Please read this privacy notice carefully, together with any other privacy policies or notices we may provide on our websites or any specific occasions when we are collecting or processing personal data about you so that you are informed about how and why we are using your data. This privacy policy supplements other such notices and privacy policies, it is not intended to override them. 

In this privacy notice 'personal data' / 'personal information' is any information about a living individual which allows them to be identified from the data (for example a name, photographs, videos, email address, or address). Identification can be by the information alone or in conjunction with any other information. It does not include data where the identity has been removed (anonymous data).

The processing of personal data is governed by the Data Protection Act 2018, the UK General Data Protection Regulation ('UK GDPR') and other legislation relating to personal data and rights such as the Human Rights Act 1998 (together the 'data protection legislation').  Rail Safety and Standards Board Limited ('RSSB', 'we', 'us' or 'our') is the controller for your personal data (ICO registration number Z8378773). Information about RSSB membership can be found here.

RSSB Subsidiaries

The Railway Industry Supplier Qualification Scheme ('RISQS') is owned and operated by RSSB and RSSB is also the controller for your personal data collected and used by RISQS as set out in this privacy notice.  A reference to RSSB, 'we', 'us', 'our' or the 'controller' includes RISQS and a reference to 'site' or 'sites' includes RSSB and RISQS websites, portals and apps. References to 'you' are to individuals who are using the RSSB and / or RISQS sites or otherwise with whom we have contact or other dealings (whether on behalf of themselves, or their business or another individual or organisation).  Information about RISQS membership can be found here.

The Rail Industry Supplier Approval Scheme ('RISAS') is owned and operated by RSSB and RSSB is also the controller for your personal data collected and used by RISAS as set out in this privacy notice.  A reference to RSSB, 'we', 'us', 'our' or the 'controller' includes RISAS and a reference to 'site' or 'sites' includes RSSB and RISAS websites, portals and apps. References to 'you' are to individuals who are using the RSSB and / or RISAS sites or otherwise with whom we have contact or other dealings (whether on behalf of themselves, or their business or another individual or organisation).  Information about RISAS membership can be found here.

The Confidential Incident Reporting & Analysis Service Limited ('CIRAS') is a separate legal entity and it is independently responsible for the personal data or information that you may share with it. Except where we and CIRAS are joint controllers, we do not share personal data with CIRAS and CIRAS does not share personal data with us. Where we are joint controllers, personal data is shared by us and CIRAS in accordance with the terms of our data sharing agreement. CIRAS's privacy notice can be found here.

Railway Documentation and Drawing Services Limited ('RDDS') is a separate legal entity and it is independently responsible for the personal data or information that you may share with it Provision of documents to railway industry organisations with access rights, and to other parties, is managed on behalf of RDDS by Serco Raildata. Please refer to Serco privacy notice.

Please refer to the Glossary in section 15 to understand the meanings of some other terms used in this privacy notice.

Whilst we will make every effort to ensure your privacy, it may be possible to identify you from the information you provide to us or other third-party information. The purpose of this privacy notice is to inform you about how we will deal with your personal data in the event that you can be directly or indirectly identified.

It is important that the information we hold about you is accurate and current. Please inform us if any of your personal data changes (see section 12).

Our sites may include links to third party websites or applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When leaving our sites, we encourage you to read the privacy notice of every website or application you visit.

1 How we collect your personal information

We process personal information that is provided to us directly by you, or when it is shared with us. 

The circumstances by which we may collect personal data about you includes when:

