Onboard staff adding a comment to a digital ticket

[bakerstreet]

I could see sense in an exception for cases where a Fraud Act prosecution brought via the Police and CPS was under consideration (while TOCs can prosecute this or anything else privately I've not heard of them doing so). However most of this is just stuff that would be written on a paper ticket, so why should our rights reduce?



This is very 2023, but I strongly dislike this to the highest extent possible. "Fishing expeditions" are a massive concern of mine with e-tickets. I"m waiting for "you changed unnecessarily* on a ticket with BoJ banned, £100 please". Customers MUST be protected against this sort of "easy money" approach. And one way to protect them is to give them strong, powerful rights over data held with regard to their affairs - this being the root of GDPR.

* BoJ isn't defined any more so TOCs can interpret it how they like when it comes to these settlements which are tantamount to extortion. Has that happened yet? I don't think so. Will it? I'm confident it will, yes.

I’ve been worried about this sort of thing for a while

Will after-the-event e-ticket database checking be a risk to passengers?

Re this thread: Stopping short on Advance if Season is held. https://www.railforums.co.uk/threads/stopping-short-on-advance-if-season-is-held.230762/ And this post which I think raises an interesting issue. This sort of thing will become easier to police with e-tickets and automatic...

www.railforums.co.uk

 

[Bletchleyite]

If you comply with your ticket restrictions, concessions, discounts etc - nothing will flag up will it? Nobody is interested in retrospectively poking around one off break of journey issues etc unless there's something else going on with that customer. Despite all this new data, there's still only a finite number of investigators - so naturally the more serious end of the scale is prioritised, it has to be.

While the more valuable cases will be, I can't help but think that there's plenty of evidence of the railway going for easy targets, e.g. they'll pounce on the respectable old lady who won't put up a fight rather than dealing with the bunch of scally kids or the rough looking drunk football fans.

All I'm asking is that in order to ensure a level playing field with the vast number of grossly incompetent/poorly trained staff out there checking tickets (I'm referring mostly to contract security guards, such as the bunch of barely-literate-in-English rentathugs Northern seem to use at Manchester gatelines, or the similarly full-of-attitude ones you seem to see south of London, not the likes of the polite and professional LNR ones at Euston and MKC) I'm party to any notes added to a scan on my ticket just like I was when it was a paper ticket. Not much to ask in my book.

I’ve been worried about this sort of thing for a while

Will after-the-event e-ticket database checking be a risk to passengers?

Re this thread: Stopping short on Advance if Season is held. https://www.railforums.co.uk/threads/stopping-short-on-advance-if-season-is-held.230762/ And this post which I think raises an interesting issue. This sort of thing will become easier to police with e-tickets and automatic...

www.railforums.co.uk

It's a particular problem because of unfair T&Cs the railway use. For instance, the gateline staff might let me out at MKC to get a taxi because the next Bletchley is cancelled and I don't want to sit there on an Advance for 45 rather than 15 minutes, say, but then a "fishing expedition" might flag that I ended my journey short on an Advance and send me a £100 bill, which I won't be able to counter because I won't have evidence that the staff OKed it.

I'm confident this is going to happen at some point to someone.

That sort of situation may actually arise on a trip I've got coming up soon - if I'm late I may have to end short for an alternative bus connection - no need to do so if the railway complies with its part of the contract and delivers me to the destination on time, so I don't see why I should have to buy an Anytime just so I'm allowed to end short if the railway fails to deliver (fairly sure that on the journey involved BoJ is prohibited on the Off Peak outward too). Because it's cross London I've got CCST so it won't be a problem - but if it was an e-ticket that's a potential black mark in their database against my name...

 

[father_jack]

So the comment will appear on the device anyone who scans the ticket using the same (or similar) software but as far as I know is only a feature of TTK. Eg. The clipper app used by First group TOC’s never used to be able to do this.

"Clipper" on First Group company mobile devices is being decommissioned and replaced by the TTK TICKET CHECKING APP.

 

[WelshBluebird]

So you're saying if staff suspect fraud and flag it with a suitable comment/endorsement for managers/other staff to review, customers should be able to see that staff believe an investigation into this customer may be required?

That's ludicrous for several reasons.

