- What personal data we collect from you when you use our website, apps, visit our stations, contact us or use our services, or WiFi;
- How we collect and use that information;
- How we keep information secure
- How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint
We are registered as a data controller with the Information Commissioner's Office (ICO) under registration number: ZA072414
The data controller is:
Govia Thameslink Railway Limited
24, Monument Street
Registered in England company no. 07934306
Our Data Protection Manager is:
1st Floor, Monument Place
24, Monument Street
Our nominated Data Protection Officer is:
Group Data Protection
The Go-Ahead Group plc
4 Matthew Parker Street
More information about the Data Protection Act can be found on the Information Commissioners Website. The Information Commissioner is our regulator for data protection matters.
- Information we may collect from you
- How we use your information
- Sharing or disclosing your information
- When we collect information
- Where we store your personal information
- Information Security
- Your rights
- How long we keep your personal data for
As “controller” of your personal data, GTR is responsible for making decisions about how and why we process this data, and for ensuring that we do so in accordance with Privacy laws.
“Processing” in this case means the collection, storage, use and sharing of your personal data.
We may collect and process information about you when you:
- buy tickets
- travel on our services
- visit our stations or car parks
- use our website or apps
- buy a product from us or make a sales enquiry
- contact Customer Relations
- enter a competition or sign up to receive updates or marketing
We collect information such as your contact details, ticket purchases, stations visited (for example for charging the correct fares on smart cards), payment and refund details. We may require additional details for some services, such as your age for age restricted tickets. This information is generally provided by you.
Sometimes we obtain details from third parties, for example if we have taken over a franchise or a complaint is passed to us from another operator.
The lawful bases for processing your personal data include:
- where you have given us your consent to process your personal data for one or more specified purposes; or
Where it is necessary for:
- the performance of a contract to which you are a party
- compliance with a legal obligation to which we are subject
- our legitimate interests, as long as these interests are not overridden by your fundamental rights and freedoms as a data subject
Our legitimate interests include data processing which allows us to:
- run our services in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality, locally focused passenger transport services
- improve and expand our services and be a leading employer in the transport sector
- enhance our customer services
- operate with financial discipline to provide shareholder value
Special Category Personal Data
In limited situations, we may process special category personal data, which includes information revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, information concerning your health or information concerning your sex life or sexual orientation.
This will only be done where at least one of the above purposes/justifications, and one of the following additional purposes apply:
- where you have given us your explicit consent to process that special category personal data for specified purposes (for example, Passenger Assist); or
- where it is necessary:
- to allow us to comply with our legal obligations under employment, social security and social protection law, including health and safety and equalities legislation;
- for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- for reasons of vital interests (e.g. emergency situation concerning your health when you are travelling on our trains);
- for reasons of public interest in the area of public health in accordance with specific laws; or
- for reasons of substantial public interest, as set out in the Privacy Laws. This includes processing of special category personal data for the prevention or detection of crime.
Criminal convictions and offences data
In limited situations we may process criminal convictions and offences data, which includes information about actual or suspected crimes such as about fraudulent ticket use and incidents happening on trains. This will only be done where at least one of the purposes/justifications outlined above apply, and when one of the substantial public interest reasons in Privacy Laws (as mentioned directly above) applies – e.g. prevention or detection of crime.
