Privacy Policy

Endorsed by Committee of Management

2. Scope

2.1 Purpose

This privacy policy describes the kinds of personal information the Museum collects and holds, how it is used and how it is secured.

It also outlines how a person may access information about themselves or seek correction of that information and how an individual may complain about a breach of an Australian Privacy Principle (APP).

2.2 Definitions

2.2.1 Personal Information

Personal information is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

2.2.2 Sensitive Information

Sensitive information is a subset of personal information. The Museum has a higher degree of responsibility when it comes to the collection and use of sensitive information.  Sensitive information includes information about an individual’s: 

  • health (including predictive genetic information)
  • racial or ethnic origin
  • political opinions
  • membership of a political association, professional or trade association or trade union
  • religious beliefs or affiliations
  • philosophical beliefs
  • sexual orientation or practices
  • criminal record
  • biometric information that is to be used for certain purposes
  • biometric templates

2.3 Who should read this policy?

  • PAMM employees and volunteers;
  • contractors, consultants, suppliers or vendors of goods or services to the Museum;
  • applicants to the Museum for information under the Freedom of Information Act 1982; and
  • individuals whose personal information may be collected, held, used or disclosed by the Museum. 

2.4 Monitoring

This policy will be monitored by the Committee of Management and reviewed on an annual basis.

3. Principles

3.1 Information collection purposes

The Museum collect information for a range of purposes that support our functions. This would include:

  • a customer of the Museum which requires personal information. Such as the Store for online purchases,  Membership, group tours, or donations to the Museum;
  • photographs, opinions and comments posted on the Museum’s official social media platforms;
  • username and password for interactions with the Museum’s website ; 
  • records of payments made, bank or credit card details for the purpose of payment and history of donations made;
  • personal information including photo ID, employment history, curriculum vitae and education information if applying for a position with the Museum;
  • certain health information; for example, food allergies or other medical needs such as access to facilities or events hosted by the Museum or medical certifications for activity or volunteering participation;
  • photographic identification for staff, contractors and volunteers;
  • conference registration information (including dietary requirements);
  • CCTV footage in areas where CCTV signage is located;
  • personal views and opinions about products and services through the form of feedback.

The Museum will disclose at the time of collection how personal information will be used and handled. 

3.1.1 Museum visitor and client information

3.1.1.1 Museum customer relationship management system

The Museum maintains a database with contact details of individuals who regularly engage with the Museum or who wish to receive information about particular Museum activities. This includes donors, members or people with a business-related interest in the Museum (for example, school teachers, people working in other cultural institutions, in the media or in tourism). The information is usually collected directly from the people who are interested in receiving the information or from a representative of their organisation. In the case of memberships, name and date of birth information relating to minors is collected from their parent or guardian. 

Personal information in our relationship database is used to:

  • distribute information about Museum events and activities;
  • maintain membership lists;
  • retain details of object and cash donors, and (with their consent) to publicly acknowledge those donors;
  • maintain a record of respondents providing feedback about their Museum experience;
  • generate invitation lists for Museum events. 
3.1.1.2 Email marketing and promotional activities

The Museum uses a secure, external online database service provider to send emails on behalf of the Museum about its exhibitions, events, programs, special promotional offers and surveys.

People sign up to receive this information in a number of ways such as via the Museum website, through a booking system such as Eventbrite, or by completing hard copy forms.  Email marketing and e-news is delivered on our marketing platform MailChimp; an American based company that stores information on servers in the United States.  Further information is available in MailChimp’s privacy policy

Individuals can choose to opt-out of receiving communications from the Museum at any point. 

3.1.1.3 Bookings information

Bookings for functions, conferences, school visits and guided tours are regularly taken by the Museum. Only a limited amount of personal information will be required to manage the booking – such as first and last name, address and email address. The purpose of collecting this information is to ensure that an event or visit is properly coordinated. This information is not used for any other purpose (such as unsolicited marketing) without the consent of the individual concerned; however, the information may be used to generate broad demographic data. 

The Museum uses Eventbrite as its primary online booking system for events. The personal information provided by a customer to Eventbrite (excluding any billing or credit card information) is disclosed by Eventbrite to the Museum. The purpose of collecting this information is to ensure that an event or tickets are properly coordinated and accounted for. Eventbrite and its servers are located in the United States and a person’s use of Eventbrite is governed by the laws in that country and Eventbrite’s privacy policy. Eventbrite may disclose the personal information it collects to overseas recipients in certain situations. If it does, the Australian Privacy Principles relating to overseas disclosure under the Privacy Act will not apply. Further information is available in Eventbrite’s privacy policy.

