Privacy Policy

Introduction

Go-Ahead London is committed to protecting and respecting your privacy when you use our services.

This Privacy Policy explains:

  • What personal data we collect from you when you use our websites, smartcards, apps, visit our bus stations, contact us or use our services, or WiFi;
  • How we will collect and use that information;
  • How we keep information secure; and
  • How you can contact us if you wish to exercise any of your rights in relation to the information or make a complaint.

Contents

  • Information we may collect from you
  • How we use your information
  • Sharing or disclosure of your information
  • When we collect information
  • Website visits and purchases
  • CCTV
  • Where we store your personal information
  • Information Security
  • Your rights

The Data Controller is London General Transport Services Ltd trading as Go-Ahead London, 3rd Floor, 41-51 Grey Street, Newcastle Upon Tyne, NE1 6EE.

Our Data Protection Manager is Des Farthing.

You can contact the Data Protection Manager in writing to Go-Ahead London, No 18 Merton High Street, London SW19 1DN or by email to hr@goaheadlondon.com

You can contact the Go-Ahead Group Data Protection Officer in writing to The Go-Ahead Group plc, 4 Matthew Parker Street, London, SW1H 9HQ or by email to data.protection@go-ahead.com.

More information about data protection can be found on the Information Commissioner's website, ico.org.uk.

The Information Commissioner is our regulator for data protection matters.

Information we may collect from you

We may collect and process information about you when you: buy tickets for our commercial services; travel on our services; visit our premises; use our website; buy a product from us or make a sales enquiry.

Regarding our commercially operated services, we may collect information such as your contact details, ticket purchases, bus stops visited, payment and refund details.  We may require additional details for some services, such as photographs for ID, or your age for age restricted tickets. This information is generally provided by you.

Sometimes we obtain details from third parties, for example if we have taken over a contract/bus company, or a complaint is passed to us from Transport for London or another operator.

If you use Transport for London (TfL) contracted services operated by Go-Ahead London the on-bus system will collect personal data from you in connection with your use of Oystercards or contactless payment cards on our buses. This data does not pass through any data management system operated by us and TfL does not permit bus operators such as Go-Ahead London access to any personal data collected in this way.

If you want to know more about the information collected from you in connection with your use of TfL buses please contact: Customer Services, Transport for London, 14 Pier Walk, North Greenwich, London, SE10 0ES.

How we use your information

We will only use the information you provide as permitted by the Data Protection Law. Depending on how you contact us, use our services, the consent you have given, our legitimate interests, or legal obligations we may have, this will include: 

  • To provide you with the service (things like carrying out our obligations arising from any contracts: selling tickets, making and taking payments). For Go-Ahead London this is restricted to our commercial services. We mostly rely on the legal ground of contractual performance to process your data, but sometimes the data is also used for our legitimate interests of customer service, health and safety, improving our services and other legal obligations, like providing information to our regulators.
  • To provide you with details of our services and information about travelling, and customer service (this is based on our legitimate interests, to run bus and associated services. Sometimes it is part of our contract or our other legal obligations). For Go-Ahead London this is restricted to our commercial services.
  • To run our services and improve them. We believe in investing in our services, to benefit passengers and the wider community, environment, and economy. We also aim to run our services safely, make money and be a good employer - we call these our legitimate interests. Some of these things are also covered in our legal obligations, not just to customers, but under Local Authority contracts and/or Transport for London.
  • For your safety and security.
  • For fraud and crime prevention.
  • To enhance your experience of our website, as described in our cookie policy.

We are part of a Group of Companies and share administrative services and support. Your data may therefore be shared with them.  We may also be required to pass certain customer data to a successor business, local authority or Transport for London.

Our Legitimate Interests

Running our business and Group businesses, (in a safe and socially and environmentally responsible manner, efficiently, to provide sustainable and high quality passenger transport services, improve and expand our services, be a leading employer in the transport sector, investing in and developing our colleagues, operating with financial discipline to provide shareholder value, provide and improve customer services).

