Business Policy Documents
Your privacy is important to the Scottish Railway Preservation Society. We are committed to safeguarding the privacy of your personal data; this privacy statement sets out how we will treat your personal information.
We will keep this page updated to show you all the things we do with your personal data. This policy applies if you are a supporter of the SRPS (member, donor, volunteer, customer, employee) or use any of our services, provide us with services, visit our website, email, call or write to us. In certain circumstances we may also provide additional privacy information, which will refer to this page.
Except as provided in this privacy statement, we will not provide your information to third parties.
2 Who are ‘we’?
In this policy, whenever you see the words ‘we’, ‘us’, ‘our’, ‘SRPS’, it refers to The Scottish Railway Preservation Society and its related companies.
The SRPS is a Charitable Company (Scottish Charity No. SC002375) limited by guarantee registered in Scotland (Reg. No. 55533). The SRPS is the operator of the Bo’ness & Kinneil Railway between Bo’ness and Manuel, and the Museum of Scottish Railways at Bo’ness.
SRPS Railtours (Reg. Co. No. 158474) carries on a range of commercial trading activities to generate income for the SRPS including operation of charter trains on the national rail network, and sale of gifts and souvenirs at the Bo’ness station shop and on charter trains, and commercial activities that are deemed outside the charitable purposes of the SRPS.
The Bo’ness & Kinneil Railway Co Ltd (Reg. Co. No. 58707) holds title to the land comprised in the heritage railway between Kinneil and Manuel. The Company has entered into a lease of that land to the SRPS. Otherwise, the Company has not traded.
The Scottish Railway Museum Collections Trust (aka SRMCT) is a separately constituted charitable trust (Scottish Charity NO. SC020611) which holds title to the Museum Collection, the day to day management of which is undertaken by the Society in terms of the Management Agreement entered into between the two bodies.
The Scottish Railway Museum Trust (aka SRMT) is a separately constituted charitable trust (Scottish Charity No. SC032072), a subsidiary of the Society by virtue of the Society’s control of the Trustees. The SRMT is currently inactive, but is intended to operate as a fund-raising mechanism for Museum activities and acquisitions.
3 What Personal Data do We Collect?
Your personal data (any information which identifies you, or which can be identified as relating to you personally for example, name, address, phone number, email address) will be collected and used by us. We will only collect the personal data that we need.
We collect personal data in connection with specific activities such as employment, membership enquiries and applications, placing an order, booking train travel, donating money or items, volunteering, entering competitions, participating in events or railway research.
You can give us your personal data by filling in forms on our websites, by registering to use our websites, interacting with social media functions on our websites, entering a competition, completing a survey form, participating in oral research, being photographed, joining as a member, supporter, customer or employee, completing timesheet records or signing-in sheets, attending training courses, being assessed as competent to undertake duties, donating money or goods and services, or by corresponding with us (by mail, phone, email).
4 Personal Data Provided by You
The SRPS may collect, store and use the following kinds of personal information:
- Personal Information that you provide to us for the purpose of membership of the SRPS, or working and volunteering with the SRPS;
- Personal Information that you provide to us for the purchase of goods and services (such as tickets for trains and events);
- Financial information (such as credit or debit card or direct debit details, bank account details, and whether donations are gift-aided);
- Your competence to undertake specific duties for the SRPS (such as competence you have been awarded by other heritage railways or third party assessors).
- For Family Members, your relationship with other Members of the same family.
- Any other information that you choose to send to us such as enquiries through our website;
- Information about your computer and about your visits to and use of our website.
5 Personal Data Created by your Involvement with Us
Your activities and involvement with us will result in personal data being created. This could include information about your competency, rostered duties, investigation into railway incidents, and details of how you’ve helped us by volunteering or being involved with our events and activities.
If you undertake railway duties (as either a volunteer or paid staff) we will collect extra information about you (such as details of emergency contacts, medical status or restrictions, competency references, criminal records checks). This information will be retained for legal or contractual reasons, to protect us (including in the event of an insurance or legal claim) and for safeguarding purposes.
If you decide to donate to us then we’ll keep records of when and what you give to a particular cause (including money, items or services).
6 Information Collection and Use on our Website
Please note that certain services on our websites won’t be available to you until you’ve registered to use our website. We collect personal information about your website visit as follows.
- You can choose to complete a Feedback Form, which will disclose online contact information (e-mail address), and if you wish, disclose additional contact information, such as your phone number. We use and retain this information until your query or transaction is complete, which is an indeterminate period of time.
- You can choose to join our electronic Mailing List. If you decide to opt-in to our Mailing List, you will receive e-mails that may include news and details of forthcoming events. If at any time you would like to unsubscribe from receiving future e-mails, we include detailed unsubscribe instructions at the bottom of each e-mail.
