Personal Information Charter
East West Railway Company Limited ("we", "us", "our") is a non-departmental arm’s length body set up by the Government to deliver the East West Rail project – a new rail link between Cambridge and Oxford (the "Project").
This Personal Information Charter (“our Charter”) explains what data we collect and what we do with it. It also sets out your rights and who you can contact for more information.
"Data Protection Legislation" means the EU General Data Protection Regulation 2016/679, the Data Protection Act 2018 together with all other applicable legislation relating to privacy or data protection.
Why do we collect personal information?
As we work to build a railway between Oxford and Cambridge, it’s vital that we understand the communities and individuals we’re engaging with. That means keeping a reliable record of the interactions we’ve had with individuals, businesses, elected representatives and stakeholders and other interested groups, and any relevant information which may help us better understand how to deliver the Project.
What personal information do we collect?
The personal information we collect and process may include:
- your name;
- your contact information such as your postal address, email address and telephone number;
- your gender;
- your consultation feedback and response;
- any organisations foundations, associations, not-for-profit bodies and/or political parties that you represent or that you may be affiliated with;
- your IP address, your browser type and language;
- information about your visit to our website, including cookies; and
- any other information and/or opinions that you give to us, for example when making an enquiry in relation to the Project or participating in or responding to a consultation.
The personal data that we collect may also include special categories of personal data, for example about your political opinion, disabilities, trade union membership and your health and lifestyle only where it will help us better understand how to deliver the Project.
If you give us personal information about other people you must first make sure that the person knows that you might disclose information about them and that you have obtained all necessary consents from that person for you to pass this information on to us.
How do we collect personal information?
We collect, record and use information in both physical and electronic form and we process the data in accordance with the Data Protection Legislation and as set out in this Charter.
- From information that you give to us. By communicating with us in person, by phone, e-mail or otherwise. It includes information that you provide when you use our website and when you participate in any of our consultation processes;
- From our website. By the information that you give to us if you make a General or Media enquiry. Additionally, some personal information is collected automatically when you use our website, for example your IP address;
- From publicly available sources. This is information which is available to the general public in publicly available sources, for example the minutes or attendee lists of meetings which are posted publicly online; and
- From social media websites. Depending on your settings or the privacy policies for social media and messaging services such as Facebook, LinkedIn and Instagram you might give us permission to access information from those accounts or services.
How do we use your information?
As stated above, it’s vital that we understand the communities and individuals we’re engaging with, which means keeping a reliable record of the interactions we’ve had with individuals, businesses, elected representatives and stakeholders and other interested groups, and any relevant information which may help us better understand how to deliver the Project.
This means using your personal information in a number of ways including:
- to communicate with you when appropriate, providing updates and information about the Project;
- to respond and communicate with people who participate in our consultation processes;
- to evaluate your sentiment towards the Project;
- to send you our newsletter if you have asked to receive it;
- to monitor the demographic makeup of interested parties to make sure our communications and the Project are inclusive and accessible to everyone;
- to work alongside the Government, public bodies and authorities in relation to the Project;
- to provide you with a safe, smooth, efficient, and customised experience;
- to ensure that content from our website is presented in the most effective manner for you and for your computer;
- to administer our website and for internal operations, including troubleshooting, data analysis, testing, statistical, and security purposes; and
- for any other reason in connection with our legitimate interests.
What are our legal grounds for using your personal information?
There are a number of legal grounds under which we might collect, store, process or otherwise use your personal information:
- the processing is necessary for the purposes of our legitimate interests, for example to work alongside, communicate with or respond to individuals, businesses, elected representatives, government, parliament, other stakeholders and interested groups in relation to the Project, to keep you updated with the latest news about East West Rail, to run and administer our website, to discharge our legal obligations, to store and disclose information where necessary and to evaluate, develop and improve the Project;
- the processing is necessary to comply with our legal obligations;
- the processing is necessary to exercise our legal powers, or to perform a specific task in the public interest; and/or
- you have explicitly agreed to us processing your information for a specific reason or purpose.
The law permits us to process special categories of personal data where:
- you have given your explicit consent;
- processing relates to personal data which is clearly made public by the data subject;
- processing is necessary for the establishment, exercise or defence of legal claims;
- processing is necessary for reasons of substantial public interest; and/or
- processing is necessary for archiving purposes in the public interest.
Will we ever sell your personal information?
Why might we share your personal information?
From time to time, we need to share personal information with third parties, this could include:
- relevant public bodies in order to comply with our legal obligations;
- third parties working with us on the Project (for example organisations helping us run public consultations, organisations we work with to send out Project information, organisations supporting our stakeholder management IT systems);
- other limited circumstances (for example if required by a court order or regulatory authority, or if we believe it’s necessary to prevent fraud or cyber-crime or to protect our website, our technology assets or the rights, property or personal safety of any person); and
- in the event of a liquidation or administration of East West Railway Company.
Neither us or our third parties will use personal data for marketing.
Links to other websites
We are not responsible for the privacy policies of third party websites we link to from eastwestrail.co.uk. You should check the privacy policies on these sites before providing any personal information.
How we protect your information
We take your online security seriously and have implemented generally accepted standards of technology and operational security to protect your personal information from loss, misuse, alteration or destruction.
We fully comply with Data Protection Legislation when we collect and use your personal information, and our team are required to keep personal information confidential. Only authorised team members have access to personal information.
However, transmitting information over the internet is not completely secure and we cannot guarantee the security of your personal information transmitted to us or provided though the website.
How long will we keep your information?
We will review our systems & files to make sure information is accurate, up-to-date and still required. If we no longer think you’re your personal information is required to help us understand how to deliver the Project, we will delete it.
What happens if there’s a data breach?
We do everything we can to keep your personal data secure. But if, despite this, a breach occurs which creates a risk to your rights and freedoms (for example, financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), we will inform the Information Commissioner’s Office: no longer than 72 hours after we have become aware of the breach.
Where we think there might be a high risk to you we will get in touch quickly, detailing:
- our contact details;
- the likely consequences of the breach; and
- exactly what we’re doing – and plan to do – to deal with the breach.
What happens with data transferred outside of the EEA?
We, or third parties working with us, might need to transfer or store Personal information outside of the European Economic Area ("EEA") which is not deemed to provide adequate protection of your information by the European Commission. If that happens, we will have contractual obligations in place which makes sure the data is protected to the same standard as if it were stored inside the EEA.
What are your rights?
At any time, you have the right:
- to be informed about how we’re processing your personal information (i.e. for what purposes, what types, who is has been shared with, how long it’s stored for, how we collect it, confirmation of whether we undertake automated decision-making, including profiling, and the logic, significance and possible consequences);
- to receive a copy of any personal information we hold about you;
- to correct any personal information if you believe it is not accurate;
- to ask us to delete your personal information if you believe that we do not have the right to hold it;
- to withdraw consent to our processing of your personal information, where consent was previously given;
- to restrict processing of your personal information;
- to “data portability” (moving some of your personal information elsewhere) in certain circumstances; and
- to object to your personal information being processed in certain circumstances
If you would like a copy of your personal information please put your request in writing, either by email or letter, and we will reply within one month, though whenever possible we will reply to you sooner.