This forum has a serious problem with rose tinted spectacles. At best you get a handful of customers per week writing about their one-sided dispute experience, most of which are pretty obviously guilty and want to settle. There is an absolute miniscule number of genuinely innocent people who somehow find themselves in serious trouble. However even innocent people can and should be investigated if there is a suspicion, it's the whole point of an investigation, to determine who is and who is not up to no good.

What happens with paper tickets (given any "comment" added to paper tickets can be read by the passenger)?

 

[Bletchleyite]

What happens with paper tickets (given any "comment" added to paper tickets can be read by the passenger)?

Presumably they'd fill in an MG11 separately. Which is what they should really do with an e-ticket, not type notes all over it saying the passenger is evading. Of course, an MG11 is shared with the passenger too.

I don't think there are going to be many cases where an e-ticket scan contained something like "investigate this person for fraud". But what it might contain is "cancel ticket, passenger has ended journey early" when they just broke it, say, and at least if you know that you can go to a booking office (ha!) and try to have it resolved, or buy another ticket and seek to do so retrospectively. Whereas if you get to a gateline with an invalid ticket, it might be MG11 time for that.

 

[Wallsendmag]

Getting way of topic now, but your fishing expedition to most professional investigators would be a lawful, balanced investigation into potentially suspicious activity.

The fact that the railway now has much better access to 'big data" alongsidethe industry becoming better at sharing data between TOCs, RDG and other law enforcement agencies means an increase in fraud related investigations was inevitable. As soon as they've caught up with all of the historic offending which is now only coming to light, things will inevitably calm down and become more business as usual.

If you comply with your ticket restrictions, concessions, discounts etc - nothing will flag up will it? Nobody is interested in retrospectively poking around one off break of journey issues etc unless there's something else going on with that customer. Despite all this new data, there's still only a finite number of investigators - so naturally the more serious end of the scale is prioritised, it has to be.


Can be linked - doesn't necessarily mean they are automatically. I'm not quite sure even RDG/GBR appreciate how much data is actually "missing" (but available looking elsewhere) through fragmentation.

GBRTT know what the position is no idea about RDG.

 

[Watershed]

One concern I have is of badly informed staff marking tickets as invalid.

I suspect this just about gets away with not being subject to a Subject Access Request due to not being directly associated to a person, but there is a big problem with changes to the power dynamic here. Really it should be possible for passengers to see what has been recorded so they can challenge it if it is wrong or unfair.

It contains the name of the person under whose account the ticket was bought, so I'm highly dubious that it doesn't constitute personal data which - in principle - must be disclosed upon receipt of a SAR.

 

[Adam Williams]

Getting way of topic now, but your fishing expedition to most professional investigators would be a lawful, balanced investigation into potentially suspicious activity.

As ever, I suspect that the reality lies somewhere in the grey area in the middle.

Are there absolutely "bang to rights" investigations that go on into folks who are clearly guilty? Yes. Lots of the threads in the disputes forum here are clearly folks who tried it on and got caught. But - are there cases where I think the case made by the TOC is dubious at best? Also yes. And do I think suppressing scan records for historical UTNs forever from someone that travelled in the past is necessary and proportionate when weighed up against the data subject's right? Ehh, I am not convinced.

There is an absolute miniscule number of genuinely innocent people who somehow find themselves in serious trouble

You might see it as miniscule, but a sizeable number of people on the forum have seen it play out far too many times with passengers who should not have been pursued to just "trust the process" in the way you seem to be suggesting people do. I've seen it myself.

I'm not quite sure even RDG/GBR appreciate how much data is actually "missing" (but available looking elsewhere) through fragmentation.

This is a feature, not a bug. Customers generally entrust (third-party and TOC) retailers to treat their personal data with respect. The various decentralised standards that exist try to strike a balance between revenue protection and privacy.

 

[Bletchleyite]

You might see it as miniscule, but a sizeable number of people on the forum have seen it play out far too many times with passengers who should not have been pursued to just "trust the process" in the way you seem to be suggesting people do. I've seen it myself.

Personally I won't "trust the process" until the railway loses the right to bring private prosecutions under the Byelaws and RoRA, with everything having to go via Penalty Fares with its proper appeals process. It's too one-sided and there are too many clueless and sometimes even vindictive staff checking tickets under contract these days, not just professional railwaypeople.

