
Trainline fare history data legality

Status
Not open for further replies.

mrmartin

Member
Joined
17 Dec 2012
Messages
1,160
I did see some previous threads about this but I think the SJPN disaster shines new light on this.

I really have a sneaking suspicion that TOCs using Trainline data is going to prove to be a massive legal headache.

I was genuinely quite surprised when I started seeing cases of these happen, first when they started trying to nail caught offenders with more incidents, and then even more so when West Midlands Trains AFAIK (but probably others too) are just getting the data feeds and doing "fishing" exercises.

Firstly, it seems (as per usual) completely disproportionate compared to other industries. It's a bit like the police getting a daily data dump of any phone call being made, which they then trawl through to find suspicious patterns and start arresting people on. As far as I know this is not allowed, the police have to have a suspicion and then get a court order or similar to get the phone network data. Another similar example would be ISPs providing data of people downloading pirated content - they do not just send Warner Music or whatever a dump of everyone's internet traffic.

Secondly, their privacy policy seems weak on this. It says "we only share what is necessary to meet this purpose", but in reality I suspect they share basically all data with minimal safeguards (again, I can sort of see this being ok if they were just requesting individual data based on an in person revenue check, but not really for doing mass fishing exercises where there was otherwise no suspicion).

Finally, it just seems like a giant conflict of interest at face value, especially if (as I suspect) Trainline is getting financial gain for doing/helping this investigation. I don't expect to go to Tesco and buy some Nestle coffee, then Tesco get paid by Nestle to report me and my purchase history if I ask for refunds too much (to Nestle!) on the quality of their coffee.

Just seems so many parallels here to recent private prosecution debacles, where there is a complete lack of checks and balances compared to other industries I'm familiar with.
 

Alex C.

Member
Joined
7 Jan 2014
Messages
210
Having dealt with both making and receiving requests relating to the prevention and detection of fraud, I am surprised how much sharing goes on and I think what started legitimately has probably turned into something much more in the gray areas of the GDPR.

It's pretty reasonable to say "We caught a customer and based on our own evidence we suspect there is a high likelihood that you have further evidence which will support our investigation, they have been travelling between x and z stations but only using a ticket from x to y, please can you let us know if you have any tickets sold for travel matching that pattern". It is not reasonable to say "we caught a customer who had a Railcard 5 days out of date and we would like 5 years of your data to trawl through". Trainline should also be considering these requests on a genuine case by case basis and documenting the rationale for providing the information.

It's also worth highlighting that TOCs have no more a right to this information than anyone else. They are not a 'competent authority' and so their authority to request the data is only derived from the legitimate interest provisions of the legislation.

Of course none of this really matters without enforcement of the law, although a complaint to the ICO by someone with a valid railcard who has been through this process (or the complete fishing expeditions by WMT which seem to be without any justification) would be interesting.
 

Cdd89

Established Member
Joined
8 Jan 2017
Messages
1,481
The aspect that surprises me is that there appears to be no obligation on retailers to disclose to the customer that their data has been shared (in response to a request from a third-party).

This may be legal but feels like a shortcoming of the existing legislation where data is shared outside existing consents. Obviously there will be situations where it's important to avoid "tipping off" the customer but these should be exceptional and involve the police.
 

AlterEgo

Veteran Member
Joined
30 Dec 2008
Messages
24,102
Location
LBK
My understanding is that not all retailers habitually share this data and Trainline got leant on to do it, as it is the largest and most prone retailer to customer fraud. Is that right?
 

island

Veteran Member
Joined
30 Dec 2010
Messages
17,362
Location
0036
The aspect that surprises me is that there appears to be no obligation on retailers to disclose to the customer that their data has been shared (in response to a request from a third-party).

This may be legal but feels like a shortcoming of the existing legislation where data is shared outside existing consents. Obviously there will be situations where it's important to avoid "tipping off" the customer but these should be exceptional and involve the police.
There isn't a requirement for each and every individual instance of sharing to be disclosed; this would be wildly impractical for many data controllers. It's perfectly valid for the privacy statement to list the parties, or categories of parties, to whom they disclose data.
 

