General Data Protection Regulations Policy

Document Number: SLCO-L1-SMS-021

Issue No: 1

Issue Date: 29/09/2020

Function lead / Approver: MD

Document Owner: CD

Next Review Date: 29/09/2023


SLC Operations Ltd (SLCO) (trading as SLC Operations and ‘The Rail Academy’) acknowledges and agrees that any personal data that we handle shall be processed in accordance with all applicable data protection laws and regulations. These are currently the General Data Protection Regulations (GDPR) and the SLCO-L2-SMS-021 procedure. If you have any questions about this Policy or procedure, or how we handle personal information, please contact Individuals have the right to make a complaint at any time to the Information Commissioner’s Office (ICO); the UK Supervisory Authority for Data Protection issues.

Data protection principles

We will comply with data protection law. This says that the personal information we hold about an Individual must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are “special categories*” of more sensitive personal data which require a higher level of protection.

The information we may collect

  • Individual’s name and gender*
  • Individual’s address*
  • Individuals date of birth*
  • Individual’s email address*
  • Individual’s telephone number*
  • Individual’s National insurance number*
  • Copies of Individual’s Passport* (In some cases, permits and visas*)
  • Individual’s financial information (including but not limited to payroll details and terms, HMRC data, pension scheme details, court orders and statutory payments)*
  • In certain cases, Individual’s medical information*
  • Individual’s CV/work history; including References and right to work documentation *

Any other work related information Individual’s provide, for example:

  • Education or training certificates*,
  • Past performance data*,
  • Employment records (including job titles, work history, working hours, training records and professional memberships).

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions*.
  • Trade union membership.
  • Information about your health, including any medical condition, health and sickness records*.
  • Genetic information and biometric data*.
  • Information about criminal convictions and offences*.
  • Compensation history*.

How we may use the information

  • To establish that an Individual has the right to work.
  • Complying with health and safety obligations.
  • To deal with any medical and health and safety issues relating to an Individual’s role.
  • To ensure their employment meets rules and regulations associated with safety critical working and Train Driver Licensing.
  • To put in place contractual arrangements and supporting documentation in place.
  • To pay Individuals.
  • Where we need to perform the contract, we have entered into with an individual.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and Individual interests and fundamental rights do not override those interests.
  • Where we need to protect individual interests (or someone else’s interests).
  • Where it is needed in the public interest or for official purposes.

How we hold the information

  • All the personal data we have is stored on a secure database.
  • Any information provided will be securely held on a password protected database, with access restricted to named individuals who require access as part of their normal duties.
  • We may share your information with other trusted third parties as follows: HM Revenue and Customs, pension scheme providers, legal advisors and other companies for the purpose of paying you.
  • We will rely on your consent to process the information marked with an * above which is collected at the outset of the recruitment process.
  • Information and documentation to establish your right to work is processed by us as we are legally obliged to do so.
  • In respect of medical information, the basis for us processing this will depend on the circumstances, but will usually be for one of the following reasons: it is necessary to protect health and safety or to prevent discrimination on the grounds of disability or where consent has been obtained, if required.
  • For the purposes of paying you, where relevant, we are legally obliged to provide information to HMRC.

Your rights

  • You currently have the right at any time to ask for a copy of the information about you that we hold. If you would like to make a request for information, please email
  • You also have the following rights to request: erasure, restriction of processing, objection and data portability.
  • We will generally keep your personal data for a minimum of 6 years after our business relationship, after which time it will be destroyed if it is no longer required for the lawful purpose(s) for which it was obtained.


Cath Bellamy,

Managing Director SLC Operations Ltd

Date: September 2020