
Institute of Our Lady of Mercy CIO
Privacy Notice
1 What is the Institute of Our Lady of Mercy?
The Institute of Our Lady of Mercy CIO is an Order of Roman Catholic Sisters of Mercy (the Congregation). We refer to it as the “Institute” in this Privacy Notice. It is one of three strands of the Mercy family in Great Britain, stemming from the first foundation of Catherine McAuley. It was formed from the union of twenty autonomous Congregations and was formally recognised by the Vatican as a Religious Congregation of Pontifical Rights in November 1983.
The work of the Sisters of Mercy in relieving poverty, nursing the sick and advancing education and religious studies is today still inspired by the Foundress, Catherine McAuley. Under the direction of the Institute’s Trustees this work is carried on by individual Sisters acting within parish communities, in schools, care homes and in the wider community.
The Institute is registered as a charity with the Charity Commission with registered charity number 1201690.
The Institute is a “controller” of your personal data (as defined in section 3 below). This means that the Institute is responsible for handling and using your personal data in a way which complies with applicable data protection law.
This Privacy Notice sets out why and how the Institute uses your personal data and provides information about your related rights and options.
2 How to contact us
You may contact us using any of the following methods:
By post: Data Protection Officer
23 Cemetery Rd
Yeadon
Leeds
LS19 7UR
By phone: 020 4582 1982 (DPO)
By email: dataprotection@iolmercy.org.uk
3 What types of information do we collect from you?
Personal data
“Personal data” means information relating to you that allows us to identify you either directly, or in combination with other information we hold or may be able to obtain.
Special Categories of Personal Data
Certain types of personal data are given extra protection under data protection law, on the basis that they are innately more sensitive and private and that the consequences of misuse may be more severe.
The UK GDPR defines special categories of personal data as information about a person’s race and ethnicity, religious or philosophical beliefs, trade union memberships, political opinions, genetic data, biometric and health data, and information concerning a natural person’s sex life or sexual orientation.
Criminal Offence data
Criminal offence data is data relating to criminal convictions and allegations of criminal activity. This includes information disclosed by the Disclosure and Barring Service under the Government’s employment vetting scheme.
We hope that the following sections will answer any questions you have but if not, please contact us. Contact details are shown above.
4 What personal data do we collect and use?
The personal data which we hold on you depends on the nature of our relationship with you and the types of personal data which you or others provide. In overview (and non-exhaustively), we collect the following types of personal data:
- names and contact details
- images (such as photographs and video obtained from our CCTV system)
- correspondence between us (such as emails, meeting notes, and emergency contact information)
- financial information (such as National Insurance number, bank account details, payroll records and tax status information, salary, annual leave, pension and benefits information)
- support contact details (such as contact details for your close relatives, next of kin, representatives and emergency contact information)
- biographical and social information (such as your opinion, interests and lifestyle, social circumstances, hobbies and interests, and any other personal information that you choose to provide)
- recruitment information (such as references and other information included in a CV or cover letter or as part of the application process)
- marketing and communications data (includes your preferences in receiving information from us about upcoming events)
- staff details relevant to their employment status with us
- use of social media relating to the Institute of Our Lady of Mercy
- records of donations
- records of volunteering;
- information about our relationship with you, correspondence, meeting notes, attendance at events, details of access to our databases etc.
- occupation, skills and professional activity, network(s) and interests where relevant to our needs;
Where you are resident in one of our residential care homes or receiving care services
- Personal details including your title, full name, maiden name, marital status, date of birth, gender, contact details including address (billing address or correspondence address), telephone numbers, email addresses, contact details for next of kin, your GP and other allied health professionals.
- Financial information including bank account information to enable payment of services.
- Transaction data including details of payments from you for the services we have provided.
- Information about your life, including social history, health and wellbeing, treatment, and care. This may also include information about your marital status, ethnicity and sexual orientation and details of medical treatments.
- Notes and reports about your health and care provision including case assessments and medication provided.
- Compliments, complaints, accidents, and incidents information.
- Contributions to resident questionnaires and surveys.
- Your vaccination status including the vaccination dates and vaccine name.
Where you are the relative, next of kin, attorney, or deputy to one of our residents
- Personal details including title, full name, relationship to the resident, contact details including address, telephone numbers, email addresses.
When you visit one of our care homes
- Name of the visitor, purpose of their visit and car registration details if car parking was used.