  • the personal data has been submitted to us by you. For example, when you visit our offices, register to use our sites, register for events, request a standard or other document, make an enquiry, subscribe to an e-newsletter or request that marketing be sent to you, participate in an online survey, or correspond with us by post, phone, email or otherwise. When we collect this type of information, we will notify you of the reason we are asking for information and how this information will be used.
  • the personal data is collected by us or on our behalf in the normal course of our relationship with you. For example, when you book on a course, make enquiries, or purchase our services.
  • the personal data has been made public by you. For example, when you contact us via a social media platform. Please note when you have provided content to RISQS and RISAS for uploading to any of our websites and that content or material contains personal data about another person, you must only do so with that person's permission. You should not include information of a sensitive, non-professional nature (e.g. personal email addresses, phone numbers, health information) (see also Section 8).
  • the personal data has been provided to us by your employer or the organisation you represent. For example, when they nominate you to attend an event or to be their designated contact or representative.
  • The personal data has been provided to us by our members, including passenger train operators, freight and other non-passenger train operators, infrastructure managers and owners, rolling stock owners and leasing companies, infrastructure contractors and suppliers and rolling stock manufacturers. 
  • the personal data has been provided by our suppliers and partners including service providers, contractors, regulators, and other industry bodies. This includes receipt of publicly available data gathered by Dun & Bradstreet, their Privacy Notice can be found here.
  • the personal data is available from publicly available sources such as Companies House.
  • the personal data is collected via our IT systems, including our CCTV systems or our website.
  • the personal data is created by us, such as records of your communications with us.
  • the personal data is collected when we record a meeting or event in which you take part either at our offices or remotely, e.g., using Teams. If a recording is taking place, you will be informed by the organiser. If you take part, you may have the option to share your video and / or audio during the meeting or event. If you choose to do so, this will be captured in the recording. 

2 What personal information do we process?

Personal information that may be collected or shared with us includes:

  • Personal Details: such as names, titles, aliases and photographs. Where relevant, or where you (or your employer or the organisation you represent) provide them to us, we may process demographic information such as gender, age, date of birth, marital status, nationality, education, or work histories, academic or professional qualifications, hobbies, family composition, and dependants. 
  • Contact Data / Employment and Business Details: such as job role / title, company details, telephone numbers, addresses, email addresses, details of services / products provided.
  • Financial Data: including information required for processing any transactions or financial payments, such as account details, or credit card or billing information.
  • Technical Data / System Use Details: including information about your computer's unique identifier (e.g., the IP address), information about your use of our information, IT and communications systems including the browser or device you used to access our sites, information processed by cookies when you use our sites or apps, in accordance with our Cookies Policy. This can include click data, timing, and frequency of site visit. For more information, see our RISQS Cookie Policy page.
  • Usage and Profile Data: including your username and password, purchases or orders made by you, your interests, preferences, feedback, how you use our sites, products, and services and survey responses. 
  • Training Records: such as programme related records, information about your training, including records of performance, results, certificates, and any training work submitted by you.
  • Identifying or Identifiable Data: such as social media handles, photographs, video recordings i.e., CCTV (identifying physical characteristics).
  • Communications Data: such as social media postings, responses, comments, feedback, and opinions when you communicate with us, for instance when making a complaint.
  • Preferences: such as consents, permissions, or preferences that you have specified or agree to our terms and conditions.
  • Research Data: including data collected as part of research, including internal analysis, or in relation to maintaining and managing standards.
  • Incident History: such as health and safety accidents, security incidents, accident information, complaints communications.

Special categories or sensitive personal data

We do not systematically seek to collect, store, or otherwise use information about you classed as 'special categories of data' or 'sensitive data' (for example, information related to your ethnic origin, health or sexual orientation, criminal history).  

We will consider that you have given us your consent to hold your special category of data where you have voluntarily provided such information in your communications with us or provided information we have marked as optional. We will only use the information for the purpose for which it was received unless required by applicable law.

3 How do we process your personal information and what is the legal basis?

When we process your personal information, we are required to have a legal basis for the processing. The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. Most of our data is processed because it we require it to comply with our contractual obligations or it is necessary for our legitimate interests, or the legitimate interests of a third party (such as another controller). We will always take into account your interests, rights, and freedoms.

We will comply with all legal obligations to keep personal data up to date; to store and destroy it securely; to not collect or retain excessive amounts of data; to keep personal data secure, and to protect personal data from loss, misuse, unauthorised access, and disclosure and to ensure that appropriate technical measures are in place to protect personal data.

Some of our processing is necessary for compliance with a legal obligation. For example, we are required to maintain certain records by law such as health and safety records. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. 

We use your personal data for some, or all of the following purposes: 

Where necessary to the performance of a contract with you, or to take steps linked to a contract, for example:

  • To fulfil our contractual obligations to you.
  • To exercise our legal rights with respect to our contract with you.
  • To process any transactions or financial payments required for products for services (also required to comply with a legal obligation).
  • To work with our members to create a safer, sustainable, more efficient railway (it may also be required our legitimate interest).
  • To provide our members and stakeholders with tools and models, consultancy and support, guidance, industry systems, reports, training, standards, networks, groups and conferences, research, and news (it may also be required for our legitimate interest).

