Privacy notice

We respect your right to privacy. This privacy notice sets out details about the way the Office of Rail and Road (ORR) processes personal data that we collect from and about you and how we may use your information in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018.

Who we are

The ORR is a public authority. Our railway health, safety, economic and road functions overall are driven by UK and EU legislation. We are accountable to Parliament and the public to protect the people who use, interact or work on the railway; ensure fair access to a rail network which is becoming increasingly congested; ensure Highways England delivers its major programme of investment and other performance commitments; and protect the interests of future users by working with the industry and funders as they develop the network of tomorrow.

Purpose of processing

There are a number of reasons why we would obtain your personal data. We have set these reasons out below and the legal basis for processing.

1. Our website

When someone visits www.orr.gov.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. The analytics tool uses cookies to provide statistical information about visits to pages and other information relating to usage of this website. We use the information provided by Google Analytics to make informed decisions about future website developments.

Our public register website is hosted by Google Sites.  We use Google Analytics to collect visitor statistics to enable us to monitor site usage.  Our public register website search is powered by Google.

As a third party service provider the Google privacy policy applies to visitors to our site. Here is a link to their privacy notice.

You can read more about how we use cookies on our cookies page.

Search queries and results are logged anonymously to help us improve our website and search functionality.

2. People who contact us

There are many instances when people will contact ORR, including:

  • making complaints about ORR or third parties;
  • making queries or requesting information;
  • freedom of information requests;
  • exercising their rights under Data Protection laws;
  • in connection with ORR’s regulatory duties.

If you send an email or letter to us, including any attachments, it may be monitored and used by us for reasons of security and for monitoring compliance with office policy.  Email monitoring or blocking software may also be used.

When you contact us we will collect personal information to allow us to deal with the request. This may consist of:

  • your name;
  • email address/correspondence address;
  • date of birth;
  • details of any complaint/request;
  • depending on the nature of the complaint/request this may consist of special categories of personal data such as:
    • medical/disability personal information;
    • trade union membership.

Use of your personal data

The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. Where you have contacted us we are relying upon the lawful basis that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in ORR.

We will use the personal data you have provided to us to handle the reason for your correspondence. We may contact you in order to further, clarify and respond to your correspondence.

Disclosure of your personal data

In order to properly handle a complaint, we may need to contact a third party (such as a train operating company). In these circumstances we will obtain your consent prior to providing any third party with your personal information.

3. Email subscription services/lists

When you subscribe to any of ORR’s email alert or newsletter services we may collect:

  • your name;
  • email address;
  • subscription preferences;
  • type of contact, i.e. if you are from industry/sector/private sector;
  • job title;
  • telephone number.

When we collect your data we will notify you about what information we are collecting and the intended uses. We will also make it clear what information is required and what is voluntary.

In order to carry out our functions, it is necessary for ORR to maintain lists of relevant stakeholders and/or contacts who we may be required to contact in order to discharge these functions. We will make it clear to these contacts that they can request to be removed from these lists.

Use of your personal data

The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. Where you have signed up to receive any ORR email alerts or to subscribe to bulletins on subject areas through ORR’s website, we are relying upon the lawful basis of consent.

Where your personal information is contained in a list of contacts, we are relying upon the lawful basis that processing is necessary for the performance of a task carried out in the exercise of an official function vested in ORR.

We will use the personal data you have provided to us to send you email alerts and gather feedback to improve our email alerts. We may also occasionally contact you to improve our service.

Storage and retention of your personal data

If you have subscribed to an email alert or subscription service, we will keep your personal data for as long as you are subscribed to that service. If you make a request to be removed from this service then your personal data will be deleted.

Disclosure and security of your personal data

We may also share your personal data with other organisations where there is a lawful basis for doing so, such as the provision of shared services to you.

Whilst some email lists are managed in-house using ORR’s IT systems, some are managed by third party providers, MailChimp and PRGloo, which provide the technology for email alerts and subscription services. Where we use third party providers, information in relation to the third party and their privacy notice will be provided to you when you subscribe to that service. We have in place contracts with these data processors to ensure that they handle your data only in the way that we instruct them to do so.

4. Responding to consultations/Research

ORR occasionally carries out consultations/research to improve the rail experience for passengers and consumers. When conducting a consultation or research we may collect the following information:

  • your name;
  • email address;
  • date of birth;
  • depending on the nature of the research this may consist of special categories of personal data such as:
    • data concerning your health such as an injury or disability;
    • your ethnicity;
    • trade union membership.

