Privacy

Employees and Trustees have different Privacy Notices, as part of the organisation’s compliance with GDPR.

We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value your privacy and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

Overview

The Road Safety Trust is a company registered in England under company number 08837451 and charity registered under charity number 1156300. We are an independent charitable trust dedicated to supporting projects and research aimed at making the UK roads safer for all road users. We are data controllers for the purposes of the GDPR and are registered with the Information Commissioners Office.

Registered address: Colwyn Chambers, York Street, Manchester M2 3BA

Data Protection email address: dataprotection@roadsafetytrust.org.uk

What does this notice cover?

The Road Safety Trust has a legal responsibility to comply with the UK version of the General Data Protection Regulation (UK GDPR) and Data Protection Act 18 (DPA 18). One of the requirements of the UK GDPR is to provide individuals with information on how we use your personal data. This privacy notice aims to meet that legal requirement.

Terminology

This privacy notice uses terminology that is defined in the UK GDPR. Examples include ‘personal data’, ‘processing’, ‘data subject’, etc.

‘We’ or ‘us’ refers to The Road Safety Trust. ‘You’ or ‘your’ refers to the reader, the intended audience of this privacy notice (external data subjects of The Road Safety Trust such as Recruitment Candidates, Suppliers, Grant Applicants, etc.).

Scope

This Privacy Notice provides information on The Road Safety Trust’s external data subjects, e.g., Recruitment Candidates, Suppliers, Expert Advisors, Grant Applicants, Grantees, Email Subscribers & Interested Parties, Website Visitors, and the General Public. It does not cover The Road Safety Trust’s internal data subjects; Employees, Ex-Employees, Trustees, or Ex-Trustees. The Employee Privacy Notice is available for employees to reference in the RST shared drive, the Trustee Privacy Notice is available in the Trustee portal.

Data Processing Details

Purpose of Processing and Lawful Basis

The Road Safety Trust may use your personal data for a variety of purposes. Below is a list of the processing activities that occur on a regular or frequent basis. The brackets indicate the most applicable UK-GDPR Article 6 lawful basis that The Road Safety Trust relies on for this processing activity. Not all processing activities will apply to all individuals.  

The sub-headings and descriptions for each section are indicative (not exhaustive) of the types of individual whose data may be used in the processing activities.

Recruitment candidates

This section applies to any individual who participates in The Road Safety Trust’s recruitment activities.

• Recruitment (Contract) - Recruitment of new employees or Trustees, including the collection of CVs, interviews, and role offers.

Suppliers

This section applies to any supplier, contractor, or associate of The Road Safety Trust.

• Accounts Payable (Contract) - Management and payment of employee expenses, and supplier invoices (particularly where suppliers are sole traders).

• Grant Webinars (Consent) - Conducting live webinars that predominantly focus on how to apply to grants at RST. RST manages attendee lists of these events and keeps recordings of the webinar. RST also analyses data to track the effectiveness of these webinars.

• Account (ID) Management (Legitimate Interests) - The enrolment and management of Road Safety Trust IT accounts, including access control. This includes access to file storage systems, instant messaging systems and email management.

• Interaction Data & Security Logs (Legitimate Interests) - Recording and storage of interaction data for the purposes of security management. This includes log in dates and times, files and systems accessed, etc.

• IT Service Desk (Legitimate Interests) - Managing and actioning any IT service tickets that have been submitted.

Potential Grant applicants, Grant Applicants, and Grantees

This section applies to individuals who have engaged in our grant processes, either as an interested party, an applicant, a successful grantee, or a third-party expert advisor.

• Grant Webinars (Consent) - Conducting live webinars which predominantly focus on how to apply to grants at RST. RST manages attendee lists of these events and keeps recordings of the webinar. RST also analyses data to track the effectiveness of these webinars.

• Grant Surgeries (Consent) - Conducting 1-to-1 appointments with potential grant applicants to discuss their applications. This process records brief notes of discussions with individuals and their potential projects.  

• Grant Applications (Legitimate Interests) - Managing the personal data associated with grant applications. This includes signing up to the grant application portal, answering initial eligibility checks, and applying for and submitting grant proposals.

• Grant Reviews and Decisions (Legitimate Interests) - The process of receiving, assessing and writing up reviews of grant applications. These reviews are provided to The Road Safety Trust Board and Committees for decision.

• Grant Terms and Conditions (Contract) - Once a grant has been approved, terms and conditions are issued to the grantee. This process manages personal data associated with this.

• Grant Reporting (Legitimate Interests) - The receipt, storage and review of reports created by grantees. These reports contain updates on the progress of grant projects.

• Grant Payments (Legitimate Interests) - Managing personal data and financial data associated with sending grant payments to organisations.

• Grant Application Questionnaire (Consent) - The creation and issuing of grant application questionnaires, including the collection and analysis of the subsequent responses.

