ScotRail Trains is committed to protecting and respecting your privacy when you use our services. This policy is effective from 1 April 2022.
This is the Privacy Statement of Scotrail Trains Ltd (“ScotRail”, “we”, “us”, or “our”). ScotRail is a private limited company (company number SC328826) with registered office address as 10th Floor, Capella 60 York Street, Glasgow, Scotland, G2 8JX.
Our Privacy Statement explains how we collect, use, share and look after your personal information.
- Information we may collect about you
- Why we process your information
- The legal basis for processing
- Where we collect your personal information from
- Who we share your personal information with
- Where we store your personal information
- Information security
- Information about profiling and automated decision making
- How long we keep your personal information for
- If you choose not to give your personal information
- Your rights
- Contact details and complaints
- Changes to this Privacy Statement
Information we may collect about you
If you are a passenger, we collect personal information about you such as your name, contact details, ticket purchases, stations visited (e.g. for charging the correct fares on smart cards), payment and refund details. We may also require additional details for certain services, such as your age for age restricted tickets. We may also collect personal information about you in other contexts, for example, if you visit a station or car park or otherwise engage with us through our website or by using our wi-fi or are a stakeholder in our industry.
Examples of situations where we collect your personal information are:
- Customer relations information – when you contact us by letter, email, web form, phone or social media, we may collect information such as your social media name, photo card image, information in correspondence with you, details of compensation claims you have made, proof of journey(s) and other information you may provide. We may, in certain circumstances, record or monitor telephone calls and will let you know when this happens, except for calls for information or assistance to National Rail Enquiries, where providing advance notice could result in a delay in the provision of assistance.
- Season tickets – when you buy a season ticket valid for one month or more, we keep a record of your personal information on our database including your name, address, photo card number, contact details and date of birth (if you provide them) and the method of payment used.
- Passenger Assist – when you make a booking via TransReport, by phone or face to face, we have access to your personal information in order to provide you with the service you have requested.
- CCTV and cameras – we operate camera systems to capture, record and monitor images of what takes place on our trains and at our stations, car parks and other premises, in real time. Our staff may use body worn cameras which make audio visual recordings.
- Wi-Fi – when you use our station or train Wi-Fi service, we collect your device MAC addresses (device identification), train GPS position, IP address, timestamp and session ID.
- Using our website – when you use this website https://www.scotrail.co.uk (the “Site”) you may provide personal information to us, including when you login or register to create a new ScotRail account or carry out other activity through the Site.
- Car parking – some of the services we provide at, or relating to, car parks in our network require you to supply your car registration number, either manually or via automatic number plate recognition (ANPR) software.
- Revenue protection and penalty fares – we may collect a range of personal information during revenue protection activity. This may include ID information, journey details, personal descriptions and other information you provide to support an appeal against any penalty fare you may have been issued with.
- Interactions/relationships with stakeholders – we may collect and use personal information about individuals who have an interest in our business or the rail industry. The information we may collect includes name, address, contact details, details of interactions with you and any enquiries, opinions or complaints you may have made or expressed about us, the rail industry or policies or projects which concern us or in which we are involved.
Why we process your information
We collect, use, store and share your personal information for the following purposes:
- To provide you with the service –to provide services to you such as your rail travel on our trains in accordance with our contractual obligations. Some data is also shared to run interoperable services – in the Rail Industry this is overseen by the Rail Delivery Group - this is how you are able to use a ticket on a train and tube for example, or use a rail Discount card.
- To provide and improve customer service – to provide you with details of our products and services, information about travelling and other helpful customer services, such as travel alerts or changes to the ScotRail products or services that you use.
- To run the railway and improve the service - we believe in investing in our railway services, not just to benefit passengers but also the wider community, environment, and economy. There are lots of activities we do to achieve this, which include monitoring passenger numbers, flow and crowding on trains and in stations and improving technology to help plan journeys.
- To obtain feedback, conduct surveys and research - to conduct surveys and research to learn more about you and your views, to obtain your feedback and to improve the railways and our services.
- To manage our business – to manage our business efficiently and properly, to conduct proper financial administration (such as processing payments) and in the course of any corporate activity relating to ScotRail or its assets
- To promote our business – to promote our business, business interests and any projects in which we are involved, including by engaging with Government, regulators and other stakeholders within the railway industry.
