FOI request detail

TfL Car Parks

Request ID: FOI-4674-1718
Date published: 23 March 2018

You asked

Please could you provide:

1. Information on the contract with Dash Parking services (the company that provides the mobile payment app for LUL's car parks). Including

- contract length/expiry
- commercial/pricing information relating to customers
- 2017/2018 revenues from Services (SMS reminders)
- Data and GDPR compliance information

2. Comparison of number of fines at car parks with and without ANPR automatic collection/payment

3. The party responsible for the road/car park surfaces at Woodside Park underground station and any Service Level Agreements in place for maintenance and repair.

We answered

Our Ref: FOI-4674-1718

Thank you for your request received on 22 February 2018 asking for information about our car parks.

Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. I can confirm we hold some of the information you require. You asked:

1. Information on the contract with Dash Parking services (the company that provides the mobile payment app for LUL's car parks). Including

- contract length/expiry

We do not hold this information as we do not have a contract with PayByPhone/Adaptis, who operate the Dash parking platform. NCP manage our car parks and they have a contract direct with PayByPhone.

- commercial/pricing information relating to customers

Car park prices are displayed on tariff boards at all car parks. For cashless sessions car park prices are not shown on the Dash website until a customer makes an enquiry, however season ticket prices are displayed when a car park is selected via the season tickets tab.

- 2017/2018 revenues from Services (SMS reminders)

TfL receives no income from SMS reminders. Customers have to choose to opt into SMS within Dash and are advised upon registration that these are chargeable. Customers can also opt out at any point via their online account or via the call centre.

- Data and GDPR compliance information

PayByPhone / Adaptis is compliant with current data protection legislation. Their servers are held in a PCI compliant environment which provides the highest level of security for personal and payment details.

Card information is tokenised by their PSP once entered which ensures that it is not held within Adaptis and is not visible to customers, clients or internally within PayByPhone / Adaptis.

Additionally they password protect customer accounts, use encrypted browsers and passwords and logs to ensure that they can audit use of their admin systems.

PayByPhone takes its obligations in regards to data privacy and security very seriously. To that end, PayByPhone is currently undertaking a company-wide review of its data collection, retention and disclosure procedures in order to assess and assure compliance with the new GDPR requirements.

One of the main goals of the new GDPR is to empower consumers by requiring companies to obtain better consent from their consumers when collecting data. Under the GDPR, consent has to be express, clear and unambiguous. Companies are only supposed to gather information on consumers that have given their consent for such collection.

Consumers must be fully aware of what data is being collected and why. Though PayByPhone is currently transparent with its consumers about the collection of data, it will be updating its Terms & Conditions and consent mechanism prior to the coming into force of the GDPR to make sure that its users are adequately informed of what information is being collected and why.

The GDPR is changing the rules about how companies are able to perform direct marketing to their customers. Companies are only supposed to engage in direct marketing communications with those consumers that have agreed to be communicated with. Our contract is already compliant. PayByPhone can continue to communicate with its customers when such communication is essential to the service being offered (i.e. a push notification that a parking session is about to expire).

The GDPR is also changing the rules around retention of data and erasure (the right to be forgotten). Companies are only allowed to retain information about their consumers insofar as that information is required to be retained to offer the service or to comply with legal and regulatory obligations. Consumers will now be allowed to ask companies to "forget them" (i.e. erase all data pertaining to them). PayByPhone will be updating its terms and conditions and privacy policy to allow its consumers to request to know what information PBP has and to remove said information - PBP will remove any information that it is not required to retain to comply with its financial obligations.

As mentioned, PayByPhone is currently reviewing its internal processes related to data collection; this includes a review of PayByPhone's terms and conditions of use and privacy policy. PayByPhone will not only be updating its terms and conditions and privacy policy, but will also be creating a guideline on compliance for its employees, as well as for its clients and consumers.

Data subjects are provided with information on what data is collected and how their data will be used in connection with this service. PayByPhone are also in the process of updating privacy policies in line with GDPR. More information is available on their website:

https://ukparking.dashcardservices.com/dashtube/webcontent/privacy.aspx

All customer queries are dealt with by PayByPhone’s Customer Support team initially where they work to a general service level agreement of 48 hours, however certain triggers can reduce this time such as urgent / high importance. If they receive a subject access request, this is escalated internally so that they can respond within the timeframe and a ticket is created if development action is required. Written processes for this are being put in place as part of their preparation for GDPR.

The data is hosted within AWS servers in the EEA (Ireland). Further information on cookies, web beacons etc. can be found on their website:

https://ukparking.dashcardservices.com/dashtube/webcontent/useofcookies.aspx

2. Comparison of number of fines at car parks with and without ANPR automatic collection/payment

In the 12 months from 05/02/17 to 03/02/18, 8131 penalty charge notices (PCNs) have been issued manually by our attendants and 21,274 have been issued via the Automatic Number Plate Recognition where no payment is identified for a parking session.

3. The party responsible for the road/car park surfaces at Woodside Park underground station and any Service Level Agreements in place for maintenance and repair.

All temporary repairs to surface, fences, boundaries, drainage, structures and equipment are to be undertaken within 48 hours of notification. Full and permanent repairs to surface, fences, boundaries, drainage, structures and equipment are to be undertaken within 14 days of notification.

If this is not the information you are looking for please feel free to contact me.

Please see the attached information sheet for details of your right to appeal.

Yours sincerely

Gemma Jacob
FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London