 

[Adam Williams]

It contains the name of the person under whose account the ticket was bought, so I'm highly dubious that it doesn't constitute personal data which - in principle - must be disclosed upon receipt of a SAR.

The ICO's guidance I read suggested that if data can be tied back to a person with an "extra link", it's not anoymised and is merely pseudonymised. Given the appropriate records from the retailer, I'd expect the ticket UTN - number under the barcode and in the scan records - to be able to be linked back to an individual person.

 

[jfollows]

One innocent person being in serious trouble because of staff incompetence, poor training, arrogance or malice is one too many. This forum will of course be a magnet for reports, and therefore the number of such cases is actually relatively low, but it seems to me that having the ability to annotate electronic tickets without the bearer/user of the ticket being able to read the annotations is dangerously wrong. In particular because, like others, I definitely don't trust "the railway" to run its prosecution processes reasonably, there are many examples of when they don't on this forum.

 

[daveo]

In your hypothetical scenario, it's not really any difference to writing 'not valid" in pen on a paper ticket - just electronically. No change at all except the means.

Except pen and ink is visible to the customer!!

 

[LowLevel]

Presumably they'd fill in an MG11 separately. Which is what they should really do with an e-ticket, not type notes all over it saying the passenger is evading. Of course, an MG11 is shared with the passenger too.

I don't think there are going to be many cases where an e-ticket scan contained something like "investigate this person for fraud". But what it might contain is "cancel ticket, passenger has ended journey early" when they just broke it, say, and at least if you know that you can go to a booking office (ha!) and try to have it resolved, or buy another ticket and seek to do so retrospectively. Whereas if you get to a gateline with an invalid ticket, it might be MG11 time for that.

If I write up a Travel Irregularity Report the details are not available to the customer.

Nor is the Inspector's Version of Events on the back of an unpaid fares notice.

I don't think I've ever used the Comments box on an e-ticket for anything other than a favourable endorsement. On that note, apart from Restrictions Advised very rarely I don't think I've ever written something negative on the back of a ticket and handed it back.

Writing "this one's a bit of a prat" just doesn't happen - I could phone someone to share that far more easily.

 

[Bletchleyite]

Writing "this one's a bit of a prat" just doesn't happen - I could phone someone to share that far more easily.

I'm not suggesting it should be like a helpdesk where some agents were habitually writing stuff like that, only to be caught out when self service tools meant they could see it.

My main concern is staff invalidating tickets because they think they've been misused, or vindictively (yes, some of the thugs Northern use likely would do that), or writing other stuff that might limit further use or cause undue scrutiny.

You're of course professional and wouldn't do that (seriously, can we clone you and put one on every train and at every gateline? ), but many of the rentathug type ticket checkers would. Manchester Victoria is highlighted as a particular problem quite often.

 

[Krokodil]

Except pen and ink is visible to the customer!!

Messages passed between staff aren't though. Think "watch out for the blond man with the ponytail who gets on the 1203 every day, he'll pretend to be asleep, always goes straight to the front."

 

[transportphoto]

My main concern is staff invalidating tickets because they think they've been misused, or vindictively (yes, some of the thugs Northern use likely would do that), or writing other stuff that might limit further use or cause undue scrutiny.

Would you object to a member of staff putting a black cross through the Outward portion of a return ticket, whilst you’re using the return?

Electronically scanning the return portion of an eTicket does exactly the same job.

 

[Bletchleyite]

Would you object to a member of staff putting a black cross through the Outward portion of a return ticket, whilst you’re using the return?

No, but I doubt that's very common because while you're required to carry the unmarked return to use the outward, you're not required to carry the outward to use the return, indeed most of the time a gateline will already have retained it.

Electronically scanning the return portion of an eTicket does exactly the same job.

Except for that I can't see it. And it can happen innocently, e.g. the wrong half is presented and the staff don't notice. That actually nicely highlights the problem of this sort of thing being able to happen with the passenger being unable to see evidence of it.

 

[crablab]

I'm not suggesting it should be like a helpdesk where some agents were habitually writing stuff like that, only to be caught out when self service tools meant they could see it.

Indeed, there have are embarrassing moments where such internal comments, which staff never intended to be read externally, have been SARd by the customer.

Messages passed between staff aren't though. Think "watch out for the blond man with the ponytail who gets on the 1203 every day, he'll pretend to be asleep, always goes straight to the front."

