Privacy Policy

1. General

Preservation of your privacy is important to the Norfolk Archives and Heritage Development Foundation (‘NORAH’) and we are committed to letting you know how we use your personal information and to making only responsible use of your data. Under data protection legislation, including the General Data Protection Regulation, we have a legal duty to protect any information we collect from you.

NORAH is a charity registered in England and Wales, registered charity number: 1167279 and is Data Controller for all of the data it collects during its day-to-day activities.

NORAH has contracted the Norfolk Record Office (‘NRO’) to process personal data on its behalf in accordance with the General Data Protection Regulation and UK data protection legislation. It will not be used by the NRO for any of their administrative purposes. NORAH has contracted other agencies to process data on its behalf. In each case, a contract exists between NORAH and the data processor in accordance with the General Data Protection Regulation. The agencies concerned are Tsohost which is used by NORAH to host its website and BT MyDonate which is used by NORAH to collect donations and process Gift Aid.

Any queries regarding NORAH’s handling of personal data, including subject access requests, should be directed to Mr Gary Tuson, Authorised Official of NORAH, The Archive Centre, Martineau Lane, Norwich, NR1 2DQ.


2. NORAH’s Mailing List

NORAH maintains a mailing list for the purpose of fundraising and promoting its interests. NORAH uses the mailing list to tell people about its activities, including fundraising campaigns. NORAH will only add someone to the mailing list if that person has agreed. The personal data processed for this purpose is name, contact details and location. NORAH’s legal basis for adding someone to its mailing list is therefore consent. An individual can withdraw their consent at any time without detriment. NORAH will not share an individual’s details with anyone else, without first getting that individual’s permission.


3. When Else Do We Collect Personal Information

There are occasions when NORAH processes personal information. It processes information relating to its trustees and authorised officers in order to operate as a charity. The legal basis for doing so is legal obligation under charity and fiscal legislation, except in the case of a trustees’ or authorised officers’ financial information, for which the legal basis is legitimate interest. Name, contact details and financial information of trustees and authorised officers may be passed to HM Revenue and Customs and The Charity Commission of England and Wales. Correspondence with donors as well as advisers and representatives of other organisations, which contain names and contact details, is processed on the basis of legitimate interest. Payment details of customers and donors are processed on the basis of legal obligation and in the case of donors, details may be passed to HM Revenue and Customs. Name and contact details of customers are processed on the legal basis of contract.

Records relating to the successful appointment of trustees are retained for six years after an individual stops acting as a trustee.

NORAH retains records containing personal information for various durations. Trustee declarations are kept for four years after the year when that individual stops acting as a trustee. Personal information relating to unsuccessful applicants for the post of trustee are retained for one year after their application. Finance records are kept for seven years. Administrative records are kept for four years after the year in which they were received or created, the exception being Invitation lists for events which are retained for three months after the event. Records retained for the legal purpose of contract are retained for a maximum of six months after the end of the customer relationship. Evidence of an individual’s consent to join NORAH’s mailing list is destroyed when they are removed from the mailing list.

Under Article 89 of the GDPR and the provisions of the Data Protection Act 2018, NORAH will retain the register of trustees and trustee meeting minutes on a permanent basis for archiving purposes in the public interest.


4. Security

We take all reasonable precautions to prevent the loss, misuse or alteration of information you give us. NORAH uses MailChimp to distribute emails to people on its mailing list. MailChimp is an American company, and consequently, data is held on secure servers in the United States as well as secure servers in the United Kingdom. Any physical records which contain personal information are kept in a secure office environment and then in locked cabinets.


5. Website

NORAH uses Secure Socket Layer (SSL) encryption technology whenever personal information is entered on the NORAH website, such as booking a talk. Where NORAH uses data processors, via its website, namely MailChimp and BT MyDonate, these agencies use encryption technology to protect personal data.

NORAH uses cookies on its website. A cookie is a text file sent to your browser and stored there. This enables the web server to recognise your computer when you revisit our website. We use cookies for things like collecting website usage data (via Google Analytics) which helps us to display more relevant content. Our website content management system, WordPress, also uses cookies for various purposes including authentication when users log on to the site or when someone leaves a comment. Similarly, MailChimp, which we use to deliver email marketing, uses cookies in order to help us send relevant content. Most browsers allow you to refuse to accept cookies. More information about cookies, including how to block them or delete them, can be found at


6. Version Control

This document was revised on 30 May 2018 (version 3.0).