When you give us consent, for example:

  • To seek views or comments, including inviting you to participate in surveys or consultations (where appropriate, we may rely on our legitimate interests for this purpose).
  • For marketing purposes, we may provide you with information on our activities and / or our products or services (including the activities and / or products and services of RSSB) or the activities, products and services of our group companies (such as CIRAS) which may be relevant or of interest to you, including training courses, consulting services relevant to the rail industry and / or your specific business role or affiliated services. (Where it is appropriate to so, we may alternatively rely on our legitimate interests for this purpose).f you no longer wish to be contacted by us for marketing purposes, you can unsubscribe at any time (see section 11).
  • On occasions we may ask you for consent, we will use the data for the purposes which we explain at the time.

To comply with a legal obligation, for purposes which are required by law, for example:

  • To enable us to meet all legal and statutory obligations, such as in the framework of tax control and reporting obligations.
  • For prevention, detection, or investigation of fraud or security incidents (also required for our legitimate interests).
  • In response to requests from government law enforcement authorities, government agencies and departments, such as British Transport Police. 
  • In response to requests from government law enforcement authorities, government agencies and departments, such as Rail Accident Investigation Branch (RAIB) and Office of Rail and Road (ORR), British Transport Police. 
  • Our processing also includes the use of CCTV systems for the prevention and prosecution of crime (also required for our legitimate interests).
  • To process any transactions or financial payments required for products for services (also required for our performance of a contract).

Where necessary for our legitimate interests and where our interests are not overridden by your data protection rights such as:

  • To manage and facilitate the provision of our services to you.
  • To support business and administrative functions of our business.
  • To enhance, modify, personalise, or otherwise improve our sites, products, and services.
  • To seek views or comments, including inviting you to participate in surveys or consultations.
  • To use data analytics for statistical and analytical purposes, to improve our sites, products, and services, to improve our relationship with members and stakeholders and their and your experience of our sites, products, and services.
  • To use software and tools containing artificial intelligence (AI) for business efficiency and analytical purposes. AI may be used to analyse emails / content you have provided to RSSB such as suggesting responses we provide to customers and to help with managing the content internally such as providing a summary of an email. Where used, all responses are viewable by RSSB prior to being issued and personal data is only used in line with the original purposes for which it was provided and/or processed in accordance with this notice. 
  • For some research, we may use AI tools for analysing and processing data. If inputting any personal data (where necessary) in connection with such AI tools we will ensure compliance with data protection legislation. Any data generated by the AI will be anonymised.
  • For marketing and business development purposes, we may provide you with information on our activities and / or our products or services (including the activities and / or products and services of RSSB) or the activities, products and services of RSSB group companies (such as CIRAS) which may be relevant or of interest to you, including training courses, consulting services relevant to the rail industry and / or your specific business role or affiliated services. If you no longer wish to be contacted by us for marketing purposes, you can unsubscribe at any time (see section 11).
  • To work with our members and stakeholders to create a safer, sustainable, more efficient railway (this is also required for our performance of a contract).
  • To provide our members and stakeholders with tools and models, consultancy and support, guidance, industry systems, reports, training, standards, networks, groups and conferences, research, and news (this is also required for our performance of a contract).
  • To administer and protect our business and our sites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
  • For security purposes, including the security of our networks and property, managing access to the sites, materials, authenticating your identity and recording visits to our premises (for example through monitoring our web platform and IT systems, and use of CCTV).
  • To maintain our own accounts and records, to manage our relationship with you which will include notifying you about changes to our privacy notices and our terms and conditions.
  • To contact you and manage any enquiries, complaints, and feedback.
  • For risk management purposes.
  • For health and safety purposes.
  • For quality assurance and staff training purposes.
  • Where you have agreed to take part in a meeting, either at our offices or remotely, e.g. using Teams. AI may be used to help with summarising and analysing the tone of meetings.
  • To publish RISQS Supplier Member contact information to RISQS Buyer Members organisational administrators on the RISQS portal and / or to publish RISAS Supplier Member contact information to RISAS Buyer Members organisational administrators on the RISAS portal (also required for our performance of a contract). (See section 6 for further information).
  • For prevention, detection, investigation and reporting of fraud, crime or security incidents or other related matters (also required to comply with law).
  • Our processing also includes the use of CCTV systems for the prevention and prosecution of crime (for legitimate interests and / or to comply with law).
  • In connection with a business transaction such as a merger, restructuring or sale of the business.
  • We will use personal information in connection with legal claims, compliance, and regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).