Depending on what was said and how identifiable it was, it could be in scope for a SAR. Data that's sufficient to identify an individual is considered PII.
That's why it's very important such communication goes through company systems, where it can in theory been located should a Data Subject exercise their rights, and PII is kept strictly to systems designed to hold it (so you don't have to do searches through the entirety of Teams/Slack). It becomes very difficult when someone requests deletion/modification and you're unable to do that because their data has been spread out across multiple different systems...
But that's drifting off topic into data classification and governance.

I didn't say you didn't. I'm simply saying passengers should be able to access these scans, just like they could if you had endorsed a paper ticket with the same information.

I entirely agree. It's not impossible for certain types of indicator (eg. "reported to revenue protection") to be withheld automatically for legitimate reasons (although in a SAR might require manual review as it might be disclosable).

I don't see why the bulk of the data shouldn't be available to passengers. As prosecuting authorities are so fond of reminding us, "nothing to hide, nothing to fear"...

 

[35B]

Depending on what was said and how identifiable it was, it could be in scope for a SAR. Data that's sufficient to identify an individual is considered PII.
That's why it's very important such communication goes through company systems, where it can in theory been located should a Data Subject exercise their rights, and PII is kept strictly to systems designed to hold it (so you don't have to do searches through the entirety of Teams/Slack). It becomes very difficult when someone requests deletion/modification and you're unable to do that because their data has been spread out across multiple different systems...
But that's drifting off topic into data classification and governance.

Just on this point, it’s not just a question of which system, but also where in the system. Free text fields in customer databases are a data protection nightmare because of the way that users input all sorts of personal data (and sometimes even sensitive personal data) in them.

Knowing that the passenger may see what’s entered - as with a paper ticket mark - should be part of the design, with staff instructed that what they write will be visible. If there’s an issue with specific flagging for investigation, this should be separate, exceptional, and audited against misuse.

 

[Tetchytyke]

If you comply with your ticket restrictions, concessions, discounts etc - nothing will flag up will it?

If you comply AND revenue staff agree you’ve complied then nothing will flag up.

If you’ve complied but revenue staff disagree- witness the regular arguments at the Euston and Paddington gate lines about peak/off-peak- then things will potentially flag up.

Despite all this new data, there's still only a finite number of investigators - so naturally the more serious end of the scale is prioritised, it has to be.

Is the serious stuff that requires a lot of manpower prioritised? Really? Because I’d say the evidence is the exact opposite, that the TOCs go after the low-hanging fruit as it’s more lucrative.

 

[Bletchleyite]

If you comply AND revenue staff agree you’ve complied then nothing will flag up.

If you’ve complied but revenue staff disagree- witness the regular arguments at the Euston and Paddington gate lines about peak/off-peak- then things will potentially flag up.

Precisely my concern.

It shouldn't be too far off to be able to get a computer to "say no", as it were, very accurately and quickly. That would be better than often clueless contract staff doing things that can really ruin a passenger's day, particularly as prosecution departments now no longer seem to sanity check before sending out requests for a hundred quid.

Though this does require defining things like break of journey properly again. And if you're really not going to let Advance users out of gatelines where there are no station facilities outside, providing e.g. smoking areas inside the gateline.

Is the serious stuff that requires a lot of manpower prioritised? Really? Because I’d say the evidence is the exact opposite, that the TOCs go after the low-hanging fruit as it’s more lucrative.

Agreed. I gave the example above - do you spend time PFing an old lady who's clearly just lost her ticket or doesn't quite understand how to use her phone, or do you deal with that threatening group of lads smoking dope, or those rowdy football fans who on being asked for tickets said "no, and we aren't paying either, so f*** off"? It's almost always the former.

 

[Krokodil]

Is the serious stuff that requires a lot of manpower prioritised? Really? Because I’d say the evidence is the exact opposite, that the TOCs go after the low-hanging fruit as it’s more lucrative.

"Evidence" in this space presumably being anecdata from these boards.

You have no idea what goes on behind the scenes (though the TfL docuseries shows some of the work to track down serial fraudsters). Big fraudsters do get investigated and prosecuted.

 

[island]

One concern I have is of badly informed staff marking tickets as invalid.

I suspect this just about gets away with not being subject to a Subject Access Request due to not being directly associated to a person, but there is a big problem with changes to the power dynamic here. Really it should be possible for passengers to see what has been recorded so they can challenge it if it is wrong or unfair.

