The Data Protection Act 1998 (DPA) aims to ensure the privacy of personal information by placing responsibilities and obligations on organisations, such as Network Rail, that process this information, and giving individuals rights over that information.
When processing personal information we must comply with the following principles:
- personal data shall be processed fairly and lawfully
- personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
- personal data shall be adequate, relevant and not excessive
- personal data shall be accurate and, where necessary, kept up to date
- personal data shall not be kept for longer than is necessary
- personal data shall be processed in accordance with the rights of data subjects
- appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection.
Network Rail, through the appropriate application of managerial and operational controls, will:
- only process personal information fairly and lawfully and fully observe all required conditions in the fair collection and use of personal information
- at all times specify the purpose(s) for which personal information is being used and all processing of personal data undertaken is notified to the Information Commissioner's Office
- only collect the personal information that is necessary to fulfil the operational needs of any service provided or to comply with legislative requirements
- take steps to ensure the quality and integrity of personal information used
- put in place the appropriate measures to ensure that personal data is only retained for as long as it is needed for the purpose(s) it was obtained for or to meet legal requirements
- ensure that the rights if every individual whose personal data is processed by Network Rail provides the Council with personal data is supported
- provide the appropriate technical and organisation security measures that will safeguard personal data against unauthorised or unlawful processing, accidental loss, destruction or damage
- ensure that personal data is not transferred outside the European Economic Area without the appropriate safeguards.
In addition to the above, Network Rail will endeavour, through the distribution of guidance material and training, to ensure that:
- all employees managing and handling personal data are aware and understand their responsibilities under the Act
- every employee handling personal data is appropriately trained to do so
- every employee understands the purpose(s) for which they are processing personal data and also under what circumstances further processing may take place
- every employee handling personal data understands the rights of the data subject.
The DPA gives a number of rights to data subjects e.g. Network Rail employees, authorised level crossing users, Network Rail tenants, managed station users etc. All individuals have the following rights.
Right of Subject Access
You have the right to request access to your personal data. This request must be made in writing and, once received, depending on a limited number of exemptions, the organisation is required to provide the following information:
- a description of the personal data, the purposes for which it is processed, and those to whom the data may be disclosed. The organisation should also supply details of the source of the data, except where that would identify another individual
- all the information that forms the personal data record
- where a decision is taken by automated means, the logic employed in coming to the decision.
The requested information must be provided within 40 days.
If you wish to make a request to access your information please complete our SAR - Subject Access Request form following the guidance attached to the form on where to send it.
Right to prevent processing likely to cause damage or distress
You have the right to request, in writing, that Network Rail does not process personal data that is likely to cause substantial damage or distress to you or another person and the damage or distress is or would be unwarranted. You must specify the reasons why the processing is, or will, cause damage and distress. This right only applies where processing is not necessary for fulfilling a contract with you or legal obligation of Network Rail or for protecting your vital interests.
We must reply in writing within 21 days from receipt of the your written notice stating either:
- we have complied or intend to comply with your notice; or
- we regard part or all of your notice as unjustified and the extent to which we have complied or intend to comply with it.
If you believe Network Rail is processing your data, and this is likely to or will cause you or another person damage or distress, you should write to the data protection officer.
Right to prevent processing for the purpose of direct marketing
You have the right to request, in writing, that Network Rail does not process your personal data for the purposes of direct marketing. There is no provision within the act that allows us to challenge the notice.
If you wish to stop us processing your personal data for direct marketing purpose you should write to the data protection officer.
Right in relation to automatic decision taking
You have the right to request, in writing, that Network Rail ensures that any decision the significantly affects you is not solely based on processing by automatic means. If you have been notified that an automated decision has been taken, you have the right to request that Network Rail reconsider the decision or take a new decision based on a non-automated basis.
Right to compensation
If you feel that you have suffered damage or distress due to the failure of Network Rail to comply with the requirements of the DPA, you can apply to the courts for compensation.
Right to the rectification, blocking, erasure and destruction
If you think that Network Rail is processing inaccurate information about you, you can apply to the courts for an order requiring Network Rail to rectify block, erase, or destroy the inaccurate data. Please contact the data protection officer if you believe any information we hold out you is incorrect.
Right to request an assessment
If you feel that you have been directly affected by Network Rail’s processing of personal data you can request an assessment be made of our organisation by the Information Commissioner. The assessment will determine whether or not processing has been undertaken in accordance with the provisions of the Act.
The Data Protection Act 1998 (DPA) entitles you to request and receive a copy of any personal information that Network Rail may hold about you. This is known as a ‘Subject Access Request’ (SAR).
The process for obtaining your personal information from Network is detailed below:
If you are requesting information relating to a level crossing, to find the correct route to send your request to check our route map.
Please read the guidance on completing a SAR to ensure you provide all documentation and the correct fee required to avoid any delays. Once we receive your request accompanying documents and the fee (currently £10) we will process your request. In order to locate the correct information within Network Rail, we may need to ask you to provide more information regarding what you require.
The information provided in response to your request will be the information that Network Rail holds at the time we received you request (subject to any exemptions). The DPA does allow routine updating and maintenance of the information to continue between the date on which the request is received and the date when the reply is dispatched. This means that the information provided may differ from that which was held at the time your request was received, but only as a result of normal processing.
We may contact third parties mentioned within the file in order to obtain consent to the disclosure of information that relates to them. Where consent cannot be obtained or is denied we will consider the reasons and Network Rail’s duty of care to both parties, as specified in the DPA, in order to decide whether or not to disclose the information. We will aim to deal with all requests within the specified 40 calendar days of the receipt of a completed request.
The information will be dispatched to you as soon as the above process is complete.
If you have any queries regarding the above you can contact the Data Protection Officer:
Data Protection Officer
Transparency Ethics & Data Protection
1st Floor Willen,
Or email: firstname.lastname@example.org