- Information relating to the prevention and detection of crime and the safety of residents and workers including CCTV recording.
- Transaction details you provide to us for the fulfilment of your orders; and
- Information provided in the surveys we may ask you to complete.
Special categories of personal data:
Non-exhaustively, the Institute may collect and use the following types of special category personal data:
- Information about your religious beliefs (given the nature of the Institute as a religious organisation).
- Information about any medical conditions you may have as may be relevant to the services we provide to you as a care home resident.
- Medical information as relevant to our working relationship with you (for example in case of staff sickness absence management).
- Trade union membership information (to the extent relevant to your working relationship with us).
We may collect and use information about criminal offences (such as information about criminal convictions or allegations) but only where the law permits, for example where we are required by law to carry out pre-employment checks and DBS checks.
5 Where do we get your personal data from?
We collect your personal information from you in the following ways:
- From you directly: This will include any information that you provide us with, for example when you complete a form, make an enquiry via email or telephone or provide information when you visit one of our care homes.
- From you indirectly: For example, information collected from certain third parties such as an employment agency or referrals from professionals that you may be involved with.
We will continue to collect your personal data throughout the period that you are involved with the Institute of Our Lady of Mercy. For example, through our interactions and correspondence, when you share or update your contact details and through your use of our communications and other systems.
6 Why and How do we use your personal data?
We collect personal data in order to manage our functions across our many activities and locations. The way in which we use your personal data will depend on the relationship that you have with the Institute. Generally, your personal data is processed for the following reasons:
- To provide you with the information or services that you have requested
- To improve our communications and make our website better suited to your needs
- To send you relevant and personalised communications
- To make informed management decisions and for administration purposes
- To assess the quality of our services
- To assess enquiries and respond to them in an appropriate manner
- For regulatory record-keeping / compliance purposes
- For legal and regulatory purposes and to comply with our legal obligations and duties of care
More specifically, if your relationship falls within the following categories then your personal data will also be processed for the following reasons:
- Staff (prospective and employed)
  - We collect personal data on our employees as part of the administration, management and promotion of our business activities
  - Where an individual is applying to work for the Institute, personal data is collected through the application process. Data is often collected through the CVs that are submitted to us
  - To assess your suitability for a given role
  - To assist in the running of the Institute of Our Lady of Mercy
  - To administer our working relationship and allow you to carry out the duties of your role
  - To develop and improve our recruitment processes
  - We may also use your personal data to make informed management decisions and for administration purposes
  - Please see our Staff Handbook for more information about how we collect and process staff personal data
- Donors
  - To attract and process donations
- Visitors
  - To allow you to make your desired visit to one of our care homes
- Residents
  - To safeguard your health and wellbeing
  - To provide you with our care home and care services
  - To communicate with you about our services and activities
Examples of when we will collect your personal data include, but are not limited to:
- When you apply for a job at the Institute of Our Lady of Mercy or request information;
- When you are a supporter of the Institute of Our Lady of Mercy;
- When you are a staff member of the Institute of Our Lady of Mercy;
- When you are employed by the Institute of Our Lady of Mercy as a contractor;
- When you visit the Institute of Our Lady of Mercy as a guest of an event or a student;
- When you are a tenant of the Institute of Our Lady of Mercy;
- When you communicate or engage with the Institute of Our Lady of Mercy by letter, email or other means, including social media;
- When your image or vehicle number plate is recorded on our CCTV system; and
- When you access or engage with our website.
- When you visit one of our Care Homes
7 Lawful basis to process personal data
Whenever we use your personal data, we must always have a “lawful basis” to do so under applicable data protection law. A “lawful basis” is a reason for using your personal data which is recognised and accepted by applicable data protection law. The lawful bases available are set out in Article 6 UK GDPR. Those which apply to the Institute’s use of personal data are as follows:
- Where we have your consent to do so (for example when we ask for your consent to send you email marketing and fundraising information)
- Where necessary to enter into or perform a contract with you (for example for the purposes of your role with the Institute)
- Where necessary for the Institute to comply with a legal obligation which applies to it (for example for formal tax and accountancy purposes or to disclose information where compelled to do so by a court or law enforcement)
- Where necessary in situations of genuine emergency
- Where it is in the Institute’s – or a third party’s – legitimate interests that we do so.