Sharing or disclosure of your information

We will only share or disclose your information as set out in this Policy or in accordance with Data Protection Law and will obtain your consent where we are required to do so. We will only use third parties to process information where we are satisfied that they comply with these standards and can keep your data secure. We may share or disclose information for the following reasons:

  • We use data processors to provide or assist with some of our services. Where we do so, they must agree to strict contractual terms and to keep your data secure.
  • Where we share data across our Group Companies, this is only in accordance with a written data sharing agreement.
  • To respond to your complaints or administer requests you have made, either to us or another regulatory body or local authorities and contract partners;
  • To process payment card transactions on our commercial services;
  • To comply with requests from the police or other law enforcement agencies for the purposes of crime prevention or detection. These are dealt with on a case-by-case basis, under an overall Information Sharing Protocol, to ensure that any disclosure is lawful;
  • To comply with other legal obligations for example, relating to crime and taxation purposes or regulatory activity;
  • To protect our legitimate business interests, for example, for fraud prevention or to protect our contract and commercial service revenue; and
  • We have a policy in place for one off sharing of data, such as a request from an insurance company.

You can find out more below about the information we collect and how we use, share or disclose it.

Types of Information we collect

CCTV

Camera systems we operate

Our CCTV is used to capture, record and monitor sound (in some cases) and images of what takes place at our bus depots and on the inside and outside of our buses in real time.

Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.

Why we operate CCTV cameras

We operate CCTV for the following purposes:

  • Health and safety of employees, passengers and other members of the public;
  • Prevention and detection of crime and anti-social behaviour.

Camera locations  

We operate cameras at the depots we manage and on most of the buses that we run.

Length of time CCTV footage is kept

CCTV footage at our premises is generally held for a maximum of 31 days from the time of recording. On our buses, CCTV footage is recorded over on a continual basis and is retained for a maximum of 10 - 12 days before it is overwritten.

How to access your CCTV personal data

You can request copies of images or footage of yourself by making a subject access request. The Subject Access Request form on this site explains the information you will need to provide.

Disclosing personal data to the police

At our discretion, we may disclose personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police must demonstrate that the personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the Data Protection Law.

Sharing CCTV footage with other third parties

We may disclose personal data to third parties if required to by law or if it is necessary for a legitimate purpose such as defending or bringing legal action. Data Protection Law allows us to do this where the request is supported by:

  • evidence of the relevant legislation; or
  • a court order; or
  • satisfactory evidence and assurances of the legitimate interest.

Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision. When we are not required to provide CCTV, we will take into account the circumstances and any potential harm to individuals. We may also charge an administration fee and seek indemnity for any use beyond that for which it is requested.

External guidelines and best practice

Go-Ahead London operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals.

Website visits and purchases

This section shows the information we collect when you use our website. Before providing us with your details, please read the following important information regarding:

  • Collection of visitor information;
  • Hyperlinks;
  • Cookies

Collection of visitor information

We will only use the information that we collect about you lawfully, in accordance with the Data Protection Law.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held on this website (the "Site") for operational purposes, for example processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.

Go-Ahead London gathers general information about users, for example, what services users access the most and which areas of the site are most frequently visited. Such data is used in the aggregate to help us to understand how the Go-Ahead London site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to users of the site and also to auditors. These statistics are anonymous.

When you register to buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with us and accept our Terms & Conditions, you are not anonymous to us. Your personal data will be used principally to communicate with you with reference to your request.

Hyperlinks

We may provide hyperlinks from our website to websites of third parties. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from our site. These links are provided for your convenience only and do not imply that we endorse or recommend the content of such sites. We encourage our users to be aware when they leave our site and to read the privacy statements of every website that collects personally identifiable information. This Privacy Policy applies solely to information collected by Go-Ahead London.

Cookies

A cookie is a small piece of information that is sent to your browser when you access a website. Cookies contain information about your visits to that website and the purpose of cookies is to enable our websites to remember you, and your browsing habits, when you visit it again in the future.

With most Internet browsers you can configure your browser so that it refuses new cookies, prompts you to accept cookies or disables cookies altogether. Exactly how this is done is dependent on the browser you use. To find out more about the cookies we use please visit our cookie policy.

