Privacy policy

Red squirrel

The privacy and security of your personal information is extremely important to us. This privacy policy explains how and why we use your personal data, to make sure you stay informed and can be confident about giving us your information.  

We’ll keep this page updated to show you all the things we do with your personal data. This policy applies if you’re a supporter of the Trust (member, donor, volunteer, tenant, customer, employee) or use any of our services, visit our website, use our mobile app, email, call or write to us. In certain circumstances we may also provide an extra privacy notice, which will always refer to this page.

We’ll never sell your personal data and will only share it with organisations we work with when it’s necessary and the privacy and security of your data is assured. 

Who are ‘we’?

In this policy, whenever you see the words ‘we’, ‘us’, ‘our’, ‘National Trust, it refers to The National Trust for the Preservation of Historical Places or Natural Beauty and its wholly owned subsidiary The National Trust (Enterprises) Limited. (Our ICO registration number is Z5945928).

The National Trust for Places of Historic Interest or Natural Beauty (Reg. Charity number 205846) is a charitable organisation with the aim to look after special places throughout England, Wales and Northern Ireland for ever, for everyone. 

The National Trust (Enterprises) Limited (Reg. Co. number 10831105) carries on a range of commercial trading activities to generate income for the National Trust including sale of gifts and souvenirs at shops located in over 200 properties and online, income from commercial partnerships including sponsorship, affinity marketing and product licensing, raffles, and commercial activities that are deemed outside the charitable purposes of the National Trust. These activities include events, campsites, holidays, and access to properties for filming rights and advertising revenues. 

If you have any questions in relation to this privacy policy or how we use your personal data they should be sent to dpo@nationaltrust.org.uk or addressed to the Data Protection Officer, National Trust, Heelis, Kemble Drive, , Swindon, SN2 2NA.

What personal data do we collect?

Your personal data (any information which identifies you, or which can be identified as relating to you personally for example, name, address, phone number, email address) will be collected and used by us. We’ll only collect the personal data that we need. 

We collect personal data in connection with specific activities such as registration or membership requests, placing an order, booking holidays, donations, volunteering, conducting research, ordering an image, employment etc. 

You can give us your personal data by filling in forms on our website, by registering to use our website, participate in discussion boards, subscribing to take part in research on our website or other social media functions on our website, entering a competition, promotion or survey or by corresponding with us (by phone, email or by joining as a member/supporter/customer). 

This personal data you give us may include name, title, address, date of birth, age, gender, employment status, demographic information, email address, telephone numbers, personal description, photographs, CCTV images, attitudes, opinions, usernames and passwords).

Personal data provided by you

This includes information you give when interacting with us, for example joining or registering, placing an order or communicating with us. For example:

  • Personal details (name, date of birth, email, address, telephone, and so on) when you join as a member or supporter
  • Financial information (payment information such as credit or debit card or direct debit details, and whether donations are gift-aided)
  • Your opinions and attitudes about the National Trust, activities and interests, and your experiences of the National Trust

If you buy membership as a gift or are the parent of one of our junior supporters, including volunteers, your details will be recorded and your association with that relationship will be recorded. 
We  may automatically collect the following information:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and if you access our website via your mobile device we will collect your unique phone identifier
  • Information about your visit, including, but not limited to the full Uniform Resource Locators (URL) and query string, clickstream to, through and from our website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as but not limited to,scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our customer service number
  • Information about your puchases including but not limited to revenue figures, the types of products purchased, membership application ID, purchase ID, Holiday booking ID, and Renewal ID.
  • The terms that you use to search our website

Please note that certain services on our website won’t be available to you until you’ve registered to use our website.

Personal data created by your involvement with us

Your activities and involvement with us will result in personal data being created. This could include details of how you’ve helped us by volunteering or being involved with our campaigns and activities. If you decide to donate to us then we’ll keep records of when and how much you give to a particular cause.  

Information we generate

We conduct research and analysis on the information we hold, which can in turn generate personal data. For example, by analysing your interests and involvement with our work we may be able to build a profile which helps us decide which of our communications are likely to interest you. The sections Research and Profiling gives more detail about how we use information for profiling and targeted advertising, including giving you more relevant digital content.

