Privacy Policy

 

Company contact details
Intertrain (UK) Ltd Railway Training Services
Garry Taylor Data Protection Manager
Balby Court Business Campus
Balby Carr Bank
Doncaster DN4 8DE

Necessary Processing

All tasks performed by the company are necessary to ensure adequate standards for operating on a legal basis under GDPR legislation, May 25th 2018.  Data quantities and necessary processing are reviewed annually by a third-party GDPR practitioner to ensure all subject processing tasks remain as few as possible to maintain this standard.

Intertrain (UK) Ltd provides employee details to sponsors of employment only.  We do not provide information to third parties other than those required for worksite regulations.  Such bodies include Sentinel, Intertrain, Amco Giffen, Siemens and the individual’s direct contractor responsible for forwarding that person to our training company.  We hold your data live and in automated backup for up to six years following termination of contract with ourselves or named third parties as aforementioned.  This data is to personally identify you and confirm you are at a level of wellbeing for railway employment.  We have two classifications for your data under these descriptions: personal and sensitive.

Data analysis is for search engine rankings and meta data analytics only.  Analytics do not include any subject data.

Data Protection Objectives

Necessary processing tasks are reviewed every month.  Such tasks include, but are not limited to:

Legislative updates demonstrating transparency and fair use of data
Right of access to data we hold on you
Right to be informed of changes and updates that will affect the use of your data
Right of data portability to ensure it is accessible
Right to object against anything we hold about you
Right to erasure should you wish to remove all records
Right to restrict processing in the case of dispute
Right to rectification if the data we or mentioned third parties hold is incorrect
Rights regarding automated profiling and decision making
Hardware and software security measures to ensure the safe use of your data
Pseudonymisation, tokenisation and encryption to restrict access beyond designated parties
Anonymisation of data analytics for company performance

Management and staff are bound by confidentiality and we take unnecessary access and processing of data we hold as a very serious matter.  A Data Protection Impact Assessment (DPIA) is undertaken as part of the annual review and updated monthly as a metrics management system to gauge improvements towards data protection and information security protocols.

Marketing and Advertising

Collection of data is by service appointment only and the data is not used for marketing.
Advertising of services is by appointment of designated third parties only and sharing of information between those third parties is as aforementioned without being used as advertising material.

SARs (Subject Access Requests)

Subjects have the right to access their own data as within the rights mentioned above.  If requested by telephone, security will require details of personal information, a password, and unique details of employment respective to the enquiry, such as NI number for payment enquiries, and Sentinel number for worksite enquiries.  We can confirm that details you have provided are true, but we cannot provide personal data over the phone or by email, so if you fail security questioning, your request will be processed by post or directly through your contractor.  Requests made by email will be responded to by post to the address provided most recently unless it is generic, or to confirm details formerly provided using your email address as confirmation of identity.  Provisions of update using email are provided by a single-use URL for one viewing only as a portable method of display.  This is to avoid delivering details directly over email as a security protocol.

Contractors may access subject data if necessary, providing adequate security data as above such as Sentinel number, nationally-recognised identification or otherwise proof of association.  

Unless in case of emergency, no other parties may be provided subject data by any channel of request.

SARs are logged automatically and subject to review regularly as fraud prevention.