- You can choose to purchase items from our website, such as train tickets. You will receive mail that may include news and details of forthcoming events. If at any time you would like to unsubscribe from receiving future mailings, we include detailed unsubscribe instructions within each mailing.
- We automatically collect and store information for statistical purposes which does not identify you personally. This information helps us to monitor how visitors use our website. This information may include your browser software (such as Internet Explorer), your operating system (such as MS Windows and Apple MAC), the name and domain of your Internet Service Provider and the Internet Protocol (IP) address of the computer you are using.
7 How We Update, Screen or Analyse Your Data
We periodically review records of members and staff to ensure your data is as accurate as possible. We may contact you to request confirmation of your records. We may search publicly available registers to confirm your contact details, such as the Royal Mail website.
We analyse the contribution made by our staff and volunteers in order to provide aggregate level statistics to regulatory bodies (such as the ORR) and in support of applications to external funding bodies (such as the Lottery).
8 Information from Third Parties
We contract medical practitioners to confirm that you are fit to undertake your relevant railway duties. Only the medical practitioners know about your medical details – we merely record the outcome i.e. whether you have been assessed as either ‘fit’ or ‘unfit’ for duty.
We contract third parties to assess your competence to operate specific items of plant or to undertake specific activities in support of your railway duties. We record the outcome of their assessments and retain copies of certificates or assessments papers issued by the third parties.
For a limited number of volunteers whose railway duties involve working with young people, we seek their approval to obtain a criminal record check from Disclosure Scotland. We review and securely destroy the report, and merely record that a check has been undertaken.
9 Children’s Personal Data
Family Membership: Children aged under 18 years of age are included on family memberships and are members of the SRPS. We collect their names and dates of birth to ensure they are appropriately supervised when participating in railway events or duties.
Junior Membership: Junior membership is available to young people between 12 and 17 years of age. Junior members under 16 years of age volunteer through the Youth Group or are directly supervised by their Guardians. Junior members between 17 and 18 years of age can volunteer without supervision of the Youth Group or Guardians.
Contact Details for Juniors: We use the contact details of their Guardians for junior members under 16 years of age.
10 How We Use Your Personal Data
We will only use your personal data on relevant lawful grounds as permitted by the General Data Protection Regulation (effective from 25 May 2018) and the Privacy of Electronic Communication Regulation.
Personal data provided to us will be used for the purpose or purposes outlined in this document, in accordance with any preferences you express. If asked by the police, or any other regulatory or government authority investigating suspected illegal activities, we may need to provide your personal data.
Your personal data will be collected and used to help us deliver our charitable activities, safely operate our heritage railway, museum and main line charter trains, help us raise funds, or complete your order or request. Below are the main uses of your data which depend on the nature of our relationship with you and how you interact with our various services, websites and activities.
We will not rent, swap or sell your personal information to other organisations for them to use in their own marketing or other activities. The legal basis that we rely on for processing your data will depend on the circumstances in which it is being collected and used, but in most cases will fall into one of the following categories:
- Where the processing is necessary to carry out the performance of a contract with you, such as your purchase of tickets for an event.
- Where the processing is necessary in order for us to comply with a legal or regulatory obligation, such as investigation of incidents by the RAIB, returns to HMRC and Companies House.
- Where it is in our legitimate interests to perform our functions, for example to administer your membership, to safely operate our railway or charter trains, and to preserve Scotland’s railway heritage.
- Where you have provided your consent to allow us to use your data in a certain way, such as marketing events.
11 Marketing Communications
We’d like to use your details to keep in touch about things that may matter to you. Your privacy is important to us, so we’ll always keep your details secure. If you choose to hear from us we may send you information based on what is most relevant to you or things you’ve told us you like.
When you purchase items from us, such as tickets for an event or to travel on a train, you may subsequently receive mail or email information about future similar events or trains. You can also contact us to be included in any such future communications even when you haven’t purchased items from us.
We’ll only send these marketing communications to you if you agree to receive them and we will never share your information with companies outside the SRPS for inclusion in their marketing. If you agree to receive marketing information from us you can change your mind at a later date.
However, if you tell us you don’t want to receive marketing communications, then you may not hear about events or other work we do that may be of interest to you.
12 Membership Including Newsletters and Magazines
We use the personal data you provide as a member to service your membership. This includes sending renewal information to annual members by mail and email, sending magazines & supplements and information about our Annual General Meeting.
Most magazine content is about our work, railway preservation and ideas to help you make the most of your support of the SRPS either as a member or supporter. Our membership magazines and supplements may sometimes include competitions or ideas about how to raise money, but they are a member/supporter benefit.
You may inform the Membership Secretary at any time that you do not wish to receive our regular magazines and supplements. However you will continue to receive regulatory notices concerning your membership such as notification of AGMs and invitations to renew your annual membership.