In brief, legitimate interests is the broadest lawful basis available: any good and genuinely held charitable, commercial, legal or operational reason can qualify, provided that, on balance, proceeding does not pose an unduly excessive risk of adverse impact to you.
8 Conditions to process special category personal data
We rely on the following conditions (as appropriate) under Article 9 of the UK GDPR to process special categories of personal data:
- where we have explicit consent;
- where necessary for reasons of social security or social protection law;
- where necessary in emergency situations;
- where necessary for the establishment, exercise or defence of legal claims;
- where necessary for reasons of medical diagnosis, administration of preventive medicine, the provision of health or social care treatment;
- for public health reasons;
- for research and statistical purposes; and
- where necessary for reasons of substantial public interest (such as equality of opportunity / treatment, preventing / detecting unlawful acts, exercising a protective function, supporting individuals with a particular medical condition, to provide counselling, advice or support and to safeguard individuals at risk).
9 Surveys and Service Messages
Sometimes we are required to inform you about certain changes. These service messages will not include any fundraising or marketing content and do not require prior consent when sent by email. This ensures that we are compliant with our legal obligations.
We may use your data to send you a survey and feedback requests to help improve the way we communicate. These messages will not include any fundraising requests or marketing, and they do not require prior consent when sent by email. We have a legitimate interest to do so as this helps improve our services and make them more relevant to you. Of course, you are free to opt out of receiving any of these communications.
Surveys help us to improve our services and make them more relevant to you. They are sent using the lawful basis of legitimate interest and you can opt out of receiving survey requests if you do not wish to participate.
Service messages or messages relating to requesting feedback will not include any marketing or fundraising requests. You do not have to respond to either form of contact.
10 Our use of Cookies and other technologies
When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience.
We may use technology such as cookies to help us deliver relevant and interesting content in our communications in the future. We may profile you to find out more about you but in the least intrusive way. We may use information we collect to display the most interesting content to you on our website. We may use data we hold about your previous visits.
If, at any time, you do not wish to receive further information about us and our services, contact us at dataprotection@iolmercy.org.uk
11 Links to other websites
Our website may also contain links to other websites of interest. Any third-party websites are not covered by this Privacy Notice, and we encourage our users to refer to the privacy policies on the third-party website.
12 Sharing your personal data
Where necessary and appropriate to do so, and only where justified in the circumstances and permitted by applicable law, we may share your personal data with external third parties, such as (non-exhaustively):
- Professional advisers such as law firms and insurers
- Where necessary to fulfil our responsibilities to the Religious Life Safeguarding Service
- With our auditors for the purposes of meeting our statutory financial obligations
- With police and other law enforcement bodies
- Doctors and medical practitioners (such as occupational health services)
13 How long will we hold your personal Data?
As a general comment, we only retain your personal data as long as we have a good reason to do so. If we believe your personal data is no longer needed for any purpose for which it was collected and is held, we will not process your data any further.
As a rule of thumb, we typically retain personal data for 6 years from the point of collection (this being the usual applicable period in which a legal claim can be brought by either side).
We may keep your data for longer to establish, exercise, or defend our legal rights and yours. Where there is a need to continue to retain it, personal data is securely archived with restricted access and other appropriate safeguards.
We are required to keep details of financial transactions, including donations, for seven years to meet accountancy and HMRC requirements. We will anonymise or delete personal data if, after a period of seven years, we have not had any contact or communication from you (this will be measured on a rolling seven-year period).
We maintain a data retention criterion to help implement this. This takes account of our legal and accounting obligations, balancing this with what would be considered reasonable.
We may anonymise your personal data (so that you can no longer be identified) for research and analysis purposes in which case we may use this information indefinitely without further notice to you.
14 Security of your personal data
We take the privacy and security of your personal data very seriously. In accordance with the Data Protection Act 2018 and UK GDPR, we have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
These measures include having clear internal policies and procedures and maintaining the physical security to our premises and IT security technologies to prevent the unauthorised access, damage, and loss of your data.
Additionally, we put in place appropriate security procedures and access controls to ensure the confidentiality of the special categories of personal data that we process, for instance information relating to the religious beliefs of our residents.
It should be noted that the transmission of information via the Internet is not completely secure, and while we will do our best to protect your personal data, we cannot guarantee the security of any personal data transmitted to our site; any such transmission is at your own risk.