Where your information is used other than in accordance with one of these legal bases, we will inform you.

We sometimes use or process personal data relying on exemptions under applicable data protection law. Any use of processing of personal data under such exemptions will take priority over this priority notice to the extent of any inconsistency.

4 Sharing your personal data

Sharing personal data with RSSB.

RISQS and RISAS are divisions of RSSB, and are not separate legal entities. Your personal data may be shared with RSSB for the purposes of marketing and promoting to you the products and services offered from time to time by RSSB and RSSB group companies (such as CIRAS), including training courses and consulting services relevant to the rail industry and / or your specific business role or affiliated services. Please understand that you will not be offered consultancy around application for certification for either or our schemes.  If you no longer wish to be contacted by us for marketing purposes, you can unsubscribe (see section 11). 

Sharing personal data with other organisations

  • It will only be shared with other organisations where it is required for task performance, where there is a contractual obligation or where it is permitted to do so by law. On some occasions, these third parties may also be a controller of your personal data. 
  • The other organisations we may share your personal data with include:
  • Other organisations within the RSSB group of companies, such as Confidential Incident Reporting & Analysis Service Limited (CIRAS), where RSSB and CIRAS are joint controllers, and/or where such disclosure is necessary to provide you with our services and/or to manage our business.
  • Your employer or the organisation you represent, for example if you are the nominated contact for their organisation or if they have sent you on a training course.
  • Our agents, servants, and contractors. For example, banks and payment providers, third party service suppliers, such as those providing software or support needed to provide a product or service, marketing agencies, IT support service providers, analysis experts, communication platform providers etc.
  • Third parties we use to deliver our products, services, or training on our behalf.
  • Our members, affiliates and stakeholders. For example, it may be that you use a product or service where your organisation can also view your personal data such as login information to provide necessary approval or support.
  • Our professional advisers including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, regulators and other authorities based in the UK.
  • Government agencies and departments, such as Rail Accident Investigation Branch (RAIB) and Office of Rail and Road (ORR). Personal data is only shared with RAIB if it is required for an investigation and only were deemed in accordance with applicable law. Reporting is provided to ORR where required such as under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR).
  • Other organisations such as the British Transport Police.
  • Government, regulatory and law enforcement bodies, where we are required in order:
    a) To comply with our legal obligations
    b) To exercise our legal rights (e.g., to pursue or defend a claim)
    c) For the prevention, detection, and investigation of a crime.
  • We may disclose your personal data to third parties in connection with a reorganisation, restructuring or merger, acquisition, sale, or transfer of assets.
  • Less commonly, we may process and share your personal data with third parties where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.

5 How long do we keep your personal data?

We will keep your personal information for as long as necessary for the purposes in which we are processing, unless the law permits or requires longer. Some records may be kept permanently if we are legally required to do so. In general, we will endeavour to keep data only for as long as we need it. Where necessary we keep records for the establishment, exercise, or defence of legal claims.

6 How will we publish contact details for organisations administrators?

Contact email addresses for Supplier Member Organisation Administrators and other key contacts are published on the RISQS portal and / or RISAS portal. This is made publicly available so that representatives of Buyer Members can contact Supplier Members. Additionally, Buyer Members may request an API feed from RISQS in relation to their direct active supply chain.   

If you are providing personal data to us for this purpose it is your responsibility to ensure that you have complied with all applicable data protection legislation requirements (including but not limited to notifying the data subject that their personal data will be shared with us and notifying them of their rights) before sharing personal data with us for publishing or sharing with Buyer Members. If you would like for your contact details to be updated or removed, please contact us (see section 12).

7 Your rights and your personal data

You have the following rights with respect to your personal data:

When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights. 

The right to access information we hold on you:

At any point you can contact us (see section 12) to request the information we hold on you as well as why we have that information, who has access to the information and where we obtained the information from. Once we have received your request, we will try to respond within one calendar month.

There are no fees or charges for the first request but additional requests for the same data may be subject to an administrative fee. 

