Privacy Notice

Our privacy notice applies to the personal information that Network Rail Infrastructure Limited collects about you, or that you provide to us through your use of the TransPennine Route Upgrade (TRU) website. It explains how and why we use your personal information, who we disclose it to and how we protect your privacy.

The TRU website may provide information about the following third parties: Arup, Bam Nuttall, Amey, Volker Rail, Murphys, Siemens, Digital Railway, Alstom, Central Rail Systems Alliance, Buckingham Group Contracting, Jacobs and Sistra. Please note we do not share your personal information with these parties.

Contents

Introduction
Who is responsible for the personal information that we collect about you?
What personal information do we hold about you?
How we will use personal information we hold about you
Who we may we disclose your personal information to
How we protect your personal information
Where we will transfer your personal information
How long we will keep your personal information for
Your rights and choices in relation to your personal information
Website cookies and third party links
Changes to our privacy notice and your duty to inform us of changes
Contact

Introduction

We take your right to privacy seriously and want you to feel comfortable when using our services. Should we ask you to provide certain information by which you can be identified you can be assured that it will only be used in accordance with this privacy notice and only for the reasons you are aware of.

About this Privacy Notice:

References to we, us or our means Network Rail Infrastructure Limited.

References to you or your means the person accessing and using the website (as defined below) or the person who otherwise provides their personal information to us or about whom we otherwise collect personal information as explained in this privacy notice.

References to the website means the TRU website found atwww.thetrupgrade.co.uk.

Personal information is information that is about you and which identifies you.

The website is not intended for children and we do not knowingly collect data relating to children.

Who is responsible for the personal information that we collect about you?

We are the data controller for the purpose of UK data protection law, in respect of your personal information collected or obtained as outlined with this privacy notice. This is because we dictate the purpose for which your personal information is used and how we use your personal information.

If you have any questions regarding this privacy notice or the way we use your personal information, you can contact our Data Protection Officer or our TRU Representative (details of which can be found at the end of this privacy notice).

What personal information do we hold about you?

We may collect and process the following categories of information about you for different reasons, depending on why you are in touch:

Website technical information: Through your internet browser or electronic device, certain information is collected by most websites or automatically through your electronic device, such as your IP address (ie, your computer’s address on the internet), screen resolution, operating system type (Windows or Mac) and version, internet browser type and version, electronic device manufacturer and model, language, time of the visit and pages visited. Through Cookies. Cookies allow us to recognise your device and to collect information such as IP address, internet browser type, time spent using the website and the pages visited.
Website usage data: Information about how you use our website and our services.
Personal information: You may enter your first name, last name, email address, and additional (though not required) your mobile number and your primary station.

This information is provided:

via your internet browser or electronic device
via cookies
via our website

How we will use personal information we hold about you

We will only use your personal information when there is a legal basis for us to do so. Most commonly, we will use your personal information in the following circumstances:

Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (for our legitimate interests or for a third party’s legitimate interests).
Where you provide us with your express or explicit consent (with your consent).

We may also use your personal information in the following situations, which are likely to be rare:

Where we need to protect your interests (or someone else’s interests).
Where it is needed in the public interest.

Please note: We may process your personal information on more than one legal basis depending on the specific purposes for which we are using your personal information. Please contact our Data Protection Officer or our TRU Representative if you need details about the specific legal basis we are relying on to process your personal information where more than one legal basis has been identified in the table below.

Processing Purposes

Processing	Legal basis	Legitimate interest (where relevant)
To communicate with you and other individual	For the performance of a contract with you. Consent For the performance of our public functions (namely operating and maintaining the national railway infrastructure)	Fulfilling requests and managing our relationships with individuals
To ensure the safety and security of our property, premises, assets, equipment and infrastructure	For the performance of our public functions (namely operating and maintaining the national railway infrastructure).
To deliver relevant and effective website content for you and your electronic devices	Legitimate interests	Developing and delivering our services, keeping our websites updated and relevant and running our business
To use data analytics to improve our website, services, marketing, customer relationships and experiences	Legitimate interests	Developing and delivering our services, keeping our websites updated and relevant, developing our business and informing our marketing strategy

Failure to provide us with your personal information

We may be required to obtain your personal information to comply with our legal obligations or for the performance of our contract with you or to fulfil a request you have made. If you do not provide the relevant personal information to us, we may not be able to enter into the contract with you or properly perform our obligations under it. We may also be unable to fulfil your request.

