Using data from apps like Trainline as part of fare evasion prosecutions

[packermac]

Mod Note: Posts #1 - #19 originally in this thread.

I will not comment on if the prosecution proposed by TIL is valid or not. Hoever I am very concerned (if true) by your comments about previous Trainline history.
As I can see it this data could only be legally obtained by you authorising them to have access to this data.
Otherwise I can only see that they either
Have an agreement with Trainline, that Trainline (illegally?) allow third party access to their customers accounts.
Buried in Trainline T&C's it says they can give your data to third parties for such use.
TIL have hacked the Trainline system somehow.

Did the communication you received from TIL mention how this data was obtained?

 

[ForTheLoveOf]

I will not comment on if the prosecution proposed by TIL is valid or not. Hoever I am very concerned (if true) by your comments about previous Trainline history.
As I can see it this data could only be legally obtained by you authorising them to have access to this data.
Otherwise I can only see that they either
Have an agreement with Trainline, that Trainline (illegally?) allow third party access to their customers accounts.
Buried in Trainline T&C's it says they can give your data to third parties for such use.
TIL have hacked the Trainline system somehow.

Did the communication you received from TIL mention how this data was obtained?

GDPR allows for data sharing for the purposes of law enforcement, as well as the detection, prevention and prosecution of (suspected) crimes. TIL haven't done any hacking here; The Trainline will be sharing details upon a request from TIL. At a stretch TIL may be using industry databases that record ticket sales but that strikes me as unlikely.

 

[Cricketer8for9]

Specifically Schedule 1 Section 10 of the Data Protection Act 2018.

 

[Puffing Devil]

GDPR allows for data sharing for the purposes of law enforcement, as well as the detection, prevention and prosecution of (suspected) crimes. TIL haven't done any hacking here; The Trainline will be sharing details upon a request from TIL. At a stretch TIL may be using industry databases that record ticket sales but that strikes me as unlikely.

Specifically Schedule 1 Section 10 of the Data Protection Act 2018.

The Trainline cannot share information without a request from a "Competent Authority". These are set out in Schedule 7 of the act.

Schedule 1 describes lawful reasons to hold and process data, not disclosure.

Access to the Trainline history, possibly without consent, was one of my first concerns at the top of this thread.

 

[island]

The strand of GDPR that permits the processing of the data is article 6.1f i.e. that it is in the legitimate interests of Trainline and LNWR to process the data by transferring it from Trainline to LNWR, as both companies have a legitimate interest in ensuring that passengers pay their fares. It is clearly legal and I would urge members to focus on the material matter at hand, namely the fare evasion, rather than clutching at irrelevant GDPR straws.

 

[Puffing Devil]

The strand of GDPR that permits the processing of the data is article 6.1f i.e. that it is in the legitimate interests of Trainline and LNWR to process the data by transferring it from Trainline to LNWR, as both companies have a legitimate interest in ensuring that passengers pay their fares. It is clearly legal and I would urge members to focus on the material matter at hand, namely the fare evasion, rather than clutching at irrelevant GDPR straws.

You are incorrect. None of the lawful basis for the processing of data appear to apply in this case. The OP has not been back to comment on any consent.

Access to the data is a great concern in this case when TIL, not Trainline or LNWR have been accessing historical ticketing information. Trainline can pass details of ticketing information required for the specific performance of a contract and no more. They are restricted by their own published privacy policy - which appears to be quite well written and well defined.

 

[ForTheLoveOf]

You are incorrect. None of the lawful basis for the processing of data appear to apply in this case. The OP has not been back to comment on any consent.

Access to the data is a great concern in this case when TIL, not Trainline or LNWR have been accessing historical ticketing information. Trainline can pass details of ticketing information required for the specific performance of a contract and no more. They are restricted by their own published privacy policy - which appears to be quite well written and well defined.

Even if this constitutes a GDPR breach, that does not nullify OP's liability for any crimes committed. It would give OP the right to compensation against whomever had breached the GDPR.

 

[island]

You are incorrect. None of the lawful basis for the processing of data appear to apply in this case. The OP has not been back to comment on any consent.

Consent is not required for the processing of personal data.

 

[Puffing Devil]

Consent is not required for the processing of personal data.

...if the data is being processed on one of the other lawful grounds for processing. If one of those cannot be shown, then consent is very much required. In this case, there was no right for TIL to access the historic data unless permission had been granted.

Even if this constitutes a GDPR breach, that does not nullify OP's liability for any crimes committed. It would give OP the right to compensation against whomever had breached the GDPR.

There may be the question of the admissibility of the evidence in court if it were obtained illegally. Also the potential prosecution of the Trainline for a data breach.

 

[The Phoenix]

Access to data from third parties is permitted for the prevention and prosecution of crime. I used to do this a lot in my old role some time back.

Back then it used to be a section 29 application currently it’s the disclosure of personal data Under Schedule 2 Part 1 Paragraph 2 of the Data Protection Act 2018 and GDPR Article 6(1)(d) which is permitted for either the Toc or the prosecuting authority providing it is for the prevention of crime or the prosecution of an offender.

