Skip to main content.

Privacy Policy

Introduction

Who is responsible for the personal information that we collect about you?

What personal information do we hold about you?

How we will use personal information we hold about you?

Who we may disclose your personal information to

How we protect your personal information

Where we will transfer your personal information

How long we will keep your personal information for

Your rights and choices in relation to your personal information

Website cookies and third party links

Changes to our privacy notice and your duty to inform us of changes

Contact us

Introduction

We take your right to privacy seriously and want you to feel comfortable when using our services. Should we ask you to provide certain information by which you can be identified you can be assured that it will only be used in accordance with this privacy notice and only for the reasons you are aware of.

About this privacy notice:

  • References to we, us or our means Network Rail Limited, Network Rail Infrastructure Limited, Network Rail Consulting Limited, Network Rail (High Speed) Limited and Network Rail Pension Trustee Limited.
  • References to you or your means the person accessing and using the website (as defined below) or the person who otherwise provides their personal information to us or about whom we otherwise collect personal information as explained in this privacy notice.
  • References to the website means the Network Rail website found at www.carsconsultation.com
  • Personal information is information that is about you and which identifies you.
  • We have a separate privacy notice which applies to the personal information that Network Rail collects about employees.
  • The website is not intended for children and we do not knowingly collect data relating to children.

It is important that you read this privacy notice together with any other privacy notice or fair processing notices we may provide on specific occasions when we are collecting or processing personal information about you so that you are fully aware of how and why we are using your personal information. This privacy notice supplements the other notices and is not intended to override them.

Top of the page

Who is responsible for the personal information that we collect?

We are the data controller for the purpose of data protection law, in respect of your personal information collected or obtained as outlined with this privacy notice. This is because we dictate the purpose for which your personal information is used and how we use your personal information.

If you have any questions regarding this privacy notice or the way we use your personal information, you can contact our Data Protection Officer.

What personal information do we hold about you?

We may collect and process the following categories of information about you for different reasons, depending on why you are in touch:

Customers, website users, social media users, members of the public

  • Personal contact details
  • Name, title, home address, personal email address, home telephone number, personal mobile number.
  • Business contact details
  • Name, company email address, place of work, company telephone number, company mobile number, company fax number.
  • Social media contact details
  • Social media name and contact details.
  • Comments you make
  • Your views, opinions, feedback, comments and any complaints.
  • Website technical information
  • Through your internet browser or electronic device, certain information is collected by most websites or automatically through your electronic device, such as your IP address (ie, your computer’s address on the internet), screen resolution, operating system type (Windows or Mac) and version, internet browser type and version, electronic device manufacturer and model, language, time of the visit and pages visited.
  • Through Cookies. Cookies allow us to recognise your device and to collect information such as IP address, internet browser type, time spent using the website and the pages visited.
  • Website usage data
  • Information about how you use our website and our services.
  • Video and photo images
  • Video and photo images of you captured on CCTV if you attend any of our premises or occasionally during our regular maintenance of our rail infrastructure via our maintenance support fleet (including by our mobile maintenance train or air operations) where you or your property are within the vicinity of our rail infrastructure at the time.
  • Marketing preferences and marketing activities
  • Your marketing preferences, including services, topics, activities and events you are interested in; activities, meetings or events you have attended; and your preferred method of communication. To improve our marketing communications we may collect information about your interaction with, and responses to our marketing communications.

This information may be provided:

  • In the course of communications between you and us (including by phone, email, post or otherwise, including when making a freedom of information request).
  • When you complete surveys or respond to consultations.
  • Via Network Rail’s 24 Helpline.
  • Via your internet browser or electronic device.
  • Via cookies.
  • Via our website, our social media pages, other social media content, tools and applications including live chat or in the case of some FOI requests through whatdotheyknow.com
  • Via CCTV, our mobile maintenance trains, drones, helicopters or airplanes.

Information we receive from other sources

We may receive the personal information about you from the following sources:

  • Information we obtain from publically available sources such as other websites, Facebook, LinkedIn, Twitter, What Do They Know, Companies House or HM Land Registry.
  • Direct from a third party, eg from an employee (such as information about their family members), your employer, other parties and their advisors involved in transactions with us, other parties involved in delivering services with us.
  • A third party with your consent, eg your bank or building society, or an advisor, consultant or other professional.
  • Our information technology systems, eg document management systems; booking and event systems; door entry and reception logs; CCTV and access control systems; communications systems, including email, voicemail and instant messaging systems.
  • Automated monitoring of our website and other technical systems, such as our computer networks and connections.

