Fair, accountable and safe
Network Rail’s reputation and ability to run, maintain and enhance a safe and secure railway depends on us all maintaining the highest standards of business behaviour and acting with integrity in everything we do. That includes handling personal information in a fair, accountable and safe way.
The General Data Protection Regulation will come into effect in May 2018, and introduces changes to how we all handle personal information.
So all Network Rail employees will need to complete our e-learning training (search “data protection” on e-business), and comply with our policies and guidance, which are designed to support you in handling personal information in the right way.
What is data protection?
Data protection helps us handle people’s personal information fairly and safely.
“Information is one of our greatest assets; it’s critical that we know how to look after it. To deliver as a high-performing organisation, we must know what information we have and where, we must keep it safely, and we must ensure fairness, transparency and accountability.”
Chief executive, Network Rail
What is personal information?
Personal information (or personal data as it’s sometimes called) is any information relating to someone you can or could identify.
It’s important to remember that someone can be identified not just by their name, but also by things like reference numbers and location data. Personal information includes a wide variety of information – for example a rota, next of kin details, a list of birthdays that you hold for your team, HR records, or contact details of your customers and suppliers.
What should we do differently?
- Only keep personal information for the purpose for which you have it
- Keep it in a safe place and only allow access to people who need it. If you become aware of a breach, you should follow our data breach guidance and contact the data protection team
- Keep it up to date and dispose of it securely when you no longer require it
- Make sure we can access personal information easily in case someone asks for it. This is known as a Subject Access request. If you receive a request for personal information, you should contact the data protection team, who will make sure it's dealt with properly
- Challenge our suppliers, contractors and third parties to make sure they’re doing the same
- In areas that handle personal information as part of their day-to-day activities, we should keep a record of what systems we use, what information we put on them and for what purposes, and who has responsibility for them, so we are clear about who is accountable.