This privacy notice sets how Transport for Wales Rail Ltd (“TfWRL”) (referred to in this privacy notice as “we”, “us” or “our”) handle your personal data when you apply for a role with us. TfWRL respects your privacy and is committed to protecting your personal data.
Please read this policy carefully, in particular section 7 below, which explains how we may make automated decisions related to your application. 
The data controller for the recruitment process is TfWRL. A data controller determines how and why personal data can be processed. For more information please see our privacy policy.

We currently use software tools to aid in our recruitment process such as iTrent, supplied by MHR International UK Limited (trading as “MHR”). This means that your personal data is processed by MHR (the ‘data processor’) on behalf of TfWRL following the instructions TfWRL gives in writing to MHR.

This privacy notice was last updated on 28.01.2021.


The personal data we may collect, store and use from you includes:

  • contact details such as name, title, addresses, telephone numbers, and personal email addresses;
  • copies of driving license, passport, birth certificates and proof of current address, such as bank statements and council tax bills;
  • evidence of how you meet the requirements of the job, including CVs, covering letters and references;
  • evidence of your right to work in the UK and immigration status;
  • diversity and equal opportunities monitoring information – this can include information about your race or ethnicity, religious beliefs, sexual orientation, disability and other ‘special category data’;
  • information about your health, including any medical needs or conditions;
  • additional information required for some applications determined on a case-by-case basis;
  • a record of that correspondence (if you contact us regarding your application);
  • details of your use of our recruitment tools and services, such as your candidate profile and alerts for vacancies; and
  • we will also keep copies of interview notes during the recruitment process. 


3.1    Legitimate Interest
As a prospective candidate you have expressed an interest in working for our organisation. We may use the personal data we collect about you to:
•    Assess your skills, qualifications, and suitability for the role.
•    Carry out background and reference checks, where applicable.
•    Communicate with you about the recruitment process.
•    Keep records related to our hiring processes.
•    Comply with legal or regulatory requirements.
It is in our legitimate interests to decide whether to appoint you to a role since it would be beneficial to our business to appoint someone to that role.

3.2    Contract
We also need to process your personal information to decide whether to enter into a contract with you. Processing your data is necessary to move your application forward before signing a contract of work. This concerns employment or pre-employment checks.

3.3    Legal obligation 
We will process your personal data in order to comply with applicable laws such as (but not limited to) checking that candidates are entitled to work in the UK.

3.4    Processing criminal convictions and sensitive information
We collect, use and hold sensitive information such as criminal convictions on the lawful bases of contract and legal obligation. We will collect information about your criminal convictions history if we would like to offer you the work (conditional on checks and any other conditions, such as references, being satisfactory). 
We are entitled to carry out a criminal records check in order to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role.
We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.

3.5    Processing special category data
UK data protection laws set out stronger protections relating to ‘special category’ personal data. In summary, this is data which reveals: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special category data also includes: genetic data, biometric data that uniquely identifies a person, data concerning health, data concerning someone’s sex life or sexual orientation. 
We will usually only process this data with your consent. However, in certain circumstances we have a legal obligation to process this data. For example, we may process this data if it is necessary for complying with equal opportunity laws or any lawful obligation.
Any other special category of data we process we will seek your explicit consent first.


The Covid-19 pandemic has meant that we have had to change our recruitment processes to protect our team and candidates. This means that if you are brought forward for interview this will be by internet-based means such as Microsoft Teams. We will therefore be hosting these sessions using audio and video of us and you. For the needs of recruitment this will be recorded and kept for a period of 28 days and then transcribed with footage being deleted. 

You have the right to object to video and related technology being used.


We need your data in order to:

  • move your application forward;
  • check that you’re the right candidate for the role;
  • get in contact with you; and
  • send you notifications for vacancy roles or job alerts.

Any offers of employment are subject to candidates passing a medical assessment as required and in line with our regulators’ requirements or guidance. 


We usually collect your personal information when you enter it in www.comeaboard.co.uk. We might also collect information from third parties. These may include:

  • former employers and people named by candidates as references;
  • credit reference agencies;
  • the Disclosure and Barring Service (DBS);
  • Sterling Talent and other background check agencies; 
  • Medigold or other similar providers will carry out a medical assessment when needed and mandated by relevant authorities.

During the application process you will be asked eligibility questions. You will not have to disclose sensitive information, and everyone still has an equal opportunity to apply. 

