Personal information charter

Outlines the standards you can expect when we ask for or hold your personal information and explains what we ask of you, to help us keep information up to date.

This policy explains how DfT Operator Limited will, as a data controller, comply with with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Your privacy

We know how important it is to protect your privacy. If we need to collect, store or otherwise use your personal data, we will comply with the principles and other provisions of data protection law.

What allows DfT Operator Limited to process your personal data

We will only process your personal data if we have a lawful basis to do so. Most of the processing we do relates either to contracts, our public tasks, or is necessary for our legitimate interests. Where we process more sensitive, or ‘special category’, personal data, we will ensure that we meet the relevant requirements.

When we collect your personal data

When we collect your personal data, we will provide you with specific information including:

  • how to contact our Data Protection Officer (DPO)
  • the purpose and legal basis for our processing
  • where relevant, who your data will be shared with and whether it will be transferred to a third country (and if so the safeguards that will be put in place to protect it)
  • how long it will be kept for
  • your rights in connection with that processing
  • how to complain
  • whether you are obliged to provide your data and if so the possible consequences of not doing so

Where we receive your personal data from a third party, we will normally tell you who gave it to us and why and provide the same privacy information we would have given you if we had collected it directly. We will do this within one month, unless there is an exemption. The categories of data we typically process include your name, contact details (such as email address),and the content of your correspondence or complaint.

Your rights

The GDPR gives individuals a number of rights in relation to their personal data. The most commonly used right is subject access, which allows you to request a copy of any data we might hold on you. The Information Commissioner’s Office has published a full description of your rights and how they might apply to the way we use your personal data. DfT Operator Limited will uphold your rights to the extent that they apply to the way we process your personal data.

If you wish to exercise any of your rights, including accessing a copy of your personal data, contact dpo@dftoperator.co.uk. If we don’t already know who you are, we may ask for proof of identity such as a copy of your driving licence, passport or another official document before we can start processing your request.

Our privacy information notice

The purposes for which we process personal data include:

  • maintaining our accounts and records
  • consideration and investigation of complaints
  • answering queries
  • the provision of education or training
  • property management
  • corporate administration
  • the administration of grants
  • the recruitment, support and management of our staff
  • activities linked to our role as the owning group of several train operating companies, including limited data sharing and work related to the future structure of the railway

When we share information

We may share personal data within our organisation or with other bodies where we are permitted to do so by law. This may include sharing between DFTO and our train operating companies, where necessary for group-wide functions or public sector responsibilities. There are some cases where we can pass on your data without telling you – for example, to prevent or detect crime, or in order to produce anonymised statistics. In all cases, whether data is shared internally or externally, we will comply with data protection law.

Correspondence

When you write to DfT Operator Limited, we will look after any personal information you disclose to us and use it only as necessary to provide you with an answer. This will be in accordance with our task as a public authority to be accountable and transparent about the functions and policies that we are responsible for. This may include corresponding in our capacity as the owning group of several train operating companies, where appropriate.

Where your correspondence relates to a policy area or issue for which another public body has responsibility, it will in most cases be passed to them to respond to you. We will let you know when this happens.

In the case of requests for information that are handled under the Freedom of Information Act 2000, DfT Operator Limited will use your personal data as necessary to comply with those laws. We operate a centralised Freedom of Information function on behalf of our train operating companies. Requests originally sent to a train operating company (TOC) will be shared with us so we can respond on their behalf. We may need to consult with other public authorities in central government where a coordinated response is required. Where an information request would be more appropriately directed to another organisation, our response will advise you where it should be sent, but the request will not be forwarded.

A record of general correspondence will be held by us for at least 3 years. FOI requests and related correspondence will be retained for 6 years. Records will only be kept for longer where it is necessary in connection with an ongoing issue.

Our Data Protection Officer

Our Data Protection Officer informs and advises us on how to comply with data protection law and provides assurance that we are doing so.

Our DPO can be contacted at:

DfT Operator Limited
2nd Floor
Waterloo Station
London SE1 8SW

Email: dpo@dftoperator.co.uk

When contacting the DPO, please make clear that your correspondence relates to DfT Operator Limited. If your query or complaint concerns one of our group train operating companies, you should usually contact them directly, as they are separate data controllers. We do not routinely forward correspondence to TOCs. If you are contacting us about a TOC, please make this clear in your message.

The steps we take to keep your data secure

We take information security seriously and will protect your personal data from unauthorised access, accidental loss, destruction and damage. We ensure that staff who routinely access personal data as part of their jobs receive appropriate training in how to protect it and we carry out regular reviews and audits to ensure that our methods of collecting, holding and processing personal data meet the government’s security standards and industry good practice. This includes personal data that may be shared with us by our train operating companies.

We will only transfer your personal data overseas where appropriate safeguards are in place to protect it. The cross-government security policy framework sets out the government’s approach to protective security.

Data breach notification

DfT Operator Limited will do everything it can to keep your personal data secure. If, despite this, a breach occurs which creates a risk to your rights and freedoms, we will ensure that the Information Commissioner’s Office is informed without delay and in any event within 72 hours after we have become aware of it.

Where we assess that there is a high risk to you, we will ensure that you are notified without undue delay. Where it is not possible to contact you directly, we will attempt to make you aware through other means, such as a public announcement. The information we will provide to you will include:

  • the contact details of DfT Operator Limited’s Data Protection Officer
  • the likely consequences of the breach
  • details of the measures already taken or planned to address the breach including any steps taken to mitigate potential damaging effects

This applies to personal data we hold directly. If your personal data is held by one of our group train operating companies, they will handle any breach notification in line with their own legal obligations.

How to make a complaint

If you’re unhappy with the way we have handled your personal data and want to make a complaint, you can write to our Data Protection Officer.

Although it is not currently a legal requirement to raise your complaint with us before contacting the Information Commissioner, we follow the complaint-handling standards set out in the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025). This means:

  • we’ll acknowledge your complaint within 30 days
  • we’ll take appropriate steps to investigate it without undue delay
  • we’ll keep you informed of progress during the investigation
  • once concluded, we’ll send you a clear outcome

You can raise your complaint by email or by requesting a complaint form.

Email: dpo@dftoperator.co.uk

Data Protection Officer
DfT Operator Limited
2nd Floor, Waterloo Station
London
SE1 8SW

If you remain dissatisfied after we’ve completed our response, you can contact:

Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Contents