Privacy policy

This Privacy Notice explains how Transport for Greater Manchester (TfGM) deals with the personal information we collect about you, or that you provide to us. It covers how we will use your personal information when we provide our services to you and in carrying out our functions as a Transport Authority.

This Privacy Notice also includes details of how you can exercise your rights under the data protection laws (UK General Data Protection Regulation and Data Protection Act 2018) and any other governing legislation.

TfGM is a statutory body and a data controller for any personal information where we are managing and determining how we process your personal information.

We are committed to ensuring that personal information is processed fairly, lawfully and securely in accordance with data protection laws.

How to use our Privacy Notice

To provide you with a service, we will collect and process various types of personal information.

This Privacy Notice is going to take what is known as a ‘layered approach’ which means this page will provide you with the key pieces of information you need to know in a brief format and if you wish to read in more depth then a link to further information is provided.

More details about the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR) and what they mean for you can be found on the Information Commissioner’s Website (external link).

About us

Transport for Greater Manchester (TfGM) is a Public Authority, and we have a number of legal responsibilities to provide services to you in Greater Manchester (GM). These services include being responsible for co-ordinating transport services including the Metrolink service.

TfGM have also been commissioned by the Greater Manchester Combined Authority (GMCA) to operate the Bee Network in GM. More information on how GMCA processes personal information can be found on GMCA's Privacy Notice.

Personal information and the types of information we process.

Personal information (sometimes referred to as personal data) is any information that lets us identify a living individual, either directly or indirectly. The types of information that we process to deliver our services to you are included below. The information we collect from or about you depends on the service being delivered.

name,
address,
telephone number,
email address,
date of birth,
Telephone recordings of calls made to us
passport number,
National Insurance number
NHS number
Incident reference number
lifestyle and social circumstances
financial details
employment and education details
licenses or permits held
individual’s carers or their representatives
student and pupil records
staff, people contracted to provide a service
business activities
unique identifier such as a travel card number
offenders and suspected offenders
complainants, enquirers or their representatives
professional advisers and consultants
service user case file information
traders and others subject to inspection
people captured by CCTV: images, personal appearance and behaviour
representatives of other organisations
Electronic records, social media comments, etc

Some information is classed as ‘special category information’ and needs more protection because it is more sensitive. It is often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:

Sexuality, sex life sexual health
religious or philosophical beliefs
racial or ethnic origin
physical or mental health information
trade union membership
political affiliation
political opinion
genetic/biometric data.

The law also requires us to take special care when handling information about criminal convictions and offences.

To fulfil our statutory obligations, we are required by law to hold some personal information.
Your personal information will be stored on our systems only for as long as it is needed for the relevant activity or the contract with us. You may request a copy of our retention policy via email. We endeavour to keep your personal information up to date and correct. You can support us by letting us know of any alterations in the information you have shared with us, such as your address or contact details. You can get in touch with us via email: Data.Protection@tfgm.com.

How we use your personal information

We collect and use any personal information that you provide us through different means, such as online and paper interactions or forms, telephone, email, fax, or face-to-face contact, or when you visit our website (which logs your internet protocol (IP) address). As the controller of this information, we determine how we manage it:

for the purpose for which you provided the information, e.g., services we have provided in relation to transport;
to communicate with you, provide services and information appropriate to your needs;
to monitor our performance in providing services to you, to gather statistical information to allow us to plan future provision of services to you and to obtain your opinion about our services;
to meet various legal or contractual requirements;
for the prevention and/or detection of crime;
to process financial transactions including payments and benefits directly involving us or where we are acting on behalf of other government bodies such as the Department for Work and Pensions
in the event of civil disasters or emergencies
where it is permitted under the Data Protection Act 2018 / UK GDPR, for example, to comply with legal obligations, or for us to seek legal advice or undertake legal proceedings;
for marketing purposes to keep you updated on the latest news and services;
to inform you of network disruption.
for accident investigation and road safety
to ensure the health and safety of our staff and members of the public using our services;
to manage all types of consultation including online forms
to manage all types of complaints and feedback
to manage all types of survey including online forms
applications for travel passes
for job applications and employee information
for general processing where you have given your consent for us to do so;
to improve the experience of visitors to our websites including manage your online and marketing preferences.