We may use your personal data in the following ways:
- To provide you with the service - things like carrying out our obligations arising from any contracts such as selling tickets, and making and taking payments. We mostly rely on the legal ground of contractual performance to process your data
- To provide you with details of our services and information about travelling, and customer service
- To provide you with details of promotions and offers which we feel may interest you when you have given consent for us to contact you. You have an absolute right to ask us to stop sending marketing emails or SMS. We use information like the tickets you buy and stations you use to make communications to you more relevant
- To run our services and improve them - things like monitoring passenger numbers and popular stations, improving technology to help plan journeys, running our services safely and being a good employer
- To comply with our legal obligations, including providing information to the Department for Transport and Regulators
- To run interoperable services, which allows you to use a ticket on a train and the tube or use a rail Discount card. In the Rail Industry this is overseen by the Rail Delivery Group
- To ensure safety and security
- To provide additional assistance to you when you use our services, for example, for Passenger Assist which is a service offered by all Train Operators to help older and/or disabled passengers when travelling
- To detect and prevent fraud and crime
- To run competitions, promotions and marketing exercises, and study the effectiveness of these
We will only share or disclose your information as set out in this Policy or in accordance with Data Protection Law and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure. We may share or disclose information for the following reasons:
- We use data processors to provide or assist with some of our services. Where we do so, they must agree to strict contractual terms and to keep your data secure
- Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement
- To run interoperable services- this includes use of some shared systems and processors, by the rail industry generally and overseen by the Rail Delivery Group
- To respond to your complaints or administer requests you have made, either to us or another regulatory body such as the Department for Transport; Passenger Focus; the Rail Ombudsman, or other train operating companies;
- To comply with requests from the police or other law enforcement agencies for the purposes of crime prevention or detection. These are dealt with on a case-by-case basis, to ensure that any disclosure is lawful;
- To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity;
- To protect our legitimate business interests, for example, for fraud prevention or revenue protection;
- Where required as a result of the sale, merger, or acquisition of business assets. As the Railway Industry is run on a system of franchises, we are required to transfer our customer data to a successor franchise, or the Secretary of State, this is so that they can take over and continue the running of the railway service. In respect of information provided to us for marketing purposes only, to the Department for Transport and/or any successor operator of the rail franchise in order that they may contact you for marketing purposes in the event that we cease to operate this rail franchise;
- If you have agreed to receive information for competition, promotion, survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the terms and conditions of the purpose;
- Where you have consented, to share with other members of the Go-Ahead Group PLC (registered in England, company number 02100855) (“Go Ahead”), of which we are a member, where Go-Ahead has any services, promotions and offers which we feel may interest you;
- We have a policy in place for one off sharing of data, such as a request from an insurance company. You can find out more below about the information we collect and how we use, share or disclose it
This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:
We will only use the information that we collect about you lawfully, in accordance with the Data Protection Law.
The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by us on this website (the "Site") for operational purposes, for example customer registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.
We gather general information about users, for example, what services users access the most and which areas of the site are most frequently visited. Such data is used in the aggregate to help us to understand how the site is used.
We gather this information so that we can continue to improve and develop our services to benefit of our users. We may make this aggregated information available to users of the site and also to auditors. These statistics are anonymous and contain no personal information.
When you register with us to set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with us and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the products or services that you use.
If you buy a ticket online with us, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your request.
You may opt-in to receive newsletters, exclusive discounts, special offers and other marketing emails from us. You may unsubscribe at any time by logging in to your account and updating your preferences. Please note changes to your subscription preferences can take up to 14 days to take effect.
Alternatively you can write to our Customer Relations Team at:
PO Box 10240
A cookie is a small piece of information that is sent to your browser when you access a website. Cookies contain information about your visits to that website and the purpose of cookies is to enable our websites to remember you, and your browsing habits, when you visit it again in the future.
In order to increase security we ask you to input a password when you register as a user of the site. Please keep this password secret.
We encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they travel through the Internet. SSL is certified by Verisign and is recognised as a secure way to pay on-line. As you may be aware, no data transmission over the Internet can be entirely secure. We will always use reasonable endeavours to protect the personal information you provide to us but we cannot guarantee the security of your information and the use of our facilities (e.g. email) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.
We collect your information and comments when you contact us by letter, email, web form or phone or social media.
Personal details we hold
We may hold your name, address, email address, phone number, social media name, ticket details, our correspondence with you, the compensation claims you have made and payment made by us, proof of journey or other supporting information you may provide.
To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens. How we use your personal data
This information is used for administration of correspondence or processing claims you have made, such as delay repay as well as for fraud prevention purposes. We also use it to respond to complaints.
Sharing data with third parties
We are required to provide details of your complaint to another Train Operating Company if it relates to their services instead of ours. We may share your correspondence with Passenger Focus or London Travel Watch or the Ombudsman, if you have asked them to act on your behalf under a complaint handling procedure.
We may also share information with other Train Operating Companies for the purpose of fraud prevention. We will only do this where there is a formal data sharing agreement is in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with Data Protection Law.
Personal details we hold
When you buy a season ticket valid for one month or more, we keep a record of this on a database. We keep the following details:
- Name, address and photo card number;
- Phone number and email if you provide them;
- The origin, destination and start and end date of season tickets you have purchased, along with any duplicate, replacement or refund of these; and
- The method of payment used, but not any payment card details
How we use your personal data
We use this information for contractual obligations, Customer Relations and administration, customer research, marketing and fraud prevention.
We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of our Group of Companies (and Successor franchise or Secretary of State for Transport) for marketing purposes without your prior consent.
Sharing data with third parties
If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to. We may also share data in order to provide joint services or tickets.
Personal details we hold
We may collect a range of personal detail during the course of revenue protection activity. This may include name, address, data of birth, proof of ID such as, journey details, payment details, physical descriptions and other information you provide to support an appeal.