Top of the page

How we will use personal information we hold about you

We will only use your personal information when there is a legal basis for us to do so. Most commonly, we will use your personal information in the following circumstances:

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (for our legitimate interests or for a third party’s legitimate interests).
  • Where we need to comply with a legal or regulatory obligation (to comply with our legal obligations).
  • Where we or another person need to do so as part of carrying out a task in the public interest or carrying our public functions which are laid down in law, for example exercising statutory rights and carrying out our legal duties under our network and station licences to operate and maintain the national railway infrastructure) (for the performance of public functions).
  • Where you provide us with your express or explicit consent (with your consent).

Your personal information may be used by us, our employees, service providers, and disclosed to third parties for a number of different purposes which we have set out below. For each of these purposes, we have set out the legal basis we rely on to do so.

Please note: We may process your personal information on more than one legal basis depending on the specific purposes for which we are using your personal information. Please contact our Data Protection Officer if you need details about the specific legal basis we are relying on to process your personal information where more than one legal basis has been identified below.

To communicate with you and other individuals

Legal basis:

  • To comply with our legal obligations.
  • For the performance of a contract with you.
  • For our legitimate interests (namely, fulfilling requests and managing our relationships with individuals).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

To manage and respond to requests for information, including freedom of information requests

Legal basis:

  • To comply with our legal obligations.
  • For our legitimate interests (namely, transparency in relation to our business).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

To manage enquiries, comments, complaints, feedback and requests

Legal basis:

  • For the performance of a contract with you.
  • For our legitimate interests (namely, fulfilling requests and managing our customer, contractor, supplier, landlord and tenant, stakeholder, regulatory and business relationships).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

To carry out market research and analysis

Legal basis:

  • For our legitimate interests (namely to understand how our customers, contractors, suppliers, tenants, stakeholders, regulators, business contacts and member of the public use and consider our services, to grow and improve our business, and to develop and inform our services, strategies and business plans).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).
To carry out surveys and consultations
  • For our legitimate interests (namely to understand how our customers, contractors, suppliers, tenants, stakeholders, regulators, business contacts and member of the public use and consider our services, to grow and improve our business, and to develop and inform our services, strategies and business plans).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

To provide you with information about services, topics, activities and events you are interested in, in accordance with your marketing preferences

Legal basis: For our legitimate interests (namely, marketing and promoting our business and managing and developing our relationship with you).

To comply with any legal or regulatory obligations (including in connection with a court order)

Legal basis: To comply with our legal obligations.

For the prevention or detection of crime or apprehension of prosecution of offenders

Legal basis:

  • To comply with our legal obligations.
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure) or the performance of a third party’s public functions (namely law enforcement functions).

For fraud prevention

Legal basis:

  • To comply with our legal obligations.
  • For our legitimate interests (namely ensuring we are not the victim of fraud) and the legitimate interests of third parties (namely ensuring they are not the victim of fraud).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure) or the performance of a third party’s public functions (namely law enforcement functions).

To operate, maintain, repair and manage our facilities, properties, assets, equipment and infrastructure, including the national railway infrastructure

Legal basis:

  • To comply with our legal obligations.
  • For the performance of a contract with you.
  • For our legitimate interests (namely managing our facilities, properties, assets, equipment and infrastructure).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

To investigate concerns raised with and reports made on our Chat feature, Online Survey or Network Rail’s 24 Helpline.

Legal basis:

  • To comply with our legal obligations.
  • For our legitimate interests (namely managing and protecting our staff, assets and running our business).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

For operational reasons, such as improving the performance of our public functions, our business and services, efficiency, training and quality control

Legal basis:

  • For our legitimate interests (namely managing and developing our business).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

For insurance purposes, including handling and administering insurance claims

Legal basis:

  • To comply with our legal obligations.
  • For the performance of a contract with you.
  • For our legitimate interests (namely protecting, repairing and replacing our assets, complying with our contractual obligations and defending legal claims).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

To ensure the safety and security of our property, premises, assets, equipment and infrastructure

Legal basis:

  • For our legitimate interests (ensuring safety and security and preventing and detecting crime).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

For the health and safety of our staff, visitors, contractors, suppliers and members of the public

Legal basis:

  • To comply with our legal obligations.
  • For our legitimate interests (ensuring health and safety and security and preventing and detecting crime).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

Equal opportunities monitoring

Legal basis:

  • For our legitimate interests (namely monitoring equality, accessibility and diversity in the way we provide our services, operate our business and perform our public functions).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure)

To administer and protect our business records, IT systems and our websites

Legal basis:

  • To comply with our legal obligations.
  • For the performance of a contract with you.
  • For our legitimate interests (namely managing and protecting our staff, assets and running our business).
  • For the performance of our public functions (namely operating and maintaining the national railway infrastructure).

