The Chartered Institution of Railway Operators (CIRO) has always taken great care to protect personal data and is an organisation that has always been run with its members, students, learners, apprentices and customers at its heart. As a result, data protection has never just been about complying with the law, data protection has always been about keeping personal data safe and being fair in how it works with individuals and CIRO will continue to operate in this way.

Therefore, CIRO takes your trust and right to privacy very seriously and is committed to ensuring that whenever we process personal data, we do this fairly, lawfully and in a transparent manner. We fully comply with all our obligations under the data protection laws. These General Data Protection Regulation (Regulation (EU) 2016/679) and all applicable laws relating to the collection and use of personal data and privacy and any applicable codes of practice issued by a regulator including in the UK, the Data Protection Act 2018.

Data Protection Act

The Data Protection Act 1998 (DPA) was enacted to ensure the fair and lawful processing of personal data. The DPA governs how organisations can collect and process information about individuals. It explains the rights of individuals (data subjects) and the responsibilities of the organisations (data controllers) which collect and process personal data. It also details the requirements of any third party organisations (data processors) which process personal data on behalf of data controllers. The DPA is regulated and enforced by the UK Information Commissioner’s Office (ICO).

General Data Protection Regulation

The new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which strengthens and unifies data protection for individuals within the European Union, will come into force on 25 May 2018. The Regulation has been designed to harmonise data privacy laws across Europe, to protect and empower all citizens’ data privacy and to reshape the way organisations across the EU approach data privacy. The CIRO is working in collaboration with our partners to implement the Regulation and to ensure that all of our policies and operations are compliant with it.

Data Protection in the CIRO

The CIRO regards the fair, lawful, and transparent treatment of personal information as integral function of our business operations and to maintaining the confidence of our members and stakeholders. As a member of the CIRO your consent to process your data, in order to administer your membership, is given by you at the time of your application.

The CIRO collects members’ data in order to effectively communicate with members and to administer CIRO membership in a proper, timely, cost effective and secure manner.

The CIRO has a designated member of the management team who has specific responsibility for data protection within the organisation – the Quality Assurance and Standards Manager. They are responsible for monitoring and auditing compliance with the data protection laws, ensuring CIRO members of staff understand and comply with their obligations, and assessing the risks associated with the processing of personal data.

The registration number of the Chartered Institution of Railway Operators entry in the ICO Register of data controllers is ZA281660.

This website is operated by the CIRO and this policy applies to all public web domains and sub domains operated by the CIRO:

Please note, we will not process or store the personal information of individuals under 16 years of age, unless consent is given or authorised by the holder of parental responsibility.

Privacy Notices

The CIRO uses privacy notices to inform you about the collection and use of your personal data and what to expect whenever we collect and process personal information. More information can be found in the Privacy Notice section of this website.

The CIRO does not process your personal data for marketing purposes and the CIRO does not carry out any automated individual decision-making (making a decision solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain things about an individual).

If at any time you feel that we are not being transparent enough about how we process your personal data or you would like more information then please let us know using the contact information below.

Your Rights

You have the following rights which you can exercise at any time by contacting us at  You have the right:

  • To access your personal data – CIRO members can access their personal record on line at anytime by logging in at or a formal subject access request may be made – see Subject Access Requests below
  • To ask for the information we hold about you to be rectified if it is inaccurate or incomplete – CIRO members can access and update their personal record on line at anytime by logging in at or by contacting the office
  • To ask for data to be erased provided that the personal data is no longer necessary for the purposes for which it was collected
  • To ask us not to process your personal data where you have a particular reason for wanting the restriction
  • To data portability – CIRO members are able to obtain and reuse their personal data for their own purposes and can access their personal record on line at anytime by logging in at
  • To object to stop your data from being used for direct marketing – the CIRO does not process your personal data for marketing purposes. However, should we ever intend to use your data for such purposes in the future we will inform you in advance.
    Details about the collection and use of your personal data can be found in the Privacy Notice section of this website

Subject Access Requests

The DPA and the GDPR give data subjects a legal right to access the personal information the CIRO holds about them. These requests are known as subject access requests and we will process them within 30 days. We will also provide you with information about any processing of your personal data that is being carried out, the retention periods which apply to your personal data, and any rights to rectification, erasure, or restriction of processing that may exist.

Subject access requests can be submitted by email, telephone or writing.

Right to complain

Should you have any issues, concerns or problems in relation to your data, or wish to notify us of data which is inaccurate, please let us know by contacting us using the contact details below. In the event that you are not satisfied with our processing of your personal data, you have the right to lodge a complaint with the relevant supervisory authority.  Therefore, should you feel that the CIRO is handling your data unfairly or unlawfully, you can report your concern to the Information Commissioner’s Office (ICO). For more information visit the ICO website.

Contact Information

Gemma Brice

Central Services Executive
Beacon Building Second Floor
Stafford Enterprise Park
Weston Road
ST18 0BF

Tel: 03333 440523