Richardr

Member
Joined
2 Jun 2009
Messages
500
It's a bit like the police getting a daily data dump of any phone call being made, which they then trawl through to find suspicious patterns and start arresting people on. As far as I know this is not allowed, the police have to have a suspicion and then get a court order or similar to get the phone network data. Another similar example would be ISPs providing data of people downloading pirated content - they do not just send Warner Music or whatever a dump of everyone's internet traffic.
I've no informed comment on the overall issue, but these two examples don't seem to me to be similar at all. Neither the police nor the ISP in your examples have any interest or transactional relationship with the phone network / music content. Trainline though is an official agent retailing directly on behalf of the train operators. Specifically customers are made subject to the train operators' terms and conditions in addition to Trainline's.
 

mrmartin

Member
Joined
17 Dec 2012
Messages
1,160
I've no informed comment on the overall issue, but these two examples don't seem to me to be similar at all. Neither the police nor the ISP in your examples have any interest or transactional relationship with the phone network / music content. Trainline though is an official agent retailing directly on behalf of the train operators. Specifically customers are made subject to the train operators' terms and conditions in addition to Trainline's.

Problem is though that a) Trainline does not list the individual TOCs as subprocessors, and b) NRCC do not mention data privacy at all.
 

Fawkes Cat

Established Member
Joined
8 May 2017
Messages
3,934
NRCC do not mention data privacy at all.
Would you expect National Rail Conditions of Travel (as the NRCC is now called) to comment on data privacy? Being as how it's not actually a condition of travel. Wouldn't you expect something like National Rail's privacy notice (https://www.nationalrail.co.uk/privacy-notice/) - and the equivalent for TOCs and vendors - to be a more likely place for it?
 

RPI

Established Member
Joined
6 Dec 2010
Messages
2,978
Interesting conversation, certainly at the TOC where I work we have to have and demonstrate reasonable suspicion and evidence of this reasonable suspicion in order to investigate previous journeys, or to even submit a DPA form, we cannot simply go "fishing".
 

mrmartin

Member
Joined
17 Dec 2012
Messages
1,160
Would you expect National Rail Conditions of Travel (as the NRCC is now called) to comment on data privacy? Being as how it's not actually a condition of travel. Wouldn't you expect something like National Rail's privacy notice (https://www.nationalrail.co.uk/privacy-notice/) - and the equivalent for TOCs and vendors - to be a more likely place for it?

This is my point though - the post in question I was replying to was saying that by using Trainline you agree to the T&Cs of the TOCs (effectively), but the only one I can see is the NRCT, which doesn't mention data privacy. I would expect a 'National Rail privacy policy' or something that explains all this.

It's a real mess from a data privacy standpoint.

Who is it even transferred to? RDG? The fare setter of the route? All TOCs that get a slice of ORCATS revenue in the case of open tickets? All TOCs?

Interesting conversation, certainly at the TOC where I work we have to have and demonstrate reasonable suspicion and evidence of this reasonable suspicion in order to investigate previous journeys, or to even submit a DPA form, we cannot simply go "fishing".

Yes, that's exactly what I'd expect. Which makes this WMT exercise so odd.
 

Recessio

Member
Joined
4 Aug 2019
Messages
992
Location
London
Would it not be extremely impractical for a TOC to have to apply e.g. for a Norwich Pharmacal order to Trainline for every individual case though?
 

talldave

Established Member
Joined
24 Jan 2013
Messages
2,399
It’s not that odd when you consider that the WMR web booking system is provided by Trainline.
Which makes you wonder how close to a straightforward login the access is?

After all, to go on a fishing expedition you need free access to the pond and all its fish. You don't name a fish and go after just that one.

Sadly, I have no confidence that TOCs/retailers are operating within the law.
 

SCDR_WMR

Established Member
Joined
17 Dec 2017
Messages
1,930
Which makes you wonder how close to a straightforward login the access is?

After all, to go on a fishing expedition you need free access to the pond and all its fish. You don't name a fish and go after just that one.

Sadly, I have no confidence that TOCs/retailers are operating within the law.
WMT don't search or process the original data. Trainline sends emails to the digital fraud team with data related to ongoing cases that WMT have requested, along with data that Trainline have identified as being potentially 'fraudulent'.

WMT have previously asked Trainline for ticket purchases across their network where Jobseekers Railcard discount has been applied for instance, it hasn't accessed the data and run such a report itself.

I tell passengers not to use Trainline due to this processing of its data, whether other retailers are so forthcoming or proactive in screening data I'm not sure.
 

deltic

Established Member
Joined
8 Feb 2010
Messages
3,488
You can turn this round, what obligations do ticket retailers have if they think fraud is taking place against TOCs?
 