- For the prevention and detection of crime, and health and safety and customer service purposes – we operate CCTV and use body worn cameras: (i) to protect the health and safety of employees, passengers and other members of the public; (ii) for crowd management; and (iii) for the prevention and detection of crime and anti-social behaviour; and (iv) for the purposes of customer service. We operate our CCTV systems in compliance with the Information Commissioner’s Office CCTV Code of Practice.
- Recruitment – where you apply for a job with us, the personal information you provide to us as part of the job application process will be used by us for assessments, interviews, medical and conducting background checks.
- Accidents and incidents – to process safety forms and potential claims if you have an accident, or report an accident, whilst at a station or when you travel on our trains.
- Marketing and event promotion – to provide you with details of promotions, events and offers which we feel may interest you (where you have given consent for us to contact you). You have the right to ask us to stop sending and serving marketing messages to you and may unsubscribe at any time by logging in to your account and updating your preferences. Please note changes to your subscription preferences can take up to 14 days to take effect.
We may use your email address/information to create custom audiences or lookalike audiences through Facebook and Google for example, with the view of providing more relevant and targeted advertising of ScotRail services to you and prospective customers. As with all of our marketing activities, we will only use your information for these purposes if you provide us with consent to market to you. What this means is that you may see adverts from ScotRail when you use Facebook or Google. Any data used to create such audiences is hashed before processing meaning we do not share your data with Facebook or Google. If you do not wish to receive targeted advertising on Facebook or Google we recommend you amend your marketing preferences on those sites.
We use tracking pixels to collect data about your browsing activity on our site and app, and elsewhere on the internet. We do this so we can show you relevant content, like special offers and deals, on our site, our app, and in our marketing emails. We may also show you relevant adverts when you browse other sites. For example, when you visit another site, we may show you an advert for a journey you often search for.
- To run competitions – we run competitions to promote our services and sell tickets. If you enter a competition we will use your information to facilitate your participation in accordance with the competition rules.
- To operate our Site – to operate and improve our Site, to allow you to participate in the interactive features of the Site and its functionality, to personalise your experience on the Site and to assess which of our products and services may be of interest to you and to tell you about them
- Complaints and claims – to handle and respond to any complaints, requests or enquiries you make of us in an efficient and fair manner. This includes the use of information on our customer relations database for administration of correspondence or processing claims you have made, such as Delay Repay.
- Revenue protection and penalty fares – for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.
- Legal Proceedings – to establish, exercise or defend legal claims.
We will only send you information about offers, events and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation for use for its own marketing purposes without your prior consent.
We do not routinely process children’s personal information, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process a child’s information. Where we choose to rely on consent as the legal basis for processing children’s personal information, consent may be required from a person holding ‘parental responsibility’.
The legal basis for processing
We will only use your personal information in accordance with data protection law. We generally rely on the following legal grounds to process personal information:
- Consent – where you have given your consent to the processing of your personal information for specified purposes.
- Contract – where we have a contractual relationship with you and we need to process your personal information in order to perform our contractual obligations with you (for example buying a ticket to use our services).
- Legal obligation – where we have a legal obligation to process your personal information (e.g. for taxation, regulatory purposes, health and safety purposes or the prevention and detection of crime, including reporting incidents to the British Transport Police under an Information Sharing Protocol).
- Legitimate interests – We may rely on our legitimate interests in processing your personal data where this is not related to a task carried out in the public interest.
- Vital interests – if you fall ill, are injured or otherwise incapacitated, we may use your personal information to arrange appropriate medical treatment to protect your vital interests
- Public Information - where you have clearly made personal information about yourself public, we may use it.
- Where processing your personal data is necessary to perform our tasks in the public interest.