3.1.1.4 Visitor information and feedback

In order to improve its services, the Museum collects information from visitors about its programs. This information may be solicited (for example, through visitor surveys) or unsolicited (such as letters or emails from members of the public). The majority of evaluation that is initiated by the Museum allows people to respond on an anonymous basis.  Visitor surveys, which the Museum regularly uses to seek feedback from visitors, do not involve the collection of information that could lead to a person being identified, although more generic information such as age and city of residence may be collected for demographical analysis.  Respondents have the option of providing their personal information to the Museum if they wish to join the Membership program or subscribe to a mailing list.

Where members of the public provide their personal information to the Museum in the course of making an enquiry or comment, that information will only be used by the Museum to deal with the person’s enquiry or comment. Personal information in the form of photographs of visitors is collected only with the consent of the person or their parent/guardian. The consent forms for photography include the name of the person in the photograph and their contact details. 

3.1.2 Historical collection, exhibition and research information

The Museum collects personal information relating to objects in its collections and on loan to the Museum. This information includes details about an object’s history, including its current and previous owners and other people connected with the object. The purpose of collecting this information is to assess an object’s ownership and provenance prior to acquisition or loan. 

Personal information about an object is obtained from a range of sources including from the donor/vendor and from historical records. The nature of this research is such that personal information is not always collected directly from the person to whom the information relates but from other sources such as third party oral or written histories or newspaper or magazine articles. Personal information may also be collected in the course of historical research conducted by the Museum and for the purposes of exhibition. Such information may not necessarily relate to an object in the Museum’s collection. This information is maintained in a range of forms, for example in writing, as video or sound recordings, or photographs.

The Museum may collect limited personal information for the following purposes:

  • to facilitate the management (eg transportation and insurance) of an object; 
  • to arrange physical access to the collection by researchers, family members, Indigenous community members or special interest groups;
  • to respond to enquiries for historical information received from members of the public
  • to meet obligations under legislation, such as the Firearms Act or the Poisons and Therapeutic Goods Act.

There is an exception in the Privacy Act for materials kept in a library, art gallery, or museum for the purposes of reference, study or exhibition.  Examples include photographs of individuals used in an exhibition or letters containing personal information kept in the Museum’s collection. The Museum will, where possible, provide advice regarding this exception during the accessioning process. 

3.1.3 Personnel and administrative records 

The Museum collects personal information about its volunteers, trainees, contractors, and committee members. The purpose of collecting this information is to properly administer matters relating to a person’s legal responsibilities or duties at the Museum.

Prospective volunteers will require to provide the Museum with personal details (such as full name, address, email address and contact details), employment history, curriculum vitae and professional references if requested. The Museum does not store personnel information electronically on any system but hard copy records are kept in the safe.  The Museum must provide personal details to the Australian Charities and Non Profit Commission and Consumer Affairs Department of Committee Members and Office Bearers.  Some of this information is provided publicly per their Regulations.  

Employee records usually include personal details (such as full name, addresses, email address, contact number and next of kin details), bank account details, tax file number, employment history, medical checks, police checks, leave, salary and superannuation records. Records may also be kept in relation to rehabilitation or worker’s compensation claims, discipline or code of conduct matters, and performance management. This information is kept and stored in the Museum’s personnel information management system in hard copy and is only accessible to authorised staff.

Volunteers provide the Museum with their personal details (such as full name, addresses, email address, contact number and next of kin details), employment history, curriculum vitae and a copy of their driver’s licence. This information is used to assess the suitability of people to become Museum volunteers which may include medical checks and police checks (with permission). This information is kept and stored in hard copy in the Museum’s personnel information management system and is only accessible to authorised staff.

Some personal information relating to suppliers and contractors is also collected. This may include information about catering, security and cleaning staff employed under a contract between the Museum and the service provider; performers; IT suppliers; consultants/advisors; and suppliers of products for the Museum shop. This personal information (such as full name, contact number and next of kin – where applicable) is collected and used for the purposes of managing the Museum’s relationship with the contractor and for security. This information is kept and stored in the Museum’s personnel information management system and is only accessible to authorised staff.

Contractors who come to the Museum to operate machinery or perform specialised tasks will be required to provide their specialised license and personal identification (for example, their Drivers’ License). This will be photocopied and safely stored in Security records. This information will be securely destroyed a few days after the contractor is no longer required on site. 

