MTR Corporation (Crossrail) Limited – Privacy Policy

Title: MTR Elizabeth line Privacy Policy
Address 63 St Mary Axe, London, EC3A 8NH
Contact email address dpo@mtrel.co.uk
Contact person Data Protection Office Approval Date 19/12/2024
Accountable person Finance Director Version number 2.0
First published 25/05/2018 Next revision 18/12/2027

Introduction

This Privacy Policy sets out how MTR Elizabeth line (registered as: MTR Corporation (Crossrail) Limited) will use and protect any information that you give us how we will use this data, who or if it will be shared with and your privacy rights and how the law protects you.

We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified, then you can be assured that it will only be used in accordance with this Policy.

We may make changes to this Policy from time to time and you should check our website or Business Management System (for existing colleagues) to review the latest version.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

1. How we get the personal information about you and why we have it

1.1  Information you give us

Most of the personal information we process is provided to us directly by you. You may give us information about you by filling in forms on our website or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you subscribe to our services, apply for one of our job vacancies, make a general enquiry and when you report a problem with our site.

The information you give us may include your:

Identity Data Which includes you first name, last name and title.
Contact Data Which includes your home address, email address, home telephone number and mobile number.
Profile Data Which includes information such as preferences and interests, customer surveys and offers.
Optional Data Which includes optional information for equality monitoring purposes as part of job applications, for example ethnicity, disability, sexual orientation, religious beliefs.
Employment Data Which includes the information in your curriculum vitae and any covering letter including employment history, other relevant experience, achievements, skills and qualifications and any information you provide to us during an interview.

 

1.2  Information from third parties or publicly available sources

We may receive personal data about you from various third parties and public sources as set out below:

  • Recruitment agency, from which we collect the identity data, contact data and employment data.
  • Background check provider, from which we collect personal data.
  • Your named referees.
  • LinkedIn or similar sites for information to validate the skills, experience or qualifications you tell us about.

1.3  Special Categories of Personal Data

In any job application you make to us, we may also collect, store and use the following “special categories” of more sensitive personal information:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.

We do this to comply with our legal obligations and for reasons of substantial public interest (equality of opportunity or treatment). We also have legitimate interests: as part of investigations by regulatory bodies, or in connection with legal proceedings or requests.

  • Information about your health, including any medical condition, health and sickness records.

We do this to perform our legal obligations. We also have legitimate interests to maintain our employment records and to comply with legal, regulatory and corporate governance obligations and good practice, to ensure safe working practices.

  • Information about criminal convictions and offences.

We do this to comply with our legal obligations and for reasons of substantial public interest (preventing or detecting unlawful acts, suspicion of terrorist financing or money laundering in the regulated sector and protecting the public against dishonesty).

2. Using your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract, we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

We use the above information for the following reasons:

  1. To perform any contract that we are about to enter into or have entered into with you including any employment contract.
  2. Our legitimate interests or those of a third party and your interests and fundamental rights do not override those interests. In some cases, we will use your personal information so that we can carry out the following activities
    • To process any job application, you make and assess your suitability for the role you have applied for.
    • To make decisions about whether to offer you an interview or employment; to carry out relevant pre-employment screening (e.g. verify your address, academic qualifications and work experience; carry out appropriate credit reference and criminal record checks, depending on the role).
    • For internal record keeping and internal operations such as troubleshooting, data analysis, statistical and survey purposes.
    • To improve our website and services.
    • To periodically send you promotional emails about new products, special offers or other information, which may be of interest to you, but only if you have provided your consent.
    • To contact you by email or phone for market research purposes from time to time; to customise our website according to your interests.
    • To review and audit the recruitment process and its outcomes.
    • To keep our website safe and secure.
  3. Legal requirements. We will use your personal information to ensure we are complying without legal obligations:
    • To carry out checks in relation to your right to work in the UK.
    • To make reasonable adjustments if you have a disability.
  4. We envisage that we will process information about criminal convictions.
    • We will collect information about your criminal convictions history if we would like to offer you the role (conditional on checks and any other conditions, such as references, being satisfactory).
  5. We will use your particularly sensitive personal information in the following ways:
    • We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during an interview.
    • We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

