pass your payment card details securely to our payment provider. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council.

  1. CCTV

Chelsea Physic Garden premises are protected by CCTV and you may be recorded when you visit the Garden. We use CCTV to help provide a safe and secure environment for visitors, for our staff and for the collection and to prevent or detect crime.

The system is managed in accordance with our standard operating procedures and with good practice guidance issued by the Information Commissioner's Office. CCTV images will only be accessed by authorised security staff and are stored for up to 30 days, unless flagged for review.

  1. Storing your personal data

10.1. Where we store data

We're wholly based in the UK and store data within the European Economic Area. Some organisations which provide data processing services to us do so under contract and may be based outside of the EEA. We'll only allow them to do so if your data is adequately protected.

10.2. Retention of your personal data

We'll only retain your personal data for as long as it's required for the purposes for which we collected it (for example, we have a genuine and legitimate reason and we're not harming any of your rights and interests).This will depend on our legal obligations and the nature and type of information and the reason for which we collected it. For example, should you ask us not to send you marketing emails, we'll stop storing your email address for marketing purposes. However, we will need to keep a record of your preference.

 

We continually review what information we hold and will delete personal data which is no longer required.

  1. Control of personal data

11.1. Your rights

We want to ensure you remain in control of your personal data and that you understand your legal rights, which are:

  • the right to know whether we hold your personal data and, if we do so, to be sent a copy of the personal data that we hold about you (a 'subject access request') within one month, we retain the right to charge a reasonable fee for the administrative costs of complying with this request where the request is manifestly unfounded, excessive or where an individual requests further copies of their data following a request
  • the right to have your personal data erased (though this will not apply where it's necessary for us to continue to use the data for a lawful reason)
  • the right to have inaccurate personal data rectified
  • the right to object to your personal data being used for marketing or profiling
  • (where technically feasible) the right to be given a copy of personal data that you have provided to us (and which we process automatically on the basis of your consent or the performance of a contract) in a common electronic format for your re-use
  • there are some exceptions to the rights above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full
  • if you'd like further information on your rights or wish to exercise them, please contact our Data Protection Officer
  • if you would like to access your personal data held by us, please apply in writing to:  

Data Protection Officer
Chelsea Physic Garden
66 Royal Hospital Road
London SW3 4HS

A copy will be sent to you as soon as possible but this will not be later than 40 days after your request.

  • if, at any time, you want to update or amend your personal data or preferences please write to:

Data Protection Officer
Chelsea Physic Garden
66 Royal Hospital Road
London
SW3 4HS

For alternative communication methods, please check our contact us page.

Verification, updating or amendment of personal data will take place within 28 days of receipt of your request.

 

11.2. Complaints

Should you have a complaint about how we have used ('processed') your personal data, you can complain to us directly by contacting our Data Protection Officer in the first instance.

If you're not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner's Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk(Opens in new window).

  1. Cookies

Our websites use local storage (such as cookies) in order to provide you with the best possible experience and to allow you to make use of certain functionality (such as being able to shop online). Further information can be found in our Cookies policy.

  1. Links to other sites

Our websites contain links to other external websites. We're not responsible for the content or functionality of any such websites.

If a third-party website requests personal data from you (for example, in connection with an order for goods or services), the information you provide won't be covered by this privacy policy. We suggest you read the privacy notice of any other website before providing any personal information.

  1. Changes to this policy

We may amend this privacy policy from time to time to ensure it remains up-to-date and continues to reflect how and why we use your personal data. The current version of our privacy policy will always be posted on our website.

Any questions you may have in relation to this privacy policy or how we use your personal data should be sent to our Data Protection Officer Chelsea Physic Garden, 66 Royal Hospital Road, London, SW3 4HS.