Aims of Policy
This policy contains important information about who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and how to contact us and supervisory authorities, in the event of your having a complaint.
The Polish Institute and Sikorski Museum (PISM) needs to keep certain information on its members, employees, volunteers, benefactors, service users / customers and trustees, to carry out its day to day operations, to meet its objectives and to comply with legal obligations.
PISM is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998 and the 2018 General Data Protection Regulation (GDPR) requirements. To comply with the law, personal information will be collected and used fairly, stored safely for as long as required and not disclosed to any other person unlawfully.
PISM, as mentioned above, will only collect such necessary personal data as to enable it to function.
Using the supplied information PISM may, from time to time, send emails, post or in other ways, contact the person whose data it holds. However, the person always has the right to say no or opt-out. PISM will never sell or give away any personal information to any third party.
This policy ensures that:
1. Everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures.
2. To make it clear to all concerned what type of information PISM retains, how it will be used and what rights to information the giver has.
3. It also highlights key data protection procedures within the organisation.
This policy covers volunteers, employed staff, trustees, customers and visitors.
Any questions should be referred to the Chairman or in his absence, any of the other Trustees.
Who are we?
PISM is a Company Limited by Guarantee, Registered in England, number 401816 and a registered charity number 312168. Our Registered Office is at 20 Prince’s Gate, London, SW7 1PT.
We have existed since 1945 and some of our main purposes are:
• To serve as a national, intellectual and cultural centre of the Polish Community in the United Kingdom.
• To maintain, in a spirit of academic freedom, intellectual co-operation and cultural exchanges between the people of Poland and of Great Britain…..
• To collect and keep in safe custody all available documentation pertaining to the participation and contribution of Poland and the Polish Armed Forces in the Second World War…..
• To collect and preserve the colours and relics of the Polish Armed Forces and the Polish Home Army and to collect and preserve any other objects, testimonials and records relating to the struggle of the Polish nation for independence.
• To establish contacts with British institutions working in the same field, and to contribute by lecture, publications, courses and all other appropriate means to the exchange of ideas and information between persons of British and Polish nationality.
Reasons why we can collect and how we use your personal information
We rely on the ‘legitimate interests’ test under Article 6(1)(f) of the GDPR as the lawful basis on which we collect and use your personal data. Our legitimate interests are that the personal data collected from you, is necessary to enable us to efficiently function. We use your personal information to, amongst others:
• Inform you of events of potential interest to you
• Inform you of other ways in which you may wish to show your support for the Charitable purposes of the Polish Institute and Sikorski Museum
• Keep records of any donations that you have made (both financial and in terms of exhibits)
• Keep records of any projects that you are completing which are using our material
• Keep records of any of our materials which you have used and any charges that you have paid
• Keep employee records to enable us to function as a responsible employer
• To inform you, as a supporter / customer / visitor, of activities relating to PISM
Types of Personal information collected by us
We collect and process the following types of personal information (this is not an exhaustive list):
Title and /or Rank
Honours / Decorations
Telephone number (residential and/or mobile)
Details of our material accessed by you
Bank / credit / debit card details
• Information on applicants for vacancies, including, inter alia, contact details, date of birth, gender, references, medical / health requirements, education and qualifications, details of previous employers, driving licence, criminal convictions etc.
• Employee information – as above plus – bank account details, national insurance and payroll information, pension details, expenses, supervision and appraisal notes, records of leave taken, check in and check out times, disciplinary record, courses, training, events attended, details of motor vehicles used or owned (including details of insurance and MOTs) and any other records to enable PISM to function as an employer etc.
• Volunteers / Trustees – as above
• Members – contact details, bank details, criminal convictions (full members).
• Users / customers – including inter alia contact details, date of birth, gender, references, details of person and or organization introducing, project undertaken, material used, fees paid, bank details etc.
• Benefactors – contact details, gift aid declarations, bank details etc.
• Any requirements relating to PISM’s obligation to make reasonable adjustments to accommodate a disability or otherwise meet specific needs
How Does PISM Keep Personal Information Secure
PISM is committed to keeping all personal information and data secure by making sure that it has information security measures in place. It has put in place physical, electronic and operational procedures intended to safeguard and secure all information collected. In general, personal information is kept securely in the following forms, however other forms and measures might also be used when deemed appropriate:
1. Paper – stored in locked cupboards.
2. Computer including any images – password protected.
Only those who need to, will have access to and /or process personal information. This includes Trustees, paid employees and volunteers. However, particular consideration is given to sensitive personal information such as physical or mental health, criminal convictions etc, which will be accessible only to, or with the explicit authority of, the Trustees.