Email Subscribers and Interested Parties

This section applies to individuals who have subscribed to our emails, or individuals who have engaged in The Road Safety Trust’s events.

• Stakeholder Surveys (Legitimate Interests) - The creation and issuing of various surveys, including the collection and analysis of the subsequent responses. Surveys are sent to external stakeholders.

• Event Organisation (Consent) - Organising and planning events for RST.

• Event Data Management (Consent) - The collection and storage of contact data belonging to individuals who RST meet at marketing and engagement events. This includes events that we attend and events that RST have hosted.

• e-Bulletin (Consent) - Distributing marketing and engagement material to individuals who have subscribed to RST correspondence. The marketing material relates to the latest news from RST.

All

This section could potentially apply to any individual.

• General Enquiries (Legitimate Interests) - Receiving and responding to enquiries from the general public about road safety matters. Correspondence is received into a central shared email inbox. 

• Data Subject Requests (Legal Obligation) - The management of any personal data related to Data Subject Requests.

• Incident Logs (Legal Obligation) - Records of security incidents, following the incident management standard, collection of evidence (forensic and manual), and related investigations.

Transfers of Personal Data

As part of The Road Safety Trust’s standard business operations, we may transfer your personal data to third parties. Depending on the third party that data is transferred to, your information may be sent outside of the UK. In these instances, The Road Safety Trust will ensure that the appropriate safeguards have been applied to this transfer of data, including insuring that any relevant contracts are UK-GDPR complaint.

Depending on your specific circumstances, your personal data may be sent to the following third parties or categories of third party:

• UK Road Offender Education (UKROEd)

• Microsoft 365

• Financial & accounting management platforms and tools

• Accountants & Auditors

• Banks

• Event Management & Event Planning Companies

• Video conferencing & communication platforms

• Buzzacott (Blackbaud Grant Making) and other tools which allow us to manage grant applications

• Third party expert advisors who assist us with grant reviews.

• Document management systems

• Survey management platforms and tools

• Market research agencies

• Various event and conference venues

• Third parties that manage information security

• Third parties that control cookies on The Road Safety Trust’s website

If you need more specific information on these transfers, please contact us. 

Retention Periods

The Road Safety Trust has set retention schedules that state how long we will keep personal data for. The majority of our data processing activities fall within the below categories; however, for some less frequent data processing activities we may have different retention schedules set. For more information on these other retention schedules, please contact us.

• Default Retention Schedule – For data which does not fit into another category, data is kept for 7 years after the data entry was created, at which point it is reviewed for further retention, deletion, or archiving.

• Unsuccessful Recruitment Candidate Data – For candidates who are unsuccessful in their employment or Trustee application, personal data is kept for 6 months after the date of last action, at which point, data is deleted.

• Financial Records – For any financial data relating to employees, suppliers or grantees, data is kept for 7 years after the end of the relevant financial year, at which point, the data is deleted.

• Pre-Grant Application – For individuals who have participated in pre-grant application events (e.g. surveys, webinars, or grant surgeries), personal data is kept for 1 year after the date of the event, at which point all personal data is deleted. Anonymous data relating to the project application is retained.

• Successful Grant Applicants – For any data relating to individuals who have applied for a grant, and have been successful with their application, the personal data is kept for 7 years after the date of the project completion, at which point, all personal data is deleted and anonymous statistics and project descriptions are retained.

• Unsuccessful Grant Applicants – For any data relating to individuals who have applied for a grant, but have been unsuccessful with their application, personal data is kept for 3 years after the receipt of application, at which point, any personal data is deleted and anonymous statistics and project descriptions are retained.

• Communications Data – For any individual who has signed up to our mailing list, personal data is kept for 5 years after the date of signup. At this point, an email will be sent to you requesting your consent to remain on our mailing list. If you provide your consent, this retention period will reset, if we do not hear from you, your personal data will be deleted.

• Event Hosting Data – For individuals who have participated in an Road Safety Trust event, personal data is kept for 1 year after the date of the event, at which point, personal data is deleted.

• Prize Draw for Questionnaire – For individuals who have participated in one of our survey prize draws, personal data is kept for 6 months after the submission of your questionnaire, at which point, all personal data is deleted.

• Account (ID) Management – For suppliers, contractors, or associates who have been given a Road Safety Trust IT account, your personal data will be kept for 90 days after your contract with The Road Safety Trust has been terminated. At this point, the data in your OneDrive will be reviewed for further retention or deletion, your emails will be reviewed for further retention or deletion, and the personal data associated with your user account will be deleted.

• Shared Email Accounts – For any data stored in shared email inboxes '****@roadsafetytrust.org.uk' (e.g. hr, info, IT support, privacy, etc.), personal data is kept for 10 years after the creation date of the email or event, at which point, the data is deleted.

• Teams Messages – For any chat messages sent via Microsoft Teams, personal data is kept for 30 days after the message is sent or received, at which point, the data is automatically deleted.

