Personal Information Charter

Contents 

1. Introduction

2. What personal data we collect about you

3. How we collect personal data

4. How and why we use personal data

5. Newsletter

6. Cookies

7. Drones

8. International transfer of personal data

9. How we protect your personal data

10. How long we hold your personal data for

11. How you can contact us

12. How to lodge a complaint to the regulator

13. How we update or change this privacy policy

1. Introduction

East West Railway Company Limited ("EWR", "we", "us" and "our") is a limited company registered in England and our address is One Grafton Mews, Midsummer Boulevard, Milton Keynes, England, MK9 1FB (Registration no. 11072935).

We were set up by the Government to deliver the East West Rail project – a new rail link between Cambridge and Oxford (known as the "Project").

Your privacy matters and you’re in the right place to find out more about your rights and how we gather, use, and share your personal data.

When we say "you" we mean:

(a)  individuals who identify themselves as interested in the Project (e.g., those who contact us directly, local representatives)

(b)  individuals we identify as potentially interested in the Project. (e.g., certain public stakeholders, members of the media)

(c)   other individuals who interact or come into contact with us, our operations and the Project (business partners, suppliers and their personnel, visitors to our website (https://eastwestrail.co.uk/), offices and sites)

We’re classed as a "controller" of your personal data, meaning it’s our responsibility to gather, use, store and share your personal data fairly and lawfully. We’re committed to protecting your privacy and processing your data in compliance with Data Protection Laws. 

"Data Protection Laws" means all applicable laws relating to privacy or data protection the United Kingdom, including the UK GDPR and the Data Protection Act 2018. 

Where relevant, we may need to gather and use personal data about you, by which we mean any information you can be identified from, such as your name, contact details and bank details. Whether you’re based in or outside the United Kingdom (UK), your personal data is processed in the UK.

The purpose of this privacy notice is to inform you of how we’ll process your personal data and the measures and processes we’ve put in place to make sure it’s protected. 

Our website may provide links to third party websites. We’re not responsible for the conduct of third-party companies linked to this website, and you should refer to their relevant privacy notices for how they process your personal data.

2. WHAT PERSONAL DATA WE COLLECT ABOUT YOU

As we build a railway between Oxford and Cambridge, it's crucial that we understand the communities and individuals we're engaging with. That means keeping a reliable record of the interactions we've had with individuals, businesses, elected representatives, stakeholders and other interested groups, and any relevant information which might help us better understand how to deliver the Project.

We usually process the following types of personal data about you:

  • Contact Details including first name, surname, telephone numbers, home address, email addresses (personal or work), other work contact details.
  • Business Details includes industry, job role, business activities, employer, details of services/products provided.
  • Public Information such as letters published in newspapers or articles.
  • Local Government/Council Details including political affiliations, voting records and constituencies.
  • Communications Data including meeting notes, responses to surveys and other details of correspondence, responses, comments, views and opinions processed when you communicate with us.
  • Political Opinions as they relate to the Project.
  • Images and recordings including your photograph, film/video footage and recordings (which may include your voice).
  • Newsletter Data includes your preferences to receive our newsletter.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Incident History includes health and safety accidents, security incidents, accident information, complaints communications, insurance claims history.
  • Social Media includes information from social media accounts you provide or link to us such as Facebook.
  • Usage Details includes information about the browser or device you used and the date and time you accessed our IT systems, other information about how you use our website, products, and services.
  • Security Data includes results from due diligence and security checks.

In some cases, you’ll need to provide us with your personal data to enable us to manage our operations, to provide services to you or your employer or to comply with our statutory obligations. In other circumstances, it will be at your discretion whether you give us your personal data or not. However, if you choose not to share any of the personal data we request, it might mean that we’re unable to maintain or provide services or products to you or your employer.

We make every effort to maintain the accuracy and completeness of your personal data which we store, and to ensure all of your personal data is up to date. However, you can help by getting in touch if there are any changes to your personal data or if you become aware that we have inaccurate personal data relating to you (see Section  11 below). We will not be responsible for any losses from inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.

Special Category Personal Data

Special categories of personal data are particularly sensitive and require higher levels of protection. This information relates to your health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers and trade union membership. The special category data which we may collect and use is information about your political opinions as they relate to the Project. Otherwise, we do not intentionally or systematically seek to collect, store or otherwise use other special categories of personal data, however, we may collect special category personal data where it is volunteered by you in your communications with us.

