top of page

Document Control

1. The content of this document is derived from the EU General Data Protection Regulations (GDPR) and any changes to these Regulations will incorporated into this Policy. Otherwise the Policy is to be reviewed annually or on any significant change to security or working practices

Policy Purpose

2. The purpose of the Military Intelligence Museum (MIM) Privacy Policy is to ensure that all people we deal with, either as prospective customers, customers, suppliers or employees, are made fully aware of the museum’s commitment to fulfil its legal obligations under the GDPR legislation that is relevant to the museum and the services it provides.


3. Published on the website. Available by request - use the Contact Us page for details.

The Policy

4. The 2018 General Data Protection Regulations (GDPR) require all companies (including the MIM) to treat personal information collected or handled securely and to maintain accurate records as to how this information is collected, stored, used and destroyed.

5. The MIM recognises that your privacy is important. This policy applies to our website, our use of emails and text messages, our social media presence and any other methods we use for collecting information. It covers what we collect and why, what we do with the information, what we won’t do with the information, and what rights you have.

6. MIM will comply in full with GDPR which requires that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to individuals;

  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

How We Collect Personal Information

7. The MIM collects personal information via the following means:

  • During the arrangement of visits to the museum via telephone, letter, text, email or use of the on-line enquiry form.

  • During the making of enquiries via telephone, letter, text, email or use of the on-line enquiry form.

  • During the taking of orders for the Intelligence Corps Association (ICA) shop.

  • General Anonymous Browsing Data (Google Analytics)

The Type of Personal Information We Collect

8. Visits

  • The museum is situated on a working MOD base and is entirely reliant on the site granting access to visitors. It is a security requirement that identification data is collected prior to all visits and shared by the museum with the MOD guard staff and site security managers. Visits can not be authorised unless this requirement is met.

  • For visits to the museum, the information collected includes:

    • Name, photographic ID details (Passport / Drivers’ Licence / other), email address, telephone number.

    • Also collected will be details of any vehicles needing to enter the base, by manufacturer, model, colour and registration number.

  • Visitors may be required to complete a visitor form detailing the required information. This form contains a space for visitors to indicate that they agree to their personal information being shared with the museum staff and guides (names only), the MOD guard and security managers.

  • In the case of group visits, the museum has no means to contact every member of the group to obtain consent so it will be the responsibility of the visiting group leader to explain the need to share the collected information as described above and then to indicate on the form that they have done so or otherwise during telephone contact.

9. Enquiries

  • In order for us to respond to enquiries, the following information will be collected:

    • Name, email address, telephone number, details of the enquiry (which may include family / genealogical information etc). Other items of personal information, such as addresses, may be collected if they are necessary to process an enquiry.

  • It is possible that an enquiry will need to be passed to MIM volunteers (Senior Researcher) or the Medmenham Collection researcher and in this case enquirers will be asked for their consent for their personal information to be passed on with the enquiry if it is considered necessary for the enquiry to be answered. Enquiries will not be passed beyond this limited group without the express permission of the enquirer.

10. ICA Shop

  • Purchases made through the ICA shop, either on-line or by telephone call, will require the following personal information to be collected.

    • Name, address, email address, telephone number, card details (telephone only).

How We Use Personal Information

11. The MIM employs a “need to know” policy of sharing information between its employees, agents or subcontractors and will only disclose sufficient information to allow our employees, agents or subcontractors to complete their objectives and as such these parties will be obligated to use that personal information in accordance with the terms of this privacy statement.

12. In addition to the uses described above, the MIM may disclose your personal information to the extent that it is required to do so by law, in connection with any legal proceedings or prospective legal proceedings, and in order to establish, exercise or defend its legal rights. Such information is also necessary for charity financial records, such as for Gift Aid donations. In these cases, personal data will be retained in accordance with the legal requirements of the process in question.

How we ensure your personal information is kept secure

13. The MIM will take all reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.

What we will do in the event of data being compromised

14. If in any event we become aware of, or are informed that data has been compromised, lost or stolen we will immediately inform all interested parties and take immediate action to mitigate the compromise.

