Privacy Notices - STEAM ticket and retail sales Privacy Notice


We are STEAM – Museum of the Great Western Railway and this Privacy Notice gives you information as to when and why we collect personal information from you, how we keep it secure and how we use it.

This Privacy Notice is relevant to you if you are purchasing any type of admission ticket to STEAM (in person or online), including for general admission, activities, events, tours or group visits; or any retail product from STEAM (in person or online).

What is a Privacy Notice?

A Privacy Notice is a statement issued by an organisation which explains how personal and confidential data about individuals is collected, used and shared.

Who is collecting and using your personal data?

This notice sets out the basis on which STEAM – Museum of the Great Western Railway collects and uses the personal data of our ticketing and retail customers.

STEAM – Museum of the Great Western Railway is run by Swindon Borough Council.

Swindon Borough Council will act as a “Data Controller” for any personal data that you provide to us.  We will ensure that the data given to us is processed in line with our Data Protection Act 2018 (DPA 18) and the EU General Data Protection Regulations. (GDPR)

To find out more about Swindon Borough Council’s data protection policies please contact our Data Protection Officer. or in writing to Data Protection Officer, Civic Offices, Euclid Street, Swindon, Wiltshire, SN1 2JH.

Please note that not providing your personal data may lead to you being unable to utilise services provided by STEAM – Museum of the Great Western Railway.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

What personal data do we collect?

We may collect (and process) the following data about you when you purchase any type of admission ticket to STEAM (in person or online), or any retail product from STEAM (in person or online):

  • Name of purchaser
  • Contact details of purchaser (address including postcode, email address, telephone number/s)
  • The above may also be collected for any recipient of a gift from the purchaser e.g. a gift of a season ticket (where the details of the recipient/user are required by us); a gift of STEAM vouchers or of a retail product (where the product needs to be sent to the recipient by us)
  • Payment card or cheque details and financial transactions
  • Date of birth
  • Prefix
  • Your photograph (season ticket holders only)
  • Accessibility information e.g. hearing/visual impairment, requirement for a wheelchair/scooter
  • IP address (online purchases)
  • Whether or not you have a disability for which the Council needs to make reasonable adjustments

Details and history of your visits to and interactions with us, such as:

  • Events & activities attended by you
  • Details of goods and services purchased by you
  • Dates and frequency of your visits to the Museum
  • Your Group name (Group and Tour bookings only)
  • Your Season Ticket number, type & number of renewals

We collect most of the personal information we hold about you:

  • In person at our Ticket and Retail Desks
  • Via our Point of Sale Systems, in person and online
How do we process your personal data?

Examples of the situations in which we will process your personal information are listed below:

  • Via email payment confirmations from 3rd party payment providers, including World Pay, in person, online (as a data processor), and chip and PIN (as the data controller)
  • Via application forms,  such as manual season ticket applications
  • During your interactions with us, such as your contact by telephone, email or post
  • During your visits to us
  • In the course of providing our services to you
Why do we need your personal information?

We use the information we hold about you for a number of purposes, including to provide a service or goods or support you have requested from us, to request additional information from you, to develop and improve our services, and otherwise operate our Museum.

These are some general examples of why we need your personal information. It is not an exhaustive list:

  • To take or request payment for the ticketing and retail services we provide to you
  • To give you access to the Museum building
  • To provide you with access to our events, products and activities
  • To investigate and respond to your enquiries, complaints and compliments
  • To contact you with information relevant to or arising from your visit to the Museum or purchase of a product from us
  • To keep track of performance of our ticketing and retail services
  • To ensure we are providing ticketing and retails services that are relevant to you
  • To identify patterns of usage and the reach of our service by destination

These are some specific examples of why we need your personal information. It is not an exhaustive list:

Season ticket holders:

  • To identify you as a current season ticket holder
  • To prevent unauthorised use of a season ticket
  • To replace your season ticket if it is lost or stolen
  • To deliver by post the season ticket that you have purchased for yourself or as a gift for someone else
  • To ensure you purchase the correct type of season ticket, for example, senior, family
  • To monitor usage of our Museum by season ticket holders
  • To identify patterns of take up of season tickets
  • To monitor customer satisfaction levels

Ticket sales online:

  • To send you an email confirmation and reference number for your online ticket
  • To identify you as a ticket holder on the day of your visit
  • To ensure your admission to the Museum if your email confirmation and reference number are lost
  • To advise you if a booked activity or event is cancelled or its timings or location are changed
  • To administer refunds for and amendments to online bookings

Group and tour bookings:

  • To send you an invoice after your visit
  • To adapt your tour to the individual needs of your group e.g. hearing/visual impairments, and/or to meet requirements for wheelchairs or scooters
How the law allows us to use your information?

