Privacy Policy


Privacy Notice June 2023

1      What is The Institute of Our Lady of Mercy?

The Institute of Our Lady of Mercy is an Order of Roman Catholic Sisters of Mercy (the Congregation). It is one of three strands of the Mercy family in Great Britain, stemming from the first foundation of Catherine McAuley. It was formed from the union of twenty autonomous Congregations and was formally recognised by the Vatican as a Religious Congregation of Pontifical Rights in November 1983.

The work of the Sisters of Mercy in relieving poverty, nursing the sick and advancing education and religious studies is today still inspired by the Foundress, Catherine McAuley.  Under the direction of the Institute’s Trustees this work is carried on by individual Sisters acting within parish communities, in schools, care homes and in the wider community.

The Charity is registered with the Charity Commission with registered number 290544.


2      What types of information do we collect from you?

Personal data

In this Privacy Notice, the term “personal data” means information relating to you that allows us to identify you either directly, or in combination with other information we hold.

When you contact us by email, telephone or via our website, we will collect your personal data including your name, postal address, telephone number and date of birth (where relevant).

Special Categories of Personal Data

The UK GDPR defines special categories of personal data as information about a person’s race and ethnicity, religious or philosophical beliefs, trade union memberships, political opinions, genetic data, biometric and health data, and information concerning a natural person’s sex life or sexual orientation.

Criminal Offence data

Criminal offence data is data relating to criminal convictions and allegations of criminal activity. This includes information disclosed by the Disclosure and Barring Service under the Government’s employment vetting scheme.

The following sections will answer any questions you have but if not, please contact us.  Contact details are shown below.

3      What lawful basis do we use to process your personal data?

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever personal data is to be processed:

  1. Consent: we collect and process your data with your consent. This may include when you agree to receive an email about ways you can support us or to receive information about us or our facilities.
  2. Contract performance: the processing is necessary for the performance of a contract you have with us, which had asked you to take specific steps before entering into a contract.
  3. Compliance with legal obligation: the processing is necessary for us to comply with the law for tax, social security, and employment purposes. This will include sharing with law enforcement agencies details of people involved in fraud or other criminal activity affecting the Institute of Our Lady of Mercy.
  4. Protection of vital interests: the processing is vital to an individual’s survival.
  5. Public interest: the processing is necessary to perform a task that is in the public interest or for its official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for our legitimate interests, or the legitimate interests of a third-party, unless there is a good reason to protect the individual’s personal data that overrides those legitimate interests.

4      Conditions to process special category personal data?

We rely on the following conditions (as appropriate) under Article 9 of the UK GDPR to process special categories of personal data:

  1. Explicit consent
  2. Employment, social security and social protection (if authorised by law)
  3. Vital interests
  4. Not-for-profit bodies
  5. Made public by the data subject
  6. Legal claims or judicial acts
  7. Reasons of substantial public interest (with a basis in law)
  8. Health or social care (with a basis in law)
  9. Public health (with a basis in law)
  10. Archiving, research, and statistics (with a basis in law)

We aim to collect as little special category personal data as possible.

The processing of special category personal data is covered by relevant policies and procedures and all processing activities involving the processing of special categories of personal data are listed in our ‘Record of Processing Activity’.

Further legal controls are applied to the processing of criminal offence data. Such data is processed under the substantial public interest conditions listed in Schedule 1, DPA 2018.

5     The data processing principles

The law requires us:

  • To process your data in a lawful, fair and transparent way;
  • To only collect your data for explicit and legitimate purposes;
  • To only collect data that is relevant, and limited to the purpose(s) we have told you about;
  • To ensure that your data is accurate and up to date;
  • To ensure that your data is only kept as long as necessary for the purpose(s) we have told you about;
  • To ensure that appropriate security measures are used to protect your data.

6      Personal data we collect

We collect your information when you complete our forms, email us, or contact us via our website or social media. This includes information provided at the time of registering with us, to use our website, to become a member of staff, to enter into a contract for our services, to support or subscribe to our services, to request materials or to request further services, when you respond to a survey and/or when you report a problem with any of our communication channels or services.

Examples of the sorts of personal data that we collect include, but are not limited to:

  • Name(s) and address(es), email, phone number(s) and other relevant personal details (e.g. age group, interests, subscriptions, etc.);
  • Staff details relevant to their employment status with us;
  • Use of social media relating to the Institute of Our Lady of Mercy;
  • Records of donations;
  • Records of volunteering;
  • Photographs and video through our CCTV system;
  • Information about our relationship with you, correspondence, meeting notes, attendance at events, details of access to our databases etc.;
  • Occupation, skills and professional activity, network(s) and interests where relevant to our needs.

