Zip Oyster photocard

Personal information we hold

The personal information we hold about you or your parent/guardian includes:

  • Information about the Zip card holder (you), which includes name, address, date of birth, photograph, and telephone number
  • Scanned image of your passport details page (which includes your photograph and passport number)
  • Information about your parent/guardian, which includes name, email address
  • The name of your educational establishment or training provider
  • Your journey history
  • Payment card information or bank account and sort code numbers
  • Transaction information (when and where you topped up your balance or purchased a season ticket, or were issued with a refund)
  • Enquiries, complaints or other correspondence from you or your nominated parent/guardian

If you apply online for a 5-10, 11-15 or 16+ Zip card, you will need to verify your date of birth by entering your passport number. Alternatively, you can download a verification letter from your TfL account and take it to a London post office with proof of your age (this can be a passport, European ID card, birth certificate or biometric residency permit). If the documents provide all of the information required, the post office will confirm to TfL that they have verified your age.

If you or your nominated parent/guardian signs in to your online account, TfL will collect the IP address used by your device for the purpose of fraud prevention and detection.

Legal basis for using your information

Under data protection legislation, TfL is only allowed to use personal information if we have a proper reason or 'legal basis' to do so. In the case of Oyster, there are a number of these 'legal grounds' we rely on, which are:

  • Our statutory and public functions:
    • to undertake activities to promote and encourage safe, integrated, efficient and economic transport facilities and services, and to deliver the Mayor's Transport Strategy
  • Where you have given your consent to TfL, for example:
    • you have asked the contact centre to resolve an issue or complaint for you
  • For the 'performance of a contract', for example:
    • in connection with the terms and conditions of the particular Zip card you have applied for

Obtaining and using your personal information

The personal information we hold is provided by you or your parent/guardian when you apply for your Zip card.

TfL and the companies that process personal information on our behalf use your and your parent/guardian's information for customer services and to administer the Zip card scheme you have applied for. For example, we will use your personal information to ensure that you are eligible (and continue to be eligible) ;for the particular Zip card scheme you have applied for, to issue your Zip card and respond to queries if you or your parent/guardian contacts us.

In June 2019, we introduced a new requirement that all applicants must supply a scanned image of their passport details page (the page with your photograph and passport number) as part of the online application process for a Zip Oyster photocard. We did this in order to prevent and detect fraudulent applications, and to ensure that our concessionary travel schemes are only used by those people actually eligible to do so. We will not use your passport information for any other purpose.

If you contact Customer Services, we will need to collect information from you so that we can respond to your query or request. If you phone us we may record your call and this allows us to train staff, review call quality and have access to a verbal record of what has been said in the event of a subsequent complaint. At the end of your contact with us, we may email you to take part in a customer satisfaction survey about your experience with Customer Services. This will help us to monitor our performance, improve quality and plan for future services.

We sometimes also undertake analysis or research into the types of subjects that commonly cause customer concerns and complaints. For example we might look for key words or themes and this helps us improve and plan our services for the future. Pseudonymisation, or other appropriate data minimisation techniques are applied so that we can analyse the subject matter without needing to know the identity of the person themselves. This is a way of protecting people's privacy in line with the Information Commissioner's Anonymisation Code of Practice.

We may send you or your nominated parent/guardian a text message to let you know when applications are open for the next school year, or that your card is on its way. We will also contact you or parent/guardian near the expiry date of the Zip card to tell you about your future ticketing options.

When you or your parent/guardian create a photocard account to apply for your Zip Oyster photocard, from time to time we will also send certain messages by email. These messages are necessary in relation to your Zip Oyster photocard and we are obliged to send these to you or your parent/guardian (you cannot opt out from these). These messages might include:

  • updates about your application
  • reminders that your card is close to expiry
  • confirmation of updates you made to your account (eg change of personal details)
  • important changes to the terms and conditions of your Zip Oyster Photocard; for example, the days and times you can use your concession

We will not use your or your parent or guardian's personal information for marketing purposes and will not pass it to any other organisation for this purpose.

TfL's ticketing systems record the location, date and time a Zip card is used to make a journey on TfL's network, affiliated National Rail services or London River Services on which Oyster cards are accepted.

Relevant police services, and Local Authority Anti Social Behaviour units may provide TfL with details of any criminal convictions, warnings, reprimands, or other sanctions issued in relation to offences that have been committed by you on, or in relation to, London's public transport network.

Such information may be used as the basis for the withdrawal of your Zip card, and TfL may inform the police of any decision to withdraw your concession.

TfL will use aggregated or depersonalised Oyster journey information to carry out research and analysis, for example, to look at travel demand, provide customers with information on how busy stations are at particular times and to make improvements to our transport services. Individuals will not be identified using this information.

