Data Protection Policy

DATA PROTECTION POLICY

DATE 2025

REVIEW DATE 2027

In this document, references to the General Data Protection Regulation (GDPR) are references to the original EU GDPR incorporating the amendments set out in the Keeling Schedule, i.e. the UK-GDPR.

  1. Introduction to the UK-GDPR

Under the United Kingdom General Data Protection Regulation (UK-GDPR), Halesworth to Southwold Narrow Gauge Railway CIO (hereinafter referred to as “the Charity”) is required to comply with the UK-GDPR and undertakes to do so.

  • This policy applies to all personal data processed by the Charity.
  • The Responsible Person shall take responsibility for the Charity’s ongoing compliance with this policy.
  • This policy shall be reviewed at least every two years.
  • The Charity shall register with the Information Commissioner’s Office as an organisation that processes personal data.
  2. Definitions

The definitions of terms used in this policy are the same as the definitions of those terms detailed in Article 4 of the UK-GDPR.

2.1 Data Subject

A data subject is an identified or identifiable individual person about whom the Charity holds personal information.

2.2 Contact Information

For the purposes of this Policy, “Contact Information” means any or all of the person’s: full name (including any preferences about how they like to be addressed); full postal address; telephone and/or mobile number(s); e-mail address(es); social media IDs/usernames (e.g. Facebook, Skype, Hangouts, WhatsApp).

  3. Principles of the UK-GDPR

The Charity will ensure that all personal data that it holds will be:

  a) processed lawfully, fairly and in a transparent manner in relation to individuals;
  b) collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the UK-GDPR in order to safeguard the rights and freedoms of individuals; and
  f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  4. Lawful Processing

The Charity will obtain, hold and process all personal data in accordance with the UK-GDPR on the following lawful bases. In all cases the information collected, held and processed will include Contact Information (as defined in 2.2 above).

4.1 By Consent

People who are interested in, and wish to be kept informed of, the activities of the Charity:

  a) Subject to the person’s consent, this may include information selected and forwarded by the Charity on activities by other organisations which are relevant to those of the Charity.

Note: this will not involve providing the person’s personal data to another organisation.

  b) The information collected may additionally contain details of any areas of interest about which the person wishes to be kept informed.
  c) The information provided will be held and processed solely for the purpose of providing the information requested by the person.

4.2 By Contract

People who sell goods and/or services to, and/or purchase goods and/or services from, the Charity. The information collected will additionally contain details of the goods/services being sold to or purchased from the Charity:

  a) Bank and other details necessary and relevant to the making or receiving of payments for the goods/services being sold to or purchased from the Charity. The information provided will be held and processed solely for the purpose of managing the contract between the Charity and the person for the supply or purchase of goods/services.

4.3 By Legal Obligation

Where there is a legal obligation on the Charity to collect, process and share information with a third party – e.g. the legal obligations to collect, process and share with HM Revenue & Customs payroll information on employees of the Charity. The information provided will be held, processed and shared with others solely for the purpose of meeting the Charity’s legal obligations.

Note (Employees; Taxation; Pensions): Legal obligations to employees fall under the much broader “umbrella” of UK employment law, taxation law (HM Revenue & Customs) and pensions law.

4.4 By Vital Interest

The Charity undertakes no activities which require the collection, holding and/or processing of personal information for reasons of vital interest.

4.5 By Public Task

The Charity undertakes no public tasks which require the collection, holding and/or processing of personal information.

4.6 By Legitimate Interest

  a) Trustees: In order to be able to operate effectively it is in the legitimate interests of the Charity to hold such personal information on its Trustees as will enable the Charity to communicate with its Trustees on matters relating to the operation of the Charity.
  b) Service users: consent is only valid if it is freely given and not seen as ‘coerced’, which means the service user would still obtain the same service without giving consent for the Charity to store and use their information.

However, because of legal requirements surrounding helpline work, legal claims and insurance, the Charity cannot provide the same level of service or depth of information if service users refuse to give it information. Consent obtained in these circumstances would therefore not be valid, so legitimate interest will be used as the lawful basis for the processing of service users’ personal data.

