- Introduction and consent
- Information we may collect from you
- How we use your information
- Your rights
- Disclosure of your information
- Where we store your personal information
- Monitoring - Telephone calls
- Third party websites
1.1. Govia Thameslink Railway Limited (“We”/”us”/”our””) are committed to protecting and respecting your privacy when you our services.
1.2.1. What personal data we collect from you when you use our website, apps, visit our stations, contact us or use services (“information”)
1.2.2. How we will collect and use that information; and
1.2.3. How you can contact us if you wish to exercise any of your rights in relation to the information.
1.3. By providing us with your information you consent to our use of it in the manner set out in this policy.
1.4. For the purposes of the Data Protection Act 1998 (the “Act”), the Data Controller is:
Govia Thameslink Railway Limited
24 Monument Street
London EC3R 8AJ
Company No. 07934306
1.5 Our representative for the purpose of the Act is:
Internal Audit and Compliance Manager
24 Monument Street
London EC3R 8AJ
More information about the Data Protection Act can be found on the Information Commissioners website
2.1. We may collect and process the following information about you:
2.1.1. Information that you provide to us when filling in forms on this website, our apps, or that you provide when you contact us. This may include your title, first name, surname, address, telephone number(s), email address(es), date of birth and in certain circumstances details of payment methods used by you, your place of employment or education, student number, and a photograph proof of ID, details of journey, amount paid and proof of payment. This information may be given:
188.8.131.52. when you contact us with queries, complaints or a request for information or purchase tickets;
184.108.40.206. when you register for the key smartcard;
220.127.116.11. when you respond to surveys that we may conduct, and you have agreed to be contacted;
18.104.22.168. whilst recording transactions that you carry out on our site and apps, although we do not hold any information about your financial transaction other than details of the value of the ticket(s) that you purchase, when they are purchased and the method of purchase;
22.214.171.124. to issue a Penalty Fares or take other fare evasion enforcement action;.
2.1.3. When you use the key we record your transaction and journey history.
2.1.4. When you visit our stations we may collect your image on CCTV or via body worn recoding equipment.
3.1. We may use information held about you in the following ways:
3.1.1. To notify you about changes to our services;
3.1.2. To make and receive any payments necessary between us;
3.1.3. To carry out our obligations arising from any contracts entered into between you and us;
3.1.4. We use your personal information for customer services and administration, customer research, fraud and crime prevention.
3.1.5. To provide you with details of our services, information, newsletters, and details of promotions and offers which we feel may interest you;
3.1.7. To share with our suppliers where this is required by our processes; and
3.1.8. To share with other members of the Go-Ahead Group PLC (registered in England, company number 02100855) (“Go Ahead”), of which we are a member, in order to respond to queries, complaints or a request for information from you or where Go-Ahead has any services, promotions and offers which we feel may interest you. Details of other members of Go-Ahead can be found at www.go-ahead.com
3.1.9. To process Penalty Fares or take other fare evasion enforcement action where applicable;
3.1.10 If we lose the franchise that allows us to operate this train service then we will need to pass the details that you have provided to us for marketing purposes to the DfT and any successor operator of the next franchise.
If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information where you have indicated your agreement and then only about goods and services similar to those which were the subject of a previous sale to you.
4.1. To prevent marketing to you: You have the right to ask us not to process your personal information for marketing purposes. We will usually inform you (before collecting your information) if we intend to use your information for such purposes or if we intend to disclose your information to any third party for such purposes. If you do not want us to use your information for marketing purposes please make sure that you indicate this via the tick box when you sign up or, if you have an account with us, by logging in and changing your contact preferences.
4.2. To prevent all contact by us to you: Alternatively you can opt out at any time by contacting us by using the following details:
Internal Audit and Compliance Manager
24 Monument Street
London EC3R 8AJ
More contact detail information can be found in our Contact Us section.
4.3. To request a Copy of your information: Under the Data Protection Act you can ask to see any personal information that we hold about you.
Such requests are called subject access requests. To make a subject access request, please complete the subject access request form set out here. The details of the information you will be required to provide are contained in the form. A subject access request may be subject to a fee not exceeding £10 to meet our costs in providing you with details of the information we hold about you. Please contact our nominated representative for the purpose of the Act.
5.1. From time to time we may disclose your personal information to other companies that are also subsidiaries of the Go-Ahead Group.
5.2. In addition we may disclose your personal information to third parties:
5.2.1. To process payment card transactions;
5.2.2. To respond to your complaints or administer requests made by you;
5.2.3. In the event that we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets;
5.2.4. If we or substantially all of our assets are acquired by a third party, in which case personal information held by it about its customers will be one of the transferred assets; and
5.2.6. If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to in the survey return.
5.2.7. At our discretion, we may disclose personal data in response to valid requests from the police and other statutory law enforcement agencies. Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Act.
5.2.8. On the instruction of a regulatory body of competent jurisdiction Such as the Department for Transport; other train operating companies where this is necessary to process your contact with us, Transport Focus and London Travel Watch, other transport providers where you request this, any other body carrying out statutory functions;
5.2.9. In respect of information provided to us for marketing purposes only, to the Department for Transport and/or any successor operator of the rail franchise in order that they may contact you for marketing purposes in the event that we cease to operate this rail franchise.
