Our alumni and supporters are extremely important to us, and this Privacy Statement explains how the Al-Mahdi Institute (AMI) collects, stores, manages and protects alumni, donor and stakeholder data. It outlines the types of data that we hold and how we use them to provide services to our alumni and supporters. We aim to be clear when we collect your personal information, and not do anything you wouldn’t reasonably expect.


AMI supports its objectives through engaging with alumni, students, supporters and stakeholders of the Institute. We do this by offering a range of academic, research and outreach events and by providing access to the Institute’s library resources and other services. We also fundraise to support the Institute’s students, teaching, and research and capital projects.

Fundraising is a key part AMI’s work, and we are committed to working in a transparent, ethical, responsible and honest way.

We value our relationship with you and we use your personal data to ensure we communicate with you in the most appropriate way, to improve our services and to ensure we work efficiently and effectively. In order to do this, we have a database that contains personal data collected by the Institute during the course of our relationship with our students, alumni, donors and stakeholders.


Until 24 May the Data Protection Act 1998 governed your rights to your data and provided the relevant guidance for AMI to process your personal data. As of 24 May 2018 your rights and the way in which data is processed is governed by the General Data Protection Regulation (the “GDPR”).

The GDPR has been introduced to unify the differing laws and regulations across the EU in order to provide a primary source for your data protection rights and the basis for the processing of your data.

  • References to “AMI”, “Institute”, “we”, “our” and “us” refers to Al-Mahdi Institute.
  • References to “you” and “your” refers to the alumni, donors and stakeholders of AMI.
  • The Data Protection Act 1998 shall be referred to as “DPA”.
  • The General Data Protection Regulations will be referred to as “GDPR”.
  • “Personal data” is any information that identifies you. It can also include expressions of opinions about an individual.
  • “Sensitive personal data” is any information that identifies racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • A “Data subject”, is you – if we hold personal data about you.

As part of our work we process and store personal data on our students, staff, alumni, donors and potential supporters and friends of the Institute. We take our responsibilities under the GDPR seriously and ensure that the personal data that we obtain is held, used, transferred and processed in accordance with the applicable data protection laws.



AMI lawfully processes your personal data under the following circumstances:

  1. Processing is necessary for the purposes of the legitimate interests
  2. You have specifically given consent to AMI to use your data


Under the GDPR the Institute considers that the legal basis for processing your personal data, for the purposes of alumni engagement and/or fundraising, is legitimate interests.

AMI’s core mission is to advance education, knowledge and learning through teaching and research. Now more than ever, with changes in the way higher education is funded, our students (past, present and future) and our communities, have an expectation that we will work in partnership with them to enable them succeed academically, but also to champion social, cultural and economic growth and secure our future sustainability. We do this through a variety of teaching, student, research, community and capital projects, which our alumni engagement and fundraising activities are designed to support. As such, we have a legitimate interest in engaging with our alumni, donors and potential supporters to enable us achieve these goals.

Alumni engagement and fundraising are not new to AMI. Since we were founded, we have been shaped by the generosity, support and friendship of individual donors, stakeholders and charitable organisations. The funds raised and relationships built with alumni, donors and friends enable us achieve these goals. Without them, our mission of providing a social, cultural and academic education throughout a lifelong relationship with our alumni, could not be achieved.

The processing of your data is therefore necessary in order to allow us achieve these goals. However, we always ensure that we balance these objectives against your rights and freedoms as an individual, by reviewing our activities regularly for compliance with our ethical and legal obligations.

If you do not agree with us processing your data in this way, then you can request that AMI removes your information and does not process your data for alumni engagement and fundraising related activities. If this is the case, please consider the below section on your rights and how to contact us.

We have then set out exactly how your data is used and why we use it in this way. The full details of this can be found under the exactly how we use your data section.


For alumni, donors and supporters, there are a number of purposes for which we process your data. The reason we do not rely solely on consent to process your data is that due to the wide variety of different services and communications involved, this would mean we would need to constantly send you emails and letters to gain your consent. Therefore, we will rely on the legitimate interest for processing your data in the first instance. However, we may also ask for you to consent to other types of communication or to get involved in additional areas.

In order for you to receive alumni and fundraising emails and telephone calls, we need your informed consent. Consent under GDPR needs to be a positive action, so if you have given us your email address in response to a request for alumni details, and/or you have responded to a particular campaign and said you would be interested in similar information, then we may also consider this to be consent. You have the right to withdraw your consent any time.

In order to be completely transparent we provide a detailed list of all the information that we may have collected from you.

We have then set out exactly how this data is used and why we use it in this way. The full details of this can be found under the exactly how we use your data section.

A more general overview of the information we provide can be found under what personal data we collect.


