General Data Protection Regulations

 Click the relevant tab to see our policies on your privacy, your data and your phone calls.


In summary
The Blue Lamp Trust (‘we’, ‘us’, and ‘our’) take data protection very seriously and we are committed to protecting your personal information.

This explains what information we gather about you, what we use that information for, and who we give that information to. It also sets out your rights in relation to your information, how long we keep it and who you can contact for more information.

It is our policy to collect only the minimum information required from you. If you believe we have collected excessive information about you, please contact us: or telephone 03007770157 to raise any concerns you may have.

Although you do not have to provide any of your personal information to us, if we ask you to do so and you refuse, we may be unable to provide you with the information, goods or services you want from us.

What is personal information?
Personal information is anything that enables you to be identified or identifiable, such as your:

  • First and last names
  • Postal and email addresses
  • Telephone numbers
  • Identity documents (e.g. passports & driving licence)
  • Identity numbers (e.g. National Insurance and Bank accounts)
  • Career & educational documents (e.g. CVs & qualifications)

Contact information

Your personal information is sometimes called “personal data”. We collectively refer to handling, collecting, protecting or storing your personal information as ‘processing’.

Collecting personal information
Below are just some examples of how you may provide personal information to us:

  •  Asking us to provide goods or services to you or someone else
  • Through our Bobby Scheme service
  • When undertaking a taxi driving assessment or using our driver training services
  • Contacting us
  • Searching and browsing our website
  • Accessing our online publications
  • Registering for or attending our events
  • Submitting CVs or work history information to us
  • Providing us with business cards or other contact information

Using personal information
When you provide personal information to us, we may use it for any of the purposes described below or as stated at the point we collect it from you (or as may be obvious to you from the context of collection), including:

1. To provide services to you that you have requested
2. To develop our businesses and services
3. To consider whether to offer someone employment with us
4. To administer and manage our website including;

  • To personalise and enrich your browsing experience by displaying content that is more likely to be relevant and of interest to you
  • To sort and analyse user data (such as determining how many users from the same organisation have subscribed to or are using the website)
  • To understand how people, use the features and functions of our website in order to improve the user experience

5. To conduct quality and risk management reviews
6. Any other purposes for which personal information has been provided to us, including any of the purposes given in the ‘collecting personal information’ section above.

We do not collect personally identifying information for sale to third parties.

Legal grounds for processing personal information
We rely on one or more of the following processing conditions:

  • To perform our contractual obligations to you; and/or
  • To satisfy any legal and regulatory obligations to which we are subject; and/or
  • To satisfy our legitimate interests in the effective delivery of information and services to you and in the effective and lawful operation of our businesses (where this does not interfere with your rights); and/or
  • When you have agreed to us processing your personal information

Security of personal information
We have implemented generally accepted standards of technology and operational security in order to protect personally identifiable information from loss, misuse, alteration or destruction.

Only authorised persons are provided access to personally identifiable information we have collected, and such individuals have agreed to maintain the confidentiality of this information.

Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure.

We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to or by us.

Sharing personal information
We may transfer, share or disclose the personal data we collect from you to third parties (other organisations or individuals) for:

  • The purposes for which the information has been submitted
  • The purposes listed above under ‘Use of personal information’
  • The administration and maintenance of our website and/or
  • Other internal or administrative purposes

We also may transfer share or disclose personal data to third party service providers of identity management, website hosting and management, data analysis, data backup, security and storage services.

These third party providers may use their own third party subcontractors that have access to personal data (sub-processors). It is our policy to use only third party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us, and to flow those same obligations down to their sub-processors.

Other disclosures
We may also disclose personal information to third parties under the following circumstances:

  • When explicitly requested by you
  • When required to deliver goods or services requested by you, e.g. as part of the Bobby Scheme or for assessment / training service
  • When required to facilitate our conferences or events that you have asked to attend which are hosted by a third party
  • As otherwise set out in this privacy policy.

We may also disclose your personal information to law enforcement, regulatory and other government agencies and to professional bodies and other third parties, as required by and/or in accordance with applicable law or regulation.  The third parties we may transfer, share or disclose the personal data we collect from you to are (as appropriate):

  • Taxi Driving Assessors
  • Driver Trainers
  • Bobby Fitters
  • Cyber Advisors
  • Local Authority Licensing Departments
  • The police (where required by law or on your request)
  • Fire and Rescue Services (where required by law or on your request)

International transfers of personal information
Your personal information will not be transferred by us outside the UK.