To deliver relevant and effective website content for you and your electronic devices

Legal basis: For our legitimate interests (namely developing and delivering our services, keeping our websites updated and relevant and running our business).

To use data analytics to improve our website, services, marketing, customer relationships and experiences.

Legal basis: For our legitimate interests (namely developing and delivering our services, keeping our websites updated and relevant, developing our business and informing our marketing strategy).

Failure to provide us with your personal information

We may be required to obtain your personal information to comply with our legal obligations or for the performance of our contract with you or to fulfill a request you have made. If you do not provide the relevant personal information to us, we may not be able to enter into the contract with you or properly perform our obligations under it. We may also be unable to fulfill your request.

Where your failure to provide information breaches a legal obligation we may be required to report this to regulators or law enforcement bodies. We will generally notify of the consequences of failing to provide us with required information at the time.

Automated decision making

We do not undertake any processing of your personal information by automated means in order to make decisions about you.

Top of the page

Who we may we disclose your personal information to

We may share your personal information with:

  • Our group companies
  • Other companies and entities within the group of Network Rail Group, which we are a member of.
  • Our service providers
  • Our business partners, suppliers, contractors and their sub-contractors for the performance of any contract we enter into with you or for the performance of any contract we enter into with them which relates to our business and under which they deliver works and services to us, including works and services which may involve processing personal information on our behalf such as IT service providers.
  • Third parties involved in engineering and maintenance works and other aspects of railway business
  • Including train operating companies and third party contractors.
  • Our banks, insurers, professional advisers and agents
  • Including our banks, accountants, lawyers, insurers, brokers, agents, consultants and other professional advisers that assist us in carrying out our business activities and public functions.
  • Governmental, regulatory and legal authorities and third parties involved in legal action
  • Government departments, governmental agencies, regulatory organisations and justice agencies (including the courts, tribunals, police, security services, Her Majesty’s Revenue and Customs, local authorities, the Home Office, the Office of Rail Regulation, the Information Commissioner, the Health and Safety Executive, and other regulators and law enforcement bodies.
  • Prospective sellers or buyers of our business and assets or our corporate group
  • In the event that we sell or buy any part of our business or assets we will disclose your personal information to the prospective seller or buyer of such business or assets. If we or substantially all of our assets are acquired by a third party (or are subject to a reorganisation within our corporate group), personal information held by us will be one of the transferred assets.
  • Health professionals and emergency services
  • In the event of an emergency we may disclose personal information to health and medical professionals and emergency services where the health, safety or security of a person is at risk.

Top of the page

How we protect your personal information

We have put in place appropriate technical and organisational security measures to prevent your personal information from being accidentally lost, altered, used, disclosed or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to access this only and who are subject to a duty of confidentiality. In the case of third party data processors, they will only process your personal information on our instructions and have their own legal obligations under data protection law to protect your personal information and keep it secure.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Top of the page

Where we will transfer your personal information

To deliver services to you, it is sometimes necessary for us to share your personal information outside the European Economic Area (EEA), eg:

  • With companies within the Network Rail Group with offices outside the EEA
  • With your and our service providers located outside the EEA
  • If you are based outside the EEA
  • Where members of our staff needs to access your personal information remotely while they are travelling outside the EEA

These transfers are subject to special rules under European and UK data protection law. In those circumstances, we undertake an assessment of the level of protection in light of the circumstances surrounding the transfer. We will make sure that any transfers are limited to the minimum amount of personal information possible and will always take steps to ensure that your personal information is adequately protected. In certain circumstances we may need to seek your consent unless there is an overriding legal need to transfer the personal information.

Where necessary we have entered into standard European Commission approved model data protection clauses with [other companies within the Network Rail Group which have offices located outside of the EEA] and with our external service providers and business partners in relation to the services they provide which may involve processing personal information for which we are the data controller from locations outside the EEA.

Our IT support is provided from across the world and when support is provided remotely, your personal information may be accessed from and therefore transferred to that country. If we transfer personal information outside the European Economic Area (EEA), we will implement appropriate and suitable safeguards to ensure that such data will be protected as required by applicable data protection law.

Top of the page

How long we will keep your personal information for

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information we hold, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal personal information (and whether we can achieve those purposes through other means), and the applicable legal requirements.

In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Top of the page

Your rights and choices in relation to your personal information

You have certain rights with respect to your personal information. The rights may only apply in certain circumstances and are subject to certain exemptions. Please see the information below for a summary of your rights. You can exercise these rights by contacting the Data Protection Officer.

