Privacy and Trust in Canadian Museums
Museums are more than institutions. They’re trusted spaces. Studies of GLAMs (galleries, libraries, archives, museums) have shown that for every dollar invested in Canada’s non-profit cultural sector, society gets nearly four dollars back. That kind of return comes from public goodwill. Taking care of personal data is one way museums can help protect that trust.

Museums hold artefacts, but they also hold personal information about visitors, donors, members and staff. That comes with a responsibility not only to collect, use and share it appropriately, but also to protect it. Cyber incidents are on the rise and museums are not immune.

  • In 2024, the Walters Art Museum in Baltimore reported a breach that exposed highly sensitive personal information for thousands, including Social Security numbers and bank account details.

  • In 2023, Germany’s Museum für Naturkunde confirmed that a cyber-attack led to stolen personal data being publicly leaked.

  • Even the National Gallery of Canada was hit by ransomware in 2023. Ticketing and membership systems went offline, though there is no indication that personal information was affected.
Canadian museums have so far largely escaped scrutiny from privacy regulators, even when incidents occur. That’s a signal that trust is intact. The goal? Keep it that way. Here are 12 areas for museums to think about in terms of privacy protection.

  1. Cybersecurity to protect personal data: Cyberattacks are increasingly common. Best practices in 2025 include keeping systems updated, using endpoint protection, running regular vulnerability scans, segmenting networks and requiring multi-factor authentication. These measures reduce the risk of breaches.

  2. Know your data: Create an inventory of the personal information the museum holds. Record what it is, why it was collected, who uses it and how it is stored. Review this regularly with departments so you can identify unnecessary data and minimize collection creep.

  3. Limit to what is necessary: Collect only the personal information that is essential for the museum’s purpose and explain why it is needed at the point of collection. Take steps to prevent people from oversharing when they interact with your museum, such as by designing forms with only the fields you require.

  4. Ticketing and membership systems: Choose systems that support data minimization, encryption, audit trails and strong access controls. Make sure accounts can be quickly disabled when staff or volunteers leave.

  5. Donor management: Donor records often contain sensitive details. Limit access, anonymize data when analyzing trends and review permissions often to make sure only the right people can see donor information.

  6. Transparency in privacy practices: Your privacy notice should explain all the ways your museum collects, uses and shares personal information. It should not be limited to website practices. At every point of collection, be clear with people about what is being collected and why.

  7. Procurement and RFPs: You remain accountable for personal information vendors handle on your behalf. So when you acquire new tools or systems, include privacy requirements from the start. Specify in your RFPs and then in your contracts that vendors must meet the same privacy and security standards as your museum, notify you promptly about any breach, use the data only for the agreed purpose and delete or return the data once the service ends.

  8. Retention and secure disposal: Set retention schedules for personal information. When information is no longer needed, securely dispose of it; if you intend to keep it for research, anonymize it properly so it cannot be re-identified. This helps prevent accidental exposure later.

  9. Visitor imagery, video and surveillance: Where video or photography is used, it needs to be justified and appropriate. Follow best practices such as having a written policy, limiting camera placement, restricting access to recordings, setting retention periods and posting visible signs to inform visitors.

  10. Access and correction rights: People have the right to see and correct their personal information. Museums should have a process for responding quickly and accurately to requests, including requests about donor and member information and about people’s images captured on video.

  11. E-marketing and CASL compliance: Only send promotional emails if you have consent, and keep up-to-date records of the consents given. Every message must clearly identify the museum and include a simple unsubscribe option.

  12. Artefacts that contain personal information: Museum artefacts often contain personal information. If the people concerned are living or only recently deceased, consider limiting access, redacting details or seeking consent from families. Indigenous or community-related materials should involve consultation. Even when privacy rights have lapsed, sensitivity to families and cultural context remains important. The aim is to share responsibly, supporting transparency and learning, while showing respect for those represented.
The bottom line: Museums are trusted in a way few organizations are, but that trust can be fragile. Good privacy practices are one of the ways you can work to protect it.