Information from third parties

We buy anonymous external data (e.g. census data, Experian MOSAIC, TGI) and combine it with your personal data at an aggregated level to build profiles which help us work out what you’re most likely to want to hear from us about and how.

Sensitive personal data

At times we’ll collect sensitive personal data for Equal Opportunities monitoring, as well as researching whether we deliver great experiences for everyone, but this is only ever analysed at an aggregate level.

Volunteer

If you’re a volunteer then we may collect extra information about you (e.g. references, criminal records checks, details of emergency contacts, medical conditions etc.). This information will be retained for legal or contractual reasons, to protect us (including in the event of an insurance or legal claim) and for safeguarding purposes.

Children’s personal data

Family membership

Children aged under18 are included on family memberships and are members of the National Trust. We collect their names and dates of birth to ensure their right to free admission at our places. We don’t ask children on family memberships for consent to marketing communications, so they don’t receive them unless they’ve asked for them through our online service MyNationalTrust, which is only available to people aged 13 and over. If a young person has done this, we’ll carry over this information, including their marketing consents, when they turn 18.

Junior and Young Person membership

Junior membership is available to everyone under the age of 18. Under 13s can have their membership bought for them as a gift by an adult, while those aged between 13 and 17 can buy membership online, by phone or at our of our places. Young Person membership is available from the age of 17.  

When a Junior or Young Person member becomes 18, we’ll carry over their marketing consents if they have made them.

Marketing to young people and fundraising

We won’t send marketing emails, letters or make calls to people under the age of 13.  We will not send any marketing communications requesting donations to young people aged between 13 and 17 and won’t profile anyone under the age of 18.

Our magazines may sometimes include competitions or ideas about how to raise money, but they are a member benefit. Most magazine content is about our work, conservation and ideas to help you make the most of your membership.

How we use your personal data

We’ll only use your personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation (from 25 May 2018)/UK Data Protection Act and Privacy of Electronic Communication Regulation.

Personal data provided to us will be used for the purpose or purposes outlined in any fair processing notice in a transparent manner at the time of collection or registration where appropriate, in accordance with any preferences you express. If asked by the police, or any other regulatory or government authority investigating suspected illegal activities, we may need to provide your personal data.

Your personal data may be collected and used to help us deliver our charitable activities, help us raise funds, or complete your order or request. Below are the main uses of your data which depend on the nature of our relationship with you and how you interact with our various services, websites and activities. 

Marketing communications 

Your privacy is important to us, so we’ll always keep your details secure. We’d like to use your details to keep in touch about things that may matter to you. 

If you choose to hear from us we may send you information based on what is most relevant to you or things you’ve told us you like. We may also show you relevant content online. This might be about visiting our places, volunteering with us, membership, events, conservation work, fundraising, our shops and holidays. 

We’ll only send these to you if you agree to receive them and we will never share your information with companies outside the National Trust for inclusion in their marketing. (We may however share cookie data with third parties to help with our own advertising targeting).If you agree to receive marketing information from us you can change your mind at a later date. 

However, if you tell us you don’t want to receive marketing communications, then you may not hear about events or other work we do that may be of interest to you.

Personal data provided to us may also be profiled to help us with advertising targeting. For example, your membership data may be used to ensure we don’t serve you online membership advertisements. Or we may use your personal data to find online users with a similar profile to yourself who may be interested in our products or services.

We may sometimes use third parties to capture some of our data on our behalf, but only where we are confident that the third party will treat your data securely, in accordance with our terms and inline with the requirements set out in  the GDPR.

We’ll always act upon your choice of how you want to receive communications (for example, by email, post or phone). However, there are some communications that we need to send. These are essential to fulfil our promises to you as a member, volunteer, donor or buyer of goods or services from the Trust. Examples are:

  • Transaction messaging, such as Direct Debit schedules, shop purchase confirmations and holiday booking confirmations
  • Membership-related mailings such as renewal reminders, National Trust Magazines and notice of our Annual General Meeting

Membership including newsletters and magazines 

We use the personal data you provide as a member provide to service your membership.  This includes sending renewal information to annual members by mail and email, sending National Trust magazines and Handbooks and information about our Annual General Meeting. It’s also used to verify you when you contact our Supporter Services Centre or sign up for a My National Trust account to manage your membership online.