We also collect information via CCTV. CCTV helps us to protect our properties, vehicles and premises, to provide a safer environment for people who work at and visit these locations including preventing and investigating crime. For these reasons, the information processed may include:

visual images or recordings including people’s faces
personal appearance, and behaviours.
information may be about employees,
customers and clients, going about their daily business
offenders and suspected offenders, who access the offices without authorisation
members of the public and those inside, entering or in the immediate vicinity of the area under surveillance.

In addition, there may be instances where our staff use body-worn video (BWV) technology in specific locations. Where BWV is used, this will be clearly sign-posted within the vicinity of the relevant area(s) and on the uniform of the staff members who are recording.

We use also use your information for research purposes to produce statistical information that helps us to prioritise activities, target and plan the provision of services. We ensure that your identity is not revealed where possible when we use your information in this way, it will be specifically to:

maintain our own accounts and records
support and manage our employees
manage our property
enable licensing and regulatory activities
provide services required by us as a public service
prevent crime and prosecute offenders including the use of CCTV
administer any corporate activities we are required to carry out as a data controller and as a public authority
undertake research
provide commercial and non-commercial activities that we undertake as a public body
support internal financial and corporate functions
manage archived records for historical and research reasons
undertake data matching for local and national fraud initiatives
improve public health
assist in disputes or potential cases of malpractice
investigate complaints

We may also use your information to help to target some of our services and let you know what information or activities may be available to help you. This may include:

promoting the services we provide
marketing, for instance related to our local tourism
carrying out health and public awareness campaigns
providing leisure and cultural services
local fraud initiative
national fraud initiative
carrying out surveys

When communicating to you electronically we will abide by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

Who do we share your information with?

We use a range of organisations to either store personal information or help deliver our services to you and where we are permitted to do so by law.

The following is a broad summary of the types of organisations your personal information may be shared with

Internally:

To provide appropriate, timely and effective services, we may share basic information about you such as your name or address between departments. This is so we can keep your information as up to date as possible and so we can improve our services to you. However, we ensure that staff can only access the information they need in order to do their job.

Partner organisations under Data Sharing Agreements or protocols:

We have data sharing arrangements in place with local agencies and partner organisations, who we work with to provide certain services to you. For example, we may sign up to or follow local or national protocols, such as the National Fraud Initiative, which requires us to share particular personal information in a certain way. Therefore, under data sharing arrangements, certain personal information is shared for a specific purpose. The agency or organisation receiving the information must only use that information as outlined within that data sharing agreement so that they can to carry out that specific tasks in line with the agreed purpose. They must always keep your data safe and secure and process it lawfully as outlined in that agreement.

Third Parties:

We may have to share your personal information with a third party if the law requires us to do so. For example, we may provide your information to the courts, either because they have ordered us to do so, or because we need a court order for something (e.g., to prevent or detect crime). In all cases, we will follow data protection laws when we share data internally or externally.

We may also share your information with a third party even if the law does not oblige us to do so, if we think that there is a very important reason for doing so. However, we will only override your privacy right if the risk is serious. This is rare, but we may share your information in order to:

find and stop crime and fraud;
protect the public, our staff or other professionals against any serious risks