To ensure safety and for the prevention and detection of crime, CCTV is in operation in our premises.
With whom is your personal information shared
PISM will never sell, give away or share any personal information to any third party. In the event of anyone seeking contact with you, their request will be forwarded to you and it will be for you to decide whether or not you wish to respond to them.
However, subject to data protection law, to protect the security and / or integrity of PISM, its staff, members and customers, if we are requested by the police or any other regulatory or government authority investigating suspected illegal activities to provide CCTV images of individuals or any other personal information relating to any individual that we hold we are obliged do so. Equally, to comply with legal requirements we may have to share personal information with the courts and for the administration of justice. Finally, in case of emergency, to protect individuals’ vital interests, personal data may be released to bodies such as the Ambulance Service, Fire Service etc.
How long will your personal information be kept?
Whenever PISM collects or processes personal data, it only keeps it for as long as is necessary for the purpose for which it was collected or the law requires.
Financial records such as bank statements, receipts, bills, invoices, details of remuneration, expenses etc will generally be retained for a period of seven years, after which they will be confidentially destroyed, unless any individual piece of information is deemed important enough to warrant a further seven year retention period, after which it will be subject to a further review.
Once paid staff, volunteers and trustees leave, any details regarding pay, bank account, appraisal, disciplinary and health information will also be retained for a period of seven years after which they will be confidentially destroyed, unless any individual piece of information is deemed important enough to warrant a further seven year retention period, after which it will be subject to a further review.
PISM, being a historical academic institution, will generally retain certain information (such as name, address, images, material used, publications written etc) about staff, volunteers, trustees, benefactors and customers for an indefinite period of time. However, after leaving PISM, staff financial, health etc information will be subject to the seven year retention / review policy as described above.
Under the GDPR you have a number of important rights. In summary, those include rights to:
• Fair processing of information and transparency over how we use your personal information
• Access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address
• Require us to correct any mistakes in your information which we hold
• Require the erasure of personal information concerning you in certain circumstances
• Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit data to a third party in certain circumstances
• Object at any time to processing of personal information concerning you for direct marketing
• Object or restrict, in certain other situations, to our continued processing of your personal information
If you would like to exercise any of these rights, please e-mail, call or write to us at:
Telephone: 0207 589 9249
The Polish Institute and Sikorski Museum
20, Prince’s Gate
To meet its responsibilities all of PISM’s paid staff, volunteers and trustees will:
• Ensure any personal data is collected in a fair and lawful way
• Ensure that any personal data is obtained for a specific and lawful purpose
• Explain why it is needed at the start
• Ensure that only the minimum relevant amount of information needed is collected and used
• Ensure the information used is up to date and accurate
• Review the length of time information is held
• Ensure it is kept safely
• Ensure the rights people have in relation to their personal data can be exercised and be provided with a copy of the information held, if requested
The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. PISM will seek to abide by this code in relation to all the personal data it processes, i.e.
• Accountability: those handling personal data will follow publicised data principles to help gain public trust and will safeguard any personal data obtained.
• Visibility: Data subjects have access to the information about themselves that PISM holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
• Consent: The collection and use of personal data will be fair and lawful and in accordance with the Data Protection legislation protection principles. Personal data will only be collected and used for the purposes agreed by the data subject. PISM will not generally share personal data with third parties. However, other than in the case of sharing with the police or any other regulatory or government authority investigating suspected illegal activities, if it was to be shared with any other third party or used for another purpose, the data subject’s consent shall be explicitly obtained.
• Access: Everyone has the right to know the roles and groups of people within PISM who have access to their personal data and who has used this data. Except for the potentially rare occasion when access may have to be granted to the police or other government authority, only PISM volunteers, employed staff and trustees will have access to the data.
• Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.
The Trustee Directors will ensure that:
• Everyone managing and handling personal information is trained to do so
• Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do
• Any disclosure of personal data will be in line with our procedures
• Queries about handling personal information will be dealt with swiftly and politely
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
However, if you remain dissatisfied, the GDPR also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone 0303 123 1113.
The Polish Institute and Sikorski Museum
1st January 2022