We are committed to ensuring the best standards of practice in all our activities. Members, beneficiaries and those who visit our website may be assured that we give the highest priority to protecting their privacy and treating all information about them confidentially.
All personal information is collected, held and used in strict compliance with the EU General Data Protection Regulations (GDPR). The terms of our registration may be inspected on the Information Commissioner’s website.
Who is the data controller?
Transport Benevolent Fund CIO is the data controller.
Contact details of data controller
Address: Transport Benevolent Fund CIO, Suite 2.7, The Loom, 14 Gowers Walk, LONDON, E1 8PY
Telephone number: 0300 333 2000
“Cookies” What information is being collected?
We do not collect any personal information from visitors to our website other than that knowingly and voluntarily given. Anonymous information is collected, such as the number of visitors to the website in a given period, but it is purely statistical and cannot be used to identify an individual user. Cookies are not used to collect any other information from visitors to the website.
We draw a distinction between personal data and sensitive data (special category). Sensitive data is only stored when we have received your express authority to do this and we are unable to process any requests for benefits which would require us to store sensitive data unless you sign the necessary consent form.
Keeping Data Subjects Informed
Where personal data is collected directly from you we will inform you of its purpose at the time of collection.
How will the information be used?
The information collected may be used to contact you with further details of membership, our current or future activities. We do not generally continue to contact members, beneficiaries or those who contact us for longer than necessary to deal with their enquiry, but we may do so in certain circumstances. You may ask us at any time not to contact you further.
Who will the information be shared with?
We try not to send details of requests for help outside our office. We do, however, have to ensure that our staff, health professionals and committees have access to this information to enable them to consider your enquiry or request properly.
We do not exchange information with any other organisation or individual, unless we have a legal obligation to do so. This means that we will not contact your employer, trade union or any other organisation without your express authority. Sometimes, however, a representative of your employer or trade union is our local representative and we may need to discuss your request with them. If you believe there may be a problem in this respect, we shall be happy to tell you who the relevant representatives are and to discuss any areas of concern you may have.
We endeavour to treat family members separately and not to pass information from one family member to another, but members and beneficiaries must bear in mind that this is simply not practicable in all cases.
What is the lawful basis for processing information?
We need a lawful basis to collect and use your personal data under data protection law. The law allows for six ways to process personal data (and additional ways for sensitive personal data). Please note the following relevant types of processing that we carry out at TBF. This includes information that is processed on the basis of:
A person’s consent form in relation to the help they are seeking and their signed membership subscription mandate for processing that is necessary for compliance with a legal obligation, for example accounting data, information needed to process a Gift Aid declaration.
TBF’s legitimate interests
Personal data may be legally collected and used if it is necessary for a legitimate interest of the organisation using the data, if its use is fair and does not adversely impact the rights of the individual concerned. When we use your personal information, we will always consider if it is fair and balanced to do so, and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Our legitimate interests include:
Charity governance: including delivery of our charitable purposes, statutory and financial reporting and other regulatory compliance purposes;
Administration and operational management: including responding to requests for help, providing information and services, and administrating recruitment processes for staff and volunteers.
Data security and integrity
We take all reasonable measures to ensure that the information we hold is accurate and we take appropriate measures to safeguard it from unauthorised access or improper use. Our electronic database is stored in a secure, password protected, location; only users authorised by us have access to this data. Electronic data is held indefinitely, while paper records are retained securely, and generally destroyed after a period not exceeding six years. The main exceptions to this are your application to join which are retained up to 100 years, the forms you give us agreeing to the storing of personal information and any records required to be stored for longer to meet statutory requirements.
Your right to access the information we hold on you
You have the right to access your personal data and supplementary information. For details, please see our policy entitled ‘General Data Protection Policy, part 13.
The right of access allows you to be aware of and verify the lawfulness of the processing.
Your right to data portability
Your right to data portability allows you to obtain and reuse your personal data for your own purposes.
Right to rectify your data
GDPR gives you the right to have personal data rectified if it is inaccurate or incomplete.
Right to object to data processing
You have the right to object to us processing your personal data based on legitimate interests. We do not process personal data for direct marketing (including profiling), scientific or historical research and statistics purposes. TBF does not use personal data for the purpose of automated decision-making processes.
Right to erase your data
Your right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in the following circumstances:
It is no longer necessary for TBF to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;
The data subject objects to TBF holding and processing their personal data and wishes to withdraw their consent (and there is no overriding legitimate interest to allow TBF to continue doing so);
The personal data has been processed unlawfully;
The personal data needs to be erased in order for TBF to comply with a particular legal obligation;
Unless TBF has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed. Any such notice of erasure shall include details of any consequences e.g. that there is no longer a record of his/her membership of TBF, or any other qualification which is normally a condition of his/her eligibility to benefit.
In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
We will not be able to erase any personal data based on the following legitimate interest i.e. we have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
Right to restrict your data
You may request that we cease processing the personal data we hold about you. If you make such a request, TBF shall retain only the amount of personal data concerning you (if any) that is necessary to ensure that the personal data in question is not processed further.
In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
Our website is not targeted at children and in any event personal information will not normally be collected from anyone under eighteen years of age unless they are a TBF CIO beneficiary.