13 Membership Website and Notification Emails
Should you wish to register to access the Member’s area of our website, you can optionally register to receive information by email, such as details of forthcoming events and notification of deaths of members. These notifications are a member/supporter benefit.
You can withdraw this registration at any time on the Member’s area of our website at http://members.srps.org.uk/user.php
14 Railway Management Website and Emails
When you undertake duties as a volunteer or staff, you will receive email communications regarding your duties including details of rostered turns, competency, rules & regulations, safety notices, and details of railway events and training courses organised by the SRPS and occasionally by third parties. These communications are essential to safely operate our railway, museum and charter trains.
15 Fundraising, Donations and Legacy Pledges
Where we have your permission, we may invite you to support vital conservation work by making a donation, buying a raffle ticket, getting involved in fundraising activities or leaving a gift in your will.
Occasionally, we may invite some supporters to attend special events to find out more about the ways in which donations and gifts in wills can make a difference to specific projects and to our cause. We’ll also send you updates on the impact that you make by supporting us in this way, unless you tell us not to.
If you make a donation, we’ll use any personal information you give us to record the nature and amount of your gift, claim gift aid where you’ve told us you’re eligible and thank you for your gift. If you interact or have a conversation with us, we’ll note anything relevant and store this on our systems.
If you tell us you want to fundraise to support our cause, we’ll use the personal information you give us to record your plans and contact you to support your fundraising efforts.
If you’ve told us that you’re planning to, or thinking about, leaving us a gift in your will, we’ll use the information you give us to keep a record of this – including the purpose of your gift, if you let us know this.
If we have a conversation or interaction with you (or with someone who contacts us in relation to your will, for example your solicitor), we’ll note these interactions throughout your relationship with us, as this helps to ensure your gift is directed as you wanted.
16 Prospective volunteers
We need to use your personal data to manage your volunteering, from the moment you enquire to the time you decide to stop volunteering with us. This could include contacting you about a role you’ve applied for or we think you might be interested in, induction that you’ve attended, expense claims you’ve made, training you’ve attended, competency you’ve been awarded, turns you’ve booked and to recognise your contribution.
17 Research and Surveys
We carry out research with our supporters, customers, staff and volunteers to get feedback on their experience with us. We use this feedback to improve the experiences that we offer and ensure we know what is relevant and interesting to you.
If you choose to take part in research or a survey, we’ll tell you when you start what data we will collect, why and how we’ll use it. All the research we conduct is optional and you can choose not to take part. We only use this information at an aggregate level for reporting and improvements to our services and facilities.
18 Recruitment and Employment
In order to comply with our contractual, statutory, and management obligations and responsibilities, we process personal data, including ‘sensitive’ personal data, from job applicants and employees.
Such data can include, but isn’t limited to, information relating to health, racial or ethnic origin, and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data, without explicit consent. Further information on what data is collected and why it’s processed is given below.
Contractual responsibilities: Our contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay, leave, maternity pay, pension and emergency contacts.
Statutory responsibilities: Our statutory responsibilities are those imposed through law on the organisation as an employer. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring.
Management responsibilities: Our management responsibilities are those necessary for the organisational functioning of the organisation. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters, e-mail address and telephone number.
19 Sensitive Personal Data of Employees
The Act defines ‘sensitive personal data’ as information about racial or ethnic origin, political opinions, religious beliefs or other similar beliefs, trade union membership, physical or mental health, sexual life, and criminal allegations, proceedings or convictions.
In certain limited circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee.
- We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consent.
- We will process data about, but not limited to, an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for the purpose of monitoring and upholding our equal opportunities policies and related provisions.
- Data about an employee’s criminal convictions will be held as necessary.
20 Disclosure of Employee Data to Other Bodies
In order to carry out our contractual and management responsibilities, we may, from time to time, need to share an employee’s personal data with one or more third party supplier.
To meet the employment contract, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs.
In order to fulfil our statutory responsibilities, we’re required to give some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.
21 Updating Your Data and Marketing Preferences
You can help us keep our records up to date by telling us when your contact details and other personal information changes. We want you to remain in control of your personal data. If, at any time, you want to update or amend your personal data or marketing preferences please contact us in one of the following ways, quoting the current and the new details:
Amend your SRPS Employment details:
- By email to finance ‘at’ srps.org.uk
- Or write to The Finance Team, The Scottish Railway Preservation Society, 17-19 North Street, Bo’ness EH51 0QA
Amend your SRPS Membership or Volunteer details:
- By email to membership ‘at’ srps.org.uk
- Or write to The Membership Secretary, The Scottish Railway Preservation Society, 17-19 North Street, Bo’ness EH51 0QA
Amend your SRPS Railtour customer or marketing details:
- By email to railtours ‘at’ srps.org.uk
- Or write to SRPS Railtours, The Scottish Railway Preservation Society, 17-19 North Street, Bo’ness EH51 0QA
Amend your SRPS customer or marketing details:
- By email to enquiries ‘at’ srps.org.uk
- Or write to SRPS Office, The Scottish Railway Preservation Society, 17-19 North Street, Bo’ness EH51 0QA
22 Personal Data Security
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. The personal data is stored on servers and personal computers.