Some of the third parties that we may share your personal information with are (but not limited to):

those who assist us in providing services, such as Metrolink and Bus Operators as well as those who perform technical operations such as data storage and data hosting for us.
families, guardians, carers, associates and representatives of the people whose personal data we are processing (including legal advisers and counsel);
local and central government departments (such as the Department for Transport, Cabinet Office, the Department for Work and Pensions, Her Majesty's Revenues and Customs, Border Agency);
Local Authorities
Greater Manchester Police or other UK police forces.
Greater Manchester Fire and Rescue Services
current, past and prospective employers;
educators and examining bodies;
providers of goods and services;
financial organisations;
business
press and the media;
professional advisors and consultants;
professional bodies;
voluntary and charitable organisations;
religious organisations;
the National Fraud Agency;
ombudsman and regulatory authorities;
courts and tribunals;
enforcement agents;
regulatory bodies;
law enforcement and prosecuting authorities, including international law enforcement and examining bodies;

Research and evaluation partners

In addition to sharing information to improve the delivery of services, we may also share information with other service providers, survey and research organisations to create statistical and anonymised or pseudonymised data to:

better plan how we provide services to our community;
help improve services and to make sure they are effective;
be published in various reports that will be publicly available;
improve the health of the population as a whole

Where we anonymise the data, we make sure that it does not reveal you, your family or any individual person. This means that any information that shows who you are, or your family or carers will be removed before the results of any research or evaluation that we or others publish (including in public reports).

When we pseudonymise data, this type of personal data will be processed in a way that makes it harder to identify you, your family or carers. We will use pseudonymised techniques such as replacing, removing or transforming information that identifies specific individuals such as names, addresses, phone numbers, etc., and keep that information separate from the rest of the data. For example, a name can be replaced with a unique number or a code.

The data used for research and evaluation will not have any impact on you because it will not be used to make any decisions about you or affect your rights or benefits. It will only assist us to improve the quality, effectiveness, and delivery of transport needs across Greater Manchester by providing us with insights and feedback on our services and the needs of the people we help.

Using your personal information differently

We may need to either:

use your personal information for a different reason than we originally told you because our purpose for using your personal information has changed; or
use your information for an extra reason and we did not tell you about this in either this privacy notice or the privacy notice of the specific service using your personal information.
If we need to do this, unless the new reason is compatible with our original purpose, we will generally provide you with a new or updated privacy notice. This will explain the new or additional reason we need to use your personal information, and on what legal basis we can do so. This will be given before we begin to use information we already hold. The exception to this is where we obtained your information from a third party, and it would be impossible or disproportionate for us to provide you with a new privacy notice. If this happens, we will publish the new privacy notice on our website with the same right to object to the additional use of your personal information.

What we do before we share information

Before we share your information with anyone, we may conduct a Data Protection Impact Assessment (DPIA) and record the outcomes accordingly. These include but are not limited to:

What specific information will be shared
The reason for the sharing
The legal basis for the sharing
An assessment of the potential risks that the sharing would pose and how we minimise them
How the information will be kept safe

However, a DPIA is not required for all data sharing, but only if it is likely to result in a high risk to individuals or involves sensitive information.

The Information Commissioner’s Office have issued a Code of Practice (external link), that explains the process we must go through when we complete a DPIA.

Find out more about how and when it is appropriate to share your information from the Information Commissioner’s website (external link).

Where we share your information with other people and organisations who help us provide our services to you, these providers are legally obligated to keep your details safe and secure at all times and only use your personal information to provide the service to you according to our instructions.

We will always ensure we have a legal basis for processing or sharing your personal information and that we abide by the UK GDPR and Data Protection Act 2018. Anyone who works with us must follow the same strict rules we do when using your personal information.

We will not sell or give your personal information to a third party for marketing purposes without your consent.

How the law lets us use your personal information

We are a Public Authority, and we have legal powers and duties to provide services to residents across Greater Manchester. We can use your information to help us deliver these services. This means we are a ‘data controller and processor’ under Article 4 (7) and 4 (8) of the UK GDPR.

Some of the legal acts and regulations that allow us and empower us to provide our services to you are:

Localism Act 2011
Crime and Disorder Act 1998
Environmental Protection Act 1990
Environment Act 1995
Transport Acts 1968 and 1985,
2000 Local Transport Act 2008,
Buses Act 2017
Climate Change and Sustainable Energy Act 2006

To ensure that our data processing activities comply with the law, we will follow this and other relevant legislation.

