The Chartered Institution of Railway Operators (CIRO) has always taken great care to protect members’ data and is an organisation that has always been run with its members at its heart. As a result data protection has never been just about complying with the law, data protection has always been about keeping personal data safe and being fair in how it works with individuals and the CIRO will continue to operate this way.
Therefore, the CIRO takes your trust and right to privacy very seriously and is committed to ensuring that whenever we process personal information we do this fairly, lawfully and in a transparent manner. We comply fully with all of our obligations under the data protection laws. These laws include the Data Protection Act 1998 (DPA), and any statutory modification or re-enactment thereof, and the EU General Data Protection Regulation (GDPR).
Data Protection Act
The Data Protection Act 1998 (DPA) was enacted to ensure the fair and lawful processing of personal data. The DPA governs how organisations can collect and process information about individuals. It explains the rights of individuals (data subjects) and the responsibilities of the organisations (data controllers) which collect and process personal data. It also details the requirements of any third party organisations (data processors) which process personal data on behalf of data controllers. The DPA is regulated and enforced by the UK Information Commissioner’s Office (ICO).
General Data Protection Regulation
The new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which strengthens and unifies data protection for individuals within the European Union, will come into force on 25 May 2018. The Regulation has been designed to harmonise data privacy laws across Europe, to protect and empower all citizens’ data privacy and to reshape the way organisations across the EU approach data privacy. The CIRO is working in collaboration with our partners to implement the Regulation and to ensure that all of our policies and operations are compliant with it.
Data Protection in the CIRO
The CIRO regards the fair, lawful, and transparent treatment of personal information as integral function of our business operations and to maintaining the confidence of our members and stakeholders. As a member of the CIRO your consent to process your data, in order to administer your membership, is given by you at the time of your application.
The CIRO collects members’ data in order to effectively communicate with members and to administer CIRO membership in a proper, timely, cost effective and secure manner.
The CIRO has a designated member of the management team who has specific responsibility for data protection within the organisation – the Quality Assurance and Standards Manager. They are responsible for monitoring and auditing compliance with the data protection laws, ensuring CIRO members of staff understand and comply with their obligations, and assessing the risks associated with the processing of personal data.
The registration number of the Chartered Institution of Railway Operators entry in the ICO Register of data controllers is ZA281660.
This website is operated by the CIRO and this policy applies to all public web domains and sub domains operated by the CIRO:
Please note, we will not process or store the personal information of individuals under 16 years of age, unless consent is given or authorised by the holder of parental responsibility.
The CIRO uses privacy notices to inform you about the collection and use of your personal data and what to expect whenever we collect and process personal information. More information can be found in the Privacy Notice section of this website.
The CIRO does not process your personal data for marketing purposes and the CIRO does not carry out any automated individual decision-making (making a decision solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain things about an individual).
If at any time you feel that we are not being transparent enough about how we process your personal data or you would like more information then please let us know using the contact information below.
You have the following rights which you can exercise at any time by contacting us at firstname.lastname@example.org. You have the right:
Subject Access Requests
The DPA and the GDPR give data subjects a legal right to access the personal information the CIRO holds about them. These requests are known as subject access requests and we will process them within 30 days. We will also provide you with information about any processing of your personal data that is being carried out, the retention periods which apply to your personal data, and any rights to rectification, erasure, or restriction of processing that may exist.
Subject access requests must be submitted in writing and anyone making an oral request will be invited to complete our Subject Access Request Form. More information about making a subject access request is available in the form.
Right to complain
Should you have any issues, concerns or problems in relation to your data, or wish to notify us of data which is inaccurate, please let us know by contacting us using the contact details below. In the event that you are not satisfied with our processing of your personal data, you have the right to lodge a complaint with the relevant supervisory authority. Therefore, should you feel that the CIRO is handling your data unfairly or unlawfully, you can report your concern to the Information Commissioner’s Office (ICO). For more information visit the ICO website.
Quality Assurance and Standards Manager
Chartered Institution of Railway Operators
The Moat House
133 Newport Road
Tel: 03333 440523