Our Trustees, Officers and data processors, who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of your personal data.
We implement appropriate security to control access to your personal data, including passwords and role based mechanisms for electronic data and locked cabinets for paper records.
23 Payment Card Security
We have an active PCI-DSS compliance programme in place.
Our online payment solutions are carried out using a ‘payment gateway’ (Sagepay) which is a direct connection to a payment service provided by a bank. This means that when you input card data into the payment page, you are communicating directly with the bank and the bank passes your payment to us, this means that your payment card information is handled by the bank and not processed or held by us.
Some of our locations and properties have Closed Circuit Television (CCTV) and you may be recorded when you visit them.
CCTV is used to provide security and protect both our members and visitors and our property. CCTV will be only be viewed when necessary (e.g. to detect or prevent crime) and footage is stored for set period of time after which it is recorded over. We comply with the Information Commissioner’s Office CCTV Code of Practice and we put up notices so you know when CCTV is used.
25 Retention Period
We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements.
We reserve the right to hold data for archive purposes:
- We reserve the right to hold data related to membership for archive purposes to maintain the history of this charitable organisation;
- We reserve the right to hold data related to Scotland’s Railway Heritage which will enable the charity to continue to fulfil its charitable objects.
Where necessary, we may disclose information about you to any of our Trustees, Officers and Volunteers.
We will share personal data with third party cloud hosting and IT infrastructure providers who host our databases and websites and provide IT support in respect of the databases and websites.
We may disclose your personal information to the extent that we are required to do so by law.
Except as provided in this privacy statement, we will not provide your information to third parties.
We retain the right to disclose personal data to a third party or external organisations carrying out work on our behalf such as a mailing house for the sending of our communications to our Members. Any such companies are acting as approved data processors for us, and we retain full responsibility for your personal data. Data processors will act only on our instructions.
27 Your Rights
At any time you may request that we delete or correct your personal information. You should be aware that if taking any of the above steps impacts on our ability to include you in our administration or safe operation of the railway or museum, it may result in cancellation of your membership or termination of your railway or museum activities.
You can ask us if we are keeping any personal data about you and you can also request to receive a copy of that personal data – this is called a Subject Access Request.
To make a Subject Access Request you will need to provide adequate proof of identity such as a copy of your passport, birth certificate or driving licence before your request can be processed.
Please try to be as clear as possible about the information you are seeking.
Once we have received your Subject Access Request and proof of identity, you will receive a response from us within one month and you will be able to get copies of any information we hold on you.
Requests to delete, correct or access your personal data should be sent to:
The Data Protection Officer
The Scottish Railway Preservation Society
17-19 North Street
Bo’ness EH51 0QA
Email: enquiries ‘at’ srps.org.uk
28 Making a Complaint
If you are not satisfied with our response to any query regarding our processing of your personal data in a way which is inconsistent with the law, you can complain to the Information Commissioner’s Office by telephoning 0303 1231113.
In order to make our websites easier to use and improve our service, we sometimes place small amounts of information on your computer. These are known as cookies and they are used by most major websites.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
30 Other Websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
31 Changes to Our Privacy Notice
We periodically review our privacy notice, and may make changes time to time. Any changes made will be posted to this page, and will apply from the time we post them. You should check this page occasionally to ensure you are happy with any changes. Current Version 18/5/2018
32 How to Contact Us
If you have any comments on our privacy notice, or information we hold about you, please contact us:
- By email to gen.secretary ‘at’ srps.org.uk
- By telephone to 01506 825 855
- Or write to us at The General Secretary, The Scottish Railway Preservation Society, 17-19 North Street, Bo’ness EH51 0QA
END OF DOCUMENT
“This hidden gem is only 40 minutes drive from Glasgow and Edinburgh. The staff are really friendly and looked after us as we boarded a beautiful steam train, we saw heritage diesels too. The sights, smells and sounds really took us back in time. After a browse around the excellent Museum of Scottish Railways and a bite to eat in the Station Buffet we all agreed we would recommend it to everyone and we would definitely be back.”
Mr P Gray, Falkirk
The Scottish Railway Preservation Society
Operators of Bo’ness & Kinneil Railway and Museum of Scottish Railways
Scottish Charity No. SC002375