We recognise that your privacy is important, and we are committed to protecting the Personal Data that we collect from you. The Bluebell Railway comprises the Bluebell Railway Preservation Society (BRPS), Bluebell Railway plc, the Bluebell Railway Trust (reg’d. Charity no. 292497) and their subsidiary supporting groups, all being at Sheffield Park Station, Nr. Uckfield, East Sussex TN22 3QL, tel. (01825 720800).
Personal Data is managed in accordance with the UK Data Protection Act 2018, the General Data Protection Regulations (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
COLLECTION OF PERSONAL DATA
The Bluebell Railway will only collect and hold Personal Data about you that is reasonably necessary to undertake our normal activities and functions, or as otherwise permitted by law.
Why we collect Personal Data
We may collect your Personal Data for one or more of the reasons outlined below. We will use Legitimate Interest as the legal basis for so doing, excepting where under GDPR we are required to seek your express consent.
- Providing our membership services to you including newsletters, and information about events and fundraising.
- To assist with your queries.
- Processing a booking or application that you have made.
- Acting as your agent if you request us to do so.
- For appropriate surveys, direct marketing, promotions or competitions.
- Facilitating our internal operations including the fulfilment of any legal or regulatory requirements.
- Analysing our services and member/ customer needs with a view to developing new and/or improved products and services.
- For Bluebell Railway employees, volunteers, contractors and suppliers, as is reasonably and/or legally necessary.
How we collect your Personal Data
We generally collect Personal Data directly from you, through the use of any of our standard forms, over the internet, via email or through a telephone conversation with you. We may also collect Personal Data from third party contractors or agents who provide our products and services on our behalf.
What kinds of Personal Data we collect
You are under no legal obligation to provide your Personal Data. The types of Personal Data that we collect may include your name, address, email address, social media address or other contact details and such other information that is relevant for us to provide our products and services to you in the manner that you have requested, or to comply with the law.
We do not generally collect sensitive information from you. However, if you provide such information to us, we will only collect that information with your express consent and only where such information is reasonably required in order for us to provide our products or services to you (such as special access or an assistance requirement due to a health condition). We shall not disclose sensitive data to any other party beyond necessary third-party contractors or agents without your consent. We will hold your Personal Data as current for up to two years after its last active use or to legally required timescales (whichever is the longer), after which your Personal Data will be archived and not used or maintained, unless you contact us further.
If you access our websites or any mobile applications (“apps”), we may collect additional Personal Data about you including:
- Server address/ IP address
- Date and time of visit
- Pages visited
- Documents downloaded
- The site you visited prior to visiting our website
- The browser that you are using to access our website
- If you have visited our website before
- Tracking user preferences
- Location data
Our website automatically deploys a cookie on your computer when you arrive at our website, provided cookies are not blocked by your browser. The main purpose of cookies is to monitor usage of our websites and apps to prepare customised web pages so that we may serve you more effectively. This is anonymised and cookies are not used to collect personal information. You may wish to configure your browser so that it does not accept cookies, however you may not be able to access some functions on our websites or apps if they are disabled.
We use Google Analytics, a third party service, to collect standard anonymised internet log information and details of visitor behaviour patterns. We do this to monitor activities such as the number of visitors to various parts of our website. This information is only processed in a way which does not identify website visitors. This anonymised data is kept indefinitely. For more information about Google Analytics see www.google.com/policies/privacy/partners/, or any other URL Google may provide from time to time.
Where social media channels are used, the platform providers’ terms, privacy and cookie arrangements will apply.
You might also want to visit www.aboutcookies.org which provides instructions on how to block cookies on all the major browsers. This site also explains how you can delete cookies that have already been stored on your computer as well as general information about cookies.
Failure to provide Personal Data
If the Personal Data you provide to us is incomplete and/or inaccurate, or you chose not to provide us with the Personal Data that we have requested, it may affect our ability to provide you with our products and services.
DEALING WITH PERSONAL DATA
We will use Legitimate Interest as the legal basis for holding and processing your Personal Data, where this is assessed to be appropriate under the terms of the General Data Protection Regulations. In other instances, and for all ‘new’ individuals’ Personal Data from 25 May 2018 onwards, we will require positive consent before holding and processing such data.
Use and Disclosure
In order to provide products and services to you we may disclose your Personal Data to:
- Between the Bluebell Railway entities, being Bluebell Railway Preservation Society, Bluebell Railway plc, The Bluebell Railway Trust, and their subsidiary supporting groups. This will include updating your details where held (e.g. for change of address)
- providers, contractors, agents or other appropriate partners who assist us in providing our products and services to you
- External providers of services where you have engaged us to act as your agent
- Other service providers, who provide the various services that you have requested and we have arranged
- Where we are required to disclose such information under law
- Other parties with your consent and direction.
We will only provide such Personal Data to those third parties as required to provide our products or services, unless otherwise authorised by you or required under law. Your Personal Data will not be used for automated decision-making, profiling or screening.
Handling your Personal Data overseas (where necessary)
CCTV and webcams
We employ CCTV at some of our stations and workshops in order to:
- prevent, deter and detect crime
- apprehend and prosecute offenders, and provide evidence to take civil action in the courts
- help provide a safer environment for our staff
- protect public safety
- help to provide improved customer service, for example by enabling staff to see customers requiring assistance
- monitor operational and safety related incidents
- assist with the verification of claims
You have the right to make a Subject Access Request for CCTV images of yourself and to ask for a copy of them. You will need to complete an application form provided by us in order for us to establish your identity as the person in the pictures and assist us in finding the images in our system. See ‘Access and Correction’ below.
We reserve the right to withhold information where permissible by the General Data Protection Regulations and we will only retain CCTV images for a reasonable period or as long as is required by law. In certain circumstances we may need to disclose CCTV images for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to the GDPR.
We have installed webcams at our stations and other sites of interest, for viewing and enjoyment via our website by the general public. The fixed cameras do not ’track’ individuals, and the images are not recorded or stored.
INTEGRITY OF PERSONAL DATA
The security of your Personal Data is important to us. We may store your Personal Data in different ways, including in paper form, electronic form, telephone recordings and utilising secure document retention services (including those located offsite). We take all reasonable measures to ensure that your Personal Data is stored safely to protect it from misuse, loss, unauthorised access, modification or disclosure, including electronic (firewalls and access controls) and physical security measures.
Links to other websites
Our websites or apps may contain links to other websites. We are not responsible for the security or privacy of any information collected by third party websites or other services. You should exercise caution and review the privacy statements applicable to the third-party websites and services you use.
ACCESS AND CORRECTION
Correction and Erasure
Where you notify us that your Personal Data is inaccurate or incomplete, out of date, should be erased, should be transferred to a third party at your request (Data Portability), or you with withdraw your Consent, we will take reasonable steps to correct or process the data unless we are authorised not to do so by law. Should we decline your request to correct your Personal Data we will provide you with a written explanation setting out the legal reasons for doing so.
CONTACTING THE BLUEBELL RAILWAY
Tel: 01825 720800
The Data Protection Officer
Sheffield Park Station
East Sussex TN22 3QL
If you are unhappy with a response that you have received from the Bluebell Railway, you have the right to direct your complaint to the Information Commissioner’s Office, at ico.org.uk or tel. 0303 123 1113 (local rate) or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
6th May 2018 (updated 22 Feb 2021 re 1) Cookies and 2) webcams).