Privacy Notice
Identity and contact details of the data controller
The data controller for the Archives Card reader’s ticket scheme (‘the scheme’) is ARA Commercial Limited (‘The ARA’). The ARA is registered as a data controller with the Information Commissioner’s Office.
The ARA’s postal address and contact details are:
The Keep
Creech Castle
Taunton
TA1 2DX
01823 327 077 select option 1
aracommercial@archives.org.uk
Categories of personal data held by the scheme
(a) Information you provide to us
The personal data we hold as part of the scheme will have been provided directly by you when you register for the card. These categories of data are: name, address, telephone number, email address, a passport-style photograph and your date of registration/date of renewal of registration.
(b) Information we collect about you
Additionally, when you use your card in participating archives which require you to scan it on entry, the scheme will capture and record the location, date and time of your visit to that archive. We would not use such data for any other purpose than the investigation of loss or damage to an archive collection.
We do not collect any sensitive personal (also known as special category) data from you as part of this scheme. On registration, you will be asked if you would be willing to complete a short diversity monitoring form. The data collected by this process is completely anonymous and not in any way associated with your registration.
The purpose of the processing
The purpose of the processing is to enhance the security of the collections of all participating archives by ensuring that all cardholders provide adequate verification of their identity before accessing original documents in the archives.
Additionally, the processing creates a record of individual use of the card which is stored in case of an investigation into loss or damage to an archive collection.
For the cardholder, the scheme permits access to the collections of all the participating archives once they have completed registration, without any further need to prove their identity.
Anonymised data is created as a result of the processing which is used for statistical analysis only, for example to assess levels of membership of the scheme across different local areas.
Conditions for processing
The legal basis for our data processing (conditions for processing) is the performance of a contract between the ARA as data controller and you as the data subject. The contract we have with you allows you access to original archive material in all the participating archives in return for you adequately verifying your identity upon registration.
The processing is carried out on a not-for-profit basis and relates only to the membership of the scheme.
For technical reasons, the ARA uses iFinity PLC, a data processor, to process your data. This arrangement is subject to a data processing agreement which requires our processor to keep your personal data secure and to process it in accordance with our instructions. The data is processed within the UK and is not transferred outside this jurisdiction for any reason. If we need to transfer your data outside of the UK in the future, you will be notified prior to the transfer and we will ensure there are appropriate security measures in place to protect the transfer of your personal data.
Beyond the data processor, the ARA does not share the data you provide with any third parties except for the scheme’s participating archives. The participating archives have limited and restricted access to the dataset, only to those elements which they need in order to run the scheme properly and hence be able to provide you with access to their original archive material when you visit them.
Where you give your explicit consent at the time of registration to receive occasional marketing and promotional material from us, we will contact you from time to time with news and upcoming events that we consider will be of interest to you according to your chosen preferences for receiving national and/or local news about archives. If you subsequently wish to withdraw your consent to receiving promotional material, you can edit your preferences at any time using the ‘unsubscribe’ facility. This withdrawal of consent in no way affects your membership of the scheme.
How long we keep your data
The data you supply during the registration process is kept while you are a member of the scheme. Your Archives Card must be renewed every five years. In order to renew your card, you must verify once again your identity and current address at a participating archive.
Should your membership expire and not be renewed, we will keep your data for ten years. This is for security reasons in the case of an investigation into loss or damage to an archive collection.
Should you start but not complete your registration, we will keep your data for a period of three months following which it will be destroyed.
Your data rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. If you wish to exercise any of the rights set out below, please contact the Data Protection Officer at aracommercial@archives.org.uk using the subject heading Subject Access Request.
1. The right to be informed: We are obliged to be open and transparent in the way we handle your data. Our privacy notice is one of the ways we try and let you know how your data is handled.
2. The right of access: You have the right to request a copy of the personal information you provided on registration and subsequent records of your archive visits by submitting a Subject Access Request to the ARA. For more information on this, please visit https://ico.org.uk/for-the-public/personal-information/
3. The right to rectification: You have the right to request the rectification or updating without undue delay of inaccurate personal data. Where the rectification involves the updating of your postal address, you are asked to provide adequate evidence of change of address along with your request.
4. The right to restrict processing: You can ask for there to be a restriction of processing such as where the accuracy of the personal data is contested. This means that we may only store the personal data and not further process it except in limited circumstances.
5. The right to object: You can object to certain types of processing such as direct marketing. The right to object also applies to other types of processing such as processing for scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest).
6. Rights on automated decision making and profiling: The law provides safeguards for you against the risk that a potentially damaging decision is taken without human intervention. The ARA does not undertake any such automated decision making or profiling.
7. The right to data portability: Where personal data is processed on the basis of consent and by automated means, you have the right to have your personal data transmitted directly from one data controller to another where this is technically possible.
8. The right to erasure: You can request the erasure of your personal data when the personal data is no longer necessary in relation to the purposes for which it was collected and the relevant period of retention as outlined above has expired. Such personal data is however automatically deleted on its expiry.
9. The right to complain about data handling: ARA sets very high standards for the collection and appropriate use of personal data. We therefore take any complaints about data handling very seriously. We encourage you to bring to our attention where the use of data is unfair, misleading or inappropriate and we also welcome suggestions for improvement.
In the first instance we would ask that you try and resolve data handling issues directly with us. We are committed to handling data appropriately and are confident that we can resolve most issues informally.
If you remain dissatisfied following a response to your complaint, you can lodge a further complaint with the Information Commissioner’s Office. The Information Commissioner regulates data handling by organisations in the UK and works to uphold the data rights of citizens. Their website provides more information on the rights available to you: https://ico.org.uk/for-the-public/
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances in which case you will be notified.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Law relating to this policy
This notice is not intended to form a contract or to create any legal obligations not already contained in current legislation. It has been prepared in line with the following legislation: General Data Protection Regulation 2016 (2016/679 EU) as enacted in domestic legislation and the Data Protection Act 2018.
Changes to this document
We may change this notice and policy from time to time by posting the changed version on our website or sending it to clients and other third parties who we deal with.
Effective date
This notice will apply on and from 01/09/2019.