Where you are resident in one of our residential care homes or receiving care services

  • Personal details including your title, full name, maiden name, marital status, date of birth, gender, contact details including address (billing address or correspondence address), telephone numbers, email addresses, contact details for next of kin, your GP and other allied health professionals.
  • Financial information including bank account information to enable payment of services.
  • Transaction data including details of payments from you for the services we have provided.
  • Information about your life, including social history, health and wellbeing, treatment, and care. This may also include information about your marital status, ethnicity and sexual orientation and details of medical treatments.
  • Notes and reports about your health and care provision including case assessments and medication provided.
  • Compliments, complaints, accidents, and incidents information.
  • Contributions to resident questionnaires and surveys.
  • Your vaccination status including the vaccination dates and vaccine name.

Where you are the relative, next of kin, attorney, or deputy to one of our residents

  • Personal details including title, full name, relationship to the resident, contact details including address, telephone numbers, email addresses.

When you visit one of our care homes

  • Name of the visitor, purpose of their visit and car registration details if car parking was used.
  • Information relating to the prevention and detection of crime and the safety of residents and workers including CCTV recording.
  • Transaction details you provide to us for the fulfilment of your orders; and
  • Information provided in the surveys we may ask you to complete.

7      How we use the information about you?

We collect personal data in order to manage our functions across our many activities and locations including, but not limited to, the following:

  • To provide you with the services you have requested;
  • To comply with the Act and the UK GDPR;
  • For administrative purposes;
  • To assess enquiries; and
  • To provide you with information about us and our services.

Examples of when we will collect your personal data include, but are not limited to:

  • When you are a student at a school managed by the Institute of Our Lady of Mercy;
  • When you apply for a job at the Institute of Our Lady of Mercy or request information;
  • When you are a supporter of the Institute of Our Lady of Mercy;
  • When you are a staff member of the Institute of Our Lady of Mercy;
  • When you are employed by the Institute of Our Lady of Mercy as a contractor;
  • When you visit the Institute of Our Lady of Mercy as a guest of an event or a student;
  • When you are a tenant of the Institute of Our Lady of Mercy;
  • When you communicate or engage with the Institute of Our Lady of Mercy by letter, email or other means, including social media;
  • When your image or vehicle number plate is recorded on our CCTV system;
  • When you access or engage with our website; and
  • When you visit one of our Care Homes.

We will only use your personal data for the purpose it was collected at the point at which it is collected. The data we collect could be in an electronic or paper format. If we believe your data is no longer needed for this purpose, we will not process your data any further.

Where necessary or appropriate, we share your personal data with licensed law firms for the purposes of obtaining appropriate advice from registered legal practitioners and for fulfilling our responsibilities to the Religious Life Safeguarding Service.

We may also share data with our auditors for the purposes of meeting our statutory financial obligations. When we interact with you, we may also collect notes from our conversations with you, and the details of any complaints or comments you make. We may also collect your social media username if you interact with us through those channels in order to help us respond to your comments, questions and feedback. The data privacy law allows this as part of our legitimate interest in understanding our audience.

We may send you relevant and personalised communications by post. We will do this on the basis of our legitimate interest but only after certain risk assessments have been undertaken. You are free to opt out of hearing from us by any channels at any time.


We collect personal data on our employees as part of the administration, management and promotion of our business activities. Where an individual is applying to work for the Institute, personal data is collected through the application process. Data is often collected through the CVs that are submitted to us. There are several purposes for which applicants’ personal data is collected.

Employment. We process an applicant’s personal data to assess their potential employment at the Institute.

Administration and management. We may also use your personal data to make informed management decisions and for administration purposes.

Personal data collected for applicants is held for as long as necessary to fulfil the purpose for which it was collected, or for a maximum of two years where those purposes no longer become necessary.

Our Staff Handbook further explains how we process the personal data we collect from our staff and partners.

Covid-19. In order to comply with current Covid-19 regulations, everyone working in our care homes, volunteers, job candidates, visiting professionals, CQC staff, tradespeople, hairdressers etc. and family and friends visiting the residents of our Care Homes may be asked for their Covid-19 testing status/results.

9      Surveys and Service Messages

Sometimes we are required to inform you about certain changes. These service messages will not include any fundraising or marketing content and do not require prior consent when sent by email. This ensures that we are compliant with our legal obligations.

We may use your data to send you a survey and feedback requests to help improve the way we communicate. These messages will not include any fundraising requests or marketing and they do not require prior consent when sent by email. We have a legitimate interest to do so as this helps improve our services and make them more relevant to you. Of course, you are free to opt out of receiving any of these communications.

Surveys help us to improve our services and make them more relevant to you. They are sent using the lawful basis of legitimate interest and you can opt out of receiving survey requests if you do not wish to participate.

Service messages or messages relating to requesting feedback will not include any marketing or fundraising requests. You do not have to respond to either form of contact.

10      Our use of Cookies and other technologies

When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information.  This information is used solely for web server monitoring and to deliver the best visitor experience.

We may use technology such as cookies to help us deliver relevant and interesting content in our communications in the future. We may profile you to find out more about you but in the least intrusive way. We may use information we collect to display the most interesting content to you on our website. We may use data we hold about your previous visits (please see our Cookie Policy here).

