IRO Privacy Policy.

The Institution of Railway Operators (IRO) has always taken great care to protect members’ data and is an organisation that has always been run with its members at its heart. As a result, data protection has never been just about complying with the law; it has always been about keeping personal data safe and being fair in how the IRO works with individuals, and the IRO will continue to operate this way.

Therefore, the IRO takes your trust and right to privacy very seriously and is committed to ensuring that whenever we process personal information we do this fairly, lawfully and in a transparent manner. We comply fully with all of our obligations under the data protection laws. These laws include the Data Protection Act 1998 (DPA), and any statutory modification or re-enactment thereof, and the EU General Data Protection Regulation (GDPR).

Data Protection Act

The Data Protection Act 1998 (DPA) was enacted to ensure the fair and lawful processing of personal data. The DPA governs how organisations can collect and process information about individuals. It explains the rights of individuals (data subjects) and the responsibilities of the organisations (data controllers) which collect and process personal data. It also details the requirements of any third party organisations (data processors) which process personal data on behalf of data controllers. The DPA is regulated and enforced by the UK Information Commissioner’s Office (ICO).

General Data Protection Regulation

The new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which strengthens and unifies data protection for individuals within the European Union, will come into force on 25 May 2018. The Regulation has been designed to harmonise data privacy laws across Europe, to protect and empower all citizens’ data privacy and to reshape the way organisations across the EU approach data privacy. The IRO is working in collaboration with our partners to implement the Regulation and to ensure that all of our policies and operations are compliant with it.

Data Protection in the IRO

The IRO regards the fair, lawful, and transparent treatment of personal information as integral to our business operations and to maintaining the confidence of our members and stakeholders. As a member of the IRO, your consent to process your data, in order to administer your membership, is given by you at the time of your application.

The IRO collects members’ data in order to communicate effectively with members and to administer IRO membership in a proper, timely, cost-effective and secure manner.

The IRO has a designated member of the management team who has specific responsibility for data protection within the organisation – the Quality Assurance and Standards Manager. They are responsible for monitoring and auditing compliance with the data protection laws, ensuring IRO members of staff understand and comply with their obligations, and assessing the risks associated with the processing of personal data.

The registration number of the Institution of Railway Operators entry in the ICO Register of data controllers is ZA281660.

This website is operated by the IRO and this policy applies to all public web domains and sub domains operated by the IRO:

Please note, we will not process or store the personal information of individuals under 16 years of age, unless consent is given or authorised by the holder of parental responsibility.

Privacy Notices

The IRO uses privacy notices to inform you about the collection and use of your personal data and what to expect whenever we collect and process personal information. More information can be found in the Privacy Notice section of this website.

The IRO does not process your personal data for marketing purposes and the IRO does not carry out any automated individual decision-making (making a decision solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain things about an individual).

If at any time you feel that we are not being transparent enough about how we process your personal data or you would like more information then please let us know using the contact information below.

Your Rights

You have the following rights which you can exercise at any time by contacting us at info@railwayoperators.co.uk.  You have the right:

  • To access your personal data – IRO members can access their personal record online at any time by logging in at https://iro.mkmapps.com/Account/Login, or a formal subject access request may be made – see Subject Access Requests below
  • To ask for the information we hold about you to be rectified if it is inaccurate or incomplete – IRO members can access and update their personal record online at any time by logging in at https://iro.mkmapps.com/Account/Login or by contacting the office
  • To ask for data to be erased provided that the personal data is no longer necessary for the purposes for which it was collected
  • To ask us not to process your personal data where you have a particular reason for wanting the restriction
  • To data portability – IRO members are able to obtain and reuse their personal data for their own purposes and can access their personal record online at any time by logging in at https://iro.mkmapps.com/Account/Login
  • To object to your data being used for direct marketing – the IRO does not process your personal data for marketing purposes. However, should we ever intend to use your data for such purposes in the future we will inform you in advance.

Details about the collection and use of your personal data can be found in the Privacy Notice section of this website.

Subject Access Requests

The DPA and the GDPR give data subjects a legal right to access the personal information the IRO holds about them. These requests are known as subject access requests and we will process them within 30 days. We will also provide you with information about any processing of your personal data that is being carried out, the retention periods which apply to your personal data, and any rights to rectification, erasure, or restriction of processing that may exist.

Subject access requests must be submitted in writing and anyone making an oral request will be invited to complete our Subject Access Request Form. More information about making a subject access request is available in the form.

Right to complain

Should you have any issues, concerns or problems in relation to your data, or wish to notify us of data which is inaccurate, please let us know by contacting us using the contact details below. In the event that you are not satisfied with our processing of your personal data, you have the right to lodge a complaint with the relevant supervisory authority.  Therefore, should you feel that the IRO is handling your data unfairly or unlawfully, you can report your concern to the Information Commissioner’s Office (ICO). For more information visit the ICO website.

Contact Information

Liz Walker
Quality Assurance and Standards Manager
Institution of Railway Operators
The Moat House
133 Newport Road
Stafford
ST16 2EZ

Tel: 03333 440523

Email: info@railwayoperators.co.uk