Data Protection Policy


1. Purpose

To describe the ways in which Mercy Ships, the non-profit organization registered in the State of Texas, USA meets the requirements for data protection which govern its activities as a data controller, with reference to the personal data which it manages, processes and stores.    

This policy outlines the requirements for the processing of personal data within Mercy Ships.  In the event that any member of personnel remains unsure as to whether such data can be acquired, used, stored, disclosed or destroyed they should consult with the Data Protection Officer to seek further clarification.  

2. Scope

This Policy applies to all personal data collected, processed and stored by Mercy Ships in the course of its daily activities.  The policy covers both personal and sensitive personal data (special categories) held in relation to its data subjects by Mercy Ships. The policy applies equally to personal data held in both manual (paper) and automated (electronic) form. All personal and sensitive personal data will be treated with equal care by Mercy Ships.  Both categories will be equally referred to as personal data in this policy, unless specifically stated otherwise. 

As a Data Controller, Mercy Ships and its crew, staff and volunteers (hereafter referred-to collectively as Mercy Ships) must, at a minimum, comply with the Data Protection legislation set out by both the US Privacy Shield program and the EU General Data Protection Regulation as enforced by the United States Federal Trade Commission and the Office of Information and Data Protection Commissioner of Malta, respectively.  

As a Joint Data Controller, any personal data shared with Mercy Ships by any member of the Mercy Ships Global Association and/or an affiliated National Office will be treated with the same level of data protection as personal data lawfully processed by Mercy Ships.

2. Definitions

The following definitions apply within this Policy.


The representation of facts in either digital or physical form .

  • Automated (electronic) data means data held on computer, tablet, mobile phone or any other form of electronic means, or stored with the intention that it is processed on a computer, tablet or mobile phone.
  • Manual (paper) data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system.

Personal Data

Information that relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of Mercy Ships.

Sensitive Personal Data

Sensitive personal data is Personal Data which relates to specific aspects of one’s identity or personality, and includes information relating to ethnic or racial identity, political or ideological beliefs, religious beliefs, trade union membership, mental or physical well-being, or sexual orientation.

CCTV Closed Circuit Television, used for video surveillance, video recording or any other form of photographic observation.

Data Controller

The legal entity responsible for the acquisition, processing and use of the personal data. In the context of this policy; Mercy Ships is the data controller.

Joint Data Controller(s) The legal designation when two or more Data Controllers share the responsibility for jointly or independently processing personal data. As Joint Data Controllers, Mercy Ships operations and a National Office may often share responsibility for the personal data of a data subject whom is both a crew member on board the Africa Mercy and whom may also volunteer with the National Office while in their home country.

Data Subject

A living individual who is the subject of the personal data, i.e. to whom the data relates either directly or indirectly.

Data Processor

A person or entity (vendor) who processes personal data on behalf of Mercy Ships on the basis of a formal, written contract, but who is not personnel of Mercy Ships.

Data Protection Officer

The individual appointed by Mercy Ships to monitor compliance with the appropriate data protection legislation, to deal with Subject Access Requests, and to respond to data protection queries from the general public and members of personnel, normally the Director of Information Security.

4. Policy Statement

4.1 Mercy Ships As A Data Controller  

Mercy Ships is committed to the fair, transparent and lawful processing of all personal data which it controls. To this end, Mercy Ships works to ensure that all members of personnel have sufficient awareness of the relevant legislation in order to be able to anticipate and identify a data protection issue, should one arise. In such circumstances, members of personnel must ensure that the Data Protection Officer (DPO) is informed immediately, in order that appropriate and timely corrective action is taken.

Due to the nature of the services provided by Mercy Ships, there is a regular and active exchange of personal data between Mercy Ships and its data subjects. In addition, Mercy Ships may exchange personal data with known third parties and data processors on the data subjects’ behalf. This is consistent with Mercy Ships’ obligations under the terms of its contracts with its data processors.


4.2 Third-Party Processors (Where Applicable)

In the course of its role as data controller, Mercy Ships engages third-party service providers, or data processors, to process personal data on its behalf.

In each case, a formal, written contract is executed with the processor, outlining their obligations in relation to the personal data, the security measures that they must have in place to protect the data, the specific purpose or purposes for which they are engaged, and the understanding that they will only process the data in compliance with the Data Protection legislation.

The contract also includes reference to the fact that Mercy Ships is entitled, from time to time, to audit or inspect the data management activities of the data processor, and to ensure that they remain compliant with the relevant legislation, and with the terms of the contract.


4.3 The Eight Data Protection Principles

The following key principles are enshrined in the Data Protection legislation and are fundamental to Mercy Ships’ data protection policy.