3. Who we might share your data with

We may have to share your personal information with the parties set out below:

  • Internal authorised personnel (i.e. recruiting line manager, Human Resource professionals, screening service provider and occupational health professionals), who are directly involved in the management and administration of the recruitment process and have a legitimate need to access your personal information.
  • Internal third parties such as other members within our group, including MTR Corporation Limited in Hong Kong, these exchanges are governed by an internal Binding Corporate Rules agreement.
  • External third parties for the purposes of Reference/Security checks and medical screening.
  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

3.1 International Transfers

If we share your personal data within the MTR Corporation (Crossrail) Group. This will involve transferring your data outside the European Economic Area (EEA). To ensure that your personal information does receive an adequate level of protection we have a Binding Corporate Rules document (MTR Inter Group Agreement) signed by MTR International Corporate Hubs.

The MTR Inter Group Agreement puts in place appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with, and which respects the EU and UK laws on data protection.

4. Website specific

This Policy should be read carefully alongside, and in addition to, our website terms and conditions. By using this website, you agree to the terms of this Policy (including as updated or amended from time to time).

  • Links to other websites

Our website may contain links to enable you to visit other third-party websites of interest easily. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Policy.

5. Automated Processing

In some circumstances, your job application may include automatic processing e.g. based on pre-screening questions answered or the results of online testing. On such occasions you will be informed that automatic processing is being used and given the opportunity to withdraw your application. We will only use automated decision making where we are required or authorised by law, it is necessary for entering into or performing the contract or we have your explicit written consent.

Please note the Elizabeth line (MTR Crossrail) does not use automatic data processing on protected characteristics defined in the Equalities Act 2010. In order to demonstrate compliance with the Act, the Elizabeth line (MTR Crossrail) may ask you to complete an optional equal opportunities questionnaire as part of the application process.

6. Marketing

Whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you consent to your information being used by us for direct marketing purposes. We will only use your information for direct marketing purposes where you have specifically given consent for us to do so.

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

You can ask us or third parties to stop sending you marketing messages at any time by writing to us at MTR Corporation (Crossrail) Limited, Providence House, Providence Place, Islington, London N1 0NT or emailing us at communications@mtrel.co.uk.

7. Storage of your personal information

7.1 Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions as data controller and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7.2 How long do we keep your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider:

  • The amount, nature, and sensitivity of the personal data.
  • The potential risk of harm from unauthorised use or disclosure of your personal data.
  • The purposes for which we process your personal data and whether we can achieve those purposes through other means.
  • The applicable legal requirements.

In some circumstances you can ask us to delete your data. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

If the data we collect is as a result of a job application you made to us, and your application is unsuccessful, we will retain your personal information (CV, personal details, interview and assessment notes, test results and copies of ID) for 6 months from the date you are informed you were unsuccessful. Your registration details will be deleted if your account remains inactive for a period of 12 months. We retain your personal information for this period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations.

8. Your data protection rights

Under data protection law, you have rights including:

You have the right to ask us for copies of your personal information.

You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incorrect.

You have the right to ask us to erase your personal information in certain circumstances.

You have the right to ask us to restrict the processing of your personal information in certain circumstances.

You have the right to object to the processing of your personal information in certain circumstances.

You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

9. Processing of Supplier personal information

Where MTR Elizabeth line chooses to enter into a business engagement with supplier, we will be the controller of any personal data, that you provide to us, to enable us to process that business engagement and are therefore responsible for processing it in accordance with the law.

We respect the privacy of our suppliers and those individuals working for our suppliers and recognise that when you choose to provide us with personal data, you trust us to act in a responsible manner with that information. This privacy policy contains important information about how we use personal data for the following data subjects:

  • Our suppliers, vendors and service providers, either historical, existing or prospective, who are natural persons; and
  • representatives or contact persons of our suppliers and service providers who are legal entities.