The Prosecution will have to disclose all the information under CPIA should it go to Trial etc. This would include any information and how they obtained the information and if it was obtained unlawfully this would be addressed by the court if its unlawful then the case would be thrown out.

Any Lawyer will tell you that any information obtained must be done lawfully. I think the chain here is getting a little off course from the initial issue and there must be more to it than we have been informed of by the OP.

 

[island]

...if the data is being processed on one of the other lawful grounds for processing. If one of those cannot be shown, then consent is very much required. In this case, there was no right for TIL to access the historic data unless permission had been granted.

Go on then, run me through your rationale as to how it is not in the legitimate interests of a train company and a company selling train tickets to share data to aid the prosecution of people who travel without buying a train ticket.

There may be the question of the admissibility of the evidence in court if it were obtained illegally. Also the potential prosecution of the Trainline for a data breach.

Please provide a source for your assertion that data obtained in breach of GDPR is inadmissible in court.

 

[Puffing Devil]

Go on then, run me through your rationale as to how it is not in the legitimate interests of a train company and a company selling train tickets to share data to aid the prosecution of people who travel without buying a train ticket.

Please provide a source for your assertion that data obtained in breach of GDPR is inadmissible in court.

The commercial interests of a train company do not necessarily trump the right of the individual to have their data secured. Sharing data is simply not permitted unless it falls under one of the provisions of the GDPR. As has been said before, a formal application would need to be made to release the data and the data controller is legally responsible for that decision and the implications of it. The issue here is that the Trainline is not the TOC and is not TIL - it's messy from a data protection standpoint. The TOC is only legally entitled to the data necessary to support a journey.

Any data resulting from a breach of the GDPR/Data Protection Act would be challenged in court under s78 (inadmissibility) brought about by s67 (failure to abide by Codes) of PACE.

 

[35B]

The commercial interests of a train company do not necessarily trump the right of the individual to have their data secured. Sharing data is simply not permitted unless it falls under one of the provisions of the GDPR. As has been said before, a formal application would need to be made to release the data and the data controller is legally responsible for that decision and the implications of it. The issue here is that the Trainline is not the TOC and is not TIL - it's messy from a data protection standpoint. The TOC is only legally entitled to the data necessary to support a journey.

Any data resulting from a breach of the GDPR/Data Protection Act would be challenged in court under s78 (inadmissibility) brought about by s67 (failure to abide by Codes) of PACE.

I can’t comment on admissibility, but have practical experience (non rail) of the bounds of “legitimate interest” being set significantly wider than has been suggested here, and in favour of the commercial interest. In the absence of case law, I’d be disinclined to say that a transfer of the kind discussed here would be barred under GDPR.

 

[WesternLancer]

Just out of wider interest ref the GDPR thing, when revenue protection staff pull you over and question you (never happened to me so I am drawing on the way people talk about these things in their posts, or from viewing TV programmes that feature revenue checks), I think they ask you to confirm address details etc etc and get you to sign a document that you agree wit their notes. Do such documents have clauses int hem that give you permission to access ticket purchasing details form retailers etc? IE when you sign the document they have, unless you take special care do strike through anything like that, do they effectively gather the right to access this info via a permission you give (possibly without even realising it) with your signature?

 

[221129]

Just out of wider interest ref the GDPR thing, when revenue protection staff pull you over and question you (never happened to me so I am drawing on the way people talk about these things in their posts, or from viewing TV programmes that feature revenue checks), I think they ask you to confirm address details etc etc and get you to sign a document that you agree wit their notes. Do such documents have clauses int hem that give you permission to access ticket purchasing details form retailers etc? IE when you sign the document they have, unless you take special care do strike through anything like that, do they effectively gather the right to access this info via a permission you give (possibly without even realising it) with your signature?

No it's just signing to say what is written is correct.

 

[WesternLancer]

No it's just signing to say what is written is correct.

Thanks for explanation - helpful to know.

 

[island]

The commercial interests of a train company do not necessarily trump the right of the individual to have their data secured.

But that is not the test. The test is that the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data“ (art 6.1(f) GDPR).

I put it to you that the interests of a data subject in getting away with a crime he has committed do not override the interests of a train company in bringing him to justice for it.

Sharing data is simply not permitted unless it falls under one of the provisions of the GDPR.

That is correct, and happily, in this case, it does.

As has been said before, a formal application would need to be made to release the data

This may be your opinion on what good practice looks like, but it is not a requirement of the GDPR.

and the data controller is legally responsible for that decision and the implications of it.

This is accurate, although of limited relevance.

The issue here is that the Trainline is not the TOC and is not TIL - it's messy from a data protection standpoint.

The only thing that is “messy” is your logic.

The TOC is only legally entitled to the data necessary to support a journey.

Please quote the article of the GDPR which says this.

Any data resulting from a breach of the GDPR/Data Protection Act would be challenged in court under s78 (inadmissibility) brought about by s67 (failure to abide by Codes) of PACE.