How we use your personal data
We only use this information for the administration of the Penalty Fares scheme, revenue protection, collection of unpaid fares, fraud prevention and the prosecution of travel offences. Sharing data with third parties
We may share your correspondence with:
- British Transport Police
- Penalty Services Limited if you appeal a Penalty Notice issued to you
- Passenger Focus if you have asked them to act on your behalf under a complaint handling procedure. Requests from ombudsmen are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with Data Protection Law
- We may also share information with other Train Operating Companies for the purpose of fraud prevention, to operate joint services or under National Rail Conditions. We will only do this where there is a formal data sharing agreement is in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with Data Protection Law
On our stations, we maintain Customer Help and Information Points and calls are linked directly to our Control Centre or to National Rail Enquiries. Calls are recorded and monitored, but no advance notice is given as this could result in a delay in providing assistance.
Camera systems we operate
Our CCTV is used to capture, record and monitor images of what takes place at our stations, car parks and on our trains, in real time. In limited circumstances, we use body worn cameras which make audio visual recordings. Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers. Why we operate CCTV cameras
We operate CCTV for the following purposes:
- Health and safety of employees, passengers and other members of the public;
- Crowd management; and
- Prevention and detection of crime and anti-social behaviour
We operate cameras at the stations and car parks we manage and on some of the trains that we run.
Network Rail operates CCTV cameras at the following stations:
- London Bridge
- Kings Cross
- St Pancras International
If you need to see images of yourself recorded by a CCTV camera at one of these stations, you will need to contact Network Rail.
Length of time CCTV footage is kept
CCTV footage at stations is generally held for a maximum of 30 days from the time of recording before it is automatically overwritten. On train CCTV footage varies depending on the type and model of the train, but it is generally not longer than 30 days.
Disclosing personal data to the police
At our discretion, we may disclose personal data in response to valid requests from the police and other statutory law enforcement agencies.
Before we authorise any disclosure, the police have to demonstrate that the personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.
Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Law.
Sharing CCTV footage with other third parties
Some of our CCTV infrastructure is shared with the British Transport Police.
In certain agreed circumstances, they may take control of a limited number of cameras and use them for activities such as the prevention and detection of crime and anti-social behaviour, policing major events and crowd control. We are not responsible for the CCTV when it is in the control of a third party.
We may also disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. Data Protection Law allows us to do this where the request is supported by:
- Evidence of the relevant legislation
- A court order
- Satisfactory evidence and assurances of a legitimate interest
Legitimate interest may include a request to assist in defending or making a legal claim, for example from insurers following a vehicle collision in a car park. When we are not required to provide CCTV, we will take into account the circumstances and any potential harm to individuals, we will also charge an administration fee and seek indemnity for any use beyond which it is requested.
CCTV on replacement buses
We use a number of companies to provide replacement buses during disruption or planned engineering. Any CCTV on these buses is the responsibility of the company that runs that particular service.
If you require access to images of yourself recorded by a CCTV camera inside a replacement bus, you should contact the company that operates the service. You can find this information from signage displayed inside each vehicle. External guidelines and best practice
We operate our CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office in 2014. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).
The information that we collect from you will only be stored in the UK or a country which UK GDPR (see section 9) has deemed provides an adequate level of protection (“permitted countries”) or, where it is necessary to disclose it to our processors located outside the permitted countries, other jurisdictions where appropriate legal and security safeguards are in place. Please contact the Data Protection Officer if you wish to find out more about the safeguards.
We use a range of technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.
Object to direct marketing
To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:
- Indicate this by NOT ticking the box to be sent marketing emails (or offers)
- If you have an account with us, by logging in and changing your contact preferences;
- Click the unsubscribe link on direct marketing emails or
- Or contact us
It is possible that you may receive a pre-scheduled communication whilst your request is being processed as this can take several days.
If you have any other objections to how we are using your personal data, please contact our Data Protection Manager.
Ask for a copy of your personal data
You are entitled to request a copy of the personal information we hold about you.
Please contact us at firstname.lastname@example.org
We may need to ask for some further information, such as checking who you are. You can download and send this form which will help us deal with your request more efficiently.
Please let us know if you want to receive the information electronically.
We aim to get the information to you without undue delay and within one calendar month. If we have any trouble with this timeframe we will let you know within 30 days and explain what the problem is. Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or contains someone else’s personal data.
In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below.
Rectification / restriction
If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification or objection or a dispute over the lawfulness of processing is being considered.
We will provide a response confirming the action we have taken or disagree with taking within 30 days, or provide a response within 30 days if the matter is complex and a further time is needed.
