This privacy notice sets out how CIRAS uses and protects any personal data or information that you give us. It also explains how we look after your personal data and tells you about your privacy rights and how you are protected.

Please read this privacy notice carefully, together with any other privacy policies or notices we may provide on our websites or on any specific occasions when we are collecting or processing personal data about you, so that you are informed about how and why we are using your data. This privacy policy supplements other such notices and privacy policies and is not intended to override them.

In this privacy notice 'personal data' / 'personal information' is any information about a living individual which allows them to be identified from the data (for example a name, photographs, videos, email address, or address). Identification can be by the information alone or in conjunction with any other information. It does not include data where the identity has been removed (anonymous data).

The processing of personal data is governed by the Data Protection Act 2018, the UK General Data Protection Regulation ('UK GDPR') and other legislation relating to personal data and rights such as the Human Rights Act 1998 (together the 'data protection legislation'). Confidential Incident Reporting & Analysis Service Limited ('CIRAS', 'we', 'us' or 'our') is the controller for your personal data (ICO registration number ZA276499). Information about CIRAS membership can be found here.

RSSB and Subsidiaries

The parent company of CIRAS is Rail Safety and Standards Board Limited (RSSB). RSSB's privacy notice can be found here. RSSB is a separate legal entity and it is independently responsible for the personal data or information that you may share with it. Except where we and RSSB are joint controllers, we do not share personal data with RSSB and RSSB does not share personal data with us.

Where we are joint controllers, personal data is shared by us and CIRAS in accordance with the terms of our data sharing agreement.

References to 'you' are to individuals who are using the CIRAS website or otherwise with whom we have contact or other dealings (whether on behalf of themselves, or their business or another individual or organisation). Please refer to the Glossary in section 14 to understand the meanings of some other terms used in this privacy notice.

Whilst we will make every effort to ensure your privacy, it may be possible to identify you from the information you provide to us or other third-party information. The purpose of this privacy notice is to inform you about how we will deal with your personal data in the event that you can be directly or indirectly identified.

It is important that the information we hold about you is accurate and current. Please inform us if any of your personal data changes (see section 11).

Our sites may include links to third party websites or applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When leaving our sites, we encourage you to read the privacy notice of every website or application you visit.