Visitors who come on to the Museum’s premise may choose to write in our Visitors book.  That is at their discretion with the full knowledge that other comments are fully visible.  Whilst the contents of the Visitors Book will not be released publicly in any identifiable manner, no actions will be taken by the museum to secure details in the Visitors Book beyond our normal building security. 

3.1.4 The Museum’s website

The Museum has a number of websites and Museum-identified spaces on blogs and social networking sites such as Flickr, Twitter, Facebook and YouTube. Please refer to the PAMM website for the latest list of official social media platforms. 

The Museum’s website refers to this privacy policy and conditions of use statement. The website provides online services requiring users to provide personal information: the submission of volunteer applications, purchases made at the online shop, subscription to our e-newsletter and username and password for members. Personal details are maintained on secure servers. Sometimes the Museum also invites people to submit comments, photos or stories via forms on the website. Although users are encouraged not to identify people, the stories may include some personal information. Whenever the Museum collects such stories, individuals are informed about the purposes for which their stories will be used (for example, for publication on the website).

The Museum’s website uses cookies for the purpose of collecting statistical data. This will help the Museum determine if you have visited the website in the past. The Museum will also collect data such as IP addresses, date and time of visitation and which website you have explored. The Museum will not attempt to identify anyone browsing the website unless they are logged into an account they have created with the Museum. 

The Museum Blog is run on the WordPress platform. Comments on the blog require a wordpress login. This is not accessed or retained by the Museum. Further information is available in WordPress.org’s Privacy Policy.

3.1.5 Security records (including CCTV)

The Museum maintains security records in order to manage access to Museum premises, assets and information. Identification photos may be used used for security and access control purposes. These records relate to staff, volunteers, visiting researchers and contractors, and may include police record checks. These records are stored in a secure environment, and access to these records is limited to authorised office bearers only.

The Museum uses closed circuit television (CCTV) systems to monitor and record activity in a range of publicly accessible locations at the Museum. The purpose of this monitoring is to provide a safe and secure environment for Museum volunteersf and visitors and to protect the Museum’s collections and exhibits from damage, theft or loss. 

The images recorded by the cameras may include identifiable images of people visiting the Museum. These images are stored in a secure environment, and access to these recordings is limited to authorised committee members only. CCTV footage is held on a 3-month rolling basis. 

Where an incident has occurred warranting further investigation, the Museum will allow the recording to be viewed by people responsible for investigating the incident, both within the Museum and/or external investigative bodies or law enforcement agencies (such as Police Vic).

Signs have been placed at all public entrances to the Museum advising that the cameras are in operation.

3.1.6 The Museum retail store

The Museum uses a third party provider, Wix, to collect personal information when purchases are made via the Museum’s online shop. Customers may also leave their details in order to purchase items by mail order while at the retail store. This is stored directly into Wix’s database. Personal information is collected for the purposes of fulfilling the order and, if the purchaser has asked to receive newsletters or other information about the Museum, to provide them with that information. Further information is available in Wix’s Privacy Policy

Personal information may be disclosed to Australia Post or another couriering company for the purposes of delivering an order. The Museum also retains order details (excluding credit card details) in our third party application, Wix to help manage any returns, refunds or exchanges. Where a refund is required, The Museum will contact their bank merchant to authorise this refund back to the customer account. 
Customers may also leave their details in order to have items placed on hold. This information is destroyed immediately once claimed at the retail shop.

3.1.7 Collection and storage of sensitive information

Sensitive information may be collected in relation to some employees and volunteers. For example, employees or volunteers may formally identify as a person of ethnic descent, or as having a disability. Health information (for example medical reports or certificates) may also be collected by the Museum where there is a workers’ compensation or other health-related matter affecting an employee or volunteer, as well as to conduct pre-employment medical checks.    

National police history checks may be conducted on prospective staff members, volunteers, interns, visiting researchers and contractors. The individual’s written consent must be obtained before a check is submitted and processed, and access to relevant personal information is strictly limited to authorised Museum Committee members. 

Incident reports are required to be completed when a security incident, an injury or hazard has occurred or been identified. These reports may contain information, some of a medical nature, about visitors, volunteers and staff. 

The Museum may hold information about a staff member’s union membership if that person has authorised a deduction from pay for their union dues. There may be other records, which would identify union members such as right of entry permits, email communication between union members, or where union delegates are represented on Museum committees.