6.1. Other than as set out in below the information that we collect from you will be stored in the European Economic Area (“EEA”).
6.2. In order to respond to your complaints or administer requests made by you we may engage third party processors to process the information contained in your correspondence. These processors are sometimes located outside of the EEA. We will take such steps as are required by law to ensure that suitable safeguards are in place when any information is transferred to other countries.
6.3. Any payment card transactions will be processed securely, the suppliers that we use to process payment card transactions operate in accordance with the PCI DSS industry standard payment card security process to ensure that your online purchases are secure.
6.4. We will keep your information secure. Please note: where you use a password on any website or app we provide it is your responsibility to keep that password confidential.
7.1 Cookies are small data files that are placed onto the hardware device which you use to browse the internet by websites that you visit.
This section explains how we use information collected via the Closed Circuit Television (CCTV) camera systems in place across it’s network. It also shows how long that information is kept and the circumstances in which we might disclose it to a third party.
8.1. Camera Systems We Operate
8.1.1. Our CCTV is used to capture, record and monitor images of what takes place at our stations; car parks; depots and sidings; and on our trains, in real time.
8.1.2. Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances they can be operated remotely by controllers.
8.2. Why We Operate CCTV Cameras
8.2.1. We operate CCTV for the following purposes
126.96.36.199. Health and safety of employees, passengers and other members of the public
188.8.131.52. Prevention and detection of crime and anti social behaviour
8.3. Camera Locations
8.3.1. We operate cameras at the stations and car parks we manage and on the trains that we run. Network Rail operates the cameras at some stations that our services stop at. These are shown below:
184.108.40.206 London Bridge
220.127.116.11. London Kings Cross
18.104.22.168. St Pancras International
8.3.2. Applications for CCTV footage at these stations should be made to Network Rail. Contact details can be found at www.networkrail.co.uk/managed-stations
8.4. Length of time CCTV footage is kept
8.4.1. The maximum retention period is shown below. This period may be shorter, depending on the location and system in use.
22.214.171.124. CCTV footage at stations is held for a maximum of 30 days from the time of recording.
126.96.36.199. CCTV footage on trains is held for a maximum of 20 days from the time of recording.
8.5. How to access your CCTV personal data
8.5.1. You can request copies of images or footage of yourself by making a subject access request. The Subject Access Request section on this site explains the information you will need to provide and the charge we make.
8.6. Disclosing personal data to the police and other agencies who are lawfully entitled
8.6.1. At our discretion, we may disclose personal data in response to valid requests from the police and other statutory law enforcement agencies.
8.6.2. Before we authorise any disclosure, the police have to demonstrate that the personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.
8.6.3. Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Act.
8.7. Sharing CCTV footage with other third parties
8.7.1. Some of our CCTV infrastructure is shared with the British Transport Police under a data sharing agreement.
8.7.2. In certain agreed circumstances, they may take control of a limited number of cameras and use them for activities such as the prevention and detection of crime and anti social behaviour, policing major events and crowd control. We are not responsible for the CCTV when it is in the control of a third party.
8.7.3. We may also disclose personal data to third parties, if required to by law. The Data Protection Act allows us to do this where the request is supported by:
188.8.131.52. evidence of the relevant legislation.
184.108.40.206. a court order.
8.8. CCTV on replacement buses
8.8.1. We use a number of companies to provide replacement buses during disruption or planned engineering. Any CCTV on these buses is the responsibility of the company that runs that particular service.
8.8.2. If you require access to images of yourself recorded by a CCTV camera inside a replacement bus, you should contact the company that operates the service. You can find this information from signage displayed inside each vehicle.
8.9. External guidelines and best practice
8.9.1. We operate our CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).
8.9.2. We also voluntarily comply with the 12 principles set out in the Surveillance Camera Code of Practice issued by the Home Office in 2013
The Code states that organisations which use surveillance camera systems must:
220.127.116.11. use them for a specified purpose in pursuit of a legitimate aim
18.104.22.168. take into account their effect on individuals and their privacy
22.214.171.124. be as transparent as possible about how they use them
126.96.36.199. have clear responsibility and accountability arrangements for all surveillance activities
188.8.131.52. have clear rules, policies and procedures in place
184.108.40.206. have no more images and information stored than is strictly necessary
220.127.116.11. restrict access to retained images and information
18.104.22.168. work to meet and maintain relevant operational, technical and competency standards
22.214.171.124. have in place appropriate security measures to safeguard against unauthorised access and use
126.96.36.199. have effective review and audit mechanisms
188.8.131.52. use them in the most effective way to support public safety and law enforcement
184.108.40.206. keep associated data accurate and up to date
This section explains how we use information collected via voice recordings when you contact us.
9.1. Customer Services
To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record and or monitor telephone calls however you will always be forewarned when this is to happen.
9.2. Station Information Points
On our stations we maintain Customer Information Points, these are linked directly to our Control function. Due to the nature of these information points and the potential for them to be used in an emergency situation these calls are recorded and monitored. However, there is no forewarning of the recording as this could result in a delay in the person suing the Information Point and contact with a staff member in Control.
Our website and apps may contain links to sites owned and operated by third parties. They have their own privacy policies, and we urge you to review them before browsing those sites. We do not accept any responsibility or liability for the privacy practices of such third-party websites and your use of such websites is at your own risk.