Retention of personal information
We will retain your personal information only for as long as we need it, given the purposes for which it was collected, or as required to do so by law.

Normally, this means we will retain the personal information of Bobby Scheme and Cyber Bobby clients for 5 years, and for customers of Taxi Driver Services and Driver Training for 2 years. For more information please contact us and request to see our retention policy: or call us on 03007770157.

We do not undertake any form of direct marketing activity and will only contact you when we are confident that you want us to do so, e.g. following a referral to us or following your approach to us for information.

Rights in relation to your information
You have certain rights in relation to the personal information we hold about you. In particular, you have the right to:

  • Request a copy of personal information we hold about you;
  • Ask that we update the personal information we hold about you, or correct such personal information that you think is incorrect or incomplete;
  • Ask that we delete personal information that we hold about you, or restrict the way in which we use such personal information;
  • Object to our processing of your personal information; and/or
  • Withdraw your consent to our processing of your personal information (to the extent such processing is based on consent and consent is the only permissible basis for processing).

If you would like to exercise these rights or understand if these rights apply to you, please contact us at or by calling 03007770157.

Automated decision making
We will not use your personal information for automated decision making or profiling.

We understand the importance of protecting children’s privacy and we never knowingly collect personal information about individuals under the age of 16. We adhere to laws regarding marketing to children.

Our website
Our Website may link to third-party sites not controlled by us and which do not operate under our privacy practices. When you link to third-party sites, our privacy practices no longer apply. We encourage you to review each third-party site’s privacy policy before disclosing any personally identifiable information.

We do not intend to collect special category (also known as sensitive) personal information through our website (unless we are legally required to do so). Examples of special category information are: race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and criminal records.

We ask that you do not provide us with special category personal information when using our website.

Will be added when created

Contact us
If you have any questions or complaints about the way your personal information is processed by us, or would like to exercise one of your rights set out above, please contact us by one of the following means:


The General Manager
The Blue Lamp Trust
Police and Fire HQ
Leigh Road
SO50 9SJ

You also have the right to lodge a complaint with your local data protection regulator, which in the UK is the Information Commissioner Office (ICO). The ICO can be contacted by the following means:


Telephone: 0303 123 1113 (local rate calls to this number cost the same as calls to 01 or 02 numbers). If you’re calling from outside the UK please call +44 1625 545 700.
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire

We may update this Privacy notice at any time by publishing an updated version here. So that you know when we make changes to this Privacy statement, we will amend the revision date at the top of this page. The new modified or amended Privacy notice will apply from that revision date. Therefore, we encourage you to review this Privacy notice periodically to be informed about how we are protecting your information.

Reviewed July 2023

Policy statement
The Blue Lamp Trust (‘we’, ‘us’, and ‘our’) is committed to fully complying with all the requirements of the General Data Protection Regulation (GDPR).


This data protection policy explains how we will comply with our responsibilities and obligations under the GDPR and applies to:

  • All personal data whose use is controlled by us, whether kept on paper or electronically (i.e. Computers)
  • All our staff and any of our data processors

NB: This policy should be read and used in conjunction with our other following policies

  • Privacy
  • Retention
  • Remote working
  • Acceptable Usage (IT)
  • Clear desk

The objective of this policy is to:

  • Ensure we follow the principles of personal data
  • Ensure personal data is processed in a consistent manner throughout the organisation at all times
  • Clarify responsibilities for implementing, complying and monitoring this policy
  • Give guidance to staff and data processors about how to identify and minimise the risks of breaching the GDPR as well as the possible consequences of doing so

Personal data means any information relating to an identified or identifiable person (‘data subject’) such as a name, postal/email address or an identification number.

  • Examples of personal data typically processed by us are:
  • First and last names
  • Postal and email addresses
  • Telephone numbers
  • Identity documents (e.g. passports & driving licence)
  • Identity numbers (e.g. National Insurance and Bank accounts)
  • Career & educational documents (e.g. CVs & qualifications)
  • Any contact information

Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation and data concerning criminal convictions or offences

Examples of special category personal data typically processed by us are:

  • Health & medical information (including whether a person has a disability)
  • Staff sickness records
  • Next of kin or emergency contact information for staff

Data subject means any individual whose personal data is processed by us.