Where we collect your personal information from
We will collect personal information directly from you when you:
- Buy tickets and decide to travel on our services
- Visit our stations or car parks
- Use our website, apps or Wi-Fi
- Buy a product from us or make a sales enquiry
- Contact our Customer Relations team
- Enter a competition
- Sign up to receive updates or marketing
- Are involved in an accident or incident at one of our stations
- Apply for a job at ScotRail
- Interact with us in other ways, for example, in meetings, or through telephone calls or correspondence, with us
We may also collect personal information about you from third parties we work with, such as:
- Credit reference agencies
- Fraud prevention agencies
- Parking providers
- Other TOCs
- Suppliers we work with to provide our services
- ChargePlace Scotland and RingGo (for car parking)
- Public information sources such as Companies House
- Government and law enforcement agencies, including the British Transport Police
- Other stakeholders, including individuals or organisations you represent or who may represent you
Who we share your personal information with
We will only share or disclose your information as set out in this Privacy Statement or in accordance with data protection law and will obtain your consent where we are required to do so. We will only use third parties to process your personal information where we are satisfied that they comply with these standards and can keep your personal information secure. These third parties include:
- Regulators and other relevant organisations in the rail industry, such as Transport Scotland, Passenger Focus, The Office of Rail and Road, Rail Delivery Group and Journeycall
- Scottish Government
- Other train operating companies (TOCs) for the purpose of fraud prevention, or if you make a complaint to us which relates to their services instead of ours
- Government and law enforcement agencies, including the British Transport Police
- Other stakeholders, including individuals or organisations you represent or who may represent you
- Our service providers who provide and assist us with some of our services, such as to process payments and bookings or to support our marketing activities
- To any successor franchisee, so that they can take over and continue the running of the railway service
- To a purchaser in the event of the sale, merger, or acquisition of our business assets
- Suppliers we work with to provide our services
- Our insurers
- Our assigned debt collection agency
- Our third party claims handler
- Our customer relations centre
Some of our CCTV infrastructure is shared with the British Transport Police, local authorities, Network Rail, and car park operators. In certain situations, they may take control of a limited number of cameras for activities such as the prevention and detection of crime and anti-social behaviour. ScotRail is not responsible for the CCTV when it is in the control of a third party.
If you have agreed (via freely given consent) to receive information for competition, promotion, survey or research purposes, we may share your contact details with any third parties identified or referenced in the consent for any purposes described in, or contemplated by, it.
Where we store your personal information
The information that we collect from you will generally only be stored within the European Economic Area (EEA) although we may engage processors outside the EEA to process your personal information on our behalf. Where we do so, we shall ensure that we comply with data protection law. Where any countries in which these processors operate are not recognised as providing an adequate level of protection for your personal information, we shall put in place appropriate safeguard measures to ensure that your personal information is properly protected. Please contact the Data Protection Manager if you wish to find out more about the safeguards.
We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal information where practical.
Information about profiling and automated decision making
We target some of our marketing and service communications so that they are more relevant to you, based on the type of ticket(s) you have purchased and your location/travel stations. We will try to ensure, where possible, that the communications are compatible with the device you are using.
We use automated processing to profile customer information in order to help target our products, services and marketing communications more accurately.
We use automated decision making to calculate the validity and value of Delay Repay claims made through our website. You will receive a notification of the outcome of your claim. At this stage you are able to request that your claim is manually reviewed by a member of the Delay Repay team. If you remain dissatisfied you are able to escalate to our Customer Relations team.
How long we keep your personal information for
We’ll store your information for as long as we are required to by law or regulatory requirement. If there’s no relevant legal or regulatory requirement, we’ll only store it for as long it is needed for the purposes for which it was collected. Some specific retention periods are outlined in the points below.
- Recruitment – personal information obtained during any recruitment process is retained on the following basis: (i) unsuccessful candidates – 6 months; (ii) successful candidates – 6 years after leaving employment
- Wi-Fi – information about your use of station or train Wi-Fi will be stored in our systems for a maximum period of 12 months and will only be used to maintain the service quality and for support issues, if necessary. After such time, it will be deleted.
- CCTV footage – this is generally held for a maximum of 31 days from the time of recording, with the following exceptions: (i) if it relates to an accident, we will retain media for 3 years; (ii) if it relates to an operational incident, we will retain media for 5 years or as required by regulators or insurers. Recordings obtained from body worn cameras are generally held for 24 hours, unless footage from a recording is required to be retained for any of the purposes set out in this privacy statement (such as, for example, the prevention and detection of crime or health and safety purposes) in which case it shall be held for so long as needed for these purposes.
- Customer records – Customer records are held while you engage with us to provide you services or information. After 2 years of inactivity we archive these records, and will delete them after 3 years of inactivity. This includes our marketing database, service-related customer database and account-based ticketing records.
