Please note: The Royal British Legion’s annual Poppy Shop will NOT be open at NIWM this year. For wreaths and crosses contact Darren on 075 4092 9690

Privacy Policy

Privacy Policy

Name of museum Northern Ireland War Memorial (NIWM)

Name of governing body The Council of the Northern Ireland War Memorial Incorporated

Date policy was approved 17th January 2019

Review Procedure Annually or as required

1. Introduction

The NIWM is committed to protecting the privacy and security of its visitors. The NIWM considers the museum’s visitors to be people who visit the museum physically, online and people who avail of the museum’s outreach programme and other services. This Privacy Policy explains how and why the NIWM collects and uses personal data in line with the General Data Protection Regulations (GDPR) and in doing so ensures that visitors remain informed and in control of their information.

This policy is reviewed annually or as required and is available to read online at where updates are published.

2. About NIWM

The NIWM is an accredited museum situated in the heart of Belfast’s Cathedral Quarter. The museum tells the story of Northern Ireland’s role in the Second World War focusing on the story of the Belfast Blitz in 1941, the Ulster Home Guard, the role played by women in the war and the presence of US Forces from 1941.

The Council of the Northern Ireland War Memorial (Incorporated) is a registered charity in Northern Ireland (NIC 103635) and registered as a company limited by guarantee (NI 002888).

3. GDPR definitions

Data: information which is being processed or recorded.

Personal data: any information relating to an identified or identifiable natural person (identifiers include name, identification number, genetic identity etc.)

Data subject: a living individual to whom personal data relates.

Data Processing: any operation or set of operations which is performed on personal data or on sets of personal data, manually or by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller: the organisation which determines the purposes and means of the processing of personal data.

Data Processor: any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

4. The NIWM’s commitment to data protection

As a controller of data, the NIWM is aware of and is compliant with the 6 data protection principles under GDPR.

The NIWM collects, stores and processes data:

• In a fair, lawful and transparent way

• For specified, explicit and legitimate purposes (‘purpose limitation’)

• Adequately and relevant and limited to what is necessary (‘data minimisation’)

• Accurately (keeping data up to date)

• No longer than necessary

• With integrity and confidentially by taking security measures against unlawful processing, damage or destruction

The NIWM collects, stores and processes data on the following grounds:

• Necessary for the performance of a contract

• Legal obligation

• Legitimate interests

The NIWM has made its suppliers who act as Data Processors aware of the changes to the Data Processing Schedule. The NIWM has specific Data Protection agreements in place with its Data Processors where necessary.

5. What data does the NIWM collect, store and process from the public?

The NIWM collects personal information in order to understand its users’ needs and provide them with the service they expect to receive.

The main reasons the NIWM collects data:

• To maintain internal records and statistics which are reported to stakeholders (visitor figures and feedback etc.).

• To provide past and potential visitors with information on upcoming events and projects that may be of interest.

• To gather feedback which informs our strategic planning.

• To send email alerts to users who have requested them.

• To improve our service and our website according to the user’s preferences.

• To answer research enquiries or to provide information on other organisations that may be of interest.

• To complete the documentation procedure for new objects and stories added to the museum collection, ensuring transfer of title to the NIWM and compliance with the Museum Accreditation standard.

Data subject Types of data Grounds for processing Purpose of processing Retention period and criteria


(people who visit the museum and complete comment cards about their museum experience) Name, country of residence

Legitimate interests

Consent Strategic planning

Complaint resolution 5 years

CCTV footage Legitimate interests

Consent Health and Safety

Security Two weeks or until the footage overwrites

Use of CCTV is communicated with signage

CCTV System is password protected

Photographs Consent Marketing

To fulfil grant criteria

To maintain an image archive of events at NIWM A photography notice will be displayed

Written consent will be obtained

NIWM will store photographs and data securely in an image library for no longer than five years.

Consent to utilise photographs will automatically expire after 5 years at which stage data will be deleted, however the photograph(s) will be retained in our archive indefinitely.

Mailing list

(People on our public mailing list about NIWM events and projects) Name, address, email address and subscription preferences Legitimate interests

Consent Marketing 5 years with opt out available at any time


(People who donate objects and stories to the NIWM collection) Name, address, email address Legal obligation

Consent To prove the transfer of title to NIWM

To give provenance to objects and collections Indefinitely


(People who make research enquires, comments or provide feedback about the museum on our website, through email and by post) Name, address, email address and comment/query Legitimate interests

Consent To provide a service

To improve our service

Strategic planning

Complaint resolution 5 years

Website users

(People who use the NIWM website) Internet Protocol (IP) address and information on how they use our website Legitimate interests

Consent To improve our service

Strategic planning

5 years

Staff, volunteers and job applicants

(see section 6 below) Staff and volunteer data will be retained for 2 years from termination of contract with option to join general mailing list

Job application and equality monitoring data retained for successful candidates who become employees for the duration of their contract plus 2 years.

NIWW will also retain job applicant and equally monitoring data for applicants placed on a reserve list for 1 year (with their consent)

Interview notes and applicant data for unsuccessful candidates to be retained for 1 year to allow the NIWM to provide interview feedback

6. Data relating to Staff, Volunteers and Job Applicants

The NIWM collects, stores and processes personal information about prospective, current and former staff, including applicants, employees (and former employees) and including agency, casual and contracted staff, volunteers and those carrying out work experience.

