Your information rights
In current circumstances, we may not be able to answer Subject Access requests or process deletion requests as usual. Please do not make a request to us at the moment.
In particular, it may not be possible to fulfil non-statutory requests for CCTV footage to support insurance claims.
We cannot process London Underground CCTV requests at all at the moment. These requests require specialist staff to travel to individual stations to download and collect the footage. In order to protect the wellbeing of staff and other critical workers using the network, this type of travel will not be done right now.
Answering requests will use limited resources and take the attention of staff who could be supporting other essential activity. In any event, our response time will be affected by the current situation. If you do submit a request, please don't send by post - instead use the relevant form on our Access Your Data page or email DPO@tfl.gov.uk.
Data enables us, for instance, to manage and recruit staff, provide customer service, operate the ticketing system and the Congestion Charge and Cycle Hire schemes and regulate the taxi and private hire trade.
Information about how people move around London helps us provide you with safe, efficient transport services, as well as providing you with services to help you plan your journey.
Contacting the Data Protection Officer
Richard Bevins is the Data Protection Officer for TfL and its subsidiary companies, including London Underground Limited, Crossrail Ltd, the TfL Pension Fund and the London Transport Museum.
You can contact the Data Protection Officer by email at email@example.com.
What the Data Protection Officer does
It is a requirement for public authorities to appoint a Data Protection Officer to oversee the collection, handling and use of personal data. The Data Protection Officer informs and advises TfL and its subsidiaries about our obligations to comply with the General Data Protection Regulation (GDPR) and other data protection legislation.
The Data Protection Officer manages the Privacy and Data Protection team, who monitor compliance with data protection legislation, raise awareness of data protection issues, train employees and advise on, and monitor, data protection impact assessments.
The Privacy and Data Protection team consider and coordinate responses to requests and complaints from people whose personal data is processed by TfL and its subsidiary companies.
Your rights under data protection legislation
Right to be informed
There must be a clear reason why Transport for London (TfL) needs to collect or use personal information. We tell people when we're collecting their personal information and what we're going to do with it. A summary of this information will usually be provided to you when we collect your personal information, with more detailed descriptions relating to the TfL website and TfL services published on our Privacy & cookies page.
Right of access
Data protection legislation gives you a right to ask to see, and receive a copy of, any personal information that we hold about you. This is known as a subject access request. We may need some background information from you before we can start this process, and we will require proof of identity to make sure that personal data is not sent to the wrong person. Where possible you can access the information we hold via your TfL account, such as Oyster, Contactless, Santander Cycles or Road User Charging. Requests will normally be answered within one month, and we will tell you if it is necessary to extend this time period. We have a web page and a series of forms to help you access your data.
Right to rectification
You can ask us to correct the information we hold about you if it's inaccurate or incomplete. If we have passed the information on to others, we will take steps to pass on the correction too. If we find that the information should not be changed, we will contact you within one month to explain our decision and provide details about how you can challenge the decision if you are dissatisfied with the outcome.
Right to erasure
We take steps to make sure that your information is not kept for longer than necessary, and you can also ask us to delete it if any of the following circumstances apply:
- The information is no longer necessary for the purpose which we originally used it for
- We asked you for permission to use your personal information and you have changed your mind
- We told you we were using your personal information for 'legitimate interests' and there is not a good reason to keep your personal information
- You want us to stop sending you direct marketing information
- You believe we have used your personal information unlawfully
- You believe that we have a legal obligation to stop holding your personal data; or
- The information relates to use of online services by a child
If we have passed the information on to others, we will take steps to tell them it has been deleted. The right to erasure doesn't apply to all information, such as information that we are legally obliged to hold, information that we need to keep for our official duties or information relating to legal claims. We may also refuse to delete information if there is no clear reason to do so or if it would be an excessive task.
Requests for deletion will normally be answered within one month. If we do not agree that we should delete your information we will explain our decision and provide details about how you can challenge the decision if you are dissatisfied with the outcome.
Please note in cases where we do comply with a request, we may still be obliged to keep some information about you - for example the fact that you made, and we acted on, a deletion request. We may also have to keep your contact details on a 'suppression list' to ensure that don't send you direct marketing messages by mistake in future.
Right to restrict processing
You can ask us to restrict or stop using your personal data whilst we are considering an objection or rectification request, or if it has been used unlawfully. You may also ask us to retain data required to establish, exercise or defend a legal claim. We will contact you within one month to explain our decision and provide details about how you can challenge the decision if you are dissatisfied with the outcome.
Right to data portability
If we are using computers to process personal information that you have provided to us, either under contract, or with your permission to use it, you can request this information is supplied to you in re-usable electronic format, such as a CSV, JSON or XML file.
Requests will normally be answered within one month, and we will tell you if it is necessary to extend this time period for any reason.
Right to object
You have a right to object to use of your personal information we have told you we use as part of our statutory and public function (also known as our public task), in the public interest, or if we have advised you we are using your personal information in support of our legitimate interests. You can also ask us to stop sending you direct marketing or, in limited circumstances using your personal information for scientific or historical research and statistics.
We must stop using your personal information for direct marketing when you ask us to. In other cases we may continue to use your personal information if we can demonstrate compelling grounds to do so, or if it is necessary in connection with legal claims.
We will contact you within one month to explain our decision and provide details about how you can challenge the decision if you are dissatisfied with the outcome.
Rights related to automated decision making including profiling
Data protection legislation protects you against decisions taken by machines that could have a significant impact on you. Automated decision making involves making a decision only by automated means without any human involvement. Profiling is a term used in data protection legislation to describe a form of automated processing of personal data to analyse or predict things about an individual. If the automated decision making (including profiling), would have a legal, or similarly significant effect on you, it can only be carried out if it is:
- Necessary for entering into or performance of a contract between an organisation and yourself
- Authorised by law (for example, for the purposes of preventing fraud or tax evasion); or
- Based on your explicit consent
We are required to tell you if we are using automated decision making to make decisions that would have a legal, or similarly significant effect on you. We will explain what information we use, why we use it and what the effects might be. You can ask us to reconsider the decision with human involvement.
How to exercise your rights under data protection legislation
We have published privacy notices on our Privacy & cookies page and easy to use forms to help you access your data. Please specify if you require it in a particular format. You can also access the information we hold via your TfL account, such as Oyster, Santander Cycles or Road User Charging.
You should email DPO@tfl.gov.uk if you have a concern about the accuracy of personal information we hold about you, if you want us to erase or restrict use of your personal information, if you object to use of your personal data or if you wish to exercise rights in relation to automated decision making.
The right to contact the Information Commissioner's Office
You are also entitled to raise a concern with the Information Commissioner's Office (ICO), the UK's independent body set up to uphold information rights. For more information, visit their website at ico.org.uk.