  • Examples of our data subjects are:
  • Bobby Scheme clients
  • Taxi driving assessment clients
  • Driver training clients
  • Staff
  • Staff next of kin
  • Job applicants
  • Suppliers of goods/service
  • Contacts

Processing means any use of personal data such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, erasure and destruction.
NB: This means that virtually anything we do with personal data will be processing.

Data controller means the organisation which decides the purposes and means of the processing of personal data

NB: We are the data controller for the purposes of this policy.

Data processor means an individual or organisation that processes personal data on behalf of a data controller.

Examples of our data processors are:

  • External payroll
  • External IT support
  • Police and or Fire HQ
  • Driving Trainers/Assessors (on road and in classroom)
  • Suppliers / fitters
  • Taxi Licensing Authorities

Personal data breach means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

Staff means anyone working at or for us including:

  • Trustees
  • Permanent, interim and temporary employees
  • Trainees
  • Volunteers
  • Self-employed contractors

Principles of data protection
Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
4. Accurate and, where necessary, kept up to date (‘accuracy’)
5. Kept for no longer than is necessary (‘storage limitation’)
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

Roles and responsibilities
Our Trustees have ultimate responsibility for ensuring compliance with the GDPR, the principles of data protection and this policy.

The General Manager has responsibility to remind Trustees of their responsibility for ensuring compliance with the GDPR, the principles of data protection and this policy. They have day-today operational responsibility for ensuring we comply with the GDPR and can be contacted at:

All staff have a responsibility to comply with the GDPR, the principles of data protection and this policy when carrying out their duties.

Line managers are responsible for supporting staff’s adherence with this policy.

All data processors have a responsibility to comply with the GDPR, the principles of data protection and this policy when carrying out their contractual and statutory obligations to us.

Failure to comply with this policy may result in legal and/or disciplinary action.

Data subjects’ have the right to:

1. Be informed about the collection and use of their personal data.
2. Access their personal data
3. Rectification of inaccurate personal data
4. Erasure (deletion) of their personal data (also known as the ‘right to be forgotten) *
5. Restrict processing of their personal data*
6. Data portability – to easily move, copy or transfer their personal data
7. Object to

7.1. processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
7.2. direct marketing (including profiling); and
7.3. processing for purposes of scientific/historical research and statistics
7.4. Appropriate decision-making in relation to automated decision making and profiling

*This is not an absolute right and only applies in certain circumstances

Subject Access Requests
Any data subject may make a Subject Access Request, (‘SAR’). Any member of staff or data processor in receipt of a SAR must pass it on to the General Manager as soon as possible as a matter of urgency.

All staff and data processors are responsible for ensuring that any personal data which we are responsible for is kept securely.

Examples of keeping personal data secure are:

  • Paper files/records should be kept in locked cabinets when not in use
  • Monitors/computer screens should be visible only to those who need to see them
  • Paper files/records should not be removed from our business premises without appropriate authorisation
  • Desks should be cleared when not in use
  • Personal data no longer required for day-to-day use should be sent to secure archiving

Full details can be found in the Acceptable Usage (IT) and clear desk policies.

Disclosure (sharing)

This includes the disclosure (sharing) of personal data by:

  • Staff with other teams /departments and
  • Staff with third parties/other organisations (including out data processors)
  • Our data processors to third parties.

Personal data must not be disclosed unless the recipient is authorised to have access to that personal data (usually because we are fulfilling a contract with or providing a service to the data subject) and then only in accordance with the GDPR.

Examples of unauthorised recipients are:

  • Family members
  • Friends
  •  In certain circumstances, the police

Staff and data processors should exercise great caution when asked to disclose personal data and if in doubt should seek advice from the General Manager before doing so.

All decisions to disclose personal data must be recorded and all such disclosures must be specifically authorised by the General Manager.

Personal data must not be kept for any longer than is necessary and only in accordance with
our retention policy.

Disposal (deletion)
When it is no longer necessary to keep it, personal data must be disposed of securely. This means that:

  • Paper will be placed in the confidential waste unit for disposal off site as confidential waste
  • Electronic data will be deleted from the system
  • Computer equipment will be disposed of securely by specialist contractors

A register will be maintained to record details of the media and computer equipment that has been disposed of, when it was disposed, how it was disposed and by whom.

