Surgeons' Hall Museum, part of the Royal College of Surgeons of Edinburgh (RCSEd), is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how and why we collect, use, and protect your personal information when you interact with us, visit our Museum, attend events, or use our services.

Surgeons' Hall Museum operates under the Royal College of Surgeons of Edinburgh, which is the data controller responsible for processing your data.

Data Controller: Royal College of Surgeons of Edinburgh
Registered with the Information Commissioner’s Office (ICO), Reg. No. Z5806303
Email: dataprotection@rcsed.ac.uk

We may collect and process the following types of personal data:

• Contact details: Name, email, phone number, address

• Transaction data: Ticket purchases, shop sales, donations

• Booking and visit information: Event registration, school and group visits

• Payment information: Handled securely by third-party providers (e.g., PayPal)

• Feedback and survey responses

• Provenance and contributor information: Details of individuals who donate or sell items to the museum, including ownership history and related correspondence

• Researcher information: Name, institutional affiliation, research topic or area of study, and project-related communications

• Loan data: Contact details of lenders, loan agreements, insurance and transport arrangements, and any relevant provenance documentation

• Photography and video: At events or exhibitions (with signage and notice)

• Special category data: Health or accessibility needs (only with explicit consent).

We collect your data when you:

• Purchase tickets or visit the museum

• Make a donation

• Contact us by email, phone, post or web form

• Register for an event, tour, or educational session

• Sign up for our newsletters or marketing

• Use Wi-Fi or browse our website

• Engage with us on social media

• Donate/sell an item to the Museum collection

• Arrange a loan of items to or from the Museum

• Participate in research, or provide us with information for research or archival purposes.

We process your personal data under one or more of the following legal bases:

• Consent: When you provide clear, informed permission (e.g. marketing emails)

• Contract: When processing is necessary to fulfil a service you requested

• Legal obligation: To meet our statutory and regulatory duties

• Legitimate interest: To manage operations and improve services (balanced with your rights).

Special category data (e.g. health) is processed only with explicit consent under Article 9(2)(a) UK GDPR or where necessary for significant public interest under Article 9(2)(g).

We use your personal information to:

• Facilitate admissions, events, and educational bookings

• Process transactions, donations, and collection acquisitions

• Record and manage provenance of collection items

• Administer and manage temporary loans to and from the Museum, including insurance, transport, condition reporting, and provenance documentation

• Respond to your queries or feedback

• Document research collaborations and track researcher usage of collections

• Send newsletters and updates (with your consent)

• Ensure safety and security on our premises

• Improve our website and services

• Meet legal and regulatory obligations.

We never sell your personal data. We may share data with trusted service providers, including:

• Payment processors (e.g. PayPal)

• Email platforms (e.g. Mailchimp)

• Web analytics services (e.g. Google Analytics)

• Event partners or facilitators (with your permission)

These providers are bound by data protection agreements and may transfer data outside the UK under approved safeguards (e.g. UK adequacy regulations, Standard Contractual Clauses).

We retain your data only as long as necessary for the purpose it was collected, including for legal, tax, or audit reasons.

• Booking and transaction data: typically, 7 years

• Donation and acquisition records (including donors/sellers of items to the Museum collection): retained permanently or as long as necessary to maintain accurate provenance, ownership, and collection management records

• Loan documentation: retained for the duration of the loan and any relevant post-loan period required for audit, insurance, or legal purposes (typically 6–10 years), and permanently if needed to demonstrate provenance or long-term exhibition history

• Researcher data: retained for the duration of the research relationship and project, and subsequently in anonymised or minimal form for historical or administrative reference, unless otherwise agreed

• Archived or anonymised data may be retained longer for research or statistical purposes.

We regularly review our data retention schedules and apply secure disposal methods when data is no longer needed.

You have rights under data protection law, including to:

• Access your data

• Correct inaccurate data

• Request erasure (where legally permissible)

• Restrict or object to processing

• Withdraw consent at any time (where processing is based on consent)

• Lodge a complaint with the ICO (www.ico.org.uk)

To exercise these rights, contact: dataprotection@rcsed.ac.uk

We take appropriate technical and organisational measures to secure your data, including:

• Secure servers and encrypted storage

• HTTPS website encryption

• Access controls and staff confidentiality training.

Our website uses cookies to improve user experience and collect anonymous analytics. You can control cookie preferences via your browser settings. For more information, please see our [Cookie Policy].

We may take photos or video during events for promotional or archival use. Signage will be in place. If you wish not to be photographed, please inform a staff member on-site.

We do not knowingly collect personal data from children under 13 without parental or guardian consent. When working with schools or youth groups, we liaise directly with the school to manage permissions.

Where new or high-risk processing is planned, we undertake DPIAs to assess and mitigate privacy risks in accordance with UK GDPR guidance.

This policy is reviewed regularly and may be updated. The latest version will always be available on our website.