Privacy Policy for IOLM

The Institute of Our Lady of Mercy
Protecting your privacy

1. Introduction
The Institute of Our Lady of Mercy is committed to protecting the privacy and security of personal data.
This Privacy Notice explains the types of personal data we may collect about you when you interact with us. It also explains how we store and handle that data and keep it safe.
“Personal data” is information relating to you as a living, identifiable individual.
“Processing” your data includes various operations that may be carried out on your data, including collecting, recording, organising, using, disclosing, storing and deleting it.
The law requires us:
• To process your data in a lawful, fair and transparent way;
• To only collect your data for explicit and legitimate purposes;
• To only collect data that is relevant, and limited to the purpose(s) we have told you about;
• To ensure that your data is accurate and up to date;
• To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
• To ensure that appropriate security measures are used to protect your data.
The following sections will answer any questions you have but if not, please contact us. Contact details are shown below.
It is likely that we will need to update this Privacy Notice from time to time, and you are welcome to come back and check this at any time or contact us by any of the means shown below.

2. What is The Institute of Our Lady of Mercy?
The Institute of Our Lady of Mercy is an Order of Roman Catholic Sisters of Mercy (the Congregation). It is one of three strands of the Mercy family in Great Britain, stemming from the first foundation of Catherine McAuley. It was formed from the union of twenty autonomous Congregations and was formally recognised by the Vatican as a Religious Congregation of Pontifical
Rights in November 1983. The Charity is registered with the Charity Commission with registered number 290544.

3. Explaining the legal bases we rely on
The law on data protection sets out a number of different reasons or conditions for which an organisation may collect and process your personal data. When collecting your personal data, we will always make clear to you which data is necessary for each purpose or type of data. Most commonly, we will process your data on the following lawful grounds:
Consent
In specific situations, we can collect and process your data with your consent.
This may include when you agree to receive an email about ways you can support us or to receive information about The Institute of Our Lady of Mercy or our facilities. When you make an enquiry, we may collect your implied consent to enable us to send information you have requested.
Contractual obligations;
In certain circumstances, we need your personal data to comply with our contractual obligations.
Legal compliance;
If the law requires it, we may need to collect and process your data.
This will include sharing with law enforcement agencies details of people involved in fraud or other criminal activity affecting The Institute of Our Lady of Mercy.
Legitimate interest
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected when we pursue our aims and objectives as an organisation, and which does not materially impact your rights, freedom or interests.
The work of the Sisters of Mercy in relieving poverty, nursing the sick and advancing education and religious studies is today still inspired by the Foundress, Catherine McAuley. Under the direction of the Institute’s Trustees this work is carried on by individual Sisters acting within parish communities, in schools, care homes and in the wider community.
We may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. In a small number of cases where other lawful bases do not apply, we will process your data on the basis of your consent. If you are aged under 16, we may ask your parent or guardian for their consent also.
Special category data
“Special categories” of particularly sensitive personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. We aim to collect and process special category data as little as possible. The Institute of Our Lady of Mercy will document all incidents of its processing of special category data in our Information Asset Register and will be preparing a separate document itemising all of these, with reasons, having conducted assessment on each occasion.
Special Categories of personal data consist of data revealing:
• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership.
They also consist of the processing of:
• genetic data;
• biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;
• data concerning health;
• data concerning someone’s sex life or sexual orientation.
We may process special categories of personal data in the following circumstances:
• With your explicit written consent; or
• Where it is necessary in the substantial public interest, and further conditions are met;
• Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards for your fundamental rights and interests specified in law;
• Where there is a legal obligation.
Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “special categories” referred to above.

4. When we collect your personal data:
These occasions will include, but are not limited to:
• When you are a student at a school managed by The Institute of Our Lady of Mercy;
• When you apply for a job at The Institute of Our Lady of Mercy or request information;
• When you are a supporter of The Institute of Our Lady of Mercy;
• When you are a staff member of The Institute of Our Lady of Mercy;
• When you are employed by The Institute of Our Lady of Mercy as a contractor;
• When you visit The Institute of Our Lady of Mercy as a guest of an event or a student;
• When you are a tenant of The Institute of Our Lady of Mercy;
• When you communicate or engage with The Institute of Our Lady of Mercy by letter, email or other means, including social media;
• When your image or vehicle number plate is recorded on our CCTV system; and
• When you access or engage with our website.

