Data Protection Policy – Tickets2Train
Family: Operations
Line Manager Responsible: Principal
Approval Date: [Insert Date]
Issue Date: [Insert Date]
Review Date: [Insert Date]
1. Introduction
Tickets2Train is committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines our approach to protecting the rights and freedoms of individuals whose data we collect and process, including learners, staff, contractors, employers, volunteers, suppliers, and others.
We recognise the importance of handling personal data correctly and lawfully—whether recorded on paper, electronically, or by any other means.
This policy applies to:
- All manual and electronic records
- Our response to data breaches
- The personal data of current and former learners, employees, job applicants, contractors, volunteers, and placement students
2. Definitions
- Data Controller – The organisation that determines how and why personal data is processed (Tickets2Train).
- Data Subject – A living individual whose personal data is processed.
- Processing – Any operation performed on personal data (e.g. collection, use, storage, sharing).
- Personal Data – Information that identifies a person (e.g. name, address, email, phone, IP address).
- Special Categories of Data – Sensitive data including race, religion, health, sexual orientation, and biometric/genetic data.
- Processor – A third party that processes data on behalf of the controller.
- ICO – Information Commissioner’s Office, the UK’s data protection authority.
- DSAR – Data Subject Access Request.
3. Personnel Obligations
All Tickets2Train staff, contractors, and volunteers with access to personal data must:
- Maintain data confidentiality
- Only access data they are authorised to use
- Never disclose data without authorisation
- Follow Tickets2Train’s data security procedures
- Report any breaches or concerns to the Data Protection Officer (DPO)
4. Data Protection Principles
In line with GDPR, all data processed by Tickets2Train will be:
- Lawfully, fairly and transparently processed
- Collected for specific, legitimate purposes
- Relevant, limited and not excessive
- Accurate and kept up to date
- Stored only as long as necessary
- Securely maintained
- Handled in compliance with international data transfer regulations
5. Lawful Bases of Processing
We only process data where there is a lawful basis:
- Performance of a contract
- Compliance with a legal obligation
- Protection of vital interests
- Public interest or official authority
- Legitimate interests
- Consent (only when strictly necessary and freely given)
6. Types of Data Held
We hold a range of personal data depending on the individual’s role. This includes:
- Contact and identification details
- Employment, education and financial records
- Health or disability information (if applicable)
- Criminal conviction data (where relevant)
- Equality monitoring data
Detailed breakdowns are available in our privacy notices.
7. Individual Rights
Under GDPR, individuals have the right to:
- Be informed about how their data is used
- Access their data
- Correct inaccuracies (rectification)
- Request deletion (erasure)
- Restrict processing
- Data portability
- Object to processing
- Object to automated decision-making/profiling
Full procedures for these rights are outlined in our Rights of Individuals Policy.
8. Access to Data
Individuals can request access to their data via a Data Subject Access Request (DSAR). We aim to respond within one month unless legally extended. Requests are free of charge unless deemed excessive or unfounded.
9. Data Disclosures
We may share data in specific scenarios, such as:
- With benefit providers or insurers
- To comply with health and safety requirements
- For HR/payroll purposes
- With legal or regulatory authorities (e.g. tax, crime prevention)
Disclosures will only be made when necessary and legally justified.
10. Marketing and Consent
Marketing communications (email, SMS, calls) will only be sent when:
- The individual has opted in via clear, unambiguous consent
- Or under “soft opt-in” rules (e.g. for similar services to a prior engagement)
All marketing will comply with the Privacy and Electronic Communications Regulations (PECR).
11. Third Party Processing
Any third party handling data on our behalf will have a signed Data Processing Agreement. They must implement security measures in line with GDPR and Tickets2Train’s data protection standards.
12. Automated Decision-Making and Profiling
Tickets2Train does not currently use personal data for automated decision-making or profiling.
If such processing is introduced, it will only be done with approval from the Data Protection Officer and in full compliance with GDPR.
13. International Data Transfers
Personal data will not be transferred outside the UK or EEA unless:
- Approved by the Data Protection Officer
- Appropriate safeguards are in place (e.g. Standard Contractual Clauses)
14. Data Security
All staff are trained to handle personal data securely, including:
- Locking physical files away
- Encrypting digital files and using password protection
- Not storing data on unprotected USBs or personal devices
- Not sharing logins or passwords
Failure to follow security procedures may result in disciplinary action.
15. Data Breach Notification
A data breach includes any:
- Unauthorised access
- Loss or destruction of data
- Accidental disclosure
All breaches must be reported immediately to the Data Protection Officer. Significant breaches will be reported to the ICO within 72 hours and to affected individuals where necessary.
16. Training
All employees will receive data protection training during induction and at regular intervals thereafter. Training includes:
- Principles of GDPR
- Identifying and reporting breaches
- Data handling and secure storage
17. Records and Retention
Tickets2Train maintains a Data Processing Register. Personal data is not retained longer than necessary. When no longer needed, it is securely deleted or destroyed.
Questions about retention periods or individual cases should be referred to the Data Protection Officer.
18. Data Protection Compliance
Data Protection Officer (DPO):
Email: info@tickets2train.co.uk
Phone: 07931254647
Organisation: Tickets2Train