  5. Individual Rights

The following clauses are taken primarily from the guidance provided by the Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-the-general-dataprotection-regulation-gdpr/individual-rights/right-to-be-informed/

5.1 The right to be informed

When collecting personal information, the Charity will provide to the data subject, free of charge, a Privacy Notice written in clear and plain language which is concise, transparent and easily accessible.

A privacy notice should identify who the data controller is and how to contact them. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

5.2 The right of access

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to his/her personal data and the information detailed in the Charity’s relevant Privacy Policy.

5.3 The right to rectification

The data subject shall have the right to require the controller without undue delay to rectify any inaccurate or incomplete personal data concerning him/her.

5.4 The right to erasure (also known as the right to be forgotten)

Except where the data are held for purposes of legal obligation or public task (4.3 or 4.5) the data subject shall have the right to require the controller without undue delay to erase any personal data concerning him/her.

Note: This provision is also known as “The right to be forgotten.”

5.5 The right to restrict processing

Where there is a dispute between the data subject and the Controller about the accuracy, validity or legality of data held by the Charity, the data subject shall have the right to require the Controller to cease processing the data for a reasonable period to allow the dispute to be resolved.

5.6 The right to data portability

Where data are held for purposes of consent or contract (4.1 or 4.2) the data subject shall have the right to require the Controller to provide him/her with a copy in a structured, commonly used, and machine-readable format of the data which he/she has provided to the Controller and have the right to transmit those data to another Controller without hindrance.

5.7 The right to object

  a) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him/her which is based on Public Task or Legitimate Interest (4.5 or 4.6), including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
  b) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  c) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

5.8 Rights in relation to automated decision making and profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where the decision is:

  a) based on the data subject’s explicit consent, or
  b) necessary for entering into, or performance of, a contract between the data subject and a Data Controller.
  6. Operational Policies & Procedures

The Trustees understand and accept their responsibility under the UK General Data Protection Regulation (UK-GDPR) to hold all personal data securely and use it only for legitimate purposes with the knowledge and approval of the data subjects. Through operational policies and procedures, the Trustees undertake to uphold the principles and requirements of the UK-GDPR in a manner which is proportionate to the nature of the personal data being held by the Charity. The policies are based on the Trustees’ assessment, in good faith, of the potential impacts on both the Charity and its data subjects of the personal data held by the Charity being stolen, abused, corrupted or lost.

  7. Personnel

7.1 Data Protection Officer

In the considered opinion of the Trustees, the scope and nature of the personal data held by the Charity are not sufficient to warrant the appointment of a Data Protection Officer. Accordingly, no Data Protection Officer is appointed.

7.2 Data Controller

The Charity is the data controller for the purposes of the UK-GDPR. The Trustee appointed by the Trustees is responsible for the Charity’s data controller functions and is referred to in this policy as the Data Controller.

7.3 Data Processor

The Charity carries out its own data processing and will not knowingly outsource its data processing to any third party except as provided for in the section “Third Party Access to Data.”

7.4 Access to Data

Except where necessary to pursue the legitimate purposes of the Charity, only those persons authorised by the Data Controller to process personal data on the Charity’s behalf (referred to in this policy as Data Processors) shall have access to the personal data held by the Charity.

7.5 Training

All staff will complete annual training commensurate with the scale and nature of the personal data that the Charity holds and processes under the UK-GDPR.

  8. Collecting & Processing Personal Data

The Charity collects a variety of personal data commensurate with the variety of purposes for which the data are required in the pursuit of its charitable objects. All personal data will be collected, held and processed in accordance with the relevant Data Privacy Notice provided to data subjects as part of the process of collecting the data. A Data Privacy Notice will be provided, or otherwise made accessible, to all persons on whom the Charity collects, holds and processes data covered by the UK-GDPR. The Data Privacy Notice provided to data subjects will detail the nature of the data being collected, the purpose(s) for which the data are being collected, the subject’s rights in relation to the Charity’s use of the data and other relevant information in compliance with the prevailing UK-GDPR requirements.

