
Responsible data management: keeping your Museum on the right side of the law and ethical considerations

In any cultural establishment, the collection of data must remain responsible and consensual at all times

We’re all aware of the importance of data protection when it comes to the management of any business, and that includes the running of museums and other cultural venues. Museum leaders must continually ask themselves what ethical considerations are involved in managing, storing and using data in order to stay within guidelines and ensure they are practising responsible data handling.

But it’s understandable for GDPR and data management to feel like a minefield. A long-term plan is vital in order to counteract the volatile nature of cybersecurity and data usage, ensuring that the storage and processing of data remains in line with the General Data Protection Regulation. This should involve working with IT departments and infosec experts to ensure the right policies are put in place.

But what are the consequences of irresponsible data management, and what does an ethical data management plan look like for cultural organisations?

Museums and their GDPR obligations

There are many reasons why museums might collect the data of their visitors and online audience, from newsletter mailing and fundraising appeals, to volunteer management, gift aid and events. However, GDPR guidelines state that “personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).”

This means museums, like other organisations, have a duty to only collect data which is useful, and avoid storing extraneous information. What’s more, data should only be kept for as long as it is required.

GDPR requires museums to practise good security measures both in terms of physical documentation and digital information – supported by clear, constructive policies and procedures. It also reminds museums that everyone has the right to request access to the data held at any time, so it must be stored securely and clearly.

Data is only as secure as its collection points. These differ from organisation to organisation, but some of the most common options are:

  • Reception desks
  • Friends groups
  • Online donations
  • Newsletter sign ups
  • Commercial hire
  • Retail
  • Events
  • Volunteer management systems
  • Gift Aid data

Organisations of all kinds must be consistent and ethical in their approach to gaining consent, aligning processes across the venue’s physical and digital spaces to ensure best practice throughout.

The consequences of bad data management can be catastrophic

Gone are the days when cybersecurity felt like an abstract concept. Organisations across all industries, including arts and culture, are feeling the pressure to bolster their data protection efforts, as even the biggest museum names fall victim to breaches and hacks.

Back in 2016, New York’s American Museum of Natural History was one such victim, losing almost $3 million in a phishing scandal, which started with a single employee believing a scam email was genuine. Likewise, in 2015, an entire program’s worth of data at Nature Conservancy Australia became encrypted after a member of staff was fooled into clicking a single link.

Meanwhile, in 2019, four of London’s major tourist attractions were targeted by hackers. As a consequence of this, the Natural History Museum, the Imperial War Museum, Kew Gardens and the Tate recorded tens of millions of attacks between them.

What does a data management plan look like?

Before a plan can be created, a data security audit is often advised in order to clarify the journey data takes from visitor to storage. This can highlight any weak spots or areas of concern, while also getting everyone up to speed on the way data management does and should work within the museum space. Common risk points could be forms left unsupervised on the welcome desk, or data spreadsheets being accessible to every member of staff, despite only being used by upper management.

Only when museums have a clear idea of where they currently stand in terms of data protection can they take the steps required to improve their position. This may involve working collaboratively with IT departments and outsourced infosec experts to put together a realistic plan to keep the venue in line with GDPR, as well as investing in the necessary infrastructures for protection and prevention, creating a privacy policy and ensuring all members of staff are on the same page when it comes to data management.

About the author – Tim Deakin

Tim Deakin is a journalist and editorial consultant working with a broad range of online publications.
