Privacy Notices - STEAM website Privacy Notice


We are STEAM – Museum of the Great Western Railway and this Privacy Notice gives you information as to when and why we collect personal information from you, how we keep it secure and how we use it.

This Privacy Notice is relevant to you if you are using the STEAM website.

What is a Privacy Notice?

A Privacy Notice is a statement issued by an organisation which explains how personal and confidential data about individuals is collected, used and shared.

Who is collecting and using your personal data?

This notice sets out the basis on which STEAM – Museum of the Great Western Railway collects and uses the personal data of website users.

STEAM – Museum of the Great Western Railway is run by Swindon Borough Council.

Swindon Borough Council will act as a “Data Controller” for any personal data that you provide to us. We will ensure that the data given to us is processed in line with the Data Protection Act 2018 (DPA 18) and the EU General Data Protection Regulation (GDPR).

To find out more about Swindon Borough Council’s data protection policies, please contact our Data Protection Officer, or write to the Data Protection Officer, Civic Offices, Euclid Street, Swindon, Wiltshire, SN1 2JH.

This Privacy Notice was last updated in September 2020.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

What personal data do we collect?

You can visit our website without giving us your personal data. We may collect personal data when you use our online forms or email us. This may include your name, address, telephone numbers, email address, social media identity, payment card details, date of birth, gender, accessibility information and IP address.

Email newsletters: (Please see our E-newsletter Privacy Policy on the Privacy Notice directory homepage).
When using our online shop or purchasing tickets online: (Please see our Ticket and Retail Sales Privacy Policy on the Privacy Notice directory homepage).

Using contact forms:
When you fill in a contact form on our website we will pass on your contact details to the relevant department at STEAM. They may keep a record of your details so that they can respond to your specific request. (Please see our individual departments’ Privacy Notices on the Privacy Notice directory homepage).

Social Media:
We use the following social media platforms:
Facebook, Trip Advisor, Instagram, Twitter and YouTube.

We only ever use these platforms in accordance with their own terms and conditions, which you will have agreed to when you signed up for an account with them.

We use these social media platforms to interact with you as visitors and to give you information about the Museum and our events. We monitor the number of followers we have for KPIs but this does not involve the use of personal data as it is purely a number.

If you make a complaint or pay us a compliment we copy the message from the social media platform and email it to the relevant team to respond to. The information is passed on to Swindon Borough Council where it is stored on the Jadu system (Please see Swindon Borough Council’s Jadu My Account Privacy Notice).

YouTube:
We occasionally embed videos from YouTube using their privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player. YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. To find out more please visit YouTube’s embedding videos information page.

Cookies on this website:
To make this website easier to use, we sometimes place small text files on your computer or device (for example your iPad or laptop) called cookies. They improve things by:

  • remembering the things you've chosen while on our website, so you don't have to keep re-entering them whenever you visit a new page
  • remembering data you've given (for example, your address) so you don't need to keep entering it
  • measuring how you use the website so we can make sure it meets your needs

By using our website, you agree that we can place these types of cookies on your device. 

We do not use cookies on this website that collect information about what other websites you visit (often referred to as privacy intrusive cookies).

Our cookies are not used to identify you personally. They are just here to make the site work better for you. You can manage and/or delete these files as you wish.

To learn more about cookies and how to manage them, visit

Google Analytics:
We use Google Analytics to collect information about how people use this site. We do this to make sure it is meeting people's needs and to understand how we can make the website work better.

Google Analytics stores information about what pages on this site you visit, how long you are on the site, how you got here and what you click on while you are here.

We do not collect or store any other personal information (e.g. your name or address) so this data cannot be used to identify who you are.

We also collect data on the number of times a word is searched for and the number of failed searches. We use this information to improve access to the site and identify gaps in the content and see if it is something we should add to the site.

Unless the law allows us to, we do not:

  • share any of the data we collect about you with others
  • use this data to identify individuals

How do we process your personal data?

Examples of the situations in which we will process your personal information are listed under 'What personal data do we collect?'.

Why do we need your personal information?

Email addresses will be used:

  • to contact you to respond to your enquiry
  • to deliver newsletters, if you’ve requested them, and update you on the services we provide
  • to check the quality of services
  • to help with research and development of existing services
  • to help with research and planning of new services

How does the law allow us to use your information?

We collect and process your personal information to answer your enquiries or to provide, deliver, administer and manage our ticketing and retail services. 