UK GDPR and Data Protection Act 2018

We will only process your information in accordance with the UK GDPR and Data Protection Act 2018 when we are confident that we have a lawful basis for doing so. This means that one of the following conditions from Article 6 of the UK GDPR must be met whenever we process your personal data:

it is necessary to perform our public tasks
it is required by law or we have a legal obligation to collect the information
it is necessary to protect someone in an emergency or to protect public health
you have entered into a contract with us
it is necessary for the purpose of pursuing a legitimate interest
you, or your legal representative, have given consent, and this consent has not been withdrawn. If you have provided us with your consent to use your personal information, you can withdraw your consent at any time by contacting us.

Where we use personal information for law enforcement purposes, we will do so in accordance with Part 3 of the Data Protection Act 2018. The term ‘law enforcement purposes’ relates to the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties (including the safeguarding against, and the prevention of, threats to public security).

Sometimes we may need to collect and use special category information about you. We may do so -where:

it is necessary to perform our public tasks (which are in the substantial public interest)
it is necessary to comply with employment, social security or social protection laws
it is necessary for legal claims
it is information which has already been made public by you
it is in the public interest for public health reasons
it is necessary for medical purposes
it is necessary for archiving, statistical and research purposes
the use of special category information about you is necessary to protect you or someone else in an emergency; or
we have your explicit consent to use the particular special category information about you

In some limited circumstances we may also need to collect and use criminal history information about you. We may do so where:

it is in the substantial public interest
it is necessary for any legal claims
it is necessary to protect you or someone else in an emergency
it is information which is already in the public domain, or
we have your explicit consent to use criminal history information about you

Where we use sensitive personal information for law enforcement purposes, we will only do this where it relates to a pressing social need, which cannot reasonably be achieved through less intrusive means. Such processing will only take place if either one of the law enforcement purposes set out in Part 3 of the Data Protection Act 2018 is satisfied, or you have given your consent.

Where we keep and protect your personal information

Most personal information we collect is stored on electronic systems in the UK.

However, there are some occasions when your information may leave the UK, some personal information may be stored on computer services located in the European Economic Area (EEA). For example, if it needs to be transferred to another organisation, which may be based outside of the UK or that uses systems which store information outside of the UK.

Generally, personal information in our control will not be sent outside EEA, unless stored within cloud-based computer services. If this is done appropriate assessments, procedures and technologies will be put in place to maintain the security of all personal information processed outside of the EEA.

We will take appropriate steps to make sure we hold records about you in a secure way, including:

all employees, and those acting on our behalf, who have access to your personal information or are associated with the handling of that data are obliged to respect the confidentiality of your personal information.
All employees, and those acting on our behalf, undergo annual mandatory information security and data protection training.
there will be procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.

Keeping your personal information

We will only hold your personal information for as long as needed and in line with legal requirements or industry guidelines. The storage time for personal information varies between our services.

Automated decision making and profiling

‘Automated decision making’ is where decisions are made about you by a computer, without any human involvement. If any of our services carry out any automated decision making using your personal information, this will be explained in the service specific privacy notice.

‘Risk profiling’ is where decisions are made about you based on certain things in your personal information, e.g., your health conditions.

If we use your personal information to profile you to deliver the most appropriate service, we will tell you.

If you are worried about us using automated decision making or profiling, you can get help from the Data Protection Officer (DPO) who will be able to explain to you how we are using your information. The DPO’s contact details can be found in the section called ‘What are my rights of access to my information?”

What are my rights of access to my information?

The UK GDPR gives you the following rights over your information:

The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.

For more information on the UK GDPR and your rights go to the Information Commissioners website (external link).

How can I exercise these rights?

If you have any questions or concerns about how we use your personal information, contact our Information and Data Governance team: Data.Protection@tfgm.com.