Right of access to your personal information

You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions.

Right to rectify your personal information

You have the right to ask us to correct your personal information that we hold where it is incorrect or incomplete.

Right to erasure of your personal information

  • Where your personal information is no longer necessary in relation to the purposes for which they were collected or otherwise used.
  • If you withdraw your consent and there is no other legal ground which we rely on for the continued use of your personal information.
  • If you object to the use of your personal information (as set out below).
  • If we have used your personal information unlawfully.
  • if your personal information needs to be erased to comply with a legal obligation.

Right to restrict the use of your personal information

You have the right to suspend our use of your personal information in certain circumstances. For example:

  • Where you think your personal information is inaccurate and only for such period to enable us to verify the accuracy of your personal information.
  • The use of your personal information is unlawful and you oppose the erasure of your personal information and request that it is suspended instead.
  • We no longer need your personal information, but your personal information is required by you for the establishment, exercise or defence of legal claims.
  • You have objected to the use of your personal information and we are verifying whether our grounds for the use of your personal information override your objection.

Right to data portability

You have the right to obtain personal information that you have provided to us in a structured, commonly used and machine-readable format and for it to be transferred to you or another organisation, where it is technically feasible. The right only applies where the use of the personal information you provided was with your consent or for the performance of a contract with you, and when the use of your personal information is carried out by automated (ie, electronic) means.

Right to object to the use of your personal information

You have the right to object to the use of your personal information in certain circumstances:

  • Where you have grounds relating to your particular situation and we use your personal information for our legitimate interests (or those of a third party) or for our public functions, including for profiling.
  • If you object to the use of your personal information for direct marketing purposes.

Right to withdraw consent

You have the right to withdraw your consent at any time where we rely on your consent to use your personal information.

Right to complain to the relevant data protection authority

You have the right to complain to the Information Commissioner where you think we have not used your personal information in accordance with data protection law.

We aim to resolve any concerns you have and would ask that you contact us via our Data Protection Officer in the first instance. However if you are not satisfied with the outcome of your complaint to us, you can take a complaint to the Information Commissioner’s Office

Information Commissioner’s Office
Wycliff House
Water Lane
Wilmslow
Cheshire
SK9 5AF

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated of our timescales.

Top of the page

Website cookies and third party links

A cookie is a small text file that’s stored on your computer or mobile device when you visit a website.

We use cookies to:

  • Remember your preferences.
  • Tailor our sites and services to your interests.

You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However in a few cases some of our website features may not function as a result.

Information about deleting and controlling cookies can be found at www.aboutcookies.org

You can find more information about the cookies used on our site and the reasons why in the table below.

Cookies used on this website

Here are the details for the cookies used on this website

NameUseExpiry
_cfduidThe cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.4 weeks
__zlcidThis cookie is installed by Zendesk. This cookie is used for Zendesk’s live chat plugin.Valid until deleted
__zlcmid
This cookie is installed by Zendesk. It is used to store the Live Chat ID used to identify a visitor across visits.
1 year
__zlcstoreThis cookie is installed by Zendesk. This cookie is used for Zendesk’s live chat plugin.Valid until deleted
_gaThis cookie is installed by Google Analytics. Used to throttle the request rate – limiting the collection of data on high traffic sites.2 years
_gatThis cookie is installed by Google Analytics. Used to throttle the request rate – limiting the collection of data on high traffic sites.1 minute
_gidThis cookie is installed by Google Analytics. User journey – it groups the user behaviour together for each user.1 day
OptanonConsentThis cookie is set by the cookie compliance solution from OneTrust. It stores information about the categories of cookies the site uses and whether visitors have given or withdrawn consent for the use of each category. This enables site owners to prevent cookies in each category from being set in the users browser, when consent is not given. The cookie has a normal lifespan of one year, so that returning visitors to the site will have their preferences remembered. It contains no information that can identify the site visitor.1 year
_gat_gtag_xxxThis is a targeting cookie installed by Google Analytics.1 minute
vuidThis is a functional cookie set by Vimeo.2 years

Third party links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for how they handle your personal information. When you leave our website, we encourage you to read the privacy notice or policy of every website you visit.

Top of the page

Changes to our privacy notice and your duty to inform us of changes

This privacy notice was last updated in May 2020.

Any changes we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by email. The updated privacy notice will take effect as soon as it has been updated or otherwise communicated to you.

Please keep us informed if your personal information changes during your relationship with us.

Contact

Questions, comments and requests regarding data protection matters are welcomed and should be addressed to the Data Protection Officer

Data Protection Officer
Network Rail
The Quadrant, Elder Gate
Milton Keynes
MK9 1EN