Abellio ScotRail is committed to protecting and respecting your privacy when you use our services.
This is the Privacy Statement of Abellio Scotrail Ltd (“ScotRail”, “we”, “us”, or “our”). ScotRail is a private limited company (company number SC450732) with registered office address as 5th Floor, The Culzean Building, 36 Renfield Street, Glasgow, G2 1LU.
Our Privacy Statement explains how we collect, use, share and look after your personal information.
- Information we may collect about you
- Why we process your information
- The legal basis for processing
- Where we collect your personal information from
- Who we share your personal information with
- Where we store your personal information
- Information security
- Information about profiling and automated decision making
- How long we keep your personal information for
- If you choose not to give your personal information
- Your rights
- Contact details and complaints
- Changes to this Privacy Statement
We collect personal information about you such as your name, contact details, ticket purchases, stations visited (e.g. for charging the correct fares on smart cards), payment and refund details. We may also require additional details for certain services, such as your age for age restricted tickets.
Examples of situations where we collect your personal information are:
- Customer relations database – when you contact us by letter, email, web form, phone or social media, we may collect information such as your social media name, photo card image, information in correspondence with you, details of compensation claims you have made, proof of journey(s) and other information you may provide. We may, in certain circumstances, record or monitor telephone calls and will let you know when this happens, except for calls for information or assistance to National Rail Enquiries, where providing advance notice could result in a delay in the provision of assistance.
- Season tickets – when you buy a season ticket valid for one month or more, we keep a record of your personal information on our database including your name, address, photo card number, contact details and date of birth (if you provide them) and the method of payment used.
- CCTV and cameras – we operate camera systems to capture, record and monitor images of what takes place on our trains and at our stations, car parks and other premises, in real time. In limited circumstances, our staff will use body worn cameras which make audio visual recordings.
- Wi-Fi – when you use our station or train Wi-Fi service, we collect your device MAC addresses (device identification), train GPS position, IP address, timestamp and session ID.
- Using our website – when you use this website https://www.scotrail.co.uk (the “Site”) you may provide personal information to us, including when you login or register to create a new ScotRail account or carry out other activity through the Site.
- Car parking – some of the services we provide at, or relating to, car parks in our network require you to supply your car registration number, such as the car park at Union Square, Aberdeen.
- Revenue protection and penalty fares – we may collect a range of personal information during revenue protection activity. This may include ID information, journey details, personal descriptions and other information you provide to support an appeal against any penalty fare you may have been issued with.
We collect, use, store and share your personal information for the following purposes:
- To provide you with the service –to provide services to you such as your rail travel on our trains in accordance with our contractual obligations. Some data is also shared to run interoperable services – in the Rail Industry this is overseen by the Rail Delivery Group - this is how you are able to use a ticket on a train and tube for example, or use a rail Discount card.
- To provide and improve customer service – to provide you with details of our products and services, information about travelling and other helpful customer services, such as travel alerts or changes to the ScotRail products or services that you use.
- To run the railway and improve the service - we believe in investing in our railway services, not just to benefit passengers but also the wider community, environment, and economy. There are lots of activities we do to achieve this, which include monitoring passenger numbers and popular stations and improving technology to help plan journeys.
- To obtain feedback, conduct surveys and research - to conduct surveys and research to learn more about you and your views, to obtain your feedback and to improve the railways and our services.
- To manage our business – to manage our business efficiently and properly, to conduct proper financial administration (such as processing payments) and in the course of any corporate activity relating to ScotRail or its assets
- To meet our franchise obligations – to comply with our obligations under the ScotRail franchise arrangements.
- For the prevention and detection of crime and health and safety purposes – we operate CCTV and use body worn cameras: (i) to protect the health and safety of employees, passengers and other members of the public; (ii) for crowd management; and (iii) for the prevention and detection of crime and anti-social behaviour. We operate our CCTV systems in compliance with the Information Commissioner’s Office CCTV Code of Practice.
- Recruitment – where you apply for a job with us, the personal information you provide to us as part of the job application process will be used by us for assessments, interviews, medical and conducting background checks.
- Accidents and incidents – to process safety forms and potential claims if you have an accident, or report an accident, whilst at a station or when you travel on our trains.
- Marketing and event promotion – to provide you with details of promotions, events and offers which we feel may interest you (where you have given consent for us to contact you). You have the right to ask us to stop sending and serving marketing messages to you and may unsubscribe at any time by logging in to your account and updating your preferences. Please note changes to your subscription preferences can take up to 14 days to take effect.
