Last updated: 7 J anuary 2013

Data Protection Policy

Scope

Our commitment

We understand our legal obligations towards data protection and recognise that it is
important in building confidence and trust with the public, our staff and our partners.
We are highly committed to complying with the principles and requirements in the
Data Protection Act 1998 (the Act) and other relevant laws.

Who does this policy apply to?

It applies to anyone working at Network Rail who handles personal data in any way,
but particularly if you handle lots of personal data on a day to day basis as part of
your role. Personal data is anything which tells us something about a living person,
and might include staff photos, emails containing opinions on or comments about
someone, personnel files, sickness absence logs, and lists containing names and
addresses.

Your duties

So that were achieving the highest standards of compliance with the Act, we need to
be clear about what we need to do and how we need to do it. In practical terms this
means completing data protection training if we need to and making sure we always
handle personal data securely.

Training

Teams that deal with significant amounts of personal data or whose work has been
identified as carrying a high data protection risk must complete the e-Learning
training on data protection. Details of how to access it are in Appendix D. Contact
the Data Protection Advisor if you feel you or your team require tailored face to face
data protection training.

Security

We must take steps to keep personal data secure at all times against unauthorised or
unlawful loss or disclosure. When dealing with personal data we should:

Check that we are authorised to process the data, i.e. is it essential to our
business function?
Make sure electronic files are secured with password access controls.
Never give out our passwords to anyone, even other members of our teams.
Never send or store files on USB mobile storage without encrypting them first.
Make sure shared drives can only be accessed by the appropriate people.
Never leave documents or files unattended. Keep them locked in a drawer.
Collect all our print outs from printers promptly.
Avoid sending documents to our personal email accounts.
Screen lock computers when leaving them unattended, even if only for a short
while.
Where possible anonymise data before passing it on to someone else.
Refer to the Information Security Policy for further information on the.
companys security requirements.



Last updated: 7 J anuary 2013
Be fair and transparent

Whenever we use personal data we need to make sure we are fair and transparent
about the way we are using it. For instance:

Wherever possible we should get the consent of the person before using their
personal data. This is especially important if we are using it for marketing or
communication purposes.
If you are involved in a new project which involves the processing of personal
data, inform people about the personal data being used, why it is needed for
the project, how it will be used and who it will be passed on to.
If it is not possible to get consent make sure you have a good business case
for collecting the data and communicate this to those likely to be affected.

Retention

If we keep too much personal data for too long, we will increase the number of data
protection risks we run. Too little data prevents us from making informed business
decisions. So it is essential that we carry out regular checks to make sure personal
data on IT systems and in paper files is accurate, up to date and only being kept for
as long as necessary.

Personnel files and general HR personal data should be retained for 6 years after an
employee has left Network Rail. All other personal data should be retained for as
long as we think is necessary for the business purpose it was created. Further
information regarding how long we should keep our data can be found in the Records
Management Policy.

Definitions

Appendix A contains technical definitions of certain words which have a particular
meaning when used in the Data Protection Act. Because some of these meanings
are different to the everyday use of the words, it is important to understand precisely
what they mean.

Processes

To ensure consistency and best practice we have a number of set processes that
must be followed in certain circumstances. These include:

When a person (whether an employee or not) asks for their own data (subject
access requests).
When a person asks for copies of their case notes (HR Direct).
When the police or the Office of Rail Regulation ask us for someone elses
personal data (statutory requests).
What we should do if personal data is lost or there is a significant security
breach.
Frequent transfers of personal data from Network Rail to other organisations
(data sharing agreements).

Further details of these and other processes are in Appendix B.

Business Area Responsibilities

Please look at Appendix C for details.
Last updated: 7 J anuary 2013

Appendix A

Definitions

What are the Data Protection Principles?

The Act stipulates that anyone processing personal data must comply with Eight
Principles of good practice. These Principles are legally enforceable.

What is personal data?

Personal data under the Act is data which relates to living identifiable individuals.
However we should treat the data of dead people held on our systems as if the
person was still alive. In depth guide to the definition of personal data can be found
here.

What is processing of personal data?

The term has a specific meaning in the Act which covers a variety of activities
involving personal data, for example collecting, viewing, using, storing, or disclosing.

Data Subject

This is the person to whom the personal data belongs.

Data Controller

A person who (either alone or jointly) decides the purposes for which and the manner
in which any personal data are, or are to be, processed. Network Rail is the data
controller for the personal data we hold and has obligations under the Act in relation
to that data.
Data Processor

Any person (other than an employee of the data controller) who processes data on
behalf of a data controller. In most situations any company to which Network Rail
outsources services is the data processor. Network Rail is responsible for how the
data processor processes personal data. Therefore, it is important to make sure
commercial contracts between Network Rail and our outsourcing partners contain
detailed data protection clauses and that compliance with these clauses is monitored.
Sensitive personal data

Under the Act certain types of data are classified as sensitive personal data and
need to be handled with extra caution. Examples of sensitive personal data include:

Information about a persons ethnic origin.
Information about a persons sexual orientation.
Information about a persons religious beliefs.
Information about a persons membership of a Trade Union.
Information about a persons criminal history.