We will refer to the above together as the “suppliers”. If you are considered a supplier (either existing, historical or prospective) we invite you to read and understand the contents set out in this privacy policy.

We may gather the following information about you during our engagement:

  • Identification and contact information (full name, title, email, phone, address etc)
  • Job Title, position, and name of company
  • Business Financial information (e.g., bank account details), insofar our supplier is a natural person
  • Background checks related to the supplier

Suppliers should ensure their employees are aware that their data is being shared with us, as described in this policy. It is the responsibility of the supplier to ensure that information shared with MTR Elizabeth line in relation to employees is kept up to date.

9.1 How do we use it?

The primary reason we process your personal data is to approve, manage, administer or effect an agreement between MTR Elizabeth line and the supplier you represent or work for. In this respect, we use your personal data, to organise our sourcing activities, issue purchase orders, process payments, perform accounting, manage our contract or review the services or products you supply us with. In addition, we process personal data to meet our legal obligations (such as record keeping obligations), as well as to manage our risks and operations (e.g. prevent and detect security threats, exercise or defend legal claims).

How we will use your personal data Our legal basis for processing
Managing our relationship with our suppliers. Legitimate interest – in cases where we process data of representatives or contacts of our suppliers who are legal entities, the processing of your data is necessary for our legitimate interest to communicate with our suppliers’ representatives in a customary, personal manner.

Necessary for the performance of a contract – we use your personal data to liaise with you on matters relating to our relationship, if you, as our supplier, are a natural person.
Making decisions about procuring goods and services (e.g., determining the terms of our contractual agreement(s) etc). Legitimate interest – in cases where our supplier is a legal person, we use your personal data to keep our supplier updated throughout our relationship.

Necessary for the performance of a contract – we use your personal data to assess your status as a new or existing supplier, and to keep you updated throughout our relationship.
Upholding our company’s interests and ensuring compliance and reporting (such as adhering to our policies, legislation and managing allegations of fraud or misconduct). To comply with our legal obligations – in cases where our supplier is a natural person, we use your personal data to investigate and prevent fraud or misconduct and to protect our economic interests.
To manage your visit to our offices. Our legitimate interests for any other purposes required by law such as for example, compliance with fire protection regulations.
Any other purposes required by law and authorities. Processing is necessary for compliance with a legal obligation to which we are subject.

 

9.2 Do we pass your information to third parties?

We may send your personal data to our UK parent company.

We may disclose your personal data if we are the subject of a sale or similar corporate transaction. We will ensure that the third parties who receive your personal data are required to keep it confidential.

We may disclose personal data to third parties when we reasonably believe we are required by law, and in order to investigate, prevent, or take action regarding suspected or actual unlawful or otherwise prohibited activities, including, but not limited to, fraud.

9.3 How long do we keep your information?

We will keep your information for as long as is necessary to fulfil the purpose for which it was collected. The retention time is the term of the suppliers’ contract until any legal claims under the contract expire, unless an overriding legal or regulatory obligation arises.

Where we hold prospective supplier information we will delete this if the supplier has not participated in a sourcing event with us in the previous three years, or the supplier makes a request for the supplier information to be removed before that time.

9.4 How do we protect your information?

We take appropriate measures to ensure that your personal data disclosed to us is kept secure, accurate and up to date and kept only for so long as is necessary for the purposes for which it is used.

10. Access to your personal information

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

If you would like a copy of the information held on you, please contact our Data Protection Officer either by email at dpo@mtrel.co.uk or in writing to DPO, Elizabeth line, 63 St Mary Axe, London, EC3A 8NH.

If you believe that any information, we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.

If you make a request, we endeavour to deal with it within twenty-eight days.

11. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at:

Data Protection Officer
MTR Elizabeth line
63 St Mary Axe
London
EC3A 8NH.
Email: dpo@mtrel.co.uk

You can also complain to the Information Commissioners Office (ico) if you are unhappy with how we have used your data.

Information Commissioner’s Office
Wycliffe House

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk