Privacy policy

  1. Introduction and consent
  2. Information we may collect from you
  3. How we use your information
  4. Your rights
  5. Disclosure of your information
  6. Where we store your personal information
  7. Cookies
  8. CCTV
  9. Monitoring - Telephone calls
  10. Third party websites
  11. Changes to this Privacy Policy

1. Introduction and consent

1.1. Govia Thameslink Railway Limited (“We”/”us”/”our””) are committed to protecting and respecting your privacy when you our services.

1.2. This Privacy Policy (the “Policy”) explains:

1.2.1. What personal data we collect from you when you use our website, apps, visit our stations, contact us or use services (“information”)

1.2.2. How we will collect and use that information; and

1.2.3. How you can contact us if you wish to exercise any of your rights in relation to the information.

1.3. By providing us with your information you consent to our use of it in the manner set out in this policy.

1.4. For the purposes of the Data Protection Act 1998 (the “Act”), the Data Controller is:

Govia Thameslink Railway Limited
Monument Place
24 Monument Street
London EC3R 8AJ
Company No. 07934306

1.5 Our representative for the purpose of the Act is:

Julie Sadler
Internal Audit and Compliance Manager
1st Floor
Monument Place
24 Monument Street
London EC3R 8AJ

More information about the Data Protection Act can be found on the Information Commissioners website 

2. Information we may collect from you

2.1. We may collect and process the following information about you:

2.1.1. Information that you provide to us when filling in forms on this website or that you provide when you contact us. This may include your title, first name, surname, address, telephone number(s), email address(es), date of birth and in certain circumstances details of payment methods used by you, your place of employment or education, student number, and a photograph proof of ID, details of journey, amount paid and proof of payment. This information may be given:

2.1.1.1. when you contact us with queries, complaints or a request for information or purchase tickets;

2.1.1.2. when you register for the key smartcard;

2.1.1.3. when you respond to surveys that we may conduct, and you have agreed to be contacted;

2.1.1.4. whilst recording transactions that you carry out on our site, although we do not hold any information about your financial transaction other than details of the value of the ticket(s) that you purchase, when they are purchased and the method of purchase;

2.1.1.5. to issue a Penalty Fares or take other fare evasion enforcement action;.

2.1.2. When you visit our website details of your visits, how you use our site and the resources that you access on our site may be recorded as explained in our cookie policy.

2.1.3. When you use the key we record your transaction and journey history.

2.1.4. When you visit our stations we may collect your image on CCTV or via body worn recoding equipment.

3. How we use your information

3.1. We may use information held about you in the following ways:

3.1.1. To notify you about changes to our services;

3.1.2. To make and receive any payments necessary between us;

3.1.3. To carry out our obligations arising from any contracts entered into between you and us;

3.1.4. We use your personal information for customer services and administration, customer research, fraud and crime prevention.

3.1.5. To provide you with details of our services, information, newsletters, and details of promotions and offers which we feel may interest you;

3.1.6. To enhance your experience of our website, as described in our Cookie Policy;

3.1.7. To share with our suppliers where this is required by our processes; and

3.1.8. To share with other members of the Go-Ahead Group PLC (registered in England, company number 02100855) (“Go Ahead”), of which we are a member, in order to respond to queries, complaints or a request for information from you or where Go-Ahead has any services, promotions and offers which we feel may interest you. Details of other members of Go-Ahead can be found at www.go-ahead.com

3.1.9. To process Penalty Fares or take other fare evasion enforcement action where applicable;

3.1.10 If we lose the franchise that allows us to operate this train service then we will need to pass the details that you have provided to us for marketing purposes to the DfT and any successor operator of the next franchise.

If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information where you have indicated your agreement and then only about goods and services similar to those which were the subject of a previous sale to you.

4. Your rights

4.1. To prevent marketing to you: You have the right to ask us not to process your personal information for marketing purposes. We will usually inform you (before collecting your information) if we intend to use your information for such purposes or if we intend to disclose your information to any third party for such purposes. If you do not want us to use your information for marketing purposes please make sure that you indicate this via the tick box when you sign up or, if you have an account with us, by logging in and changing your contact preferences.

4.2. To prevent all contact by us to you: Alternatively you can opt out at any time by contacting us by using the following details:

Julie Sadler
Internal Audit and Compliance Manager
1st Floor
Monument Place
24 Monument Street
London EC3R 8AJ

More contact detail information can be found in our Contact Us section.

4.3. To request a Copy of your information: Under the Data Protection Act you can ask to see any personal information that we hold about you.

Such requests are called subject access requests. To make a subject access request, please complete the subject access request form set out here. The details of the information you will be required to provide are contained in the form. A subject access request may be subject to a fee not exceeding £10 to meet our costs in providing you with details of the information we hold about you. Please contact our nominated representative for the purpose of the Act.

5. Disclosure of your information

5.1. From time to time we may disclose your personal information to other companies that are also subsidiaries of the Go-Ahead Group.

5.2. In addition we may disclose your personal information to third parties:

5.2.1. To process payment card transactions;

5.2.2. To respond to your complaints or administer requests made by you;

5.2.3. In the event that we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets;

5.2.4. If we or substantially all of our assets are acquired by a third party, in which case personal information held by it about its customers will be one of the transferred assets; and

5.2.5. If we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in order to enforce or apply our terms of use; or to protect or property or business or the rights, property, or safety of our other customers, or other individuals. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

5.2.6. If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the survey return.

5.2.7. At our discretion, we may disclose personal data in response to valid requests from the police and other statutory law enforcement agencies. Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Act.

5.2.8. On the instruction of a regulatory body of competent jurisdiction Such as the Department for Transport; other train operating companies where this is necessary to process your contact with us, Transport Focus and London Travel Watch, other transport providers where you request this, any other body carrying out statutory functions;

5.2.9. In respect of information provided to us for marketing purposes only, to the Department for Transport and/or any successor operator of the rail franchise in order that they may contact you for marketing purposes in the event that we cease to operate this rail franchise.

6. Where we store your personal information

6.1. Other than as set out in below) the information that we collect from you will be stored in the European Economic Area (“EEA”).

6.2. In order to respond to your complaints or administer requests made by you we may engage third party processors to process the information contained in your correspondence. These processors are sometimes located outside of the EEA. We will take such steps as are required by law to ensure that suitable safeguards are in place when any information is transferred to other countries.

6.3. Any payment card transactions will be processed securely, the suppliers that we use to process payment card transactions operate in accordance with the PCI DSS industry standard payment card security process to ensure that your online purchases are secure.

6.4. We will keep your information secure. Please note: where you use a password on any website we provide it is your responsibility to keep that password confidential.

7. Cookies

7.1 Cookies are small data files that are placed onto the hardware device which you use to browse the internet by websites that you visit.

Cookies contain information about your visits to that website and the purpose of cookies is to enable our websites to remember you, and your browsing habits, when you visit it again in the future. Details of how we use cookies can be found in our Cookie Policy .

8. Monitoring - CCTV

This section explains how we use information collected via the Closed Circuit Television (CCTV) camera systems in place across it’s network. It also shows how long that information is kept and the circumstances in which we might disclose it to a third party.

8.1. Camera Systems We Operate

8.1.1. Our CCTV is used to capture, record and monitor images of what takes place at our stations; car parks; depots and sidings; and on our trains, in real time.

8.1.2. Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances they can be operated remotely by controllers.

8.2. Why We Operate CCTV Cameras

8.2.1. We operate CCTV for the following purposes

8.2.1.1. Health and safety of employees, passengers and other members of the public

8.2.1.2. Prevention and detection of crime and anti social behaviour

8.3. Camera Locations

8.3.1. We operate cameras at the stations and car parks we manage and on the trains that we run. Network Rail operates the cameras at some stations that our services stop at. These are shown below:

8.3.1.1 London Bridge

8.3.1.2. London Kings Cross

8.3.1.3. St Pancras International

8.3.2. Applications for CCTV footage at these stations should be made to Network Rail. Contact details can be found at www.networkrail.co.uk/managed-stations

8.4. Length of time CCTV footage is kept

8.4.1. The maximum retention period is shown below. This period may be shorter, depending on the location and system in use.

8.4.1.1. CCTV footage at stations is held for a maximum of 30 days from the time of recording.

8.4.1.2. CCTV footage on trains is held for a maximum of 20 days from the time of recording.

8.5. How to access your CCTV personal data

8.5.1. You can request copies of images or footage of yourself by making a subject access request. The Subject Access Request section on this site explains the information you will eed to provide and the charge we make.

8.6. Disclosing personal data to the police and other agencies who are lawfully entitled

8.6.1. At our discretion, we may disclose personal data in response to valid requests from the police and other statutory law enforcement agencies.

8.6.2. Before we authorise any disclosure, the police have to demonstrate that the personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

8.6.3. Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Act.

8.7. Sharing CCTV footage with other third parties

8.7.1. Some of our CCTV infrastructure is shared with the British Transport Police under a data sharing agreement.

8.7.2. In certain agreed circumstances, they may take control of a limited number of cameras and use them for activities such as the prevention and detection of crime and anti social behaviour, policing major events and crowd control. We are not responsible for the CCTV when it is in the control of a third party.

8.7.3. We may also disclose personal data to third parties, if required to by law. The Data Protection Act allows us to do this where the request is supported by:

8.7.3.1. evidence of the relevant legislation.

8.7.3.2. a court order.

8.8. CCTV on replacement buses

8.8.1. We use a number of companies to provide replacement buses during disruption or planned engineering. Any CCTV on these buses is the responsibility of the company that runs that particular service.

8.8.2. If you require access to images of yourself recorded by a CCTV camera inside a replacement bus, you should contact the company that operates the service. You can find this information from signage displayed inside each vehicle.

8.9. External guidelines and best practice

8.9.1. We operate our CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).

8.9.2. We also voluntarily comply with the 12 principles set out in the Surveillance Camera Code of Practice issued by the Home Office in 2013

The Code states that organisations which use surveillance camera systems must:

8.9.2.1. use them for a specified purpose in pursuit of a legitimate aim

8.9.2.2. take into account their effect on individuals and their privacy

8.9.2.3. be as transparent as possible about how they use them

8.9.2.4. have clear responsibility and accountability arrangements for all surveillance activities

8.9.2.5. have clear rules, policies and procedures in place

8.9.2.6. have no more images and information stored than is strictly necessary

8.9.2.7. restrict access to retained images and information

8.9.2.8. work to meet and maintain relevant operational, technical and competency standards

8.9.2.9. have in place appropriate security measures to safeguard against unauthorised access and use

8.9.2.10. have effective review and audit mechanisms

8.9.2.11. use them in the most effective way to support public safety and law enforcement

8.9.2.12. keep associated data accurate and up to date

9. Monitoring – Telephone calls

This section explains how we use information collected via voice recordings when you contact us.

9.1. Customer Services

To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record and or monitor telephone calls however you will always be forewarned when this is to happen.

9.2. Station Information Points

On our stations we maintain Customer Information Points, these are linked directly to our Control function. Due to the nature of these information points and the potential for them to be used in an emergency situation these calls are recorded and monitored. However, there is no forewarning of the recording as this could result in a delay in the person suing the Information Point and contact with a staff member in Control.

10. Third-party websites

Our website may contain links to sites owned and operated by third parties. They have their own privacy policies, and we urge you to review them before browsing those sites. We do not accept any responsibility or liability for the privacy practices of such third-party websites and your use of such websites is at your own risk.

11. Changes to this Privacy Policy

11.1 We may occasionally update this statement. Any changes that we make to our privacy policy in the future will be posted on this page, where appropriate Your continued use of the site will mean that you accept those revisions.