To find out what information we hold about you, you need to make a Subject Access Request by email or in writing:

Email: Data.Protection@tfgm.com
Postal: Data Protection, TfGM, 2 Piccadilly Place, Manchester, M1 3BG

If you wish to exercise any of your other information rights, please email our Data Protection Officer: Data.Protection@tfgm.com

If you have any concerns about the way we use your personal information, we would ask you to come to us first for help. You do however have the right to complain to the Information Commissioner’s Office:

Telephone: 0303 123 1113 (local rate)
Email: casework@ico.org.uk
Live Chat Service: Advice services for members of the public
Postal: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

For general support and information on protecting your personal information visit the Information Commissioner’s Office website (external link).

Cookies

Transport for Greater Manchester collects certain information or data about you when you visit our website. For more information read our website privacy notice.

Updates

We may update or revise this Privacy Notice at any time so please refer to the version published on our website for the most up to date details.

Service specific privacy notices

Each department within TfGM processes personal data for different purposes and under different legal bases. For more information on how we process your personal data please view the below service specific privacy notices:

Active travel
Audit and assurance
Bee Network Cycle Hire scheme
Bus Reform TUPE
Bus services
CCTV
Citizen Space/GM Consult
Clean Bus Fund survey
Commercial Services
Competitions and Prize Draws
Corporate Affairs
Customer Relations
Cycle and Stride Evaluation and Monitoring
Cycle hire scheme
DDRG filming and photography
Destination Bee Network Consultation(Dogs on trams)
Facilities management
Finance
Highways
Information Services
Intervention for Blind and Partially Sighted People at Bus Stop Bypasses
Legal
Logistics and environment
Metrolink
Procurement
Projects group
Rail
Recruitment and Employment
Stockport Mixed Use Ramp Consultation Exercise
Surveys and Consultations
Transport Strategy
Visitors and Professional Contacts
White Ribbon engagement feedback survey
Voice of Customer survey (phase two)

Research specific privacy notices

As part of research activity that TfGM undertake, we may need to collect and process personal data. For further information on a certain research activity please see the individual privacy notices below:

Active Travel survey
Active Neighborhoods survey
Adapt and Build Back Better (ABBB)
Network principles
Sales funnel
Side Road Zebra Crossings
TfGM confidence survey
Metrolink customer confidence qualitative research
TfGM brand research focus groups
Big Active Conversation Feedback Survey
Bus reform
Bus reform - further consultation
Bus fare survey

Clean Air Plan Consultation
Concessionary pass survey
Destination Bee Network Consultation
Disruption Research
Further Clean Air Plan Consultation
Electric Vehicles Survey
Minimum Licensing Standards Consultation
Bee Network crossings consultation
Tram-Train Customer Research
Our Pass Evaluation
Fares and Ticketing
Town and City Centre Survey
Travel information and ticketing research
Travel Diary Survey Privacy Notice
HGV financial support scheme survey
School Streets Monitoring and Evaluation Research Privacy Policy
Rochdale Oldham Ashton bus survey
Walking, wheeling and cycling survey
GM cycle hire survey
Voice of customer survey
Leigh Salford Manchester Busway Stakeholder discussions
Rochdale Oldham Ashton Quality Bus Transit Resident Survey privacy notice
Trafford Park Link Surveys privacy notice
A555 Resident and Business Surveys
Oxford Road survey privacy notice
V1 and V2 survey privacy notice
Salford Central survey privacy notice
Our Pass survey privacy policy
Mobile phone and seat belt survey
Bus and Active Travel Surveys privacy notice
Greater Manchester rail travel privacy policy
Metrolink Park and Ride survey privacy policy
Taxi and private hire dedicated EV charging points survey privacy notice
Getting to work survey privacy policy
Night bus evaluation privacy policy
Bee Network information sessions privacy policy

If you’re unsure what the research was called then please feel free to get in touch with us at insight@tfgm.com.