The personal data we store and process, the majority of which is given to us by our alumni and supporters, may include:

  • name, title, gender and date of birth;
  • contact details including postal address, email address, phone number and links to social media accounts;
  • information about your time at AMI and other academic institutions you have attended;
  • your occupation and professional activities and memberships;
  • your recreations and interests;
  • family and spouse/partner details and your relationships to other alumni, supporters and friends;
  • records of pledges, donations and Gift Aid status, where applicable (as required by HMRC);
  • records of communications sent to you AMI or received from you;
  • Details of events you attended (formal, as a speaker, at AMI events) and when;
  • media articles about you;
  • information on your engagement in AMI meetings, events, groups or networks;
  • information about your use of AMI resources or facilities (for example the Library);

Any other personal information you provide to us during communication with us may be stored in the form of notes for reference purposes. This may include sensitive personal data, but only where you provide this to us directly or is already publicly available.

AMI does not store any credit/debit card details and is fully PCI-DSS compliant.


Initially, data about students is transferred into our database from the student record system, in accordance with Hawza Application Form. After graduation, many of our alumni choose to manage and update their own details, which you can do by sending an email to [email protected] . As such, the vast majority of the information we hold is obtained directly from you.

We always aim to keep your details up to date, and we will conduct projects to check the contact details we have for you are correct, and, where appropriate, update them. We also seek new contact details for alumni with whom we are not in contact, to ensure AMI can remain in touch with as many of its alumni as possible.

As a result, some of the data may also have been obtained from publicly available sources – for example, we may find a new address for you by using the Royal Mail’s National Change of Address file (NCOA). We may also use information from publicly available sources to carry out research to assess your inclination and capacity to support the University financially or by volunteering your time.


Unless you have requested otherwise, your data is accessible to AMI, its academic and administrative departments, and processed for a full range of alumni engagement and fundraising purposes. This is however, subject to restrictions as stated under how we protect your data.

 Generally we will communicate with you about the following alumni engagement and fundraising and activities, by post, email, telephone and social media:

  • Keeping your knowledge fresh, by sending university and departmental publications;
  • Offering you access to alumni and student careers, mentoring and networking services;
  • Letting you know about alumni and university events;
  • Asking you to participate in fundraising programmes;
  • Offering you the chance to participate in academic projects and research;
  • Promoting alumni discounts and services, like access to the library, campus sports facilities and e-journals;

The GDPR expands on the rights that you received under the DPA.

AMI considers its relationship with alumni, donors and other stakeholders to be life-long, giving you access to certain services and a vast support network. We will always try to ensure that the data we hold for you are up to date, reasonable and not excessive.

This means that we will maintain a stakeholder record for you until such time as you notify us that you longer wish us to keep in touch. In this instance AMI will delete the majority of your personal data it holds, but will maintain basic personal data to ensure we do not inadvertently create a new record in the future.

The table below briefly summarises your rights and where those rights and the information on those rights can be found within the General Data Protection Regulations. We also recommend the ICO website guidance on your rights for detail.

Your Rights

  1. To see information that is held by AMI
  2. Access your own personal data
  3. Right to correct errors in personal data (rectification). You can ask for inaccurate personal data to be rectified. 4 Right to erase personal data (right to be forgotten).You can ask for your personal data to be erased completely or in parts.
  4. Right to restrict data processing You can ask for the processing of personal data to be restricted so that the data may only be held and used for limited purposes.
  5. Right to a copy of your personal data or transfer it to another controller (data portability). This is your right to receive and/or transfer personal data between data This right overlaps with the right of access, but it is not the same.
  6. Right to object to data processing
  7. Not to be subject to automated decision-making
  8. Be notified of a security breach that has a high risk to your rights and freedoms

If you wish to exercise any of the above rights, please see ‘how to contact us’, below.


A key principle of the GDPR is that AMI processes your personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’.

To ensure full compliance the AMI carries out detailed risk analysis, has instituted a number of organisational policies, in addition to physical and technical measures.


Your data is held on a database hosted on a secure server within the Institute’s network. This database is protected by multi-level authentication and access is restricted to individuals who need to see the data to carry out their duties at AMI. The rights of these individuals is also restricted so that only the data that is necessary and required to complete their role is accessible. All access is reviewed on a regular basis.


We also have measures to enable data to be restored and accessed in a timely manner in the event of a physical or technical incident. We also ensure that we have appropriate processes in place to test the effectiveness of our security measures.


One of the principles in GDPR is that personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed (except in certain specific and limited instances).

When it comes to alumni, donors and supporters of AMI, we see our relationship with you as a lifelong one, which includes keeping in touch with us and those that you attended with and engaging in a mutually beneficial relationship. Therefore, information that is kept can be held indefinitely. This means that we will maintain a stakeholder record for you until such time as you notify us that you longer wish us to keep in touch. In this instance AMI will delete the majority of your personal data it holds, but will maintain basic personal data to ensure we do not inadvertently create a new record in the future.

Information that we hold on gifts and donations will be retained because of our legal obligations under the HMRC and Charity Commission.


If you wish to contact us about how we have handled your personal data you can contact the Data Protection Officer (DPO), Ms Rukhsana Bhanji. She can be contacted via e-mail at [email protected]

Or write to:

The Data Protection Officer
Al-Mahdi Institute
B29 6RB

If you wish to contact us to unsubscribe from our emails or want to update your details, click on the relevant options at the bottom of our emails or ‘email [email protected].


We hope that our Data Protection Officer can resolve any query or concern you raise about our use of your information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: [0303 123 1113].