Deletion – right to be forgotten
You can request deletion or removal of personal information in some circumstances, such as when there is no compelling reason for its continued processing.
We will provide a response to you without undue delay and within one calendar month, confirming whether/what personal data we have deleted and/or explaining why we don’t agree that some data does not need to be deleted.
Withdrawal of consent
If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand. You can withdraw consent by contacting Customer Relations, our Data Protection Manager or the Group Data Protection Officer. Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time by updating your preference centre or clicking on the appropriate link in the communication or contacting us as above. We will comply with your request without undue delay and within one calendar month.
You also have a right to request that no further processing takes place in relation to some grounds of processing, such as for direct marketing. We will respond to your request without undue delay and within one calendar month, confirming the action we will or won’t take.
Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.
If we are able to provide your personal data in this way, we will do so in one calendar month or we will let you know within one calendar month if we require more time or there are any issues with carrying out the request.
If you have registered a Key Smartcard then you will be able to access your journey information by logging on to your account.
Information about profiling and automated decision making
If you have signed up to receive marketing communications from us, we will use information such as the type of tickets you buy or the stations you use, to send communications which are more relevant to you. We will try and make the communications compatible with the device you are using.
We use automated decision making to calculate the validity and value of Delay Repay claims made through one of our brand websites. If you are not satisfied with the outcome of the claim, you can request it to be manually reviewed by a member of the Delay Repay team. If you remain dissatisfied, you can escalate to our Customer Relations team.
How we deal with rights requests
We will try to deal with your request without undue delay and at least within one calendar month. In exceptional circumstances, we may need to extend the time to respond fully, if the request is particularly complex or there are multiple requests. But we will let you know within one calendar month.
We will not charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.
There are various limitations and exemptions in relation to the exercise of rights in Privacy Laws - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.
If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please let us know. Our Data Protection Manager is the first point of contact for dealing with Rights Requests and complaints, and they are assisted by Customer Relations. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group Data Protection Officer.
If you are not satisfied with their response you can complain to the ICO. Its contact details are:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
You also have the right to seek a judicial remedy or issue legal proceedings against us.
We have policies and procedures in place to make sure we do not keep your personal data any longer than required to meet our legal and other obligations.
We generally retain personal data for around 6 months after the legal limitation periods in which claims can be brought or industry recommended periods. We also retain information if we are under a legal or regulatory requirement to do so.
We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.
UK GDPR Privacy Notice
The UK general Data Protection regulations (UK GDPR) is a set of regulations designed to keep your personal information safe. Personal information can be your:
- Date of Birth
- Home Address
- Contact Details
GTRis a "Data Controller". This means that it collects and uses information about you. As data controller we are responsible for looking after your information and only using this for relevant purposes.
Data Protection Principles
UK GDPR has some important principles to ensure that we protect your information
- We must use your information lawfully, and tell you how we use your information
- If we collect your information for one purpose we can only use it for that purpose
- We need to keep your information up to date
- We can only keep it for as long as it is needed
- We need to look after your information and keep it safe
Why do we collect and use your information?
We only collect your information so that we can use it to do our job, which is mainly transporting you safely to where you need to go. We also may use your information to:
- Contact your school
- Contact your parents
- To protect your welfare
- To assess the quality of our service
- To comply with the law in data sharing
- Processing CCTV images
- Providing season tickets
Do you have to give us your information?
You must give us quite a lot of the information we need, but there is some information that you can choose whether to let us have it or not. When we ask you for information that you don’t have to give us, we will ask for your permission and let you know why we want it and what we will do with it. If the information we are collecting is information that you can choose not to give, you can tell us to stop collecting it at any time.
How long will we keep your information?
We only keep your information for as long as we genuinely need it. We have a policy that tells us how long to keep it for.
Will your information be shared?
We won’t share your information with anyone else without your permission, unless the law says we can or should. If we do share your information, it will generally be with your School or Local Authority.
What are your rights?
You have the right to:
- Be told how we use your information
- Ask to see the information we hold
- Ask us to change information you think is wrong
- Ask us to remove information when it’s not needed anymore
- Ask us to only use your information in certain ways
- Tell us you don’t want your information to be processed
Sometimes it might be appropriate for the person who looks after you to ask us for this information.
If you’re worried about how we get and use your information, you can contact our Data Protection Manager at email@example.com or our Group Data Protection Officer at firstname.lastname@example.org.
The registered office for GTR is 3rd Floor, 41-51 Grey Street, Newcastle, NE1 6EE.
If you want to complain about how we use your personal data, you can contact the Information Commissioner’s Officer. You can find out more information about them by visiting https://ico.org.uk/.
We may occasionally update this statement.