- To run competitions – we run competitions to promote our services and sell tickets. If you enter a competition we will use your information to facilitate your participation in accordance with the competition rules.
- To operate our Site – to operate and improve our Site, to allow you to participate in the interactive features of the Site and its functionality, to personalise your experience on the Site and to assess which of our products and services may be of interest to you and to tell you about them
- Complaints and claims – to handle and respond to any complaints, requests or enquiries you make of us in an efficient and fair manner. This includes the use of information on our customer relations database for administration of correspondence or processing claims you have made, such as Delay Repay.
- Revenue protection and penalty fares – for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.
- Legal Proceedings – to establish, exercise or defend legal claims.
We will only send you information about offers, events and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of the Abellio Group for use for its own marketing purposes without your prior consent.
We do not routinely process children’s personal information, however in the rare instances that we do we may be required to gain consent from a parent or guardian to process a child’s information. Where we choose to rely on consent as the legal basis for processing children’s personal information, consent may be required from a person holding ‘parental responsibility’.
We will only use your personal information in accordance with data protection law. We generally rely on the following legal grounds to process personal information:
- Consent – where you have given your consent to the processing of your personal information for specified purposes.
- Contract – where we have a contractual relationship with you and we need to process your personal information in order to perform our contractual obligations with you.
- Legal obligation – where we have a legal obligation to process your personal information (e.g. for taxation, regulatory purposes, health and safety purposes or the prevention and detection of crime, including reporting incidents to the British Transport Police under an Information Sharing Protocol).
- Legitimate interests – in addition to any legitimate interests identified elsewhere in this Privacy Statement, we have a general legitimate interest in using your personal information to run our business efficiently, safely and in a socially and environmentally responsible manner. This includes providing locally focused passenger transport services, improving and expanding our services, investing in and developing our staff, operating with financial discipline, reducing crime and fraud, providing shareholder value and improving our customer services. We also have a legitimate interest in operating our business in accordance with the terms of our franchise commitments.
- Vital interests – if you fall ill or are injured, we may use your personal information to arrange appropriate medical treatment to protect your vital interests
We will collect personal information directly from you when you:
- Buy tickets and decide to travel on our services
- Visit our stations or car parks
- Use our website, apps or Wi-Fi
- Buy a product from us or make a sales enquiry
- Contact our Customer Relations team
- Enter a competition
- Sign up to receive updates or marketing
- Are involved in an accident or incident at one of our stations
- Apply for a job/vacancy at ScotRail
- We may also collect personal information about you from third parties we work with, such as:
- Other members of the Abellio Group
- Credit reference agencies
- Fraud prevention agencies
- ChargePlace Scotland and RingGo (for car parking)
- Public information sources such as Companies House
- Government and law enforcement agencies, including the British Transport Police
The information that we collect from you will generally only be stored within the European Economic Area (EEA) although we may engage processors outside the EEA to process your personal information on our behalf. Where we do so, we shall ensure that we comply with data protection law. Where any countries in which these processors operate are not recognised as providing an adequate level of protection for your personal information, we shall put in place appropriate safeguard measures to ensure that your personal information is properly protected. Please contact the Data Protection Manager if you wish to find out more about the safeguards.
We use a range of appropriate technical and organisational measures to safeguard access to and use of, your personal information and to ensure it retains its integrity and availability. These include structured access controls to systems, network protection, intrusion detection, physical access controls and staff training. We also consider anonymising or pseudonymising personal information where practical.
We target some of our marketing and service communications so that they are more relevant to you, based on the type of ticket(s) you have purchased and your location/travel stations. We will try to ensure, where possible, that the communications are compatible with the device you are using.
We use automated processing to profile customer information in order to help target our products, services and marketing communications more accurately.
We use automated decision making to calculate the validity and value of Delay Repay claims made through our website. You will receive a notification of the outcome of your claim. At this stage you are able to request that your claim is manually reviewed by a member of the Delay Repay team. If you remain dissatisfied you are able to escalate to our Customer Relations team.
We’ll store your information for as long as we are required to by law or regulatory requirement. If there’s no relevant legal or regulatory requirement, we’ll only store it for as long it is needed for the purposes for which it was collected. Some specific retention periods are outlined in the points below.
- Recruitment – personal information obtained during any recruitment process is retained on the following basis: (i) unsuccessful candidates – 6 months; (ii) successful candidates – 6 years after leaving employment
- Wi-Fi – information about your use of station or train Wi-Fi will be stored in our systems for a maximum period of 12 months and will only be used to maintain the service quality and for support issues, if necessary. After such time, it will be deleted.