We scan membership cards to check entitlement to free entry or free parking , to understand how and when our members visit and to help us send you more relevant communications. We may contact you for feedback on your visit. 

Fundraising, donations and legacy pledges 

Where we have your permission, we may invite you to support vital conservation work by making a donation, buying a raffle ticket, getting involved in fundraising activities or leaving a gift in your will. 

Occasionally, we may invite some supporters to attend special events to find out more about the ways in which donations and gifts in wills can make a difference to specific projects and to our cause. We’ll also send you updates on the impact that you make by supporting us in this way, unless you tell us not to.

If you make a donation, we’ll use any personal information you give us to record the nature and amount of your gift, claim gift aid where you’ve told us you’re eligible and thank you for your gift. If you interact or have a conversation with us, we’ll note anything relevant and store this securely on our systems.

If you tell us you want to fundraise to support our cause, we’ll use the personal information you give us to record your plans and contact you to support your fundraising efforts.

If you’ve told us that you’re planning to, or thinking about, leaving us a gift in your will, we’ll use the information you give us to keep a record of this – including the purpose of your gift, if you let us know this. 

If we have a conversation or interaction with you (or with someone who contacts us in relation to your will, for example your solicitor), we’ll note these interactions throughout your relationship with us, as this helps to ensure your gift is directed as you wanted.

Charity Commission rules require us to be assured of the provenance of funds and any conditions attached to them. We follow a due diligence process which involves researching the financial soundness, credibility, reputation and ethical principles of donors who’ve made, or are likely to make, a significant donation to the National Trust.

As part of this process we’ll carry out research using publicly available information and professional resources. If this applies to you, we’ll remind you about the process when you make your donation.

Major donors

If you’re a current or prospective major donor, we’ll give you a bespoke privacy notice with further details of how we look after your data. 

Management of volunteers 

We need to use your personal data to manage your volunteering, from the moment you enquire to the time you decide to stop volunteering with us. This could include: contacting you about a role you’ve applied for or we think you might be interested in, expense claims you’ve made, shifts you’ve booked and to recognise your contribution.

It could also include information from local property teams about things happening where you volunteer and about your volunteering, including asking for your opinions on your volunteering experience. 

We may also share this with funders to help them monitor how their funding is making a difference. 

Retail sales, holidays and events management 

We process customer data in order to fulfil holiday bookings and retail activities. Your data will be used to communicate with you throughout the process, including to confirm we’ve received your order and payment, to confirm dispatch, to clarify where we might need more detail to fulfil an order or booking, or to resolve issues that might arise with your order or booking. Properties may also hold dietary requirements for weddings and events. 

Research 

We carry out research with our supporters, customers, staff and volunteers to get feedback on their experience with us. We use this feedback to improve the experiences that we offer and ensure we know what is relevant and interesting to you.  

If you choose to take part in research, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part. For some of our research we may ask you to provide sensitive personal data (e.g. ethnicity). You don’t have to provide this data and we also provide a ‘prefer not to say’ option. We only use it at an aggregate level for reporting (e.g. equal opportunities monitoring).  

We may give some of your personal data (e.g. contact information) to a research agency who will carry out research on our behalf.  

Profiling 

We know it’s important to our supporters to use our resources in a responsible and cost-effective way. So we use automated profiling and targeting to help us understand our supporters and make sure that:

  • our communications (e.g. emails) and services (e.g. our website) are relevant, personalised and interesting to you
  • our services meet the needs of our supporters
  • we only ask for further support and help from you if it’s appropriate
  • we use our resources responsibly and keep our costs down

To do this we’ll analyse how you interact with us (e.g. on our website, places you visit through use of data from membership card scanning, etc) and use both geographic and demographic information to let you know what’s happening in your local area and understand your interests.

