Skip to main content
Read more
Transport for Wales logo

This privacy notice covers the Transport for Wales Rail Services (TfWRS) part of the Keolis Amey group of companies and sets out how we handle your personal data when you apply for a role with us. TfWRS respects your privacy and is committed to protecting your personal data.

The data controller for the recruitment process is TfWRS. A data controller determines how and why personal data can be processed. Please see our privacy policy.

We currently use software tools to aid in our recruitment process such as iTrent. This means that your personal data is processed by iTrent (the ‘data processor’) on behalf of TfWRS, following the instructions TfWRS sets out.


The data we collect

The personal data we may collect from you includes:

  • contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • copies of driving license, passport, birth certificates and proof of current address, such as bank statements and council tax bills
  • evidence of how you meet the requirements of the job, including CVs and references
  • evidence of your right to work in the UK and immigration status
  • diversity and equal opportunities monitoring information – this can include information about your race or ethnicity, religious beliefs, sexual orientation, disability and other ‘special category data’
  • information about your health, including any medical needs or conditions
  • other information required for some applications
  • if you contact us regarding your application, a record of that correspondence
  • details of your use of our recruitment tools and services, such as your candidate profile and alerts for vacancies
  • we will also keep copies of interview notes during the recruitment process


Our legal basis for using your data

  • Legitimate Interest As a prospective candidate you have expressed an interest in working for our organisation.
  • Contract Processing your data is necessary to move your application forward before signing a contract of work. This concerns employment or pre-employment checks.
  • Legal obligation The law requires TfWRS to check that candidates are entitled to work in the UK.
  • Processing criminal convictions and sensitive information. We collect, use and hold sensitive information such as criminal convictions on the lawful bases of contract and legal obligation.
  • Processing special category data
    Personal data is defined as ‘special category’ when it reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It includes: - genetic data - biometric data that uniquely identifies a person - data concerning health - data concerning someone’s sex life or sexual orientation, we will usually only process this data by consent however in certain circumstances we have a legal obligation to process this data.

We may process this data if it’s necessary for complying with equal opportunity laws or any lawful obligation.

Any other special category of data we process we will seek your explicit consent first.


COVID 19 and Social Distancing

The current lock down situation has meant that we have had to change our recruitment processes to protect our team and candidates. This means that if you are brought forward for interview this will be by internet-based means such as Microsoft Teams. We will therefore be hosting these sessions using audio and video of us and you. For the needs of recruitment this will be recorded and kept for a period of 28 days and then transcribed with footage being deleted. You have the right to object to video and related technology being used.

Why we need your data

We need your data in order to:

  • move your application forward
  • check that you’re the right candidate for the role
  • get in contact with you
  • send you notifications for vacancy roles or job alerts
  • Any offers of employment are subject to candidates passing a Medical Assessment as required and in line with our regulators


How your personal information is collected

We usually collect your personal information when you enter it in We might also collect information from third parties.

These may include:

  • former employers and people named by candidates as references
  • credit reference agencies
  • the Disclosure and Barring Service (DBS)
  • Sterling Talent and other background check agencies
  • Medigold or other similar providers will carry out a medical assessment when needed and mandated by relevant authorities

During the application process you’ll be asked eligibility questions. You won’t have to disclose sensitive information, and everyone still has an equal opportunity to apply. The system will automatically decline your application if you don’t meet the eligibility criteria.

Data sharing

Personal information you provide in the recruitment process will be made available to our recruitment team members. If you are successfully hired, we will upload your details to our HR system. As a member of staff you will sign a contract of employment and agree to additional terms on how your data is handled and stored.

We will also share your data for statistical analysis (it will be anonymised first).

We may also share data with a legal authority (police etc.) if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

For certain roles there is a requirement for online and role specific testing to be completed. TFWRS shares this data with SHL and other relevant bodies as applicable. We may have to share with other parties, but we will not do this without informing you.

Transferring information outside the EU

We will not transfer your personal data outside the EU without your specific consent


Data security

We have put in place measures to protect the security of your information.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we only give access to your personal information to those employees, agents, contractors and other third parties who need to work on your recruitment process.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

All data provided to us is fully encrypted and stringent access controls are in place.

All candidates must login to the recruitment portal to confirm ongoing application stataus.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for - recruitment.

This will depend on:

  • the amount, nature, and sensitivity of the personal data
  • the potential risk of harm from unauthorised use or disclosure of your personal data
  • the purposes for which we process it
  • whether we can achieve those purposes in other ways
  • certain roles have a longer period of fulfilment due to the nature these will therefore be processed for longer (please see our retention policy for more information)

For documents supporting recruitment, application and sifting the retention period is 18 months.

If your application is not successful, personally identifiable data is removed 18 months after your most recent application via a digital purge of data. We may with your consent request to hold your data for longer as other future roles may suit your application. For certain roles, we have talent pools of potential job candidates. If you’re successful throughout the recruitment process, you will be held in our talent pool until a role becomes available. If your application is successful and you are offered a role with us, your data will be kept and transferred to the systems we administer for employees and retained in accordance with our Employee Privacy Notice.

Your rights

You have the right to:

  • request access to your personal information (known as a ‘data subject access request’ or DSAR) - you’ll receive a copy of the personal information we hold about you, so you can check that we are lawfully processing it. It also allows you to request an electronic copy of any data you have provided in a structured, commonly used and machine-readable format
  • request that we correct incomplete or inaccurate personal information that we hold about you
  • request we delete or remove your personal information - you can do this when there is no good reason for us to keep it - you can ask us to delete or remove your personal information where you have exercised your right to object to processing (see below)
  • withdraw your consent for any data processed under the lawful basis of consent (see below)
  • object to the processing of your personal information where we are relying on any legal basis other than contract or a lawful obligation
  • request we restrict the processing of your personal information - you can ask us to stop processing your personal information, for example if you want us to establish its accuracy or the reason for processing it

To make any of these requests or to ask us to transfer a copy of your personal information to another party, contact our Data Protection Officer

Accessing your data

You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, if your request for access is clearly unfounded or excessive, we may:

  • charge a reasonable fee
  • refuse the request

We will need some information to confirm your identity. This is to ensure that your personal information is not disclosed to someone who has no right to access it. Typically it will be copies of 2 forms of ID, one photo ID (eg passport) and one proof of address (eg utility bill). These copies will be destroyed after your request is satisfied.


Questions and complaints

If you have any questions about this privacy notice contact the Data Protection Officer:

The Data Protection Officer provides advice and monitors TfWRS’s use of personal information. If you have any concerns about how your personal data has been handled, please contact the DPO:

Data Protection Officer

Mark Povey
St Mary’s House
Penarth Road


If you have a complaint, you can also contact the Information Commissioner, who is an independent regulator set up to uphold information rights.

Information Commissioner's Office


Contact form

Telephone 0303 123 1113

Textphone 01625 545860

Changes to this privacy notice

We may change this privacy notice. When we make changes to this notice, the ‘last updated’ date at the top of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, we will take reasonable steps to let you know.