5. How and why we collect your personal data
The Institute of Our Lady of Mercy collects personal data in order to manage its functions across its many activities and locations. The data collection could be in electronic or paper format.
When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience. We may use technology such as cookies to help us deliver relevant and interesting content in our communications in the future. We may profile you to find out more about you but in the least intrusive way. We may use information we collect to display the most interesting content to you on our website. We may use data we hold about your previous visits.
We may also collect your social media username if you interact with us through those channels in order to help us respond to your comments, questions and feedback. The data privacy law allows this as part of our legitimate interest in understanding our audience.
For your security, we use all appropriate organisational and technical security controls to safeguard your data.
When we interact with you, we may also collect notes from our conversations with you, and details of any complaints or comments you make. We may record your age or identity where the law requires this.
We will only ask for and use your personal data collected for the purpose stated at the point at which it is collected. If we believe your data is no longer needed for this purpose, we will not process your data further.

6. Personal Data we process on staff / through the recruitment process
We collect personal data on our employees as part of the administration, management and promotion of our business activities.
Our staff handbook explains further how personal data is held for our staff and partners.
Where an individual is applying to work for the Institute, personal data is collected through the application process. Data is often collected through CVs being submitted or emailed to us.
There are several purposes that personal data for applicants are collected.
 Employment. We process an applicant’s personal data in order to assess their potential employment at the Institute.
 Administration and management. We may also use this personal data in order to make informed management decisions and for administration purposes.
Personal data collected for applicants is held for as long as necessary in order to fulfil the purpose for which it was collected, or for a maximum of two years where those purposes no longer become necessary.

7. What are your rights over your personal data?
You have the right of access to the personal information we may hold about you. This is free of charge and will be supplied to you within one month of your request.
You may object to our processing of your personal information.
If you have given consent for The Institute of Our Lady of Mercy to collect and process your personal data, you have the right to change your mind at any time and to withdraw that consent.
You have the right to challenge automated decisions we make about you. You may ask for these to be assessed by contacting The Institute of Our Lady of Mercy.
You have the right to request a copy of any information about you that The Institute of Our Lady of Mercy may hold at any time to check whether it is accurate. To ask for that information, please contact us.
To protect the confidentiality of your information and the interests of The Institute of Our Lady of Mercy, we will ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.
We may send you relevant and personalised communications by post. We will do this on the basis of our legitimate interest but only after certain risk assessments have been undertaken. You are free to opt out of hearing from us by any channels at any time.
Sometimes we are required to inform you about certain changes, including updates to this Privacy Notice and where we have a legal obligation such as a duty of care or safeguarding. These administrative messages will not include any fundraising or marketing content and do not require prior consent when sent by email. This ensures that we are compliant with our legal obligations.
We may use your data to send you a survey and feedback requests to help improve the way we communicate. These messages will not include any fundraising requests or marketing and do not require prior consent when sent by email. We have a legitimate interest to do so as this helps improve our services and make them more relevant to you. Of course, you are free to opt out of receiving any of these communications.

8. Data retention
Whenever we collect or process your personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. The Information Asset Register includes retention periods and this Register will indicate the types of data which are archived for historical or statistical purposes. Annual reviews will ensure that retention schedules are followed. At the end of the retention period, your data will either be deleted completely, put beyond use or anonymised. In some cases, personal data will be kept in perpetuity.

9. Protecting your data outside the EEA;
Occasionally we will need to share your personal data with third parties and suppliers outside the European Economic Area (EEA). The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
We may transfer personal data that we collect from you to third-party data processors in countries that are outside the EEA, such as the USA. For example, this might be required when we store data in a Cloud Service. If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA, and we will treat the information under the guiding principles of this Privacy Notice.

10. Stopping us from using your data in the future
You can stop communications from The Institute of Our Lady of Mercy by contacting us using the information below.
Remember, some administrative communications cannot be stopped.

11. How to complain about our processing of your data
If you feel that your data has been handled incorrectly, or you are unhappy with the way we have dealt with your query regarding the way we use your personal data, you have the right to complain to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK.
You can call them on 0303 123 1113 or go online to www.ico.org.uk/concerns
If you are based outside the UK, you have the right to complain to the relevant data protection supervisory authority in your country.
If you would like to discuss any aspect of this policy or the way The Institute of Our Lady of Mercy processes your information, please contact;
The Data Protection Officer; dataprotection@iolmercy.org.uk
By Post – The Institute of Our Lady of Mercy, 23 Cemetery Road, Yeadon, Leeds, LS19 7UR
By Email – dataprotection@iolmercy.org.uk
By Telephone – 0113 250 0253