Menu Close
/ Register

Data Protection Policy Statement

The Managing Director's Statement on Data Protection

Journey details

  • Under 5s travel free

  • Add another railcard

Why CrossCountry trains?

Buy tickets for any train journey in Britain. We cross more of the country than any other train company.

Choose date & time

Going
departing after

Looking for dates further in the future?

Train operators can only release tickets for sale up to 90 days in advance.

But don't worry, you don’t have to miss out - Be the first to hear when tickets are available with our FREE ticket alert.

E-mail me when tickets become available Back to calendar

Station Finder

CrossCountry will strive for continual improvement in managing it's compliance with the Data Protection Act 1998. This policy will be shared with our employees and has the active support of the executive board.  At CrossCountry we have a legal obligation to comply with all appropriate legislation in respect of Data, Information and IT Security. We also have a duty to comply with guidance issued by the Information Commissioner's Office.

All legislation relevant to an individual's right to confidentiality and the ways in which that can be achieved and maintained are paramount to CrossCountry. Penalties could be imposed upon CrossCountry and/or employees for non-compliance with relevant legislation.

Our Data Protection Policy (XCTL-904) aims to detail how CrossCountry meets its legal obligations for confidentiality and information security standards. The requirements within the Policy are based primarily upon the Data Protection Act 1998 that is the key piece of legislation covering security and confidentiality of personal information.

There are eight principles of good practice reflected in the Data Protection Act 1998. These are normally referred to as the 'data protection principles'.

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Did you find this page useful?