Last updated: 7 J anuary 2013
Appendix B

Processes

Subject Access Requests (SARs)

When someone asks for information about themselves we are under a legal
obligation to provide any information (i.e. paper, electronic, CCTV) we hold to them
as soon as possible and no later than 40 calendar days from the date they asked.
Refer to the Subject Access FAQ for detailed instructions on what to do if you get a
SAR.

HR Direct Case Notes

Employees are entitled to view any Case Notes held within HR Direct that contain
their personal data. Employees should contact HR Shared Services Customer
Support Services team on 0161 880 1100, if they require a copy of their case notes.

Statutory Requests

If we receive a request from the Police or another statutory organisation such as the
ORR for someones personal data we need to act quickly and have the right
information to hand when deciding if we can provide the data to them. Refer to this
Statutory Request FAQ for detailed instructions on what to do if you get a request like
this.

Data Loss Reporting

Any loss of data through accidental loss, damage or theft should be reported to
Information Security on 01270 721600 or anonymously via the Speak Out Line on
0808 143 0100.

Whistleblowing

Any personal data passed to Internal Audit as part of the whistle blowing process will
be processed in line with the data protection principles and in accordance with the
Speak Out Policy.

Procurement of third party services

Contracts with third party companies to carry out services which involve processing
of personal data will require data protection clauses in them and an audit process to
ensure the clauses are being followed.

Privacy Impact Assessments (PIA) and the Procurement of IT systems

A PIA is an assessment of the data protection risks involved within a new project. It
should be carried out at the start of any new project which involves the processing of
personal data. A PIA should also be carried out as part of the procurement process
for new IT systems in which personal data will be processed.

Data sharing agreements

We should only start transferring personal data to other organisations once we have
drawn up and signed a data sharing agreement between us and them. The
agreement must specify:

The type of data being shared
The purpose of the sharing
Last updated: 7 J anuary 2013
Security and access controls around the sharing of the data
The job titles of the people responsible for security of data
How long the data will be kept for
The fact that the sharing has been notified to the Information Commissioners
Office
The method by which the fact that the sharing is taking place has been.
communicated to the data subjects.

All data sharing agreements should be completed according the Data Sharing
Template and are only necessary where data is shared on a regular basis. We dont
need to complete one for one-off transfers.

Transferring personal data outside of the European Economic Area (EEA)

Do not transfer personal data outside the EEA (the European Union plus Iceland,
Liechtenstein and Norway) without first discussing it with the Data Protection Advisor.

Cloud Computing

For the purposes of cloud computing we should consider and process personal data
as Confidential unless classified otherwise by the Information Security Team. We do
not store, share, or otherwise process personal data via a cloud computing service
unless the company offering the service meets the conditions laid down in our Cloud
Computing Policy and agrees that they will protect and manage the data in line with
our Data Protection Policy and Information Security standards and policies.

Network Rail Micro sites

A Network Rail micros site is any website that is hosted on behalf of Network Rail.

When creating a micro site we should:

Ensure that the site has a privacy policy which sets out the purposes for the
data collected on the site and a detailed description of cookies used within
the site
Present a first time user with a cookie consent pop up which allows a user to
give consent or not to place cookies on their computer.

Use of IT systems and internet

The Internet and IT Systems Acceptable Use policy can be found here.

Enforcement

Any significant breach of this policy will be handled under our disciplinary procedure.
Examples of a significant breach include:

Disclosing information to someone else for malicious purposes
Accidently uploading information to the internet with significant amounts of
sensitive personal data
Storing a large volume of personal data onto a USB stick or CD Rom without
encrypting it and then sending it via the post or email.

Notification to the Information Commissioners Office (ICO)

As an organisation we need to register all the types of personal data we use and how
we use it. If your business area handles a significant amount of personal data please
contact the Data Protection Officer to discuss whether we ought to notify the ICO.

Last updated: 7 J anuary 2013

Appendix C

Business Area Responsibilities

The Board

The Board has overall responsibility for ensuring that Network Rail complies with its
legal obligations.

Data Protection Advisor

The Data Protection Advisor is currently Andrew Lall, with the following
responsibilities:

Briefing the Board on Data Protection (DP) responsibilities
Reporting to the Board on high risk DP breaches
Reviewing DP and related policies
Advising staff on DP issues
Ensuring that DP induction and training takes place
Notification to the Information Commissioners Office.
Overseeing the subject access, CCTV request and statutory request
processes
Advising on unusual or controversial disclosures of personal data
Reviewing data sharing agreements with third party organisations
Ensuring that contracts with Data Processors are DP compliant.

Employees

All our employees must read and understand any policies and procedures that relate
to the personal data they may handle in the course of their work.

New starters must read and sign a confidentiality agreement when joining the
company.

Appendix D

Accessing the e-Learning Data Protection Essentials Module

On your computer desktop, log on to E-Business Suite
Click on OLM Learner Self Service NR
In the Search fields, next to Course, type Data Protection Essentials and
click Go
Click on the briefcase symbol to Enrol on the event. Click Apply
Your Current Learning screen will then be displayed Click the Play button
for the video briefing you have just enrolled on, this is the blue button to the
right of the module name
Click No to the Security Warning Dialog Box
To exit the course in OLM, click on the Home icon at the top right hand corner
of the webpage.