15 Locations of Processing
The personal information we collect from you is processed on our servers located in the UK. We will ensure that your personal information is provided with adequate protection if it becomes necessary to transfer your personal information to a country that has not been granted a finding of adequacy by the European Commission (EC) or the UK regulator.
Transfers of personal information outside of the European Economic Area (EEA), to a country that has not been granted a finding of adequacy either by the EC or the UK regulator, will be carried out using ‘appropriate safeguards’ i.e. Binding Corporate Rules (BCR), Standard Contract Clauses (SCC) (also known as Model Contract Clauses) supported by the UK Addendum, or an International Data Transfer Agreement (IDTA) supported by a Transfer Risk Assessment (TRA) (as required under UK law). Alternatively, we may rely on approved Codes of Conduct (once published by the UK regulator) or we will seek your consent (where appropriate), on a case-by-case basis.
16 Automated decision making
Automated decision-making is when a computer or similar electronic system uses personal information to make decisions about people without any human involvement. Profiling involves collecting various pieces of information about a person in order to analyse or evaluate certain aspects relating to that person or to make predictions about them (for example, how that person may behave or what their preferences are). Automated decision-making does not have to involve profiling, though it often will.
We do not use your personal information via automated decision-making, including profiling (i.e. we do not create profiles or make decisions about you based solely on automated decision-making without human involvement). If that changes, we will tell you.
17 What are my data subject rights?
We support your data subject rights in relation to the processing of your information under the Data Protection Act 2018 and the UK GDPR, including your:
- Right of access: You can contact us to find out what personal information we hold about you, and ask for copies of the records which contain that personal information.
- Right to rectification: If you believe that any of your personal information that we hold is incorrect or incomplete, please contact us as soon as possible. We will correct any information found to be incorrect.
- Right to erasure: If you want to remove your personal information from our records, you can contact us to ask us to do so. We will remove the information as far as it is practical within our power, and where we are not legally obliged or entitled to retain it.
- Right to restrict processing: You might be able to restrict how we use your information if you have made a valid objection. You can ask us to suspend a particular use of your personal information, for example if you want us to establish its accuracy or you’re questioning our lawful basis for processing it.
- Right to data portability: You may have the right to have the personal information we hold transferred to another organisation.
- Right to object: Contact us if you want to formally object to how we are using your personal information. This right only applies in certain circumstances.
You can exercise any of these rights, including your right to request a copy of the information we hold about you (otherwise referred to as a Subject Access Request (SAR)), by contacting us using any of the methods shown in the ‘How to contact us’ section. We will respond to your request as quickly as possible. Usually, this will be within one month of receiving your request.
To protect the confidentiality of your information and the interests of the Institute of Our Lady of Mercy, we may sometimes ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.
Please note that some of these rights only apply in particular circumstances: not all have broad application.
18 Updating your information
You may choose to correct, update, or delete your personal data by contacting us using any of the methods shown above in the ‘How to contact us’ section.
If you have opted in to receiving communications from us, your preferences will remain in effect until you tell us that you want to opt out of receiving any further communications.
You can change your mind at any time by contacting us using any of the methods shown above in the ‘How to contact us’ section.
19 Withdrawing your consent
Where we process your information based on your consent, you may withdraw your consent at any time. You can do this by contacting us using any of the methods shown above in the ‘How to contact us’ section.
20 Making a complaint to us
We hope you’ll never have the need to do so, but if you do want to complain about our use of your personal data, or our facilitation of your data subject rights requests, you can contact us using any of the methods shown above in the ‘How to contact us’ section.
Our Data Protection Officer will investigate your complaint and provide you with an appropriate response as quickly as possible.
21 Making a complaint to the Information Commissioner
You can lodge a complaint with the Information Commissioner at any time. For instance, if you are unhappy with the way in which we are processing your information, or we have failed to facilitate your data subject rights.
The Information Commissioner can be contacted as follows:
- Link: Make a complaint about how an organisation has used your personal information | ICO
- Telephone: 0303 123 1113
22 Changes to this Privacy Notice
We continuously review the content of our Privacy Notice to ensure it accurately reflects what we do with your information.
If we change this Privacy Notice, we will post any updates here for your review. If we change material terms, we will provide notice of the revised Privacy Notice for 30 days on our home page with a link back to this page.
You can print a copy of this Notice by pressing Ctrl + P on your keyboard or navigating to Print Page in your browser.
This Privacy Notice was last updated in September 2025.