3. HOW WE COLLECT PERSONAL DATA

We usually collect your personal data from the information you submit during the course of your relationship with us. This will typically be via communicating with us in person, by phone, e-mail or otherwise.

We may also collect Personal Data about you from:

  • Public sources (e.g., Companies House)
  • Third party data supplier
  • Business partners
  • Other parties which have an interest in the project and your details are provided by them
  • Trusted suppliers (e.g., payment providers, marketing agencies, Mapolitical)
  • Professional advisors including external legal advisors
  • IT service providers including via the cookies on our website which you can read more about at https://eastwestrail.co.uk/cookies-policy.

4. HOW AND WHY WE USE PERSONAL DATA

Data protection and privacy laws require companies to have a “legal basis” to collect and use your personal information. For example:

  • To comply with our legal and regulatory obligations
  • For the performance of our contract with you or to take steps at your request before entering into a contract
  • As necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in EWR
  • Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests

Although less common, we may process and share this type of information where it’s needed to protect your vital interests (or someone else's vital interests) and you’re not able to give your consent, or where you’ve provided your consent or made the information public.

We also need further justification for collecting, storing, and using special categories of personal information. We may process special categories of personal data about you in the following circumstances:

  • With your explicit written consent
  • Processing relates to personal data which is clearly made public by the data subject
  • As necessary for the establishment, exercise or defence of legal claims
  • For reasons of substantial public interest
  • Archiving purposes in the public interest

We do not envisage that we will hold information about criminal convictions.

We’ll process your personal data for the following purposes supported by the following legal bases:

Purpose:

To respond and communicate with people who participate in our consultation processes

Legal basis:

Legitimate interest (Business Administration and Operations)

Explicit consent

Manifestly made public 

 

Purpose:

To communicate with you when appropriate, providing updates and information about the Project including via our newsletter 

Legal basis:

Legitimate interest (Business Administration and Operations)

Explicit consent

Manifestly made public 

 

Purpose:

To evaluate your sentiment towards the Project

Legal basis:

Legitimate interest (Business Administration and Operations)

Explicit consent

Manifestly made public 

 

Purpose:

To maintain a record of communications and consultations in relation to the Project 

Legal basis:

Legitimate interests (Business Administration and Operations)

Archiving purposes in the public interest 

 

Purpose:

To monitor the demographic makeup of interested parties to make sure our communications and the Project are inclusive and accessible to everyone 

Legal basis:

Legitimate interests (Equal Opportunities and Treatment)

 

Purpose:

To work alongside the Government, public bodies and authorities in relation to the Project 

Legal basis:

Legitimate interests (Business Administration and Operations)

 

Purpose:

To carry out money laundering, financial and credit checks and for fraud and crime prevention and detection purposes 

Legal basis:

For purposes required by law

 

Purpose:

To identify persons authorised to trade on behalf of our suppliers and/or service providers 

Legal basis:

Legitimate interests (Business Administration and Operations)

 

Purpose:

In response to requests from government law enforcement authorities investigating or in response to a court order 

Legal basis:

For purposes required by law

 

Purpose:

Security

Legal basis:

For purposes required by law

Legitimate interests (Security) 

 

Purpose:

To comply with our legal and regulatory obligations and requests anywhere in the world, including reporting to and/or being audited by national and international regulatory, enforcement or exchange bodies 

Legal basis:

For purposes required by law

 

Purpose:

For health and safety purposes

Legal basis:

For purpose required by law

In the pursuit or defence of legal claims

 

Purpose:

To investigate any incidents or wrongdoing in relation to the Project or interactions with our personnel 

Legal basis:

Legitimate interests (Investigation and Resolution of Incidents or Wrongdoing)

For purposes required by law 

 

Purpose:

For business management and analysis purposes 

Legal basis:

Legitimate interests (Business Administration and Operations)

 

Purpose:

For administrative purposes in relation to the security and access of our systems, premises, platforms and secured websites and applications 

Legal basis:

Legitimate interests (Business Administration and Operations)

 

Purpose:

To exercise and/or defend our legal rights 

Legal basis:

Legitimate interests (To Exercise and/or Defend Legal Rights)

In the pursuit or defence of legal claims 

 

Purpose:

In connection with a business transaction such as merger, restructuring or sale of the business or business strategies 

Legal basis:

Legitimate interests (Business Administration and Operations)

 

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.We will consider that you have given us your consent to hold your special category data where you have voluntarily provided such information in your communications with us or provided information we have marked as optional. For the avoidance of doubt, EWR will only use the information for the purpose for which it was received unless otherwise required by applicable law and you may withdraw your consent at any time by contacting us via the details set out in Section 12 below.

