Crossrail International is committed to ensuring that your privacy is protected.
This policy explains how Crossrail International will, as a data controller, comply with the Data Protection Act 2018 and associated legislation, including the General Data Protection Regulation (GDPR) concerning data protection.
We know how important it is to protect your privacy. If we need to collect, store or otherwise use your personal data, we will comply with the principles and other provisions of data protection law.
When do we collect your personal data?
We collect personal data about you if:
- you visit and interact with this website
- you enquire about, or engage Crossrail International to provide services
- you apply for a position with Crossrail International
- you contact us with any other enquiry or complaint
Personal data means any data relating to a person that enables them to be identified either directly, or indirectly. Personal data that we hold about you may include your:
- Job title
- Company name
- Email address
- Telephone number
- Source of your enquiry
We will take steps to ensure that the personal data we store is accurate and up-to-date.
Where your personal data was sent to us by a third party, we will tell you who that third party was and, where relevant, will provide you with the above information. We will normally do that within one month.
GDPR gives individuals a number of rights in relation to their personal data. The most commonly used right is subject access, which allows you to request a copy of any data we might hold on you. For a full description of your rights and how they might apply to the way we use your personal data, please visit the Information Commissioner’s Office website. Crossrail International will uphold your rights to the extent that they apply to the way we process your personal data.
If you wish to exercise any of your rights, including accessing a copy of your personal data, please contact firstname.lastname@example.org. If you are unknown to us, we will need you to provide proof of identity before we can start processing your request.
Our privacy information notice
The purposes for which we process personal data include:
- responding to requests that you may have submitted via our website and to deal with ongoing matters relating to such requests
- offering our services in a personalised way
- maintaining our accounts and records
- answering queries or resolving a complaint
- corporate administration
- the support and management of our staff
When we share information
We may share personal data within our organisation or with other bodies where we are permitted to do so by law. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will comply with data protection law.
When you write to Crossrail International, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a public authority to be accountable and transparent about the functions and policies that we are responsible for.
In the case of requests for information that are handled under the Freedom of Information Act 2000, Crossrail International will use your personal data as necessary to comply with those laws. We may need to consult with other public authorities in central Government where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded.
A record of your correspondence will be held by us for at least three years and then, under normal circumstances, deleted. It will only be kept for longer where it is necessary in connection with an ongoing issue.
Our Data Protection Officer
Our Data Protection Officer (DPO) informs and advises us on how to comply with data protection law, and provides assurance that we are doing so. Crossrail International’s designated DPO is part of the Department for Transport’s data protection team.
Our DPO can be contacted at:
Data Protection Officer
Department for Transport
One Priory Square
When contacting our DPO, please make clear that your correspondence is about Crossrail International.
The steps we take to keep your data secure
We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We ensure that staff who routinely access personal data as part of their jobs receive appropriate training in how to protect it, and we carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice. We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework on GOV.UK sets out the government’s approach to protective security.
Data breach notification
Crossrail International will do everything it can to keep your personal data secure. If, despite this, a breach occurs which creates a risk to your rights and freedoms, we will ensure that the Information Commissioner’s Office is informed without delay, and in any event within 72 hours after we have become aware of it.
Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:
- the contact details of the department’s Data Protection Officer
- the likely consequences of the breach
- details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects
How to make a complaint
If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to our Data Protection Officer using the details provided above.
We will acknowledge your complaint within five (5) working days and send you a full response within 20 working days. If we can’t respond fully in this time, we will write and let you know why and tell you when you should get a full response.
If you remain dissatisfied, or if you require independent advice about data protection, privacy and data sharing issues, contact:
Changes to this policy