1. Processing of Personal Data: Personal data is processed fairly, transparently and lawfully:

  • Where possible, Mercy Ships will gain the freely given, informed consent of the data subject before their data is processed
  • Where it is not possible to gain consent, Mercy Ships will ensure that processing of the data is justified under one of the other lawful processing conditions
  • Mercy Ships is transparent about the intention to use the data, and gives individuals appropriate Privacy Notices when collecting their personal data
  • Where Mercy Ships intends to record activity on CCTV or video, a Fair Processing Notice is posted in full view, prior to the recording
  • Processing of the personal data is carried out only as part of Mercy Ships’ lawful activities, and it safeguards the rights and freedoms of the data subject
  • The data subject’s data is not disclosed to a third party other than to a party contracted to Mercy Ships and operating on its behalf, or where Mercy Ships is required to do so by law

2. Lawful Purposes: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes without explicit permission of the data subject.

  • Mercy Ships obtains data for purposes which are specific, lawful and clearly stated
  • A data subject has the right to question the purpose(s) for which Mercy Ships holds their personal data, and Mercy Ships is able to clearly state that purpose or purposes

3. AdequacyPersonal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

  • Mercy Ships ensures that the personal data it processes in relation to data subjects is relevant to the purpose(s) for which the data is collected
  • Personal Data which is not relevant to such processing is not acquired or maintained

 4. Accuracy: Personal data shall be accurate and, where necessary, kept up to date.

  • Mercy Ships ensures that administrative and IT validation processes are in place to conduct regular assessments of data accuracy and/or data quality by:
    • Conducting periodic reviews and audits of Personal Data to ensure that relevant data is kept accurate and up-to-date. Mercy Ships conducts a review of sample data each year to ensure accuracy.
    • Ensuring that personnel and emergency contact details are reviewed and updated every two years, or on an ‘ad hoc’ basis where members of personnel inform the office of such changes.
    • Conducting regular assessments in order to validate the need to keep certain personal data.

5. Retention: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

  • Mercy Ships has identified an extensive matrix of data categories, with reference to the appropriate data retention period for each category. The matrix applies to data in both a manual and automated format. This is documented in our Document Retention Schedule
  • If Personal Data is being retained indefinitely, a justification is provided
  • Once the respective retention period has elapsed, Mercy Ships undertakes to anonymise, destroy, erase or otherwise render this data no longer personally identifiable.
  • Personal Data is destroyed as per the Data Destruction Policy in place at Mercy Ships

6. Rights: Personal data shall be processed in accordance with the rights of data subjects as defined by the relevant data protection legislation

  • A Subject Access Request procedure is in place
  • A mechanism is in place to capture data subject preferences
  • When using Direct Marketing, Mercy Ships ensures Opt-ins and/or Opt-outs are used appropriately as required by the relevant and current data protection legislation
  • If using Profiling, Mercy Ships ensures the data subject is aware that they are being profiled and have the opportunity to object to such activity
  • Mercy Ships has mechanisms in place to capture communication from data subjects that refer to amending, correcting or updating their personal data
  • A mechanism is in place to address any claim for compensation which has been awarded for breach of the relevant data protection legislation

7. Security: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  • Mercy Ships uses a risk based approach to security of data. The level of security in place shall be commensurate with the level of risk to the security of the data
  • Mercy Ships employs high standards of security in order to protect the personal data under its care
  • Mercy Ships’ Password Policy and Data Retention Policy guarantee protection against unauthorised access to, or alteration, destruction or disclosure of any personal data held by Mercy Ships in its capacity as data controller
  • Access to, and management of, Personal Data is limited to those members of personnel who have appropriate authorisation and password access
  • In the event of a data security breach affecting the personal data being processed on behalf of the data controller, the relevant third party processor notifies the data controller without undue delay

8. International Transfers: Personal data shall not be transferred to a country or territory outside the country of origin unless the recipient country or territory ensures or provides a mechanism to ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

  • Mercy Ships utilises the US Privacy Shield framework to certify that an adequate level of protection is maintained for all personal data shared between the Texas based International Support Center and the Maltese flagged vessels, M/V Africa Mercy and/or M/V Global Mercy.  
  • In all cases, Mercy Ships maintains Records of Processing Activities to clearly outline the transfer of personal data to determine the risks to personal data that may arise. The organisation undertakes to mitigate those risks to an acceptable risk level prior to the transfer by a means of adequate safeguards:
    • Adequate safeguards include Model Contract Clauses, Binding Corporate Rules, or other contractual arrangements
    • Where “adequate safeguards” are established, the rights of data subjects continue to be protected even after their data has been transferred outside the country of origin
    • Additionally, the organisation assesses whether or not the data can be adequately encrypted, anonymised or pseudonymised prior to the transfer

4.4 Implementation

As a data controller, Mercy Ships ensures that any entity which processes personal data on its behalf (a data processor) does so in a manner compliant with the relevant data protection legislation through a formal Data Processor Agreement.

Regular audit trail monitoring is performed by the Data Protection Officer to ensure compliance with this Agreement by any third-party entity which processes personal data on behalf of Mercy Ships. Failure of a data processor to manage Mercy Ships’ data in a compliant manner will be viewed as a breach of contract, and will be addressed as such according to the terms of  the governing agreement between Mercy Ships and that data processor. Failure of Mercy Ships’ staff to process personal data in compliance with this policy may result in disciplinary proceedings.