Privacy Policy
AREAS OF APPLICABILITY
This policy applies to the holding and use of personal information (e.g. name, contact details, personal characteristics).
EXAMPLES OF APPLICABILITY TO ABBEY LINE CRP ACTIVITIES
Some examples of activities that this policy is applicable to are listed below, but it should be noted that there will be other activities covered by the policy:
- Database of contact details.
- E-mail communications.
POLICY
Compliance with GDPR
The Abbey Line Community Rail Partnership will adhere to the principles set out in the General Data Protection Regulation (GDPR):
a) processed lawfully, fairly and in a transparent manner in relation to individuals
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data Controller
The CRP Officer is nominated as the Data Controller, and has the responsibility for ensuring that everyone who acts on behalf of ALCRP is aware of the data protection rules.
Data Audit
The CRP will maintain a record of all databases that it holds that contain personal information. Databases include, but are not limited to, computer files, written records and contact lists on mobile phones.
The record of databases will be reviewed at least annually.
Databases
All reasonable efforts will be undertaken to ensure that access to databases containing personal information will only be available to those undertaking authorised ALCRP activities. This will include password protection on computer files and ensuring that any written files are stored in a locked facility.
Information that is out of date or no longer required will be destroyed. All people on the database will be asked for their continued consent to retain their data on an annual basis.
Opt-In
Provision will be made so that people actively opt-in to the storage of their personal data. ALCRP will not store any personal data where the opt-in has not been received.
The use which will be made of the data will be clearly set out before people opt-in. Clear provision will also be made for people to opt-out at any future date.
Privacy Notice
A privacy notice will be set out on the ALCRP website and on any printed materials where people can sign up to receive communications from ALCRP.
Sharing of Information
Personal information will not be shared with any third party, including other individuals on the database, unless there is express permission to do so. This includes the sharing of e-mail addresses – all mail outs will use ‘bcc’ rather than ‘to’ or ‘cc’.
RESPONSIBILITY
Day-to-day responsibility rests with the CRP Officer.
In addition, there is a named individual on the CRP Steering Group who is the data protection champion.
USEFUL REFERENCES
Further advice on data protection can be found in the ACoRP guidance available at https://communityrail.org.uk/resources-ideas/reports-resources-tools/