last updated 22nd May 2018
Morden College, which comprises Sir John Morden’s Charity and Dame Susan Morden’s Charity, is referred to as “the Charity” throughout this policy document. The Charity is a data controller within the meaning of the General Data Protection Regulation (GDPR). Morden College is registered with the Information Commissioner’s Office (ICO) as the data controller (reg no: Z7074049).
Morden College is an unincorporated independent Charity (reg no: 215551) which is based in Blackheath, London. Legal title and governance rest with a Board of Trustees, and day-to-day management is delegated to a Clerk to the Trustees, who operates as a Chief Executive.
The Charity is what’s known as the ‘Controller’ of the personally identifiable information (PII) that you provide to us.
What is Personally Identifiable Information (PII)
Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Why we need your data
We will need to know your basic PII in order to provide you with information and services that you have requested. We will not collect any PII from you we do not need in order to provide and oversee our service to you.
What we do with your data
All PII we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance, this information may be located on servers within the European Union. We do not transfer, store or process any PII in Third Countries.
We have a strict Data Protection regime in place to oversee the effective and secure processing of your personal data.
Lawful Basis for processing
To process any Personally Identifiable Information (PII) on an individual, an organisation must have a lawful basis for carrying this out.
The Charity uses the following lawful bases for processing:
Contract: the processing is necessary for a contract the Charity has with an individual, or because they have asked us to take specific steps before entering into a contract.
Consent: the individual has given clear consent for the Charity to process their data for a specific purpose.
Vital interests: the processing is necessary to protect someone’s life.
The Charity does process special category data. To lawfully process special category data under the GDPR, we must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.
The lawful basis that we use from Article 6 is Contractual and from Article 9(2) our processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.
Where we use consent as the legal basis for processing your PII, you have the right to withdraw your consent at any time. If you wish to discuss or withdraw your consent, please contact our Data Protection Officer (DPO) whose contact details are at the end of this policy.
How long we keep your data
Your information will be kept with us for the purposes of supplying specific information as requested and for the provision of our services.
We have a Data Retention Policy which documents our protocol for retaining information for operational or regulatory compliance needs. A copy of our data retention policy can be obtained by contacting our DPO.
Some of the retention periods are governed by statute. Others are guidelines following best practice. Every effort has been made to ensure that these retention periods are compliant with the requirements of the GDPR and the Freedom of Information Act 2000.
What are your rights
The GDPR provides the following rights for individuals:
- The right to be informed:
Data Subjects must be clearly told what information will be used, why and in what way.
- The right of access:
Data Subjects have the right to know what information we hold on them, who holds this information and why.
- The right to rectification:
Data Subjects have the right to request corrections to the information that we hold on them.
- The right to erasure:
Data Subjects can request to be forgotten.
- The right to restrict processing:
Data Subjects can ask organisations to stop processing their information.
- The right to data portability:
Data Subjects can ask for their information in a machine-readable format or to have it sent to another organisation.
- The right to object:
Data Subjects have the right to object to organisations processing their information.
- Rights in relation to automated decision making and profiling:
Data Subjects have protection against the use of profiling of their information or automated decision making.
Please note that these rights may not apply in all circumstances and exceptions exist under the GDPR or applicable national law.
If at any point you believe the information we process on you is incorrect, you can request to see this information and have it corrected or deleted by contacting our DPO.
Access to your Information / Subject access request
In accordance with the GDPR, you have the right to access any information that we hold relating to you. If you wish to receive a copy of all information that we hold on you, please send a Subject Access Request (SAR) to:
19 St Germans Place
Complaints or queries
Morden College tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.
This Privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of the Charity’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed.
At Morden College we have a full time Data Protection Officer who is happy to help with any concerns you may have with regards to how the Charity processes your PII. Our DPO can be contacted using the contact details below:
The Data Protection Officer
19 St Germans Place
Tel: 0208 463 8330
If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you can raise your concerns with the Information Commissioner’s Office:
The Information Commissioner 0303 123 1113 or if you are outside of the UK +44 1625 545 700.
Additional information about the Information Commissioner’s Office can be found by visiting their website at www.ico.org.uk or by contacting them at:
The Information Commissioner’s Office