When we collect your data we will notify you about what information we are collecting and the intended uses.

Use of your personal data

The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. Where you have agreed to take part in ORR research or respond to a consultation, we are relying upon the lawful basis of consent.

We will use the personal data you have provided to us for our consultation/research purposes only. We may contact you in order to obtain further information or gather feedback to improve our services.

Disclosure and security of your personal data

We may share your personal data with other organisations where there is a lawful basis for doing so, such as the provision of shared research projects.

We may publish our consultation responses/research findings. We will not publish your personal data in an identifiable form without your consent.

Whilst most research is handled in-house using ORR’s systems, we do use some third party research agencies. Where we use third party research agencies, information in relation to the third party and their privacy notice will be provided to you when you provide your personal data.

5. Competition functions

ORR enforces the competition prohibition under the Competition Act 1998 and in Articles 101 and 102 of the Treaty on the Functioning of the European Union. We seek to ensure that the rail market remains competitive and fair. We have the power to monitor markets, conduct market reviews and formal market studies as well as to conduct a full competition investigation into a company who may be acting anti-competitively.

Whilst carrying out our monitoring activity, a market review, market study or competition investigation, we may be provided with your personal information. This may consist of:

  • your name;
  • your email address;
  • your email or personal correspondence held by the company;
  • other personal information held by a company.

Use of your personal data

The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. When we are exercising our competition functions we are relying upon the lawful basis that processing is necessary for the performance of a task carried out in the exercise of an official function vested in ORR.

When conducting our market reviews and monitoring activity we may also rely upon the lawful basis of consent.

We will use the personal data provided to us for our competition functions only.

Disclosure of your personal data

The Enterprise Act 2002 prohibits the disclosure of specified information (which is likely to include personal information) other than for specified purposes.

We may share your personal information with the Competition and Markets Authority (CMA) or the European Commission, if we are required to do so in accordance with the specified purposes. The CMA and EC will handle any personal information sent to them in accordance with their privacy notice.

6. CCTV building security

CCTV is in use at all ORR offices for security monitoring.  Your image could be captured on footage obtained when entering or leaving any of our offices.

Use of your personal data

Where we collect data via CCTV cameras, we are relying upon the lawful basis of legitimate interest, namely the security of our premises, employees and the public.

Storage and retention of your personal data

CCTV data at all of our offices is retained for 30 days and is then securely and permanently deleted.

Disclosure of your personal data

We may share your personal data contained in CCTV footage with other organisations where there is a lawful basis for doing so, such as for security reasons and the prevention/detection of crime.

7. Reporting required under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)

As the safety authority for railways, it is a requirement for employers and self-employed persons to report to us any work-related injuries, diseases and dangerous occurrences.

When making a report employers/self-employed persons will provide us with the following information:

  • the name of the reporter and their organisation;
  • the name and contact details of any injured person;
  • injured person’s age, gender, status, employment details;
  • details of any injuries sustained by the injured person and their prognosis.

We may also receive a RIDDOR report from other reporting agencies such as Rail Safety and Standards Board (RSSB) for mainline railway duty holders and London Underground and from other safety authorities such as the Health and Safety Executive.

It is a criminal offence for an employer/self-employed person not to report an incident in accordance with the RIDDOR regulations.

Use of your personal data

The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. Where we process personal data in relation to RIDDOR reporting we are relying upon the lawful basis that processing is necessary for compliance with a legal obligation conferred on ORR and for the exercise of official authority vested in ORR.

We will use the personal data provided to us to further any necessary investigation into the reported incident (see law enforcement/investigations section below). We may also contact you for further information.

Disclosure of your personal data

In some instances we may need to share the report with other safety authorities such as the Health and Safety Executive.

8. Law enforcement/Investigatory functions

ORR regulates health and safety for the entire mainline rail network in Great Britain, as well as London Underground, light rail, trams and the heritage sector. ORR has a number of powers given to it by the Health and Safety at Work etc. Act 1974 (HSWA), which range from giving advice and information through to criminal investigation and enforcement in the criminal courts. We may also become involved in a Coroner’s inquest (or Fatal Accident Inquiry in Scotland) should an incident result in a fatality.

To this extent ORR is considered to be a competent authority for the purposes of the Data Protection Act 2018 as we have statutory functions for the purposes of the prevention, investigation, detection or prosecution of criminal offences (law enforcement purposes). When acting in this capacity, ORR will be the controller of personal data.