These records are stored in a secure environment, and access to these records is limited to authorised commitee members only.

3.1.8 Donations

The Museum has a donation box at the Reception Desk where anonymous donations are given.  If someone wishes to give a tax deductible donation, a manual receipt is provided which contains their name, address and ABN (if appropriate). A copy of the details on these receipts is retained by the museum (excluding any payment details) in the hands of the treasurer and stored in the Museum Archives. Details of any individual donations may be provided to a third party only in the case of an audit. If payment details are provided, these are securely destroyed after the payment has been processed.

3.1.9 User Generated Content

You may be able to disclose information about yourself in the course of contributing user generated content on publicly-available areas. This includes your uploaded photos or videos, full name, email address, geolocation, interests, and content that you have favorited, metadata (i.e., hashtags). Your photo or video files may also contain your narrations and captions, as well as data regarding your precise geolocation. Your content will also be shared with users of other social media services to which you have chosen to share (i.e., Facebook or Instagram), consistent with your privacy settings on those services. Such publicly announced information, may be accessed or recorded by us, and there is no expectation of privacy or confidentiality in such information. Any information, including your Personal Data you submit in the course of such activities, can be read, collected, or used by other users.

If you submit your photo, video or other content to the Museum using the relevant hashtags, this content will be published on the museum website or applications along with certain Personal Data identifying you, e.g., your username provided.

3.2 Third Party Information Collection

When the Museum uses third parties to collect personal information, they will be bound by their own privacy policies and the laws in the countries in which they are hosted. 

The information transferred and stored in the Museum’s databases will be handled in a secure environment. 

3.3 Dealing with us anonymously or pseudonymously

There are circumstances where there is an option to remain anonymous or use a pseudonym when interacting with the Museum. For example, providing feedback.

If circumstances are such that you cannot deal with the Museum anonymously or pseudonymously, an explanation will be provided, and there will be an option to opt-out of further contact. 

3.4 Usage and disclosure of personal information

Personal information will be used for the particular purpose for which it was collected. 

The Museum will not use or disclose your personal information for any other purpose unless you provide your consent or it is required, or authorised, by law. 

3.4.1 Integrity of personal information

Electronic personal information will be stored on secure systems, accessible only by volunteers and contractors with a genuine business need to access it. When personal information is kept in hard copy, it will be kept securely in locked cabinets or in secure storage when not in use. 

If personal information needs to be disposed of, the Museum will use secure methods of destruction and disposal. 

3.5 Overseas disclosure of personal information

Where necessary, the Museum may disclose or store personal information with overseas third parties, including suppliers and database hosting services. Individuals will be notified at the time of collection and may choose to opt-out of providing the Museum with their details. 

If the Museum is required to disclose personal information to an overseas third party under international law, it will ensure that this is done in accordance with the Australian Privacy Principles, and, where possible, individuals will be informed of the disclosure. 

3.6 Notification of breach

The Museum will endeavour to notify users about any kind of data breach as soon as practicable. information is available in the Museum’s “Data Breach Procedure” which can be found on PAMM’s website and Facebook Page

3.7 Complaints and Access

3.7.1 Complaints

The Museum will take reasonable steps to deal with enquiries or complaints about compliance with the Privacy Act. The Museum will acknowledge receipt of a complaint within 7 days and send a considered response to complaints or suggestions within 30 days. The Museum is committed to quick and fair resolution of complaints and will ensure that all complaints are taken seriously. The Museum may take a longer period to address a complaint where an individual has agreed to it in writing.

Complaints about the Museum’s personal information handling practices may also be made to the Office of the Australian Information Commissioner.

3.7.2 Access and Correction

Under the APP, individuals have the right to access and correct their personal information stored by the Museum. The Museum will respond to access requests within 30 days. There are no charges imposed on requests for access to personal information and correction of personal information. The Museum strives to ensure that personal information is accurate, up-to-date, complete, relevant and not misleading.

If the Museum cannot provide access to personal information, for example, if the information has been legally and securely destroyed in accordance with procedure, a written explanation will be provided. 

4. Responsibilities

4.1 Privacy Contact Officer

The Museum’s Privacy Contact Officer, appointed from the Management Committee, is responsible for maintaining this policy. The Privacy Contact Officer is also responsible for providing advice on privacy issues; acting as the point of contact for the federal Privacy Commissioner; and investigating any privacy complaints. For further information, please contact executive@portalbertmaritimemuseum.com.au