Collection from Keolis Amey Operations / Gweithrediadau Keolis Amey Limited (“KAO”) 

On 7 February 2021, we (TfWRL) took over the operation of the Wales and Border rail franchise from KAO. If you are or were a prospective candidate that submitted an application to KAO within the 18 months prior to the 7 February 2021 your personal data will have been transferred from KAO to TfWRL. TfWRL is the data controller of your data for the purposes set out in this policy. All data will continue to be handled in compliance of this policy.


The system will automatically decline your application if you do not meet certain eligibility criteria (for example, if you do not have a right to work in the UK or if you do not meet the minimum qualification standards required for the role). These automated decision making processes could result in your application for a role being rejected. 

If this has significant effect on you, you have the right to object to this automated decision making process and request human intervention (for example, if you believe you have mitigating or special circumstances). In order to request human intervention, please contact us on the contact information listed in the advertisement for the role, or if no details are available, using the contact details listed in section 14 below.


Personal information you provide in the recruitment process will be made available to our recruitment team members. If you are successfully hired, we will upload your details to our HR system. As a member of staff you will sign a contract of employment and agree to additional terms on how your data is handled and stored.

We will also share your data for statistical analysis (it will be anonymised first).

We may also share data with a legal authority (for example, but not limited to, the police or the British Transport Police) if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

For certain roles there is a requirement for online and role specific testing to be completed. TFWRL shares this data with SHL and other relevant bodies as applicable. We may have to share with other parties, but we will not do this without informing you.


We will not transfer your personal data outside the UK without your specific consent.


We have put in place measures to protect the security of your information.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we only give access to your personal information to those employees, agents, contractors and other third parties who need to work on your recruitment process.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

All data provided to us is fully encrypted and stringent access controls are in place.

All candidates must login to the recruitment portal to confirm ongoing application status.


We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for - recruitment.
This will depend on:

  • the amount, nature, and sensitivity of the personal data;
  • the potential risk of harm from unauthorised use or disclosure of your personal data;
  • the purposes for which we process it; and
  • whether we can achieve those purposes in other ways.

Certain roles have a longer period of fulfilment due to their nature. These will therefore be processed for longer (please see our retention policy for more information, which can be requested from your contact or using the contact details in section 14 below).

For documents supporting recruitment, application and sifting the retention period is 18 months.

If your application is not successful, personally identifiable data is removed 18 months after your most recent application via a digital purge of data. We may with your consent request to hold your data for longer as other future roles may suit your application. For certain roles, we have talent pools of potential job candidates. If you are successful throughout the recruitment process, you will be held in our talent pool until a role becomes available. 
If your application is successful and you are offered a role with us, your data will be kept and transferred to the systems we administer for employees and retained in accordance with our Employee Privacy Notice.


You have the right to:

  • request access to your personal information (known as a ‘data subject access request’ or DSAR) – you will receive a copy of the personal information we hold about you, so you can check that we are lawfully processing it. It also allows you to request an electronic copy of any data you have provided in a structured, commonly used and machine-readable format;
  • request that we correct incomplete or inaccurate personal information that we hold about you;
  • request we delete or remove your personal information - you can do this when there is no good reason for us to keep it. You can ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
  • withdraw your consent for any data processed under the lawful basis of consent;
  • object to the processing of your personal information where we are relying on any legal basis other than contract or a lawful obligation; and
  • request we restrict the processing of your personal information - you can ask us to stop processing your personal information, for example if you want us to establish its accuracy or the reason for processing it.

To make any of these requests or to ask us to transfer a copy of your personal information to another party, contact our Data Protection Officer at data.protection@tfwrail.wales


You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, if your request for access is clearly unfounded or excessive, we may charge a reasonable fee or refuse the request.

We may request additional information to confirm your identity. This is to ensure that your personal information is not disclosed to someone who has no right to access it. Typically, this will be copies of two forms of ID - one photo ID (for example, a passport) and one proof of address (for example, a utility bill dated within the last 3 months). These copies will be destroyed after your request is satisfied.


The Data Protection Officer (DPO) provides advice and monitors TfWRL’s use of personal information. 

If you have any concerns about how your personal data has been handled or if you have any questions about this privacy notice, please contact the DPO on the details set out below:
Address:   Data Protection Officer, Transport for Wales, 3 Llys Cadwyn, Pontypridd, Rhondda Cynon Taf, CF37 4TH
Email:    data.protection@tfwrail.wales

If you have a complaint, you can also contact the Information Commissioner’s Office (ICO) (www.ico.org.uk), who is the UK’s independent regulator, set up to uphold information rights: 
Postal address:         Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number:     03031 231 113
ICO website:         https://ico.org.uk/make-a-complaint/ 
We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.


We may change this privacy notice from time-to-time. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.