Length of time we keep information

TfL will retain personal information in line with its data retention policies. This means that we will not hold information for longer than is necessary for the purposes we obtained it for.

We usually retain data about the individual journeys made using your Zip card for between eight and nine weeks after the card is used. The journey data in the ticketing system is then disassociated from your card during the ninth week (ie pseudonymised). This period is considered reasonable to enable customers to verify or make enquiries concerning their Zip journeys (for example, for refund purposes). As a temporary measure to assist customers, following the cyber incident TfL experienced in September 2024, we will be extending the length of time we keep information about individual journeys made using a Zip card beyond nine weeks, to support future customer refunds and access to journey history.  

Some journey information is also stored on the Oyster card itself; this comprises the last eight journeys and related charges, up to three season tickets, (generally the most recent three tickets, including future dated), and the last two incomplete journeys, if any. If you don't use your Oyster card very often, the data stored on the card may be older than eight weeks. However, no other data is stored on the Oyster card itself (eg name or address).

The information we collect as part of the application process (including the scanned image of your passport details page) and records relating to the ongoing administration of your photocard applications will be retained three years after the expiry date of your photocard. The information we collect as part of your web account will be retained three years after the expiry date of the most recent photocard on your account. If your Zip card has been withdrawn or suspended at any time for breaching the behaviour code different retention periods will apply.

Details of debit or credit cards used to pay the admin fee when you apply for your Zip card, or to add pay as you go credit or buy season tickets are retained for a maximum of 18 months.

If you breach the Behaviour Code, you may lose your concessionary travel for a certain period of time. If so, TfL will keep a record of this for 18 months from the date your sanction is lifted and you are able to receive concessionary travel again.

Call recordings made when you contact Customer Services are kept for 6 months.

Keeping personal information secure

We take the privacy of our customers very seriously and a range of robust policies, processes and technical measures are in place to control and safeguard access to, and use of, personal information associated with Zip cards.

This includes payment card data which is handled in accordance with the Payment Card Industry Data Security Standard ('PCI DSS').

Anyone with access to personal information held in TfL's systems is required to complete TfL's privacy and data protection training on an annual basis.

We also publish guidance on the steps you and your parent/guardian can also take to protect your personal information.

Automated processing and profiling

Under data protection legislation we have to let you know when we use your personal information to do something 'automatically' using our computers or other systems, or make an automated decision (without human intervention) that significantly affects you.

If you use pay as you go on your Zip card, TfL calculates the fares you are charged using automated means - ie using the location where you start your journey (touch in) and, if travelling by train or tube, end your journey (touch out). If you use a pink card reader, that data will be used to confirm you took a particular route and charge you accordingly.

On some occasions, TfL may 'auto complete' a journey for you if you do not tap your Zip card on a yellow reader at both ends of your journey. We do this by looking at other journeys you have made previously and making an assumption about the likely origin or destination of the incomplete journey.

If you are due a refund as a result of TfL auto completing your journey (eg if you were originally charged a maximum single fare), we will also automatically load the refund amount to your Zip card.

We may also proactively issue you a refund if we can see from your journey history that you have been affected by a major disruption or incident that has severely impacted your travel.

If you believe you have been incorrectly charged, or not received a refund you were due, you or your nominated parent/guardian can ask Customer Services to review those transactions.

We analyse application data, journey patterns and transaction history to inform measures to protect TfL against fare evasion and fraudulent transactions. We use this data in different ways, including identifying 'hotspots' so we can deploy Revenue Inspectors in certain London Underground stations or on particular bus routes.

We may also use the outcome of our analysis to contact you or your nominated parent/guardian directly, with advice to touch in and out at the correct stages of a journey.

We may also suspend or withdraw Zip cards based on eligibility concerns, purchases, or subsequent top ups and disable web accounts based on online activities.

Part of our statutory responsibilities includes a duty to do all we reasonably can to reduce crime and disorder on and around the transport system - and we work together with our local authority, policing, and other law enforcement partners as part of this.

We may use aggregated or depersonalised Oyster journey data to undertake intelligence, analysis and research activities to identify and inform responses to a number of issues including:

  • Reducing all crime and antisocial behaviour on and around the public transport network
  • Creating crime and antisocial behaviour strategies
  • Targeting crime and disruption hotspots to better coordinate and deploy policing resources
  • Reducing fear of crime and improving public confidence in the safety of the journeys they make in the capital

Sharing personal information

TfL uses an external service provider to process your application, issue your photo card and operate the photo card scheme on a day to day basis, including Customer Services support. TfL also uses external service providers to operate 'back office' technical services and customer database management.