The processing is necessary for a contract that you have with us or because you have asked us to take specific steps. For example, you enter into a contract with us when you purchase any type of admission ticket to STEAM (in person or online), or any retail product or service from STEAM (in person or online).

The law requires that we collect and record your explicit consent before providing you with our email newsletters, but you have the right to remove your consent at any time.

If you want to remove your consent, either use the unsubscribe option provided on any emailed newsletter from us, or contact us and tell us which service you are using and wish to unsubscribe from, so we can deal with your request promptly.

Who do we share your information with?

Your data may be shared internally for the purpose of answering your enquiries or for delivering and managing our ticketing and retail services to you. Your data may be shared with staff at STEAM or with Swindon Borough Council who have access to our IT networks and systems.

In addition, we also use some third party providers to help deliver our services to you, who collect the data directly from you (as a data controller) and then share it with us.

If you buy tickets or retail products from us in person or online, our electronic point of sale (EPOS) system will transfer you to the payment provider World Pay. In this instance, World Pay is the data controller for your personal information.

Our newsletter service provider is ‘Mailerlite’, who provide email marketing and automation software as a service. They process your Personal Data as a Processor on behalf of Swindon Borough Council.

Our EPOS system stores personal information. The provider of our EPOS system (Merac) has access to the stored information in order to provide ongoing technical support to us for the system. It is part of our contract with Merac that the organisation complies with data protection legislation.

We will not share your data with any other third parties without ensuring that you are advised through changes to this Privacy Notice.

How do we protect your information?

We make sure that there are managerial, physical and electronic controls in place to protect your personal information. Our internal policies and controls prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal information to those employees and third parties (named above) who have a business need to know when providing services to STEAM – Museum of the GWR.

All third party processors will only process your information on our instructions and in accordance with obligations under the DPA 2018.

Your personal data will be stored on STEAM’s Merac E-POS system and on Swindon Borough Council’s newsletter service provider: Mailerlite.

  • We use encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password)
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
  • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • Mailerlite’s secure data storage centre is situated within the European Economic Area (EEA) and has information storage security certification to ISO 27001 as well as a certificate of IT service management to ISO 20000

How long do we keep your personal information?

Payment information:
All information relating to financial transactions is held for up to 7 years in line with Swindon Borough Council’s Retention Policy. This includes but is not limited to:

  • payee name and sort code of cheques, banking slips, and credit/debit card merchant receipts (for ticket & retail sales in person/ by post)
  • email payment confirmations from World Pay (for ticket and retail sales online via our EPOS systems)
  • invoices (for Events and Group and Tour bookings)

Other personal information, for example, details of who we sold tickets, products or services to:
This is held for up to 7 years in line with the associated financial transaction. This includes but is not limited to:

  • details stored on our EPOS system (Merac), purchase confirmation emails (for ticket and retail sales online, via our EPOS systems)
  • booking forms (for Events and Group and Tour bookings)

Season ticket holders:
We retain your personal information while you are a current season ticket holder, and up to one year after you cease to be a season ticket holder. The exception is where we have your consent to send you marketing information about STEAM events, services and products.

E-newsletter subscribers:
Mailerlite will keep a record of your personal data for six months after last use. If you unsubscribe and remove your consent, your data will be deleted.

What can you do with your information?

The law gives you a number of rights to control what personal information is used by us and how it is used by us.

  • You can ask for access to the information we hold on you
  • You can ask to change information you think is inaccurate
  • You can ask to delete information (right to be forgotten)
  • You can ask us to limit what we use your personal data for
  • You can ask to have your information moved to another provider (data portability)

Should you wish to exercise any of your rights, you should contact our Data Protection Officer at

Your right to complain

If you believe that the Council has not complied with your data protection rights, you should write to the Data Protection Officer and clearly outline your case. Your complaint will then be investigated in accordance with our customer complaint procedure.

If you remain dissatisfied with the way your personal data has been handled, you have the right to complain to the Information Commissioner’s Office. You may refer the matter to the Information Commissioner’s Office, whose contact details are below:

Information Commissioner’s Office
Wycliffe House
Water Lane


What if you do not provide personal data?

You are under no statutory obligation to provide personal data to Swindon Borough Council when purchasing tickets or retail products or signing up to receive the e-newsletter. However, if you do not provide the data, we may be unable to provide our service to you properly or at all.

How will we ensure compliance?

A six-monthly audit will take place on personal data to ensure we remain legally compliant in accordance with current data protection legislation.