We use specific tools to profile how you interact with us online, for example, Adobe Analytics, Google Analytics and Double Click for Advertisers. We use Adobe Analytics to collect information on the use of the National Trust website. Much of the information we collect is aggregated, however we may also collect some personal data for the use of personalising your experience, optimising our marketing campaigns, and to ensure the site is functioning as intended.

The personal information that is collect includes transactional information (i.e. order number) for Memberships, Donations, Renewals, Holidays Bookings and Online Shop Purchases. We also collect data on individual user activity when they create or log into their My National Trust account. This information take the form of an encrypted string.

If you’ve agreed that we can contact you for marketing purposes, we may also gather additional information about you from external sources, for example: updates to address and contact information, or publicly available information regarding your wealth, earnings and employment at an aggregate level. We may use this information to assess your capacity to support us and invite you to do so.

This analysis may be carried out by us or by third party organisations working for us.  We may also host encrypted personal data on third party websites (e.g. social media platforms) to ensure that you only see relevant, personalised and interesting content from those organisations. 

Recruitment and employment 

In order to comply with our contractual, statutory, and management obligations and responsibilities, we process personal data, including ‘sensitive’ personal data, from job applicants and employees.  

Such data can include, but isn’t limited to, information relating to health, racial or ethnic origin, and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data, without explicit consent. Further information on what data is collected and why it’s processed is given below.

Contractual responsibilities: Our contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay; leave, maternity pay, pension and emergency contacts.

Statutory responsibilities: Our statutory responsibilities are those imposed through law on the organisation as an employer. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring.

Management responsibilities: Our management responsibilities are those necessary for the organisational functioning of the organisation. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters, e-mail address and telephone number.

Sensitive personal data

The Act defines ‘sensitive personal data’ as information about racial or ethnic origin, political opinions, religious beliefs or other similar beliefs, trade union membership, physical or mental health, sexual life, and criminal allegations, proceedings or convictions.  

In certain limited circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee.

(a) We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consent.

(b) We will process data about, but not limited to, an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding our equal opportunities policies and related provisions.

(c) Data about an employee’s criminal convictions will be held as necessary.

Disclosure of personal data to other bodies

In order to carry out our contractual and management responsibilities, we may, from time to time, need to share an employee’s personal data with one or more third party supplier. 

To meet the employment contract, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs.

In order to fulfil our statutory responsibilities, we’re required to give some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.

Use of geo-location data  

We use geo-location on both our main website, our mobile app and the MyVolunteering site. If you let your device share this information with us, we’ll use it to personalise your experience with us. Your device or web browser will usually prompt you when this is requested.

The type of things we may use your location for include:

  • Sorting search results for properties, activities or events by your location
  • Making our homepage relevant to you and your location

You can change your location settings at any time in your device or computer settings.

Updating your data and marketing preferences 

We want you to remain in control of your personal data. If, at any time, you want to update or amend your personal data or marketing preferences please contact us in one of the following ways: 

My National Trust

Amend your details using My National Trust

My Volunteering

Amend your details using MyVolunteering

Email us

Email: enquiries@nationaltrust.org.uk with your full name, full address and supporter/member number.


Call us:  

0344 800 1895 (local call rates apply). Open 9.00am - 5.30pm weekdays, 9.00am - 4.00pm weekends & bank holidays
 

Write to: 
National Trust
PO Box 574,
Manvers,
Rotherham,
S63 3FH

Verification, updating or amendment of personal data will take place within 30 days of receipt of your request.

Your data protection rights (DPO) 

Where the National Trust is using your personal data on the basis of consent, you have the right to withdraw that consent at any time. You also have the right to ask the National Trust to stop using your personal data for direct marketing purposes.

Tell us using My National Trust or contact us using the details above.

Subject access rights

If you would like further information on your rights or wish to exercise them, please write to us at The Data Protection Office, National Trust, Heelis, Kemble Drive, Swindon, SN2 2NA or email dpo@nationaltrust.org.uk.
You will be asked to provide the following details:

  • The personal information you want to access;
  • Where it is likely to be held;
  • The date range of the information you wish to access

We will also need you to provide information that will help us confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it.