• Interaction Data – For any interaction data relating to RST accounts, personal data is kept for 90 days after the event occurrence, at which point, the data is automatically deleted.

• Data Subject Requests – For individuals who submit a data subject request, personal data related to the request is kept for 6 months after the date of last action, at which point data is deleted. A record that you have made a request will be kept for 2 years after the date of last action, at which point, your request will be anonymised.

• Incident Logs – For any data relating to an information security incident, data is held for 6 years after the date of last action, at which point, the data is reviewed for further retention or is deleted.

• Third Party Website Cookies – Please see The Road Safety Trust cookie management system for details on the retention schedule of specific cookies.

The Road Safety Trust employs a retention schedule +1 system for management of data. We will keep data for the stated duration and then review data for deletion during an annual review of all data at some point during the following year.

Source of the Data

For the majority of cases, The Road Safety Trust will collect your personal data directly from you. In some instances, we may obtain your personal data from third parties:

• In the area of recruitment, if you applied for a job at The Road Safety Trust, we may have obtained your personal data from recruitment agencies or from job listing websites. We may have obtained your data from your public information listed on social media websites (such as LinkedIn). The data that we have been provided relates to your CV and your basic contact details. 

• For processing activities related to grants, we are provided with the personal data of individuals who will be associated with a particular project. This information is provided to us by the organisation who has submitted the grant application. This data varies depending on the project, but typically it will include a CV, details about an individuals role and responsibilities and occasionally basic contact information.

• For emergency contact data, we have been provided your data by the relevant employee.

Statutory and Contractual Obligations

For some data processing activities that The Road Safety Trust undertakes, you may have a statutory or contractual requirement to provide The Road Safety Trust with your personal data. In these instances, if you decide not to provide The Road Safety Trust with your personal data, this may have consequences. For example, it may void a contract which you have with The Road Safety Trust.

General Information

Your UK GDPR Rights

Under the UK GDPR, you have rights that you may exercise at any time. Whilst you may exercise these rights at any time, The Road Safety Trust is not always obliged to comply with your requests. Each right has requirements and exemptions that are associated with them. For further information on these requirements and exemptions, please speak with the Information Commissioner's Office (ICO) or your local Citizens Advice Bureau.

1. The Right to be Informed – You have the right to be informed about how The Road Safety Trust uses your personal data. We are required to provide you with details of our data processing activities (where they involve your personal data). Typically, The Road Safety Trust will provide this information to you in privacy notices such as this one.

2. The Right of Access – You have the right to request a copy of the personal data that The Road Safety Trust holds about you.

3. The Right to Rectification – If The Road Safety Trust holds personal data about you that is inaccurate or outdated, you have the right to request that this information is changed.

4. The Right to Erasure – You have the right to request that The Road Safety Trust deletes personal data that relates to you.

5. The Right to Restrict Processing – You have the right to request that The Road Safety Trust restricts or suppresses the further processing of your personal data.

6. The Right to Data Portability – You have the right to request that The Road Safety Trust provide a copy of your personal data to you in a commonly used digital format. 

7. The Right to Object – You have the right to object to specific processing activities that The Road Safety Trust undertakes. Specifically, you may object if The Road Safety Trust is using your data form marketing purposes, for a task carried out in the public interest, for an exercise of official authority, or where we have relied on legitimate interests as a lawful basis.

8. Rights in Relation to Automated Decision-Making Including Profiling – Where The Road Safety Trust uses IT systems to make decisions about you (with no human involvement or oversight), you have UK GDPR rights in relation to this. These rights include the ability to request for human intervention to challenge a computer made decision, or to request a check that an automated system is working as intended. Currently, The Road Safety Trust does not carry out any automated decision making or profiling.

The Right to Withdraw Consent

Where The Road Safety Trust has relied on consent as a UK GDPR Article 6 lawful basis or an Article 9 exemption, you have the right to withdraw this consent at any time. When you withdraw your consent for data processing, The Road Safety Trust will make reasonable efforts to stop the associated processing activity as soon as possible.

Right to lodge a complaint

You have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your personal information. They can be contacted via:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow, SK9 5AF

Tel: 0303 123 1113

The Road Safety Trust’s Data Protection Officer

The Road Safety Trust has appointed a Data Protection Officer. They can be contacted here:

dataprotection@roadsafetytrust.org.uk

Or alternatively:

Data Protection Officer

Colwyn Chambers,

York Street,

Manchester, M2 3BA 

Contact The Road Safety Trust

If you have any questions or comments regarding the content of this Privacy Notice, please contact:

dataprotection@roadsafetytrust.org.uk

Or alternatively:

Colwyn Chambers,

York Street,

Manchester,

M2 3BA, UK

Changes to this Privacy Notice

This notice will be reviewed every two years by the CEO, or as necessary e.g. if the law changes or if we change the way we work in a way that affects personal data protection.

Any changes will be made available on our website.

Last updated: January 2025