Comments attached to an e-ticket would constitute personal data under GDPR as they can be associated with an identifiable individual.

I don't see why the person shouldn't know your ID number

That would be personal information relating to a different data subject and is exempt from disclosure unless said data subject consents.

nor the train ID nor the time of scanning.

These are not personal data and should be disclosed.

It's not like it has your name on it. After all bus drivers' PCV number had once upon a time to be on a clearly displayed badge.

A badge is not a filing system, and GDPR only applies to data stored in a (relevant) filing system.

All staff actions with regard to serious matters like this should be identifiable and traceable.

They are, but that does not necessitate personal details of staff being disclosed to passengers.

I didn't say you didn't. I'm simply saying passengers should be able to access these scans, just like they could if you had endorsed a paper ticket with the same information.

I agree.

It contains the name of the person under whose account the ticket was bought, so I'm highly dubious that it doesn't constitute personal data which - in principle - must be disclosed upon receipt of a SAR.

I also agree with this, subject to the various exemptions such as where the data would tend to identify another person, or if a law enforcement exemption applies.

 

[Haywain]

Comments attached to an e-ticket would constitute personal data under GDPR as they can be associated with an identifiable individual.

They can only be associated with a named individual by the retailer, and then not where guest checkout has been used. Wouldn't this mean it's the retailer that is responsible under GDPR?

 

[infobleep]

This is an interesting discussion. How many different comment options are there in the ticket marking system? Is there a public list of them anywhere?

 

[Idiotic]

There are several.

Accept
Accept with warning
Reject
Reject penalty fare issued
Reject New ticket sold
Excessed
There are more but can’t remember off the top of my head.

Then you can accept/reject/no clip and then manually add comments.

If I’ve ever had to add comments it’s normally to help a passenger. For example if my train is running late and they have an advance connection I like to put it in the comments that my train is late. Or I have allowed to travel on earlier/later service than booked with the reason why.

Sometimes on the reject option I will put in there anything they’ve told me. For example: TIR made, No funds to purchase new ticket, or no supporting documents (Railcard etc) and explain what I’ve done to resolve the situation.

 

[infobleep]

There are several.

Accept
Accept with warning
Reject
Reject penalty fare issued
Reject New ticket sold
Excessed
There are more but can’t remember off the top of my head.

Then you can accept/reject/no clip and then manually add comments.

If I’ve ever had to add comments it’s normally to help a passenger. For example if my train is running late and they have an advance connection I like to put it in the comments that my train is late. Or I have allowed to travel on earlier/later service than booked with the reason why.

Sometimes on the reject option I will put in there anything they’ve told me. For example: TIR made, No funds to purchase new ticket, or no supporting documents (Railcard etc) and explain what I’ve done to resolve the situation.

Interesting. What is the difference between reject and no clip? Or even accept and no clip?

 

[LowLevel]

Interesting. What is the difference between reject and no clip? Or even accept and no clip?

No clip is what it says - it adds nothing to the ticket status. You might use it if you've for example scanned the wrong ticket. Reject flags that you've declined the ticket if scanned, accept shows that the ticket has been checked and accepted as valid.

 

[Deafdoggie]

How do railcards work with this? I recently spent a few days travelling round, and only twice was my railcard seen & only one of those times was it scanned. Those TOCs that pay staff extra per scan, do they get a payment for a railcard too?

 

[island]

They can only be associated with a named individual by the retailer, and then not where guest checkout has been used. Wouldn't this mean it's the retailer that is responsible under GDPR?

The term "responsible under GDPR" doesn't have a meaning as such – GDPR uses the terms "data controller" and "data processor". The data controller is the company which makes decisions about the storage of the data, and the data processor is the company who actually owns the infrastructure on which the data are stored.

You then need to figure out whether the data are personal data, meaning whether they can be associated with a unique identifiable individual, either on their own or in conjunction with other data that are available to the data controller or generally.

In this case it seems to me that the data controller is the TOC whose staff member made the notes, and the notes can be associated with a unique identifiable individual by way of the TOC contacting the retailer. That brings them within the definition of personal data and, subject to any exemptions, within the right of access.

Guest checkout still requires a name to be entered so I'm not sure it makes any difference that guest checkout was used.