If, at any time, you do not wish to receive further information about us and our services, contact us at

11      Links to other websites

Our website may also contain links to other websites of interest.  Any third-party websites are not covered by this Privacy Notice, and we encourage our users to refer to the privacy policies on the third-party website.


We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any agreements, or to protect the rights, property, or safety of the organisation, or other individuals. This includes exchanging information with other companies and organisations for the purposes of safeguarding or other statutory regulations we must comply with as well as those organisations with whom you and we have reciprocal agreements for providing services for education or professional development.

13      How long will we hold your personal Data?

We retain your personal data in a live environment for as long as necessary to fulfil the purpose(s) for which it was collected (including as required by applicable law or regulation, typically 7+ years).

We may keep your data for longer to establish, exercise, or defend our legal rights and yours. Where there is a need to continue to retain it, personal data is securely archived with restricted access and other appropriate safeguards.

We are required to keep details of financial transactions, including donations, for seven years to meet accountancy and HMRC requirements. We will anonymise or delete personal data if, after a period of seven years, we have not had any contact or communication from you (this will be measured on a rolling seven-year period).

We maintain a data retention criterion to help implement this. This takes account of our legal and accounting obligations, balancing this with what would be considered reasonable.

We may anonymise your personal data (so that you can no longer be identified) for research and analysis purposes in which case we may use this information indefinitely without further notice to you.

14  Security of your personal data

We take the privacy and security of your personal data very seriously. Accordingly, in accordance with the Data Protection Act 2018 and UK GDPR, we have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

These measures include having clear internal policies and procedures and maintaining the physical security of our premises and IT security technologies to prevent the unauthorised access, damage, and loss of your data.

Additionally, we put in place appropriate security procedures and access controls to ensure the confidentiality of the special categories of personal data that we process, for instance, information relating to the religious beliefs of our residents.

It should be noted that the transmission of information via the Internet is not completely secure, and while we will do our best to protect your personal data, we cannot guarantee the security of any personal data transmitted to our site; any such transmission is at your own risk.

15  Locations of Processing

The personal information we collect from you is processed on our servers located in the UK. We will ensure that your personal information is provided with adequate protection if it becomes necessary to transfer your personal information to a country that has not been granted a finding of adequacy by the European Commission (EC) or the UK regulator.

Transfers of personal information outside of the European Economic Area (EEA), to a country that has not been granted a finding of adequacy either by the EC or the UK regulator, will be carried out using ‘appropriate safeguards’ i.e. Binding Corporate Rules (BCR), Standard Contract Clauses (SCC) (also known as Model Contract Clauses) supported by the UK Addendum, or an International Data Transfer Agreement (IDTA) supported by a Transfer Risk Assessment (TRA) (as required under UK law). Alternatively, we may rely on approved Codes of Conduct (once published by the UK regulator) or we will seek your consent (where appropriate), on a case-by-case basis.

16  What are my data subject rights?

We support your data subject rights in relation to the processing of your information under the Data Protection Act 2018 and the UK GDPR, including your:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making including profiling.

You can exercise any of these rights, including your right to request a copy of the information we hold about you (otherwise referred to as a Subject Access Request (SAR)), by contacting us using any of the methods shown below in the ‘How do I contact you?’ section. We will respond to your request as quickly as possible. Usually, this will be within one month of receiving your request.

To protect the confidentiality of your information and the interests of the Institute of Our Lady of Mercy, we may sometimes ask you to verify your identity before proceeding with any request for information. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.

17  Updating my information

You may choose to correct, update, or delete your personal data by contacting us using any of the methods shown below in the ‘How do I contact you?’ section.

If you have opted in to receiving communications from us, your preferences will remain in effect until you tell us that you want to opt out of receiving any further communications.

You can change your mind at any time by contacting us using any of the methods shown below in the ‘How do I contact you?’ section.

18  Withdrawing my consent

Where we process your information based on your consent, you may withdraw your consent at any time. You can do this by contacting us using any of the methods shown below in the ‘How do I contact you?’ section.

19  Making a complaint to us

We hope you’ll never have the need to do so, but if you do want to complain about our use of your personal data, or our facilitation of your data subject rights requests, you can contact us using any of the methods shown below in the ‘How do I contact you?’ section.

Our Data Protection Officer will investigate your complaint and provide you with an appropriate response as quickly as possible.

20  Making a complaint to the Information Commissioner

You can lodge a complaint with the Information Commissioner at any time. For instance, if you are unhappy with the way in which we are processing your information, or we have failed to facilitate your data subject rights.

The Information Commissioner can be contacted as follows:

By post: Information Commissioner’s Office

Wycliffe House

Water Lane




By phone: 0844 496 4636 (local rate)

Further information about your data subject rights and how to complain to the ICO can be found here: ICO Make a Complaint

21  How do I contact you?

You may contact us using any of the following methods:

By post: Data Protection Officer

23 Cemetery Rd



LS19 7UR

By phone: 07930 523068

By email:

22  Changes to this Privacy Notice

We continuously review the content of our Privacy Notice to ensure it accurately reflects what we do with your information.