When ORR investigates an incident it will be necessary to obtain evidence, including obtaining witness statements from you. This could be a witness statement as a direct witness to an incident, an employee or as a victim. We may also receive your personal data from third parties if it is relevant to an investigation. We may also collect your personal data if you are suspected of committing a criminal offence.

When investigating an incident we may collect personal data which may consist of the following:

  • your name;
  • email address/correspondence address;
  • date of birth;
  • details of employment and job role;
  • details of your involvement in an incident;
  • details of any criminal convictions;
  • depending on the nature of the complaint/request this may consist of sensitive categories of personal data such as:
    • data concerning your health such as an injury or disability;
    • trade union membership.

Use of your personal data

The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. Where you or a third party have provided us with your personal data in relation to an investigation/prosecution, we are relying upon the lawful basis that:

  • you have consented to the processing for ORR’s law enforcement purposes; or
  • the processing is necessary for the performance of a task carried out by ORR for its law enforcement purposes.

In relation to any sensitive personal data, we are relying upon the lawful basis that:

  • you have consented to the processing for ORR’s law enforcement purposes; or
  • the processing is strictly necessary for the law enforcement purposes and is necessary for the administration of justice or exercise of a function conferred on ORR by an enactment or rule of law and is necessary for the reasons of substantial public interest.

ORR has in place a data protection policy which sets out how we comply with data protection principles. A copy of our policy can be found here.

We will handle the personal data you have provided, or we have collected, in connection with the law enforcement purposes only. We may contact you in order to obtain further information in relation to our law enforcement purposes or to inform you about legal proceedings in Court.

Disclosure of your personal data

Your data may be provided to third parties during the process of a criminal investigation and/or criminal proceedings. This could include the following recipients:

  • counsel instructed by ORR to represent them in Court;
  • any defendants including their legal representation;
  • for cases in Scotland, the Crown Office and Procurator Fiscal Service;
  • the Courts;
  • a Coroner (or the Procurator Fiscal in Scotland).

9. Train driving licensing/recognised professionals

ORR is responsible for issuing and regulating train driver licences in accordance with the Train Driving Licences and Certificates Regulation 2010. When you apply for a train driving licence through your employer, they will send us your personal data in order to further your application. We will use this information to process your application.

ORR must keep a register of all licences issued to train drivers.

During the above process and following a successful application, ORR will process the following information about you:

  • your name;
  • date and place of birth;
  • your address;
  • status of your licence, including whether it is suspended or withdrawn;
  • your photograph;
  • your signature;
  • your education/qualification details;
  • information in relation to validity of your licence including any relevant incidents/investigations;
  • this will include special categories of personal data, namely:
    • data relating to any general professional competence assessments;
    • data relating to any medical and occupational psychological assessments.

ORR must also have, and keep up to date, a register of recognised professionals, namely doctors, examiners, psychologists and trainers. For the process of assessing and maintaining this register we will process the following information:

  • your name;
  • your contact details;
  • employment/profession details;
  • qualifications;
  • details in relation to your independence, competence.

If you do not provide this information then ORR would not be able to process your application for a train driving licence or to become a recognised professional.

Use of your personal data

The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it. Where we are processing your personal data for train driving licensing purposes we are relying upon the lawful basis that processing is necessary for compliance with a legal obligation conferred on ORR.

We will use the personal data provided to us to process your application and once issued/approved, for regulating the conditions for holding that licence/position.

Disclosure of your personal data

It may be necessary to contact your employer in relation to the periodic requirements for maintaining the validity of your licence and in relation to any queries in relation to your licence. ORR may also need to investigate if anything calls into question the validity of your licence.

ORR is obligated to publish its list of recognised doctors, examiners, psychologists and trainers.

We use third party providers, Williams Lea Tag and Euclid Ltd, who act as data processors for us to enable the printing of train driving licences. We have in place contracts with these data processors to ensure that they handle your data only in the way that we instruct them to do so.

10. Recruitment/procurement

When carrying out recruitment and procurement it will be necessary for ORR to obtain your personal data. When you contact us to apply for a vacancy or bid for a contract we may collect the following information:

  • your name;
  • email address/correspondence address;
  • date of birth;
  • details of current/previous employment and job role;
  • details of current pay;
  • details of referees;
  • details of qualifications and educational establishments attended;
  • this may consist of special categories of personal data such as your racial/ethnic origin and disability personal information.