The right to correct and update the information we hold on you:

If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated. 

The right to have your information erased:

If you believe that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold. 

When we receive your request, we will confirm whether the data has been deleted or the reason why it cannot be deleted (for example because we need it for our legitimate interests, legal or regulatory purpose(s)). 

The right to object to processing of your data:

You have the right to request that we stop processing your data. Upon receiving the request, we will contact you and let you know if we are able to comply or if we have legitimate grounds to continue to process your data. Even after you exercise your right to object, we may continue to hold your data to comply with our other rights or to bring or defend legal claims.

The right to data portability:

You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies where: (i) the processing is based on your consent or where we used the information to perform a contract with you; and (ii) the processing is carried out by automated means. 

You can withdraw your consent:

If your personal data is processed based solely on your consent as the legal basis, you can withdraw your consent easily by telephone, email, or by post (see sections 11 and 12). This will not affect the lawfulness of any processing carried out before you withdraw your consent. 

If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise if this is the case at the time you withdraw your consent.

The right to restrict the processing of personal data where applicable:

You have the right to restrict the processing of your data in certain circumstances. 

The right to lodge a complaint with the Information Commissioner’s Office (ICO):

Please refer to section 12 for further information.

8 Your responsiblities

If you are providing content or material to RISQS and RISAS for uploading to any of our sites which includes personal data relating to another person, you must do so only with that individual's permission. You should not include information of a sensitive, non-professional nature (e.g. personal email addresses, phone numbers, health information). 

If you are providing personal data relating to another person to us in connection with any of our other sites, it is your responsibility to ensure that you have complied with all applicable data protection legislation requirements (including but not limited to notifying the individual that their personal data will be published on our sites (as the case may be) and notifying them of their rights) before sharing the personal data with us, If you require anything to be updated or removed please contact us (see section 11).

9 Transfer of data abroad

International Transfers

Whenever we transfer personal data outside the UK or the European Economic Area, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

  • We only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data, except where we have your consent for the transfer or where there is an exemption that we are relying on for the transfer to occur.
  • We may use specific contracts or contract terms approved for use by the ICO or the European Commission which give personal data the same protection it has in the UK or the European Economic Area. 

Our website is also accessible from overseas so on occasion some personal data may be accessed from overseas.

10 Further processing or change in processing

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us (see section 11).

If we wish to use your personal data for a new purpose, not covered by this privacy notice, then we will notify you and explain the legal basis which allows us to do so. 

11 Marketing ad opt-out

If you are receiving any marketing emails and would like to unsubscribe, please use the unsubscribe link included within the communication. For any queries you can contact digital.marketing@rssb.co.uk.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us in connection with your membership, or as a result of a product or service purchase, or a product or service experience, or other transactions.

12 Contact details

Please contact us if you have any questions about this privacy notice or the information we hold about you, or to exercise all relevant rights, queries, or complaints at:

  • The Data Protection Officer, RSSB, The Helicon, 1 South Place, London EC2M 2RB
  • Email: data.protection@rssb.co.uk
  • +44 (0)20 3142 5300

EU Representative

We have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or if you have any queries in relation to your rights or general privacy matters under EU GDPR, please email our Representative at eurep@itgovernance.eu.

Please ensure to include our company name in any correspondence you send to our EU Representative.

13 How to make a complaint

If you are concerned with the way in which your personal data has been processed, you may in the first instance contact our Data Protection Officer using the contact details in section 12 above. 

If you remain dissatisfied, then you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:

  • The Information Commissioner, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF
  • Telephone: Switchboard: 01625 545 700
  • Data Protection Help Line: 01625 545 745
  • Notification Line: 01625 545 740
  • Email: mail@ico.gsi.gov.uk

14 Changes to this Privacy Notice

We may update this privacy notice from time to time. This privacy notice includes the date last updated.

15 Glossary

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). 

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. Formation of contract and subsequent contractual obligation means after accepting the Terms together with pricing information (which are available on the RISQS website) and having reviewed these, Supplier Members have expressed their interest in becoming a Supplier Member by entering the RISQS and /or RISAS Portal and this shall be deemed to constitute that supplier’s acceptance of these Terms, and shall give rise to a contract between the supplier and RSSB on the basis of these Terms (the “Contract”).

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.