Where your failure to provide information breaches a legal obligation we may be required to report this to regulators or law enforcement bodies. We will generally notify of the consequences of failing to provide us with required information at the time.

Automated decision making

We do not undertake any processing of your personal information by automated means in order to make decisions about you.

Who we may we disclose your personal information to

We may share your personal information with:

Prospective sellers or buyers of our business and assets or our corporate group

How we protect your personal information

We have put in place appropriate technical and organisational security measures to prevent your personal information from being accidentally lost, altered, used, disclosed or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to access this only and who are subject to a duty of confidentiality. In the case of third party data processors, they will only process your personal information on our instructions and have their own legal obligations under UK data protection law to protect your personal information and keep it secure.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Where we will transfer your personal information

To deliver services to you, it is sometimes necessary for us to share your personal information outside the United Kingdom or the European Economic Area (EEA) with our service providers located outside the EEA, including data being shared for cookies.

These transfers are subject to special rules under data protection law. In those circumstances, we undertake an assessment of the level of protection in light of the circumstances surrounding the transfer. We will make sure that any transfers are limited to the minimum amount of personal information possible and will always take steps to ensure that your personal information is adequately protected. In certain circumstances we may need to seek your consent unless there is an overriding legal need to transfer the personal information.

Where necessary we have entered into standard ICO and European Commission approved model data protection clauses with.

Our IT support is provided from across the world and when support is provided remotely, your personal information may be accessed from and therefore transferred to that country. If we transfer personal information outside the European Economic Area (EEA), we will implement appropriate and suitable safeguards to ensure that such data will be protected as required by applicable UK data protection law.

How long we will keep your personal information for

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information we hold, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information (and whether we can achieve those purposes through other means), and the applicable legal requirements.

In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Your rights and choices in relation to your personal information

You have certain rights with respect to your personal information. The rights may only apply in certain circumstances and are subject to certain exemptions. Please see the information below for a summary of your rights. You can exercise these rights by contacting the Data Protection Officer or our TRU Representative.

Right of access to your personal information
Right to rectify your personal information
Right to erasure of your personal information
Right to restrict the use of your personal information
Right to data portability
Right to object to the use of your personal information
Right to withdraw consent
Right to complain to the relevant data protection authority

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated of our timescales.

Website cookies and third party links

Website cookies

Cookies are small files that are placed on your computer, tablet or smartphone, by websites and apps that you use.

Visit our Cookie Policy page to find out more about the cookies we use, what they’re used for and when they expire.

Third party links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for how they handle your personal information. When you leave our website, we encourage you to read the privacy notice or policy of every website you visit.

Safety and public information digital campaigns

We run marketing campaigns throughout the year to communicate safety and public information messages. As part of these campaigns we run online digital advertising that may use third party personal data to target relevant audiences. Network Rail will not collect any personal information.

We publish advertisements across various media platforms which offer these targeting capabilities. These platforms collect the personal data via cookies on various websites. The data is fully anonymised and no identifiable information is shared with Network Rail at any point in the process. Cookies are also used to evaluate the campaigns, by tracking metrics such as the number of people who engage with the advertisement. This information is also fully anonymised.

Throughout the process we engage third party companies to plan, book, and run the advertisements on our behalf. As the data controller, Network Rail only work with reputable companies who have clear data protection policies and procedures in place, and who are fully compliant with UK General Data Protection Regulation (UK GDPR).

Changes to our privacy notice and your duty to inform us of changes

This privacy notice was last updated on [08/03/2022].

Any changes we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by email. The updated privacy notice will take effect as soon as it has been updated or otherwise communicated to you.

Please keep us informed if your personal information changes during your relationship with us.

Contact

Questions, comments, and requests regarding data protection matters are welcomed and you can contact us at TranspennineEngagement@networkrail.co.uk, or you can contact our Data Protection Officer directly:

By email: data.protection@networkrail.co.uk

By post: Data Protection Officer, Network Rail, The Quadrant, Elder Gate, Milton Keynes, MK9 1EN.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_4P1ELR3V2M	2 years	This cookie is installed by Google Analytics.
_gat_UA-202409909-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
guest_id	2 years	Twitter installs the guest_id cookie to enable Twitter integration and for social media advertising. This cookie helps to track user behaviour for marketing, to enable sign in and personalize the user's Twitter experience across devices.

Cookie	Duration	Description
guest_id_ads	2 years	No description
guest_id_marketing	2 years	No description
loglevel	never	No description available.
muc_ads	2 years	No description

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.