If you are invited to interview or we make a conditional offer, we will ask you for information so that we can carry out pre-employment checks. You must successfully complete these checks to progress to a final offer. ORR is required to confirm the identity of our staff, their right to work in the UK and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to provide:

  • proof of your identity – you will be asked to attend our offices with original documents and we will take copies;
  • proof of your qualifications;
  • we will contact your referees to obtain references;
  • we will ask you to complete a questionnaire about your health to establish your fitness to work.

Some roles require a higher level of security. If this is the case, then you will be asked to submit information via the National Security Vetting (NSV) website. NSV will be the controller for this information and will provide you with information about the way it handles your personal data.

If you do not provide this information then we would be unable to process your application or take forward an offer of employment.

Use of your personal data

The lawful basis for collecting and using your personal data will depend on the specific context in which we collect it.  Where you have applied for a job vacancy or procurement we are relying on the lawful basis of consent and legitimate interest, namely the recruitment of employees and fair procurement of services.

The information you provide during the recruitment/procurement process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role for which you have applied.

You will be asked to provide equal opportunities information. This is not mandatory information and if you do not provide it, it will not affect your application. Any information you do provide will only be used to produce and monitor equal opportunities statistics.

Disclosure of your personal data

The information you provide in relation to recruitment will not be made available to any staff outside the recruitment team in a way which can identify you.

We use third parties in order to provide elements of our recruitment process who act as data processors for us. We have in place contracts with data processors to ensure that they handle your personal data only in the way that we instruct them to do so.

Disclosure of your information

It may be necessary for ORR to disclose your personal data to third parties when permitted to do so. We will only disclose your personal data to a third party for the following reasons:

  • with your consent;
  • for specific reasons set out in this notice;
  • if we have a lawful basis for doing so;
  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation.

Where you have consented to the use of your personal data, this consent can be withdrawn at any time. Any withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Transfer of personal data outside the EEA

Your data may be transferred to countries outside the European Economic Area (EEA) through our electronic document and records management system provider, Box.  The Information Commissioner has authorised the transfers of personal data under Binding Corporate Rules for Box.

Storage and retention of your personal data

ORR also has in place a records retention policy which provides details on retention periods for the types of data we collect. At the end of the retention period your personal data will be disposed of securely.

Your rights

You have rights as an individual which you can exercise in relation to the information we hold about you. You can exercise these rights either verbally, by email or by post.

In particular you have the following rights:

  • right to access your personal data;
  • right to rectification or erasure of your personal data;
  • right to the restriction of processing concerning your personal data;
  • right to object to the processing of your personal data;
  • right to data portability.

Our commitment to you

  1. We will provide the information you request in relation to any of the below rights without undue delay and, in any event, within one month of receipt of the request.
  2. Where requests are complex or numerous, we can extend this by a further two months. If an extension is required we will inform you, within one month of receipt of your request, of the extension and the reasons why it is necessary.
  3. If requests are manifestly unfounded or excessive, in particular because they are repetitive, we may:
    • charge a reasonable fee taking into account the administrative costs of providing the information; or
    • refuse to respond.
  4. When this occurs, we will provide you with an explanation of the manifestly unfounded or excessive character of the request.
  5. Where we refuse to respond, wholly or in part, we will explain to you why we are refusing the request without delay and at the latest within one month of receipt of your request.
  6. Where we have refused to respond, you have the right to complain to the Information Commissioner and to seek a judicial remedy.
  7. Where we have reasonable doubts concerning your identity, we may request additional information necessary to confirm your identity.
  8. There may be instances where we can rely upon an exemption and/or refuse, wholly or in part, your request. In these instances, we will explain to you the reasons for our decision and your right to make a complaint.

Subject access requests

  1. You have the right of access to your personal data so that you can verify the lawfulness of the processing and ensure that the data is accurate and up to date.
  2. You have the right to obtain from us:
    • confirmation that your personal data is being processed;
    • access to your personal data; and
    • access to the following supplementary information:
      • purposes of and legal basis of the processing;
      • categories of personal data concerned;
      • recipients or categories of recipient to whom your personal data has or will be disclosed, in particular recipients in third countries or international organisations;
      • where personal data is transferred to a third country or international organisation, you have the right to be informed of the appropriate safeguards relating to the transfer;
      • envisaged period of storing that personal data;
      • existence of the right to request rectification, erasure or restriction of processing;
      • existence of the right to object to processing;
      • for personal data collected for law enforcement purposes: communication of your personal data undergoing processing and of any available information as to its origin;
      • existence of the right to lodge a complaint with the Information Commissioner; and
      • existence of automated decision-making, where applicable.
  3. We will provide a copy of your personal data undergoing processing free of charge although additional copies may incur a reasonable fee based on administrative costs.

