Complying with our obligations under the Data Protection Act 1998 (‘the DPA’) and related legislation is important to us, and we have taken steps to ensure that we do. The DPA requires data to be processed fairly and lawfully. Personal data shall be obtained only for lawful purposes, and shall not be further processed in any manner incompatible with those purposes.
This section of the website explains what information we collect about our customers, how it is used and the procedures we have in place to safeguard their privacy.
Arriva Rail North Ltd are the data controllers, as defined under the DPA. We are only allowed to process your personal data in accordance with the DPA and for the purposes notified to the Information Commissioner. You can find more information at the Information Commissioner’s website.
What personal information do we collect?
Do we collect sensitive personal data?
Generally we will have no need to collect sensitive personal data outside the context of the notice in question.
What do we use the personal data for?
The personal information that we collect is used for the following purposes:
- • for the prevention and detection of crime, fare evasion and other travel irregularity
- • to provide you with the service requested
- • for the ongoing administration of the service
- • to allow us to improve the products and services we offer to our customers
- • for research and statistical analysis
- • to enable us to comply with our legal and regulatory obligations (including HMRC).
To ensure that we follow your instructions correctly and to improve our customer service, we may monitor and/or record any communication between you and us.
Do we use your information for marketing purposes?
How we will contact you
This may be by post, e-mail, telephone or text messaging to SMS enabled devices depending on the information you have provided to us.
How long do we keep your personal data?
We will retain your information for as long as necessary to fulfil the purpose(s) above, and in accordance with the law. In general, this will be:
- • Seven years for data relating to Failure to Purchase Notices, Unpaid Fare Notices, Penalty Parking Notices and reports for possible prosecution
- • One year for data relating to name and address checking enquiries by our customers’ inspectors.
When do we disclose your information to third parties, and why?
We will only disclose your information to other parties in the following limited circumstances:
- • where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities
- • where there is a duty to disclose in the public interest
- • where disclosure is necessary to protect our interest or that of our customers e.g. to prevent or detect crime and fare evasion or other travel irregularity on the railway network
- • where you give us permission to do so.
How do we protect your data?
Records on systems are protected by Firewalls externally and are penetration tested by Trustwave every quarter to ensure that we have not slipped on data security. A copy of our current certificate is available on request, paper records are always kept in a secure storage facility accessible only by authorised personnel.