5. NEWSLETTER

We will send you newsletters where you have subscribed to receive these communications. You can tell us you no longer wish to receive newsletters by either:

  • Contacting us via the details set out in Section 12 below
  • Using the ‘unsubscribe’ link in these emails

6. COOKIES

We use cookies on our website. Cookies are small text files that are downloaded onto your device when you visit a website. For more information about our use of cookies, please go to https://eastwestrail.co.uk/cookies-policy.

7. DRONES

As part of the Project, we may use drones for site surveys and related activities. The drone footage we receive, and use will obscure the images of any individuals captured in the footage so that person is not identifiable. If you have any questions, please contact us via the details set out in Section 12 below.  

8. INTERNATIONAL TRANSFERS OF PERSONAL DATA

The personal data we collect from you may be transferred to (including accessed in or stored in) a country or territory outside the European Economic Area ("EEA"), and laws of these countries may not offer the same level of protection of personal data as within the United Kingdom.We will ensure that any such international transfers are made subject to appropriate or suitable safeguards as required by the Data Protection Laws. Copies of the relevant safeguard documents are available by contacting us via the details set out in Section 12 below.

When we may disclose your personal data

We may only disclose your personal data to the following recipients:

  • The Department for Transport who will receive statistics around the volumes of correspondence received and details of consultation responses
  • Relevant public bodies to comply with our legal obligations
  • Third parties who process your personal data on our behalf and are working for us on the Project (for example organisations helping us run public consultations, organisations we work with to send out Project information, organisations supporting our stakeholder management IT systems)
  • Third parties in other limited circumstances (for example if required by a court order or regulatory authority, or if we believe it’s necessary to prevent fraud or cyber-crime or to protect our website, our technology assets or the rights, property or personal safety of any person)
  • Any third party to whom we assign or novate any of our rights or obligations
  • Any prospective buyer in the event we sell any part of our business or assets
  • A third party in the event of administration or liquidation of EWR
  • Any government, regulatory agency, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request

9. HOW WE PROTECT YOUR PERSONAL DATA

We’re committed to safeguarding and protecting personal data and will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to protect any personal data provided to us from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

10. HOW LONG WE HOLD YOUR PERSONAL DATA FOR

We will only retain your personal data for as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.

Your rights in relation to the personal data we collect

You have the right:

  • To request access to your personal data
  • To request correction of the personal data we hold on you
  • To request we delete your personal data, which means you can ask us to erase or remove personal data in certain circumstances
  • To object to the processing of your personal data where we are relying on a legitimate interest (or the legitimate interests of a third party) to process your personal data
  • To request the restriction of processing of your personal data
  • To request the transfer of your personal data to you or to a third party
  • To request a copy, or reference to, the personal data safeguards used for transfers outside the European Union (we may redact data transfer agreements to protect commercial terms)
  • To request to withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent,

You can request this by emailing us at the address set out in Section 12 below. We endeavour to respond to such requests within a month or less, although we reserve the right to extend this period for complex requests.

  • In any of the situations listed above, we may request that you prove your identity by providing us with a copy of a valid means of identification for us to comply with our security obligations and to prevent unauthorised disclosure of data.
  • We reserve the right to charge you a reasonable administrative fee for any unfounded or excessive requests concerning your access to your personal data, and for any additional copies of the personal data you request from us.

11. HOW YOU CAN CONTACT US

If you have any queries about the contents of this privacy notice, or wish to inform us of a change or correction to your personal data, would like a copy of the data we collect on you or would like to raise a complaint or comment, please contact us by emailing [email protected].

12. HOW TO LODGE A COMPLAINT TO THE REGULATOR

You are entitled to lodge a complaint with our data protection regulator if you consider that we have breached your data protection rights. Our data protection regulator is the Information Commissioner's Office, which can be contacted at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

13. HOW WE UPDATE OR CHANGE THIS PRIVACY POLICY

We may change or update parts of this privacy notice in order to maintain our compliance with applicable law and regulation or following an update to our internal practices. We will do this by updating this privacy notice on https://eastwestrail.co.uk/personal-information-charter. You will not necessarily be directly notified of such a change. Therefore, please ensure that you regularly check this privacy notice, so you are fully aware of any changes or updates.This privacy notice was last updated June 2022.