  9. Data Subjects

9.1 The Rights of Data Subjects

In compliance with the UK-GDPR the Charity will give data subjects the following rights. These rights will be made clear in the relevant Data Privacy Notice provided to data subjects:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right of erasure (also referred to as “the right to be forgotten”);
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • the right not to be subjected to automated decision making, including profiling.

The availability of some of the above rights depends on the legal basis on which the Charity is holding and processing the data subject’s data: {SC} Subject Consent; {CO} Contractual Obligation; {LO} Legal Obligation; {LI} Legitimate Interest. Section 5 sets out which rights apply under each basis.

9.2 Rights of Access, Rectification and Erasure

Data subjects will be clearly informed of their right to access their personal data and to request that any errors or omissions be corrected promptly. Such access shall be given, and the correction of errors or omissions shall be made free of charge provided that such requests are reasonable and not trivial or vexatious. There is no prescribed format for making such requests provided that:

  a) the request is made in writing, signed and dated by the data subject (or their legal representative);
  b) the data claimed to be in error or missing are clearly and unambiguously identified;
  c) the corrected or added data are clear and declared by the subject to be complete and accurate.

It will be explained to subjects who make a request to access their data, to have errors or omissions corrected, or to have their data erased that, while their requests will be actioned as soon as is practical, there may be delays where the volunteers or staff who deal with such requests do not work on every normal weekday. Where a data subject requests that their data be rectified or erased, the Data Controller and Data Processors will ensure that the rectification or erasure is applied to all copies of the subject’s personal data, including those copies which are in the hands of a Third Party for authorised data processing.

9.3 Right of Portability

The Charity will only provide copies of personal data to the subject (or the subject’s legal representative) on written request. The Charity reserves the right either:

  a) to decline requests for portable copies of the subject’s personal data when such requests are unreasonable (i.e. excessively frequent) or vexatious; or
  b) to make a reasonable charge for providing the copy.

9.4 Data Retention Policy

Personal data shall not be retained for longer than is necessary. The Charity shall put in place an archiving policy for each area in which personal data are processed and review this policy annually. The archiving policy shall consider what data should/must be retained, for how long and why.

  10. Third Party Access to Data

Under no circumstances will the Charity share with, sell or otherwise make available to Third Parties any personal data except where it is necessary and unavoidable to do so in pursuit of its charitable objects, as authorised by the Data Controller (e.g. data shared as part of a criminal investigation or safeguarding incident). Whenever possible, data subjects will be informed in advance of the necessity to share their personal data with a Third Party in pursuit of the Charity’s objects. Before sharing personal data with a Third Party the Charity will take all reasonable steps to verify that the Third Party is itself compliant with the provisions of the UK-GDPR, and will set out the Third Party’s obligations in a written contract.

The contract will specify that:

  1. The Charity is the owner of the data.
  2. The Third Party will hold and process all data shared with it exclusively as specified by the instructions of the Data Controller.
  3. The Third Party will not use the data for its own purposes
  4. The Third Party will adopt prevailing industry standard best practice to ensure that the data are held securely and protected from theft, corruption, or loss.
  5. The Third Party will be responsible for the consequences of any theft, breach, corruption, or loss of the Charity’s data (including any fines or other penalties imposed by the Information Commissioner’s Office) unless such theft, breach, corruption, or loss was a direct and unavoidable consequence of the Third Party complying with the data processing instructions of the Data Controller.
  6. The Third Party will not share the data, or the results of any analysis or other processing of the data with any other party without the explicit written permission of the Data Controller.
  7. The Third Party will securely delete all data that it holds on behalf of the Charity once the purpose of processing the data has been accomplished.
  11. Data Breach

In the event that any personal data breach comes to the attention of the Data Controller, the Data Controller will notify the Chair of Trustees immediately, and the Information Commissioner’s Office and the Charity Commission within 72 hours. If full details of the nature and consequences of the breach are not available to the Data Controller within those 72 hours, the Data Controller will bring that to the attention of the Information Commissioner’s Office and undertake to forward the relevant information as soon as it becomes available. Where the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, the affected data subjects will also be informed without undue delay.

  12. Privacy Policy & Privacy Notices

The Charity will have a Privacy Policy and appropriate Privacy Notices which it will make available.