- CCTV footage – this is generally held for a maximum of 31 days from the time of recording, with the following exceptions: (i) if it relates to an accident, we will retain media for 3 years; (ii) if it relates to an operational incident, we will retain media for 5 years. Recordings obtained from body worn cameras are generally held for 24 hours, unless footage from a recording is required to be retained for any of the purposes set out in this privacy statement (such as, for example, the prevention and detection of crime or health and safety purposes) in which case it shall be held for so long as needed for these purposes..
- Customer relations database and season ticket records – records are kept for the duration of the franchise in a restricted access site. We retain season ticket information to allow us to contact you if, for example, your season ticket is lost and to aid the renewal process once the season ticket is close to expiring.
- Revenue protection and penalty fares – a digital record of historical penalty fares issued is retained indefinitely. Paper copies of penalty fare forms issued are kept for up to two years. We retain this information to undertake analysis to identify any patterns in the information and to minimise future fraudulent activities.
- Claims – information about any claims that you make to ScotRail will be held for 3 years and 6 months after the claim is resolved.
Where we need to collect your personal information in order to meet our legal obligations or under the terms of a contract we have with you and you fail to provide that data when requested, it may delay or prevent us from being able to perform the contract we have entered into with you and/or comply with our own legal obligations.
- Access to your information – you are entitled to request a copy of the personal information we hold about you. Please refer to https://www.scotrail.co.uk/subject-access-requests for a copy of the Subject Access Request (SAR) form.
- Rectification – we want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
- Restriction – you may request that any processing we are carrying out on your information is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or where we disagree with your request we will provide a response which explains our reasons.
- Deletion – you can request deletion of personal information where:
> You consider that we no longer require the information for the purposes for which it was obtained;
> We are using that information with your consent and you have withdrawn your consent
> You have validly objected to our use of your personal information
> Our use of your personal information is contrary to law or our other legal obligations
- Object to direct marketing – you have the right to ask us not to process your personal information for marketing purposes. We will inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:
> Indicate this by NOT ticking the box to be sent marketing emails (or offers);
> If you have an account with us, by logging in and changing your contact preferences;
> Click the unsubscribe link on direct marketing emails; or
> Contact us – see ‘Withdrawal of Consent’ below.
- Portability – where you have provided us with your personal information and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.
- Automated processing – if we use your personal information on an automated basis to make decisions which significantly affect you, you have the right to ask that the decision be reviewed by an individual to whom you may make representations and contest the decision. This right only applies where we use your personal information with your consent or as part of a contractual relationship with you.
- Withdrawal of consent – if we relied on consent as the grounds for processing your personal information, you can withdraw this consent at any time. Withdrawing your consent does not affect the processing carried out beforehand. You can withdraw consent by contacting Customer Relations at: ScotRail Customer Relations, PO Box 27129, Glasgow, G2 9LH, or by contacting our Data Protection Officer. Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time in a number of ways – see 'Object to direct marketing' above. We will act upon such an instruction as soon as possible.
Unless stated otherwise we will aim to satisfy your request, or inform you as to why we are unable to, without undue delay and within 30 days. If we anticipate that we will not meet with this timeframe we will let you know within 30 days and explain what the problem is.
No fee is payable for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can make a decision about what you wanted to do next.
There are various limitations and exemptions in data protection law which may apply to limit the exercise of rights but we intend only to rely on those limitations and exemptions where it is necessary to do so.
Day to day queries about this Privacy Statement or how we handle your personal information should be addressed to our Data Protection Manager (DPM) whose contact details are:
Data Protection Manager
Abellio UK HQ
36 Renfield St
5th Floor, The Culzean Building
If you are not happy with the way in which we deal with your personal information or have dealt with a rights request, then please let us know. The ScotRail DPO is the first point of contact for dealing with Rights Requests issues and complaints. The ScotRail DPO is assisted by Customer Relations.
ScotRail's Data Protection Officer’s (DPO) contact details are:
Email: [email protected]
Data Protection Officer
Abellio ScotRail Ltd
Atrium Court, 50 Waterloo Street
If you are not satisfied with any response you can complain to the Information Commissioner's Office:
By phone: 0303 123 1113
By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Changes to this Privacy Statement
We may revise this Privacy Statement from time to time. The most current version of this Privacy Statement will govern use of your information and will always be available at https://www.scotrail.co.uk.
This Privacy Statement was last updated on 15 January 2019.