When you purchase goods from us (for example, books, memorabilia, or event tickets) we will collect your contact details, delivery information, and payment details. We will use your information to provide you with the goods that you have purchased (e.g. in the performance of a contract with you). We will also use your contact information in order to supply you with relevant transactional documentation such as order confirmations, invoices, delivery notes, and tickets; if you have consented to receive marketing communications from the Library we may also use this information to provide you with special offers and other useful information, such as checkout abandonment reminders.
We may also use this data (and other data relating to your use of our Services such as audit trails) for the purpose of analysis in support of Service improvement, IT security, or other legitimate interests of the Library.
Online payments by credit or debit cards for some Services provided by the Library are processed under contract using specialist Data Processors, and in line with the Payment Card Industry Data Security Standard. When a payment is processed by Data Processor acting on our behalf, card details are collected over a secure link and protected by industry standard software which encrypts your information. We do not collect any payment card account details ourselves, and they are not made available to us. Our service provider will use the information you provide to process your payment or to refund any monies due to you. Please refer to the terms and conditions for the relevant Service for further details. In particular, we use the following systems to process your information:
We will retain your commercial account information for as long as it remains current. Transactional information will be retained for the year in which the transaction took place, and then for a further six years in order to comply with tax and accounting rules.
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing. The legal basis for the collection of this information is therefore 'a legal obligation to which the Library is subject'.
By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a customer/visitor of the Library you will be asked to provide some basic information and contact details. The following information will be collected:
- the names of all customers or visitors
- a contact phone number for each customer or visitor
- date of visit and arrival time and departure time
In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.
The Library, as the data controller for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time it holds this information. If that information is requested by the NHS Test and Trace service, the service will at that point become responsible for compliance with data protection legislation in relation to this personal data.
The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational, and administrative security measures to protect your personal information that it receives from the Library from loss, misuse, and unauthorised access, disclosure, alteration, and destruction.
NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.
For example, if another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
We may require you to pre-book appointments for visits or to complete a form on arrival in order to facilitate the collection of this data.
The information that we collect to support this requirement contains personal data which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and will be destroyed by us 21 days after the date of your visit.