We collect and process your personal information to provide, deliver, administer and manage our ticketing and retail services and support to you. 

The processing is necessary for a contract that you have with us or because you have asked us to take specific steps. For example, you enter into a contract with us when you purchase any type of admission ticket to STEAM (in person or online), or any retail product or service from STEAM (in person or online).

Who do we share your information with?

Your data may be shared internally for the purpose of delivering and managing our ticketing and retail services to you. This includes staff at STEAM – Museum of the GWR. Your data may also be shared within Swindon Borough Council, who have access to our IT networks and systems.

In addition, we also use some third party providers to help deliver our services to you, who collect the data directly from you (as a data controller) and then share it with us.

If you buy tickets or retail products from us in person or online, our electronic point of sale (EPOS) system will transfer you to the payment provider World Pay. In this instance, World Pay is the data controller for your personal information. Our EPOS system stores personal information. The provider of our EPOS system (Merac) has access to the stored information in order to provide ongoing technical support to us for the system. It is part of our contract with Merac that the organisation complies with data protection legislation.

We will not share your data with any other third parties without ensuring that you are advised through changes to this Privacy Notice.

How do we protect your information?

We will do what we can to make sure we hold records about you (on paper and electronically) in a secure way. We have internal policies and controls in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal information to those employees and third parties (named above) who have a business need to know when providing services to STEAM – Museum of the GWR.

All third party processors will only process your information on our instructions and in accordance with obligations under the DPA 2018.

Your personal data will be stored in a range of different places, including on the back office till system of our EPOS system (Merac), and on other IT systems (including databases and email). Any paper based documentation is kept in a safe, locked offices and/or filing cabinets with limited access, and is destroyed in confidential waste.

Examples of our security include:

  • controlling access to systems (for example, Catalog), locations (for example, safe, office spaces & filing cabinets), and IT networks and systems, allows us to stop people who are not allowed to view your personal information from getting access to it
  • training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • encryption and passwords where appropriate
How long do we keep your personal information?

Payment information:

All information relating to financial transactions is held for up to 7 years in line with Swindon Borough Council’s Retention Policy. This includes but is not limited to:

  • payee name and sort code of cheques, banking slips, and credit/debit card merchant receipts (for ticket & retail sales in person/ by post)
  • email payment confirmations from World Pay (for ticket and retail sales online via our EPOS systems)
  • invoices (for Group and Tour bookings)

Other personal information,for example, details of who we sold tickets, products or services to:

This is held for up to 7 years in line with the associated financial transaction. This includes but is not limited to:

  • details stored on our EPOS system (Merac), purchase confirmation emails (for ticket and retail sales online, via our EPOS systems)
  • booking forms (for Group and tour bookings)

Season ticket holders:

We retain your personal information while you are a current season ticket holder, and up to one year after you cease to be a season ticket holder. The exception is where we have your consent to send you marketing information about STEAM events, services and products.

What you can do with your information?

The law gives you a number of rights to control what personal information is used by us and how it is used by us.

  • You can ask for access to the information we hold on you
  • You can ask to change information you think is inaccurate
  • You can ask to delete information (right to be forgotten)
  • You can ask us to limit what we use your personal data for
  • You can ask to have your information moved to another provider (data portability)

Should you wish to exercise any of your rights, you should contact our Data Protection Officer at

Your right to complain

If you believe that the Council has not complied with your data protection rights, you should write to the Data Protection Officer and clearly outline your case. Your complaint will then be investigated in accordance with our customer complaint procedure.

If you remain dissatisfied with the way your personal data has been handled, you have the right to complain to the Information Commissioner’s Office at You may refer the matter to the Information Commissioner’s Office whose contact details are below:

Information Commissioner’s Office
Wycliffe House
Water Lane


What if you do not provide personal data?

You are under no statutory obligation to provide personal data to Swindon Borough Council when purchasing tickets or retail products from STEAM. However, if you do not provide the data, we may unable to provide our service to you properly or at all.

How will we ensure compliance?

A yearly audit will take place on personal data to ensure we remain legally compliant in accordance with current data protection legislation.

Main privacy notice

You are viewing the Privacy Notice for STEAM ticket and retail sales.

Read the main Privacy Notice