Our lawful basis for processing this data

15. If the personal information has been collected by the MIM we will ensure that we have your permission to use the data necessary for the fulfilment of services provided.

16. If the personal information is transferred to MIM for the purposes of fulfilling a service we will obtain a statement from the transferee that they have the consent of all personnel to which the information refers before entering into a contract.

Data Retention

17. Visits

All information excepting Postcode data will be destroyed by the museum staff within 24 hrs following the conclusion of the visit. Postcode data will be retained to enable visitor demographics to be studied. The retained data will not allow ‘reverse identification’ of any visitors.

18. Enquiries

Enquiry data is retained for a period of 2 years in order to support any follow-up enquiries that may be made. It will then be destroyed.

19. ICA Shop

All ICA shop order data received from ICA will be retained for 30 days to ensure completion of postal delivery. It will then be destroyed.

Data transferred to the MIM

20. All data transferred to us by third parties (for example, ICA shop orders) will be stored in a secure area.

21. It will be held there until either the data is no longer required or the transferee has requested us to destroy the data.

Your rights

22. Anyone whose personal data is collected by the MIM has the following rights:

  • The right to be informed of the data being held

  • The right of access to the information being held – see subject data access request below

  • The right to rectification of any errors in the information being held

  • The right to obtain copy of the information being held

  • The right to have the information destroyed

  • The right to be forgotten

  • The right to restrict the use of the information.

Subject data Access Request

23. Any person may request access to and knowledge of any data held about them by the MIM. This request can be made to the museum by any means, letter, email or telephone call. Requests will be actioned within the regulation timescale which will commence as soon as positive identification of the person making the request is confirmed. The museum can not allow access to data records unless the person about whom the data is held positively identifies themselves.

Updating this statement.

24. The MIM may update this privacy policy from time to time and will ensure that the latest version is held on our web site at

25. You should check this page occasionally to ensure that you are familiar with any changes.

Cookie Policy

26. All Cookies used by this Website are used in accordance with current UK and EU Cookie Law.

27. The MIM website does not capture or store personal information, but merely logs the user's IP address which is automatically recognised by the web server. This is used to record the number of visitors to our site.

28. When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example your computer or mobile phone. These include small files known as “cookies”. They cannot be used to identify you personally.

29. These pieces of information are used to improve our services for you by, for example:

  • enabling a service to recognise your device so you don't have to give the same information several times during one task

  • recognising that you may already have given a username and password to enter a protected part of the site, so you don't need to enter this for every web page requested

  • measuring how many people are using services, so they can be made easier to use and there's enough capacity to ensure they are fast

Our use of cookies

30. Google Analytics sets cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This to ensure that the service is available when you want it and fast.

31. Before the Website places Cookies on your computer, you will be presented with a message bar requesting your consent to set those Cookies. By giving your consent to the placing of Cookies, you are enabling the MIM to provide a better experience and service to you.

32. You may, if you wish, deny consent to the placing of Cookies; however, certain features of the Website may not function fully or as intended.

Contacting the MIM

33. If you have any questions about this privacy policy or personal information that the MIM holds please direct your enquiries as follows:

By email to

Making a complaint

34. If you have a concern about how the MIM fulfils its obligations under the GDPR, you should report it to the Information Commissioners’ Office (ICO) either by emailing or by accessing their web site at htttp://

The Freedom of Information Act

35. The MIM is a Charitable Trust and not a ‘public authority’ as defined under the Freedom of Information Act and therefore we will not respond to requests for information made under this Act; using the funds generously donated to us by our supporters for such activities is not in accordance with our charitable purposes.


36. Whilst the MIM will do everything in its power to ensure the security of data transmitted over the internet, we cannot guarantee that data will not be lost, corrupted, misused or altered whilst in transit over internet systems that are not controlled by the MIM. In these cases, responsibility for any loss, corruption, misused or altered will rest with the internet service on which the data is transferred.

bottom of page