- Season ticket records - We retain season ticket information for the same period as above which allows us to contact you if, for example, your season ticket is lost and to aid the renewal process once the season ticket is close to expiring.
- Car parking – ANPR images are used for the purposes of calculating duration of stay in the car park or during technical support, and are retained for 30 days before being deleted.
- Revenue protection and penalty fares – Paper copies of penalty fare forms issued are kept for up to two years. RailPay app information is held for 3 years after case closure. We retain this information to undertake analysis to identify any patterns in the information and to minimise future fraudulent activities.
- Data Subject rights requests – information relating to requests is held for 3 years from the closure of your request, and 5 years if it has been referred to the ICO.
- Claims – information about any claims that you make to ScotRail will be held for 10 years after the claim is resolved.
If you choose not to give your personal information
Where we need to collect your personal information in order to meet our legal obligations or under the terms of a contract we have with you and you fail to provide that data when requested, it may delay or prevent us from being able to perform the contract we have entered into with you and/or comply with our own legal obligations.
- You can exercise any of your data subject rights by emailing us at [email protected] . Please explain why you are contacting us, and provide us with your name, email address and postcode. We may need to contact you for further information. Alternatively you can complete our Data Subject Access Request (SAR) form or our Close my Account form in our app.
- Access to your information – you are entitled to understand what personal information we process about you and access that information.
- Rectification – we want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
- Restriction – you may request that any processing we are carrying out on your information is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or where we disagree with your request we will provide a response which explains our reasons.
- Deletion – you can request deletion of personal information where:
> You consider that we no longer require the information for the purposes for which it was obtained;
> We are using that information with your consent and you have withdrawn your consent
> You have validly objected to our use of your personal information
> Our use of your personal information is contrary to law or our other legal obligations
- Close your account – you can choose to close your account and delete data we hold by emailing us or using our Close my Account form in our app.
- Object to direct marketing – you have the right to ask us not to process your personal information for marketing purposes. We will inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:
> Indicate this by NOT ticking the box to be sent marketing emails (or offers);
> If you have an account with us, by logging in and changing your contact preferences;
> Click the unsubscribe link on direct marketing emails; or
> Contact us – see ‘Withdrawal of Consent’ below and contact us at [email protected] .
- Portability – where you have provided us with your personal information and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.
- Automated processing – if we use your personal information on an automated basis to make decisions which significantly affect you, you have the right to ask that the decision be reviewed by an individual to whom you may make representations and contest the decision. This right only applies where we use your personal information with your consent or as part of a contractual relationship with you.
- Withdrawal of consent – if we relied on consent as the grounds for processing your personal information, you can withdraw this consent at any time by contacting [email protected] . Withdrawing your consent does not affect the processing carried out beforehand. Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time in a number of ways – see 'Object to direct marketing' above. We will act upon such an instruction as soon as possible.
How we deal with rights requests
You can exercise any of your data subject rights by emailing us at [email protected] . Please explain why you are contacting us, and provide us with your name, email address and postcode. We may need to contact you for further information. Alternatively you can complete our Data Subject Access Request (SAR) form or our Close my Account form on our app.
Unless stated otherwise we will aim to satisfy your request or inform you as to why we are unable to, without undue delay and within one month. If we anticipate that we will not meet with this timeframe we will let you know within one month and explain what the problem is.
No fee is payable for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.
There are various limitations and exemptions in data protection law which may apply to limit the exercise of rights but we intend only to rely on those limitations and exemptions where it is necessary to do so.
For more information, please see our Data Subject Access Requests page.
Contact details and complaints
Day to day queries about this Privacy Statement or how we handle your personal information should be sent to the email address below. You can also use this email address to make a request to exercise your rights as a data subject, or you can complete our online form .
If you are not happy with the way in which we deal with your personal information or have dealt with a rights request, then please let us know.
Email: [email protected]
You can write to us at:
Data Protection Officer
ScotRail Trains Ltd
50 Waterloo Street
If you are not satisfied with any response you can complain to the Information Commissioner's Office:
By phone: 0303 123 1113
By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Changes to this Privacy Statement
We may revise this Privacy Statement from time to time. The most current version of this Privacy Statement will govern use of your information and will always be available at www.scotrail.co.uk.
This Privacy Statement was last updated on 19 September 2023.