FOI request detail

Freedom of Information Request - Right to Erasure

Request ID: FOI-2478-1920
Date published: 16 December 2019

You asked
Dear Transport for London, Under the freedom of information act, I am requesting information surrounding the rights to erasure under GDPR which came into place May 25th 2018. Please answer the following with as much detail as possible (and without using links to other websites which make break in the future). Please answer as many questions as you can. 1) Is it possible to erase all personal data pertaining to any oyster card, registered or unregistered (this includes photocards such as zip cards, student oyster, and so on) under the GDPR laws right to erasure? 2) If the above is no, please explain what cannot be erased (or what is kept on record) and how this does not violate GDPR laws. Please further explain what can be erased. £) If 1) is yes and a request is made for deletion - is it possible for anyone to recover this data? Please take into consideration that it is assumed the oyster should no longer work once a data erasure request is made and as such it is assumed not to work - it is assumed the card will be discarded.

We answered

TfL Ref: FOI-2478-1920

Thank you for your clarified request received by Transport for London (TfL) on 15 November 2019 asking for information about personal data.

Your request has been considered in accordance with the requirements of the Freedom of Information Act and our Information Access Policy. You asked:

  1. Is it possible to erase all personal data pertaining to any oyster card, registered or unregistered (this includes photocards such as zip cards, student oyster, and so on) under the GDPR laws right to erasure?

     

  2. If the above is no, please explain what cannot be erased (or what is kept on record) and how this does not violate GDPR laws.Please further explain what can be erased.

     

    In order to respond to these two questions, please find attached a copy of our deletion request response template.  This contains some information that is not of direct relevance to Oyster. 

     

     

    In responding to deletion requests we use this template as a basis for our final response, once any necessary clarification has been obtained from requesters. Although the template assists our Privacy team, each request is handled on a case-by-case basis and so on some occasions the template will be amended further to provide an accurate reply for a specific request.

     

     

    This template explains the information that is deleted and then that which is held for a further period.  In accordance with our responsibilities under Article 17 of the GDPR, the ‘right to erasure’ doesn’t apply to all information.  Where a Data Controller has a requirement to retain data for a further period (eg that which they are legally obliged to hold, information needed for official duties, information relating to legal claims) they can provide a justification for this.  This is explained further under the relevant sections in the attached template.

     

     

     

  3. If 1 is yes and a request is made for deletion – is it possible for anyone to recover this data?

     

    We do not have a record that allows us to respond to this question. We have not previously been asked for a deletion request to be reversed. However, data may be held on Backup tapes and discs for disaster recovery and business continuity purposes. The daily incremental Backup and weekly Backup are retained for one month and a monthly Backup and annual Backup are retained for two years.

     

     

     

  4. Please take into consideration that it is assumed the oyster should no longer work once a data erasure request is made and as such it is assumed not to work – it is assumed the card will be discarded.

If a customer holds a web account that they would like deleted, they must first remove any Oystercards linked to it.  This means that the card must be cancelled and so no longer available for travel. 

The Oystercard must be removed/cancelled because if cards are still attached to a web account when personal details are removed it means that any cards associated with the account cannot be added to a new account should one need to be set up in the future – for example if a customer needs to claim a refund for an incomplete journey from not touching in and out correctly.

Please see the attached information sheet for details of your right to appeal.

Yours sincerely,

Melissa Nichols

FOI Case Officer

General Counsel

Transport for London

Back to top

Want to make a request?

We'll email you the response within 20 working days.


We'll publish the response online without disclosing any personal information.

Make a request

Something wrong with this request?


If you believe this request is not suitable, you can report it for attention, at foi@tfl.gov.uk