S78 PACE states that evidence may be disallowed if “admission of the evidence would have such an adverse effect on the fairness of the proceedings that the court ought not to admit it”. That is a very high bar to clear.

S67 does not appear to me to assist.

I think the above exhaustive explanation makes it clear that there is no GDPR issue here, or if I am wrong, that the issue would lead only to a potential (and small) award of compensation to the passenger.

Out of consideration for my time and of the fact that this is drifting off-topic, I won’t be entering into further discussion on this particular matter.

 

[Puffing Devil]

Out of consideration for my time and of the fact that this is drifting off-topic, I won’t be entering into further discussion on this particular matter.

In which case, I won't bother with a strong rebuttal.

 

[TurbostarFan]

Even if this constitutes a GDPR breach, that does not nullify OP's liability for any crimes committed. It would give OP the right to compensation against whomever had breached the GDPR.

But is the evidence admissible? If not, then this needs addressing at court.

 

[setdown]

So data can be shared if there’s a legitimate interest between parties. So trainline could share my purchase history with LNWR for the purposes of learning one’s travel habits and tailoring, for example, email marketing? I mean it’s in both of their interests to sell me more tickets isn’t it?

 

[Puffing Devil]

But is the evidence admissible? If not, then this needs addressing at court.

That would be the subject of an argument in court. I would say not, others may disagree which is why it would need to go before a judge. I don't have time to research case law on the use of GDPR Breach data in a prosecution.

 

[Puffing Devil]

So data can be shared if there’s a legitimate interest between parties. So trainline could share my purchase history with LNWR for the purposes of learning one’s travel habits and tailoring, for example, email marketing? I mean it’s in both of their interests to sell me more tickets isn’t it?

No.

Purpose limitation

You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.

In this case, Trainline states that it will pass on data only for the purpose of facilitating travel. It could, perhaps look at running anonymised analysis of travel patterns for a generalised campaign.

 

[Bletchleyite]

The strand of GDPR that permits the processing of the data is article 6.1f i.e. that it is in the legitimate interests of Trainline and LNWR to process the data by transferring it from Trainline to LNWR, as both companies have a legitimate interest in ensuring that passengers pay their fares. It is clearly legal and I would urge members to focus on the material matter at hand, namely the fare evasion, rather than clutching at irrelevant GDPR straws.

The legitimate interest test is twofold. It isn't just that those transferring the data have a legitimate interest in doing so, but also that that is not balanced by a disadvantage to the subject of the data. In this case, it very clearly is.

 

[island]

The legitimate interest test is twofold. It isn't just that those transferring the data have a legitimate interest in doing so, but also that that is not balanced by a disadvantage to the subject of the data. In this case, it very clearly is.

I have addressed that point in the first two paragraphs of post 16.

 

[Bletchleyite]

I have addressed that point in the first two paragraphs of post 16.

I don't agree with you. It is certainly not in anyone's interests to be privately prosecuted by a highly disreputable, private, profit-making organisation like TIL. It would be my view that it would only be legitimate were the prosecution being carried out by the CPS with the support of the Police (and in that case the Police would use a proper method to obtain the data, namely a warrant).

Whether the prosecution was justifiable or not, I would absolutely make a complaint to the Information Commissioner about this.

 

[221129]

It is certainly not in anyone's interests to be privately prosecuted

It is definitely in the interests of the TOC that is prosecuting and in the interests of TIL who are investigating.

 

[WesternLancer]

This is all quite interesting, because we do see, from time to time, people coming on to this forum for help where they say that the prosecutor / TOC is showing other evidence from the Trainline etc showing other purchases that the investigator regards as suspicious - often young people it seems (tho they are probably regularly if not always using the Trainline for their ticket purchases).

I guess a basic lesson if you are minded to dodge fares is not to buy the tickets you use to access the railway / short fare / use child fares etc etc on a website with an account linked back to yourself that can then be used as a body of evidence against you!

 

[Bletchleyite]

It is definitely in the interests of the TOC that is prosecuting and in the interests of TIL who are investigating.

It is, but the legitimate interest test is a balance - you can't use it if it would cause significant disadvantage to the subject, and being privately prosecuted absolutely will.

I don't believe the law enforcement basis can be used by a private company, either, it would have to be by the Police/CPS.

 

[221129]

I don't believe the law enforcement basis can be used by a private company

Can you back that up?

 

[Bletchleyite]

Can you back that up?

This is the main list:

Data Protection Act 2018

www.legislation.gov.uk

However:

Scope and key definitions

This Guide to Law Enforcement Processing highlights the key requirements of Part 3 of the Data Protection Bill.

ico.org.uk

says:

If you are not listed in Schedule 7, you may still be a competent authority if you have a legal power to process personal data for law enforcement purposes. For example, local authorities who prosecute trading standards offences or the Environment Agency when prosecuting environmental offences.

...which might provide a get-out. That said, while TIL might fit that description (I am unconvinced, and they may well be just doing it anyway on the basis of a lack of legal precedent on the meaning of that paragraph), Trainline absolutely doesn't, and in transferring to TIL would be processing for the purposes of law enforcement, which I don't believe is OK.