Access to our recruitment database containing personal information on registered users of the site is restricted. In order to increase security we ask you to input a password when you register as a user of the site. Please keep this password secret. If you buy tickets through our website we encrypt your financial information using SSL (Secure Sockets Layer) technology so that no one else can access your credit card details as they travel through the internet. As you may be aware, no data transmission over the internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. e-mail) is at your own risk. If you have any questions about paying for your ticket through our website, please contact the Data Protection Manager.

The information that we collect from you will only be stored in the European Economic Area (“EEA”) or, where it is necessary to disclose it to our processors located outside the EEA, other jurisdictions which are acceptable according to guidance provided by the Information Commissioner and/or where appropriate legal and security safeguards are in place. Please contact the Data Protection Officer if you wish to find out more about the safeguards.

Information Security

We use a range of technical and organisational measures to safeguard access to, and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal data where practical.

Your rights

Object to direct marketing

Go-Ahead London does not undertake any direct marketing and does not share your personal information to third parties for them to market on our behalf.

Ask for a copy of your personal data

You are entitled to request a copy of the personal information we hold about you.

Please contact the Data Protection Manager at hr@goaheadlondon.com or phone 020 8545 6120.

We may need to ask for some further information, such as checking who you are. There is a Subject Rights Request form on our website which you can download and send to us. This will help us deal with your request more efficiently. 

Please let us know if you want to receive the information electronically. 

We aim to get the information to you without undue delay and within 30 days.  If we have any trouble with this timeframe we will let you know within 30 days and explain what the problem is.  Sometimes we may hold information that we don’t have to provide, for example where it would prejudice a police investigation or contains someone else’s personal data.

In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided, below.

Rectification/Restriction 

If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request that any data processing we are carrying out on your data is halted whilst a request for rectification or objection or a dispute over the lawfulness of processing is being considered.

We will provide a response confirming the action we have taken or disagree with taking within 30 days, or provide a response within 30 days if the matter is complex and further time is needed.

Deletion 

This is also known as the “Right to be forgotten”. You can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing.

We will provide a response to you without undue delay and within 30 days, confirming whether/what personal data we have deleted and/or explaining why we don’t agree that some data does not need to be deleted.   

Withdrawal of consent 

If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand.  You can withdraw consent by contacting our data protection manager or Group Data Protection Officer.  

We will comply with your request without undue delay and within 30 days. 

Objection

You also have a right to request that no further processing takes place in relation to some grounds of processing, such as for direct marketing. 

We will respond to your request without undue delay and within 30 days, confirming the action we will or won’t take.

Portability 

Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information to be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.

If we are able to provide your personal data in this way, we will do so in 30 days or we will let you know within 30 days if we require more time or there are any issues with carrying out the request.

Information about profiling and automated decision making

Go-Ahead London does not use any profiling or automated decision making services. 

How we deal with rights requests

We will try to deal with your request without undue delay and at least within 30 days.  In exceptional circumstances, we may need to extend the time to respond fully, if the request is particularly complex or there are multiple requests. But we will let you know within 30 days.

We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can decide what you wanted to do next. 

There are various limitations and exemptions in relation to the exercise of rights in data protection law - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim.  We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

Complaints

If we don’t respond within 30 days of your request or you are not happy with our response you can lodge a complaint with the Information Commissioner's Office or issue legal proceedings against us.

If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please let us know. Our Data Protection Managers are the first point of contact for dealing with Rights Requests and complaints. If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the Group Data Protection Officer by writing to The Go-Ahead Group plc, 4 Matthew Parker Street, London, SW1H 9HQ or by email to data.protection@go-ahead.com.

If you are not satisfied with the response you can complain to the ICO at Head office, Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or call 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. Fax: 01625 524 510 or through their website ico.org.uk.

You also have the right to seek a judicial remedy, issue legal proceedings against us. 

How long we keep your personal data

We generally retain personal data for around 6 months after the legal limitation periods in which claims can be brought or industry recommended periods.  We would also retain information if we are under a legal or regulatory requirement to do so.

We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.  

Changes to this Privacy Policy

We may occasionally update this statement.