Privacy Notices - STEAM - learning and engagement programme and bookings Privacy Notice


We are STEAM – Museum of the Great Western Railway and this Privacy Notice gives you information as to when and why we collect personal information from you, how we keep it secure and how we use it.

This Privacy Notice is relevant to you if you are making enquiries (by phone or online) or booking (by email) any of the services offered through the Learning and Engagement Programme at STEAM.

What is a Privacy Notice?

A Privacy Notice is a statement issued by an organisation which explains how personal and confidential data about individuals is collected, used and shared.

Who is collecting and using your personal data?

This notice sets out the basis on which STEAM – Museum of the Great Western Railway collects and uses the personal data of our Learning and Engagement customers.

STEAM – Museum of the Great Western Railway is run by Swindon Borough Council.

Swindon Borough Council will act as a “Data Controller” for any personal data that you provide to us.  We will ensure that the data given to us is processed in line with our Data Protection Act 2018 (DPA 18) and the EU General Data Protection Regulations. (GDPR)

To find out more about Swindon Borough Council’s data protection policies please contact our Data Protection Officer. or in writing to Data Protection Officer, Civic Offices, Euclid Street, Swindon, Wiltshire, SN1 2JH.

Please note that not providing your personal data may lead to you being unable to utilise services provided by STEAM – Museum of the Great Western Railway.

This Privacy Notice was last updated in December 2020.

Your personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of data is governed by the General Data Protection Regulation 2016/679 (the “GDPR”).

What personal data do we collect?

We may collect (and process) the following data about you when you enquire about the Learning and Engagement Programme at STEAM (by phone or email) or when you make a booking (by email) for any of our Learning and Engagement Programme services at STEAM:

  • Name of purchaser
  • School contact details of organiser and finance officer (address including postcode, email address, telephone number/s)
  • Contact details of purchaser (address including postcode, email address, telephone number/s) for home educators or other non- school groups
  • Accessibility information, for example, hearing/visual impairment, requirement for a wheelchair/scooter

We collect most of the personal information we hold about you:

  • Via booking forms and email
  • Via World Pay chip and PIN (as the data controller) and BACS with SBC
  • During your interactions with us, such as your contact by telephone, email or post
  • During your visits to us
  • In the course of providing our services to you
How do we process your personal data?

Examples of the situations in which we will process your personal information are listed above.

Why do we need your personal information?

We use the information we hold about you for a number of purposes, including to provide a service or goods or support you have requested from us, to request additional information from you, to develop and improve our services and otherwise operate our Museum.

These are some general examples of why we need your personal information. It is not an exhaustive list:

  • To take or request payment for the Learning and Engagement Programme services we provide to you
  • To give you access to the Museum building
  • To provide you with access to our events, products and activities
  • To investigate and respond to your enquiries, complaints and compliments
  • To contact you with information relevant to or arising from your visit to the Museum
  • To ensure we are providing educational services that are relevant to you
  • To identify patterns of usage and the reach of our service by destination

These are some specific examples of why we need your personal information. It is not an exhaustive list:

Learning and Engagement Programme Bookings

  • To send you an email confirmation for your booking
  • To identify you on the day of your visit
  • To ensure your admission to the Museum if your email confirmation is lost
  • To advise you if a booked activity or event is cancelled or its timings or location are changed
  • To administer refunds for and amendments to online bookings
  • To send you an invoice after your visit
  • To adapt your visit to the individual needs of your group e.g. hearing/visual impairments, and/ or to meet requirements for wheelchairs/scooters

Discovery Box Loans

  • To identify and deliver in person the Loan Box you are borrowing
  • To resolve your queries before, during and after the loan period
  • To administer refunds/cancellation
How the law allows us to use your information?

We collect and process your personal information to provide, deliver, administer and manage our Learning and Engagement Programme services and support to you. 

The processing is necessary for a contract that you have with us or because you have asked us to take specific steps. For example, you enter into a contract with us when you make a booking for a service provided by STEAM Learning and Engagement (by email).

Who do we share your information with?

Your data may be shared internally for the purpose of delivering and managing our Learning and Engagement Programme services to you. This includes staff at STEAM – Museum of the GWR. Your data may also be shared within Swindon Borough Council, who have access to our IT networks and systems.

In addition, we also use some third party providers to help deliver our services to you, who collect the data directly from you (as a data controller) and then share it with us.

Our EPOS system stores personal information. The provider of our EPOS system (Merac) has access to the stored information in order to provide ongoing technical support to us for the system. It is part of our contract with Merac that the organisation complies with data protection legislation.

We will not share your data with any other third parties without ensuring that you are advised through changes to this Privacy Notice.

How do we protect your information?

We will do what we can to make sure we hold records about you (on paper and electronically) in a secure way. We have internal policies and controls in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal information to those employees and third parties (named above) who have a business need to know when providing services to STEAM – Museum of the GWR.

All third party processors will only process your information on our instructions and in accordance with obligations under the DPA 2018.

Your personal data will be stored in a range of different places, including on the back office till system of our EPOS system (Merac), and on other IT systems (including databases and email). Any paper based documentation is kept in safe, locked offices and/or filing cabinets with limited access, and is destroyed in confidential waste.

Examples of our security include:

  • controlling access to systems (e.g. Merac), locations (for example,. safe, office spaces & filing cabinets), and IT networks and systems, allows us to stop people who are not allowed to view your personal information from getting access to it
  • training for our staff which allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • use of encryption and passwords where appropriate
How long do we keep your personal information?

Payment information:

All information relating to financial transactions is held for up to 7 years in line with Swindon Borough Council’s Retention Policy.

This includes but is not limited to:

  • the payee name and sort code of cheques, banking slips, and credit/debit card merchant receipts (for Learning and Engagement Programme services sales in person/ by post)
  • invoices

Other personal information for example, details of who we provided our Learning and Engagement Programme services to. This is held for up to 7 years in line with the associated financial transaction.

This includes but is not limited to:

  • details stored on our EPOS system (Merac)
  • booking forms
What you can do with your information?

The law gives you a number of rights to control what personal information is used by us and how it is used by us.

  • You can ask for access to the information we hold on you
  • You can ask to change information you think is inaccurate
  • You can ask to delete information (right to be forgotten)
  • You can ask us to limit what we use your personal data for
  • You can ask to have your information moved to another provider (data portability)

Should you wish to exercise any of your rights, you should contact our Data Protection Officer at

Your right to complain

If you believe that the Council has not complied with your data protection rights, you should write to the Data Protection Officer and clearly outline your case. Your complaint will then be investigated in accordance with our customer complaint procedure.

If you remain dissatisfied with the way your personal data has been handled, you have the right to complain to the Information Commissioner’s Office at You may refer the matter to the Information Commissioner’s Office whose contact details are below:

Information Commissioner’s Office
Wycliffe House
Water Lane


What if you do not provide personal data?

You are under no statutory obligation to provide personal data to Swindon Borough Council when purchasing tickets or retail products from STEAM. However, if you do not provide the data, we may be unable to provide our service to you properly or at all.

How will we ensure compliance?

A yearly audit will take place on personal data to ensure we remain legally compliant in accordance with current data protection legislation.

Main privacy notice

You are viewing the Privacy Notice for STEAM – learning and engagement programme and bookings.

Read the main Privacy Notice