Right to rectification

  1. You have the right to have inaccurate personal data rectified without undue delay. You may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.
  2. Upon receipt of a request for the rectification of data, we will take every reasonable step to ensure that the data is accurate and to rectify the data if necessary. We will take into account the arguments and evidence provided by you and respond within one month of receipt of the request.
  3. What steps are reasonable will depend on the nature of the personal data and the purposes for which they are processed. The more important it is that the personal data is accurate, the greater the requirement to check its accuracy and, if necessary, take steps to rectify it.
  4. Whilst a request for rectification is being considered, processing of the data affected will be restricted (see below).

Right to erasure

  1. You have the right to erasure, or the right to be forgotten. You can request that we erase any personal data we hold about you without undue delay.
  2. You have the right to have your personal data erased if:
    • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
    • we are relying solely on consent as our lawful basis for processing the data, and you withdraw that consent, and where there is no other lawful basis for the processing;
    • we are relying on the lawful basis that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us, or for the purposes of our legitimate interests, and you object to the processing of your data on grounds relating to your particular situation;
    • we are processing the personal data for direct marketing purposes and you object to that processing;
    • we have processed the personal data unlawfully; or
    • we have to erase it to comply with a legal obligation.
  3. Where your personal data has been disclosed to others, we will communicate the erasure to each recipient, unless this proves impossible or involves disproportionate effort. If asked, we will also inform you about these recipients.
  4. Where your personal data has been made public/available online, taking account of available technology and the cost of implementation, reasonable steps will be taken to inform other controllers who are processing the data that you have requested the erasure of links, copies or replication of the data by them.

Right to restrict processing

  1. You have the right to obtain restriction of processing of your personal data in certain circumstances. This means that you can limit the way we use your personal data. This is an alternative to the erasure of your data.
  2. You have the right to obtain restriction of processing where:
    • you contest the accuracy of your personal data and we are in the process of verifying the accuracy of the data;
    • the data has been unlawfully processed and you oppose the erasure and request restriction instead;
    • we no longer need the personal data for the purposes of processing, but we are required by you to retain it for the establishment, exercise or defence of a legal claim; or
    • you have objected to us processing your data on grounds of your particular situation and we are in the process of considering whether our legitimate grounds override your rights.
  3. We will restrict data processing in an appropriate way for the type of processing being carried out by:
    • temporarily moving the selected data to a different processing system;
    • making the selected data unavailable to users; or
    • temporarily removing data from a published location e.g. on a website.
  4. We will store data that we have been asked to keep by you, but are no longer processing, in a secure restricted area.
  5. Where processing has been restricted, we will only process the restricted data, with the exception of storing it, where:
    • you have consented;
    • the processing is for the establishment, exercise or defence of a legal claim;
    • the processing is for the protection of the rights of another person (natural or legal); or
    • the processing is for reasons of important public interest.
  6. If we have disclosed your personal data in question to others, we will communicate the restriction to each recipient, unless this proves impossible or involves disproportionate effort. If asked, we will also inform you about these recipients.
  7. The right to restrict processing is temporary in many cases. If the processing has been restricted whilst we consider a request for rectification, or an objection to the processing, once we have made a decision on the accuracy of the data, or the legitimate grounds for processing, we will lift the restriction.
  8. We will inform you of our decision before a restriction is lifted.

Right to object

  1. You have, at any time, the right to object to processing based on the legitimate interests pursued by the controller or by a third party or the performance of a task in the public interest or the exercise of official authority.
  2. Your objection must be on “grounds relating to your particular situation”.
  3. You also have the right to object at any time to processing for direct marketing purposes. We will stop processing personal data for direct marketing purposes as soon as we receive an objection.

You can read more about these rights on the Information Commissioner’s website.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 23 May 2018.

Data Protection Officer

In order to contact our data protection officer about our privacy policy or any other data protection queries you can email dpo@orr.gsi.gov.uk or write to:

Sue MacSwan
Data Protection Officer
Office of Rail and Road
One Kemble Street
London
WC2B 4AN

Complaints or queries

The ORR aims to meet the highest standards when collecting and using personal information. We encourage people to tell us if they think that our collection or use of information is unfair, misleading or inappropriate.

This privacy notice does not provide exhaustive detail of all aspects of the ORR’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

We ask that you address any initial complaints to the ORR; however, if you are still dissatisfied then you have the right to lodge a complaint with the Information Commissioner’s Office.