For candidates for employment, we process data to fulfil our legal obligations, to take steps preparatory to a contract and for legitimate interests as recruiting/prospective employers. For employees, we process data on to fulfil our responsibilities under contracts.

For volunteers we process personal data to fulfil legal obligations (for recruitment and safeguarding) and for legitimate interests in the case of expenses and training records.

Special category data is obtained and processed for employees and candidates for employment for carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law.

Types of data we process

The personal data we process in relation to employment, volunteering and training is provided to us by individuals beginning with the point of application for a role at NIWM and continuing during our continuing relationship with them as candidates for employment, employees or volunteers.

In order to carry out our activities and obligations in respect of candidates for employments, employees and/or volunteers we may handle data in relation to:

• Personal demographics (including gender, age, race, ethnicity, sexual orientation, religion)

(employees and candidates)

• Contact details such as names, addresses, telephone numbers and emergency contact(s)

(employees, candidates and volunteers)

• Employment records (including professional membership, references and proof of

eligibility to work

in the UK and security checks) (employees and candidates)

• Bank details (employees, candidates and volunteers)

• Pension details (employees only)

• Medical information (e.g. occupational health information) including physical health or mental condition (employees only)

• Information relating to health and safety (employees and volunteers only)

• Trade union membership (employees only)

• Offences (including alleged offences), criminal proceedings, outcomes and sentences,

(employees, prospective employees who have received an offer of employment and


• Employment tribunal applications, complaints, accidents, and incident details (employees,

candidates and volunteers)

• CCTV images and other photographic images used for promotion/fundraising

Purpose of processing this data

Our legal bases for processing this information are: to fulfil our contract obligations; to comply with our legal obligations; and legitimate interests.

We process your data for the following reasons:

• Staff administration and management (including payroll and performance)

• Pensions administration

• Business management and planning

• Accounting, Record keeping and Auditing

• Crime prevention (including prevention of fraud) and prosecution of offenders

• Provision of education and training

• Health administration and services

• Monitoring health and safety arrangements

• To comply with legal obligations

• Contacting next of kin in the event of an emergency

Where the provision of personal data is a statutory or contractual requirement or a requirement relating to entering into a contract, if you fail to provide that data it might affect your application for employment/engagement or continued employment/engagement.

7. Further information for visitors

When engaging with NIWM by visiting the museum, using the website, donating an object or story, joining our mailing list or making an enquiry; you are sharing information with NIWM alone. Your information will not be shared with any other organisations or third parties unless we have your permission or are required to do so by law.

Data shared with NIWM is safely and securely stored on our server and internal network. NIWM has an internal Data Protection Policy which outlines how data is stored and accessed securely by authorised staff.

Mailing list subscription

If you have subscribed to the NIWM mailing list, we will regularly contact you with updates on NIWM activities by email. Each of these emails will present you with an opportunity to make changes to the personal information we have stored about which ensures your data is kept up to date, In line with GDPR regulations. The data of mailing list subscribers will be stored securely at NIWM for 5 years. After that time data subjects will be asked to re-subscribe if they wish to continue to receive mail NIWM.

You can opt out of receiving any correspondence by clicking unsubscribe in any of our emails or by writing to us at:

Northern Ireland War Memorial

21 Talbot Street



Donating objects/stories

When donating objects or stories to the NIWM collection, we will ask the owner or depositor to complete paperwork as outlined in our Documentation Procedures Manual. This information will be retained with the object and added to our Collections Management System which allows us to account for all the objects in our care. The paperwork we complete with donors allows us to:

• capture important information about the object which provides meaning for future generations

• contact donors about future decisions regarding the object

• prove transfer of title to NIWM


When responding to general and research enquiries, we may signpost you to other organisations. We take no responsibility for those organisation’s personal views, or the service provided by them. These organisations will have their own privacy policies which you should consult. You should be cautious before you share any personal details with them.


When we photograph our events, a photography notice will be displayed explaining that photographs taken will be used solely for the activities of NIWM and may appear in promotional material, whether in printed or electronic form (website, social media, film). The notice will also explain that on occasions we may release the photographs to the media and that every effort will be made to ensure the photograph is not used outside of the context in which it was taken.

NIWM will ask people who appear in photographs to complete a photography permission form. Parents/guardians of individuals under the age of 18 will be required to sign and complete a photography permission form.

When photographing our events NIWM may collect some data about the photograph subjects (e.g. name, school name, age). NIWM respects the privacy of children and adults who take part in our learning programmes. NIWM will store photographs and data securely in an image library for no longer than five years, and your consent will automatically expire after this period. At this stage your data will be deleted, however the photograph(s) will be stored and retained in our archive indefinitely.

8. Access to Information

You have the right to access the information we hold about you at any time. The Freedom of Information Act 2000 (FOI) gives members of the public a general right of access to recorded information held about them. Alternatively, you can request a subject access request as outlined in Article 15 of the GDPR. NIWM has processes in place to ensure we respond to such requests without delay and within one month of receipt.

You can view, update, or delete any information by contacting us at the address below.

9. Safeguarding Children and Vulnerable Adults

This Privacy Policy should be read in conjunction with our Safeguarding Children and Vulnerable Adults Policy.


If you have any questions regarding this Privacy Policy you can contact us by emailing or in writing to the address below.

Subscribe To Our Mailing List For Updates