The post office validates Zip card applications on our behalf when you're unable to do this online. They send the information to our service provider who issues your photocard. If you use your Zip card on National Rail services, we may share your personal data with relevant train operating companies for the purposes of customer service, and fraud prevention and detection. The same applies if you use your Zip card on river services operated by other companies.

If we have concerns about your eligibility for a Zip card, we may contact your school or training provider to help verify this.

If you appeal against a penalty fare notice issued on a National rail service and you state that you used your Zip card for that journey, the independent appeals body may verify the information you provide against journey data held in our ticketing systems. This is strictly for the purpose of assessing your appeal, and any information sharing is managed in accordance with relevant privacy and data protection legislation.

If you have an enquiry, Customer Services will only discuss your application with you or the parent or guardian whose name is on the original Zip card application, unless there is an exceptional reason, which we will consider on a case by case basis.

We have partnerships with a number of academic institutions in the UK and overseas (eg the USA), who work with us to analyse journey patterns and undertake travel modelling to help us understand the way our customers travel so we can improve and plan our services for the future.

To do this we provide them with journey data derived from our Oyster ticketing systems that has been processed, replacing data, where required, with alternative identifiers (pseudonyms) so that it isn't possible to identify an individual customer.

All academic research is carried out in accordance with privacy and data protection legislation and protected by robust confidentiality agreements.

In some circumstances, disclosures of personal data to the police (and other law enforcement agencies) are permitted by data protection legislation, if they relate to the prevention or detection of crime and/or the apprehension or prosecution of offenders. Before any such disclosure takes place, the police are required to demonstrate that the personal data concerned will assist them in this respect. Each police request to TfL is dealt with on a strictly case-by-case basis to ensure that any such disclosure is lawful and in accordance with data protection legislation.

TfL may also receive or disclose personal information about customers in relation to certain emergency situations or other incidents that require an immediate response. Such events may include those involving public health, public safety or national security matters, when access to personal information is necessary to manage the incident. In some situations, we may also be required by law to disclose your personal data to the police or other enforcement, regulatory or Government body, upon a valid request to do so. These requests will be assessed on a case-by-case basis and take into account privacy considerations before a disclosure is made.

Overseas processing

TfL, its service providers and academic research partners currently process personal information relating to Oyster (including concessionary schemes) within the UK, the European Economic Area (EEA) and the USA. Any such processing is subject to appropriate contractual safeguards and carried out in accordance with the requirements of UK and EU privacy legislation.

Complying with the Behaviour Code

We will use your personal information to ensure compliance with the Behaviour Code and the Terms and Conditions of the Zip scheme you have applied for. In doing so, the Metropolitan Police Service (MPS), City of London Police and British Transport Police (BTP) may inform us if you incur a criminal conviction or other legal sanction (such as a warning or caution) for an offence committed on London's public transport network.

Before doing this, an authorised Metropolitan Police officer, British Transport Police officer or TfL employee will check against the information we hold (that you supplied to us on your application form) to ensure that you are the holder of the concessionary photocard. The police officers can only check these details for as long as you are eligible for the Zip Oyster photocard scheme.

If we withdraw or suspend your travel concession, or are considering doing so due to a failure to comply with the Behaviour Code, we will write to your parent or guardian.

Earn Your Travel Back scheme

If we withdraw your travel concession, we will write to your parent or guardian, signposting a number of organisations that offer appropriate volunteering opportunities. TfL does not pass any personal information directly to volunteering providers for the Earn Your Travel Back scheme.

To administer this initiative, we keep records such as a copy of the participation form which we ask you to share with us, information from your volunteering provider about the activities you have undertaken and any decisions we have made regarding reinstatement of your concessionary travel. More information can be found in the TfL Zip Enforcement and Appeals Policy
 

Your information rights

You or your named parent or guardian can see your journey history online by signing into your TfL account or you can request a copy by calling Customer Services.

If your parent/guardian would like to close their Oyster Photocard web account, they should contact Customer Services or contact our Privacy and Data Protection team.

For access to other personal information please see the section on Subject Access requests in Access your data.

You also have a number of other information rights which include:

  • The right to question any information we have about you that you think is wrong or incomplete
  • The right to object to how we use your data or to ask us to delete or restrict how we use it
  • The right to complain to the regulator - the Information Commissioner's Office

The TfL Privacy and Data Protection team considers and coordinates responses to requests and complaints from people whose personal data is processed by TfL and its subsidiary companies.

You can contact the Data Protection Officer by email at dpo@tfl.gov.uk

Changes to this page

It's likely that we'll need to update this statement from time to time, so check back here regularly to find out more. This page was last revised in October 2024 to provide details of a temporary change to the length of time we keep information about individual journeys made using a Zip card.