The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) provide similar rights of access as the Freedom of Information Acts, the main difference being that the Data Protection Acts do not apply to records of deceased persons.
Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data.
As with the FOI Acts, these rights extend to your own personal records and in specific circumstances, to those of your children. There are exemptions provided for in the Acts, this means that there are specific circumstances when the requested information will not be released. If any of these exemptions are used to withhold information, the reasons will be clearly explained to you.
CRR, as a Data Controller must meet our obligations under the Data Protection Act 2018 as outlined below:
obtain and process information fairly
keep it only for one or more specified, explicit and lawful purposes
use and disclose it only in ways compatible with these purposes
keep it safe and secure
keep it accurate, complete and up-to-date
ensure that it is adequate, relevant and not excessive
retain it for no longer than is necessary for the purpose
provide an individual with a copy of his/her personal data on request.
We request you to apply in writing and simply refer to the Data Protection Act 2018. No fee applies.
When to use the Data Protection Act.
You may use either the Freedom of Information Acts or the Data Protection Act to access personal information held by public bodies. However, the Data Protection Act applies only to your own personal information (or in certain circumstances that of your child). No fee applies unless the workload is exceptional.
Entitlements Under the Data Protection Act
A decision will, in normal circumstances, issue within 30 days of receipt
of your request.
Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter.
Access to Information.
To make an access request under the Data Protection Act 2018, please submit your request in writing to:
Data Protection Officer,
Commission for Railway Regulation,
Please ensure that you describe the records you seek in the greatest detail possible to enable us to identify the relevant records.
For further information you can also visit our Privacy Statement on our website.