Abellio London and Surrey trading as Abellio Rail Replacement (ARR) is committed to protecting and respecting your privacy when you use our apps.
- What personal data we collect from you when you use our apps
- How we will collect and use that information;
- How we keep information secure; and
- How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.
- Information we may collect from you
- How we use your information
- Sharing or disclosure of your information
- Types of information we collect
- Where we store your personal information
- Information Security
- Your rights
For the purposes of the Data Protection Act 2017, the data controller is:
Abellio Rail Replacement
301 Camberwell New Road
London SE5 0TF
Our Data Protection Manager (DPM) is:
Abellio UK Bus
301 Camberwell New Road
London SE5 0TF
Our nominated Data Protection Officer (DPO) is:
Abellio UK HQ
36 Renfield St
5th Floor, The Culzean Building
More information about the General Data Protection Regulation and all related and subordinate legislation as amended or re-enacted from time to time can be found on the Information Commissioners website https://ico.org.uk/
The Information Commissioner is our regulator for data protection matters.
INFORMATION WE MAY COLLECT FROM YOU
We may collect and process information about you when you use our app.
We collect information such as your name, phone number and device name.
This information is generally provided by you.
Sometimes we obtain details from third parties, for example if our Group structure changes or for legitimate business reasons.
HOW WE USE YOUR INFORMATION
We will only use the information you provide as permitted by Data Protection Law (DPL). Our reason(s) for using your data include:
- To enable you to work effectively with us – things like correctly identifying your shifts/duties so we can provide you with detailed information we mostly rely on the legal ground of contractual performance to process your data, but sometimes the data is also used for our legitimate interests of customer service, health and safety, improving our services and other legal obligations, like providing information to our regulators
- To run our services and improve them - we believe in investing in our rail replacement services, not just to benefit passengers and colleagues but also the wider community, environment, and economy. There are lots of activities we do to achieve this, some are administrative and we also do things like monitoring passenger numbers, improving technology to help plan journeys - make money, run our services safely and be a good employer - we call these our legitimate interests. Some of these are also covered in our legal and contractual obligations, including to regulators.
- For your safety and security.
- For fraud and crime prevention.
We are part of a Group of Companies and share administrative services and support. Your data may therefore be shared with other Group companies where appropriate.
Our Legitimate Interests
Running our business and Group businesses, in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our staff, operating with financial discipline and reducing crime and fraud to provide shareholder value, provide and improve customer services.
SHARING OR DISCLOSURE OF YOUR INFORMATION
We will only share or disclose your information as set out in this Policy or in accordance with DPL and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure.
Due to the nature of the services we provide, we process a large range of data, in a manner of ways, across a number of solutions. Accordingly, it was deemed impractical to set out the details of all the third parties that we may share your data with below. You can find out more about the information we collect and how we use, share or disclose it below or by contacting us at email@example.com.
We may share or disclose information for the following reasons:
- Sharing your phone number with other coordinators working on the same route and shift to enable the coordinators to contact each other with queries and issues that arise during the shift
- We use data processors to provide or assist with some of our services, for example, the processing of bookings. Where we do so, they must agree to strict contractual terms and to keep your data secure;
- Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement;
- To comply with requests from the British Transport Police under an Information Sharing Protocol, ensuring that any disclosure is lawful;
- To comply with the police or other law enforcement agencies for the purposes of crime prevention or detection, these are dealt with on a case-by-case basis, under a specific Information Sharing Protocol, to ensure that any disclosure is lawful;
- To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity;
- To protect our legitimate business interests, as outlined above;
TYPES OF INFORMATION WE COLLECT
This section shows the information we collect when you use our app. Before providing us with your details, please read the following important information regarding collection of user information.
Collection of user information
We will only use the information that we collect about you lawfully, in accordance with the DPL. We will collect:
- Your name
- Your phone number
- Your current, future and historic shifts
- Book on/off times
- Vehicle departure times and details
The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by ARR on this app and our back office system (the "Site") for operational purposes.
When you register with ARR, we ask for personal information such as your name, contact details, and other details. Once you register with ARR and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the ARR services that you use.
A cookie is a small piece of information that is sent to your browser when you access a website.
There are two kinds of cookies. A session cookie is a line of text that is stored temporarily in your computer's memory. Session cookies used by the ARR website are destroyed no more than one hour after you close your browser.
A persistent cookie is a more permanent line of text that gets saved by your browser to a file on your hard drive.
On those pages where the ARR website uses "session cookies" to facilitate your use of this site, we do not collect personal information about you and the cookie will be destroyed no more than one hour after you close your browser. This kind of cookie helps you use the ARR website interactively.
With most Internet browsers you can configure your browser so that it refuses new cookies, prompts you to accept cookies or disables cookies altogether. Exactly how this is done is dependent on the browser you use.
Access to our database containing personal information on registered users of the site is restricted. In order to increase security we ask you to input a password when you register as a user of the app. Please keep this password secret. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. e-mail) is at your own risk. If you have any questions about the use of this app, please contact your local ARR Team or Coordination Manager.
WHERE WE STORE YOUR PERSONAL INFORMATION
The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the DPM if you wish to find out more about the safeguards.
We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.
Unless stated otherwise we will aim to satisfy your instruction, or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet with this timeframe we will let you know within 30 days and explain what the problem is.
ASK FOR A COPY OF YOUR PERSONAL DATA
You are entitled to request a copy of the personal information we hold about you.
Please contact firstname.lastname@example.org
We may need to ask for some further information, such as checking who you are. You can download and send this form http://www.abellio.co.uk/media/1714/abellio-sar.pdf which will help us deal with your request more efficiently.
Please let us know in what format you wish to receive your information.
Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.
In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below.
RECTIFICATION / RESTRICTION
If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.
This is also known as the “Right to be forgotten”, you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.
WITHDRAWAL OF CONSENT
If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting our DPM.
We will act upon such an instruction as soon as possible.
Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.
HOW WE DEAL WITH RIGHTS REQUESTS
We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.
There are various limitations and exemptions in relation to the exercise of rights in DPL - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.
The DPO role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against:
- the business, please contact our DPO ; or
- the DPO / DPM, please contact the ICO.
We also have a complaints policy. If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please us know. Our DPM is the first point of contact for dealing with Rights Requests and complaints and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group DPO (Gabe Barrett).
If you are not satisfied with the response you can complain to the ICO. Their contact details are:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510
HOW LONG WE KEEP YOUR PERSONAL DATA FOR?
We’ll store your information for as long as we have to by law or regulatory requirement. If there’s no legal or regulatory requirement, we’ll only store it for as long as we need it. We’ll also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you haven’t opted out of receiving marketing communications from us.
We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.
This Policy was last updated on 5 April 2018.