Once we have all the information necessary to respond to your request we’ll provide your information to you within one month.  This timeframe may be extended by up to two months if your request is particularly complex. 

What to do if you’re not happy

In the first instance, please talk to us directly so we can resolve any problem or query. You also have the right to contact the Information Commissions Office (ICO) if you have any questions about Data Protection. You can contact them using their help line 0303 123 113 or at www.ico.org.uk.

Cookies and links to third party websites

Cookies 

Cookies are small text files stored on your computer when you visit certain websites. We use first party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. We also use third party cookies (cookies that are set by an organisation other than the the owner of the website) for the purposes of website measurement and targeted advertising. You can control the use of cookies via your browser. Further information can be found in the National Trust's cookie policy.

Links to other websites

Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we dont accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites. This privacy policy applies solely to the personal data collected by the National Trust.  

Keeping your information

We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements. 

How we secure your data 

Information system and data security is imperative to us to ensure that we are keeping our customers, members, volunteers, employees and contractor safe.

We operate a robust and thorough process for assessing, managing and protecting new and existing systems which ensures that they are up to date and secure against the ever changing threat landscape. In addition to this, we follow a defense in depth security model, which means that your data is protected by multiple layers of security.

Our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibilities and requirements set out in our information security policies.

When you trust is with your data we will always keep your information secure to maintain your confidentiality. By utilizing strong encryption when your information is stored or in transit we minimize the risk of unauthorized access or disclosure; when entering information on our website, you can check this by right clicking on the padlock icon in the address bar.

Disclosing and sharing information

When we allow third parties acting on behalf of the National Trust to access to your information, we will always have complete control of what they see, how long they see it for and what they are allowed to do with it.. We do not sell or share your personal information for other organisations to use.

Personal data collected and processed by us may be shared with the following groups where necessary:

  • National Trust employees and volunteers
  • Research Bods who run the market research platform on our behalf;
  • Third party cloud hosting and IT infrastructure providers who host the website and provide IT support in respect of the website;

Also, under strictly controlled conditions:

  • Contractors
  • Service Providers providing services to us
  • Advisors
  • Agents

We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use or cookie policy and other agreements; or to protect the rights, property, or safety of The National Trust, our members, supporters and visitors. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

Storage of information

The National Trust operations are based in the UK and we store most of our data within the European Union (EU). Some organisations which provide services to us may transfer data outside the European Economic Area but we’ll only allow this if your data is adequately protected. Some of our systems are provided by US companies and whilst it is our policy that we prefer data hosting and processing to remain on EU-based solutions, it may be that using their products results in data transfer to the USA.  However we only allow this when we certain it will be adequately protected. (e.g. US Privacy Shield or Standard EU contractual clauses).  

Payment card Security

The National Trust has an active PCI-DSS compliance programme in place. This is the international standard for safe card payment processes. As part of our compliance to this very stringent standard, we ensure that our IT systems do not directly collect or store payment card information; for example the full 16 digit number on the front of the card or the security code on the back.

Our online payment solutions are carried out using a 'payment gateway' (e.g. Sagepay) which is a direct connection to a payment service provided by a bank. This means that when you input card data into the payment page, you are communicating directly with the bank and the bank passes your payment to us, this means that your payment card information is handled by the bank and not processed or held by us.

CCTV

Some of our locations and properties have Closed Circuit Television (CCTV) and you may be recorded when you visit them.

CCTV is used to provide security and protect both our members and visitors and the National Trust. CCTV will be only be viewed when necessary (e.g. to detect or prevent crime) and footage is stored for set period of time after which it is recorded over.  The National Trust complies with the Information Commissioner’s Office CCTV Code of Practice and we put up notices so you know when CCTV is used. 

Changes to this privacy policy

We’ll amend this privacy policy from time to time to ensure it remains up to date and reflects how and why we use your personal data and new legal requirements. Please visit our website to keep up to date with any changes. The current version will always be posted on our website. 

This privacy policy was last updated on 20 February 2018.