Transfer outside the EEA
The GDPR generally prohibits the transfer (sending) of personal data outside the European Economic Area (EEA) unless:

  • An ‘adequacy decision’ has been made for the destination country; or
  • The transfer is subject to appropriate safeguards; or
  • A ‘derogation’ can be relied upon, e.g.
    • Where it is necessary for the conclusion or performance of a contract that we have with the data subject or another person, or
    • It is in our legitimate interests (this will only be available to and used by us in very limited circumstances)
    • With the data subject’s explicit consent (this can only be available to and used by us in very limited circumstances)

These restrictions mean that personal data cannot be freely transferred outside the EEA and that it will be a breach of the GDPR to do so unless any such transfer can be made in accordance with the above.

The Blue Lamp Trust does not routinely send information outside the EEA. In exceptional circumstances a decision to transfer personal data outside the EEA must be specifically authorised by the General Manager.

Data protection Impact assessments
A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project.

The GDPR includes a new obligation to conduct a DPIA for types of processing likely to result in a high risk to individuals’ interests and is good practice for any major new project which requires the processing of personal data.

Any circumstances where a DPIA may be required should not be undertaken without the approval of the General Manager.

The rules about sending marketing messages, mean, in summary, that unless in legitimate business to business transactions, we should not contact individuals without being satisfied that they do not object to hearing from us and that by contacting them we are not being a nuisance to them.

Reviewed July 2018

“Thank you for calling the Blue Lamp Trust. Please be aware that this call will be recorded. If you consent to the call being recorded please stay on the line and a member of the team will be with you shortly. If you do not wish your call to be recorded, please hang up.’

GDPR Recorded Telephone Calls Policy

Rationale for Recording
The day to day business of the Blue Lamp Trust involves dealing with vulnerable and elderly clients for the Bobby Scheme as well as those who may be booking driver training or assessment through our driver training business.

In both cases it is important that the information gathered by the Blue Lamp Trust to carry out its charitable or business functions is accurate and complete. With written or on-line applications this is straightforward, but is less so with telephone calls which can be affected by technical issues as well as human misunderstanding or mishearing.

To ensure the Blue Lamp Trust has the ability to deliver any contract properly and in-line with agreements and to ensure that Bobby and business client information is accurate, the Blue Lamp Trust records all incoming telephone calls.

It is also important to ensure that the service given to callers by Blue Lamp Trust staff is of the highest standard. It is equally a responsibility of the Trust to safeguard its staff from inappropriate, threatening or verbally aggressive behaviour occasionally experienced from callers.

The calls are, therefore, recorded in line with GDPR requirements and specifically for the following permitted purposes;

  • The people in the call have offered their consent to be recorded
  • Recording is necessary for public interest purposes
  • Recording is essential for the protection of one or more participants
  • Recording is legitimately in the interest of the recorder

Data Management
All callers to the Blue Lamp Trust are greeted by a message stating that the call will be recorded, that they should only continue with the call if they agree to this and that they should terminate the call if they do not wish to be recorded.

All incoming telephone calls are recorded automatically and retained digitally within the Blue Lamp Trust’s secure telephone system.

Recordings are automatically deleted after 30 days unless they are required for one or more of the purposes shown above. Such purposes may include;

  • Doubt or disputes concerning contracts, including terms, conditions or agreements
  • Unacceptable behaviour by Blue Lamp Trust staff, contractors or clients
  • Where it is required by law including being part of a police investigation
  • Where it is needed to support or defend court proceedings or litigation

Such retained calls will only be held for the period of time necessary to fulfil the reason for its retention after which it will be deleted. If a call is to be retained, the reasons for its retention will be recorded on an electronic register held by the Business Administration Manager, and this register will also be updated to show the date the call was deleted and the reason for its deletion.

To see your rights in relation to the personal information we may hold about you, please visit the Blue Lamp Trust’s Privacy Policy available on the first tab.

Updated June 2018

The Bobby Scheme relies on donations to fund our work. Please consider helping us to protect the vulnerable and elderly in our community.

Make a donationCorporate Sponsorship
Share This