Protecting your privacy
The Union of the Sisters of Mercy is committed to protecting your personal data and ensuring that it is only ever used in accordance with your rights and expectations.
When we refer to:
- “we”, “us” or “our”, we mean the Union of the Sisters of Mercy;
- “personal data”, we mean any information relating to an identified or identifiable living individual;
- “processing”, we mean collecting, recording, organising, storing, sharing, destroying or anonymising personal data.
Who we are
We are an order of Roman Catholic Sisters of Mercy, and one of three strands of the Mercy family in Great Britain which was founded by Catherine McAuley in 1831 in Dublin. We are a registered charity with charity number 288158 (in England and Wales) and SC039153 (in Scotland). The objects of the charity are the promotion of religion and education in accordance with the doctrines of the Roman Catholic Church or any other charitable purpose which shall advance the religious, educational and other charitable work carried on, directed or supported by us.
Our collection and use of your personal data
We may collect personal data about you in any of these ways:
- When you apply for a job with us;
- When you are a staff member or volunteer;
- When you are engaged by us as a contractor and supply services to us;
- When you visit one of our properties as a guest or delegate;
- When you are a resident at one of our care homes;
- When you are our tenant;
- When you are a member;
- When you are a supporter;
- When you access our website;
- When you contact us, request information or send us feedback.
We collect this personal data from you either directly (for example if you are an employee, volunteer, member or supporter) or indirectly (for example when you use our website).
We may also collect personal data about you from other sources such as:
- Former employers, if you apply to work with us;
- DBS check providers, if you are an employee or volunteer and work with adults at risk and/or children;
- Your relatives, friends or health or social care professionals, if you are a resident at a care home;
- Via our IT systems, for example, CCTV and access control systems.
The personal data we collect about you depends on how you interact with us and the particular activities carried out by us. Such data may include:
- Basic identity data including your name, date of birth, gender and photographs;
- Contact data including your address, email address and telephone numbers;
- Financial data such as your bank account and payment details, if you are an employee, purchase services from us or donate to us;
- Recruitment information or employment records, if you apply for a job or are an employee;
- Health-related data such as your health care and medical records, for example, if you are a resident at a care home;
- Data revealing religious beliefs, if you are a member or a resident at a care home;
- Information revealed through a DBS check including information about criminal convictions and offences, if you work or volunteer with children and/or adults at risk;
- Other sensitive data you may have disclosed to us such as your racial or ethnic origin, political opinions, trade union membership, sexual orientation or genetic information and biometric data;
- Feedback data including notes of any conversations with you, and details of any comments or complaints you make.
Under data protection law, health-related data, data revealing religious beliefs and the other sensitive data listed above are all considered “special categories” of personal data. This data, as well as data concerning criminal convictions and offences, requires higher levels of protection and so is subject to tighter controls.
We use your personal data to manage our functions across our various activities and locations. Depending on the circumstances, we may use your data so that we can:
- Make a decision about your recruitment or appointment;
- Perform and administer any contract we have entered into with you;
- Pay you or process any donations from you;
- Provide services to you, in our care homes or elsewhere;
- Make sure you receive the training, support or care you need;
- Carry out our religious and other charitable work;
- Communicate with you when you engage with us;
- Improve, assess and evaluate our operations;
- Investigate any complaints;
- Verify your identity;
- Customise our website and its content to your particular preferences.
- Our legal basis for processing your personal data
We only use your personal data when we have a proper reason for doing so. There are various different legal bases upon which we may rely, depending on what personal data we process and why.
The legal bases we rely on most commonly to process your data include:
- contract: where our use of your personal data is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract;
- legal obligation: where our use of your personal data is necessary for us to comply with the law;
- legitimate interests: where our use of your personal data is necessary to pursue our legitimate interests in a way which might reasonably be expected (that is, to pursue our aims of promoting religious and other charitable purposes) and in a way which does not materially impact your rights, freedoms or interests.
In a small number of cases, we may also rely on the following legal bases:
- vital interests: where our use of your personal data is necessary to protect your or someone else’s life, typically in an emergency;
- consent: where you have given us clear consent for us to process your personal data for a specific purpose, where another legal basis cannot be used.
In relation to any “special category” personal data or data concerning criminal convictions and offences, we rely on different reasons to process your personal data. Most commonly these include that the processing is:
- necessary for the provision of health or social care services;
- necessary for carrying out our legal obligations relating to employment and social protection law;
- necessary in the substantial public interest, and further conditions are met;
- necessary for the establishment, exercise or defence of legal claims;
- carried out in the course of our legitimate activities and relates solely to our members or former members, and personal data is not disclosed outside of the Union of the Sisters of Mercy;
- carried out with your explicit consent.
If you have given your consent for us to process your personal data, you have the right to change your mind at any time and withdraw your consent.
Who we share your personal data with
To manage our functions, we work with carefully selected partners whom we trust to carry out work on our behalf. Depending on the circumstances, we routinely share your personal data (where the law allows us in the circumstances set out above) with:
- support companies we use to help us run our operations, for example, IT, cloud storage and backup service providers, and our payroll provider, bank, website operator and insurers;
- vetting agencies (so that vetting searches may be made about you);
- your next of kin (in case you are taken ill or have an accident);
- health and social care professionals;
- other Sisters of Mercy organisations in Great Britain and around the world, including the Mercy International Association, for use in their online newsletter (to share details of our religious and charitable work).
We will also share your personal data with third parties:
- if we are legally required to do so, for example, by a law enforcement agency or court;
- to enforce or apply any contract we have with you;
- if it is necessary to protect our rights, property or safety or to protect the rights, property or safety of others;
- for safeguarding reasons, where it is in the substantial public interest to do so, to protect children and adults at risk from neglect or physical, mental or emotional harm (including to their well-being);
- if we sell or buy any other organisation or part of it (including the Union of the Sisters of Mercy, if we are forming a new entity to replace and continue our operations or merging with another organisation), in which case we may disclose your personal data to the prospective seller or buyer so that they may continue using it in the same way.
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements. Different retention periods apply for different types of data. At the end of the relevant retention period, your data will either be deleted completely, put beyond use or anonymised. Some data about members will be kept in perpetuity as a record of our history and heritage and a reflection of life at the Union of the Sisters of Mercy.
We may send you communications that promote our aims and objectives which we think may be of interest to you, where it is in our legitimate interests to do so or where we have your consent. If we have previously contacted you in this way and you wish to stop such communications, please let us know and we will update our records immediately to reflect your wishes.
We will never (without your consent) share your data with any organisation to use for their own purposes.
You have the following rights, which you can exercise free of charge and on request:
- to access the personal data we hold about you;
- to require us to update or correct the personal data we hold about you;
- to require the erasure of your personal data in certain circumstances;
- to receive the personal data we hold about you in a structured, commonly used and machine-readable format, and to transmit it to a third party in certain situations;
- to object at any time to the processing of your personal data for direct marketing purposes;
- to challenge any automated decisions we make about you.
If you wish to exercise any of these rights, please contact the PA to the Trustees at email@example.com or on 020 7723 2527, and let us have enough information to identify you.
If you request the information that we hold about you, we will respond within one month (unless the complexity and number of requests mean that we need more time).
Keeping your personal data secure
We have appropriate security measures in place to prevent personal data from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine need to know it. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality.
How to complain
We hope that we can resolve any query or concern you raise about our use of your personal data. If you remain dissatisfied after raising your concern with us, you have the right to complain to the Information Commissioner Office (ICO), the UK supervisory authority for data protection issues. The ICO can be contacted at https://ico.org.uk/concerns/ or on 0303 123 1113.
How to contact us