How Long Should Retailers Keep Records of Ticket Purchases For?

[Hadders]

In a thread in Disputes & Prosecutions GWR and Trainline have researched a customers online ticket purchasing history for the last five years.

Penalty Charge retrospectively by GWR based on Trainline history for the past 5 years

Hi everyone, I have recently taken a train to Castle Cary (going to Glastonbury on June 26) and when I was presenting my ticket on the exit I realised that my Railcard expired so they have sent me to a GWR representitives on the side who were taking details from anyone with a similar situation...

www.railforums.co.uk

How long do ticket retailers keep details of online ticket purchases?
I'm not a GDPR expert but as I understand it data should not be retained for longer than it is usefully required. How long should this be for rail tickets?
Prevention of crime is an exemption under GDPR but should online ticketing purchasing histiries be kept for years 'just in case' a ticketing irregularity is identified in a few years time.

Can anyone comment on the policy of any particular retailer or be more definitive about the legal position?

 

[Tazi Hupefi]

Probably 6 years+

It is evidence of a contract. Some tickets can have validities of over 12 months in any event, so probably 6 years from the date of expiry as a minimum.

It would be necessary in the event of any number of possible civil claims, as well as for general accountancy and taxation purposes. Financial records should be kept for 6 years from the end of the last company financial year they relate to.

This forum is very keen on promoting the rights of customers, so surely, you want the best possible data to be available throughout before the statute of limitations for a claim kicks in?

Important to note that nobody buys a ticket. You cannot buy a ticket. You buy rights under a contract. The ticket is simply the proof of your entitlements and responsibilites relating to that contract. Therefore even if a ticket is long gone, the underlying contract hasn't disappeared.

Some particular transactions, let's call them tickets to keep things simple, may even have a necessary need well beyond 6 years - for example, where certain discounts are used, and there needs to be an audit trail, for example, records of staff discounted tickets or pass useage may be retained throughout employment etc. Job Centre Discounted travel may need to be retained for government audit purposes / national statistics and so on.

If you buy a 3 year railcard, even if there wasn't a requirement to maintain the financial records for 6+ years, it is probably quite reasonable in law, for "the railway" to try to connect that railcard to your purchases, at least throughout it's validity period - for commercial reasons, as well as law enforcement, customer service etc. Historically that may have proved more difficult than the present, where technology is now available.

(Some, but not all of the requirements are within Sections 386-389 Companies Act 2006).

386 Duty to keep accounting records​

(1)Every company must keep adequate accounting records.

(2)Adequate accounting records means records that are sufficient—

(a)to show and explain the company's transactions,

(b)to disclose with reasonable accuracy, at any time, the financial position of the company at that time, and

(c)to enable the directors to ensure that any accounts required to be prepared comply with the requirements of this Act F1....

The other relevant legislation is Section 2 or 5 Limitation Act 1980. However, the limitation period can be extended in some circumstances, as specified in the legislation, such as for theft or fraud.

There is currently also a Bill passing through Parliament -

Economic Crime and Corporate Transparency Bill​

This introduces (in some circumstances) a new "Failure to Prevent Fraud" offence and requirements. This is (deliberately) likely to strengthen the case (and requirement) to retain records amongst many other things for the purposes of crime prevention and law enforcement - as not only will a company need it to take a stronger position on potential fraud, they will also need to be able to provide evidence in their own defence, if they are accused of not doing enough to prevent fraud in a criminal court. This is primarily intended to tackle 'insider fraud' - but such fraud could naturally have an effect on customers, and therefore their data etc.

The Home Office has a helpful fact sheet:

Factsheet: failure to prevent fraud offence

www.gov.uk

 

[fandroid]

Mod note: merged into this thread

We've had a recent request for advice where Trainline has given a TOC's prosecution department ticket purchasing data relating to an individual that has gone back beyond 2019. Is keeping that data compliant with GDPR? I have done the training and remember that there has to be a good reason for retaining personal data like that. I would have thought that "we have to keep it in case a TOC comes fishing" is not a valid reason. They obviously have to keep financial records for a certain length of time, but that doesn't mean the archive financial data has to be linked with personal accounts in maximum detail.

Can anyone advise what the legal position is?

 

[Surreytraveller]

Detection and prevention of crime is a good enough reason under GDPR.

 

[Hadders]

Detection and prevention of crime is a good enough reason under GDPR.

Yes but for how long should records be kept. A year, 5 years, 10 years?

What’s to stop a rogue train company that’s short of a few quid carrying out a fishing expedition from 10 or 20 years ago.

CCTV is routinely destroyed after 31 days, I’m not suggesting that ticket purchasing history should be deleted after 31 days but we don’t keep CCTV for years ‘just in case’.

 

[Surreytraveller]

Yes but for how long should records be kept. A year, 5 years, 10 years?

What’s to stop a rogue train company that’s short of a few quid carrying out a fishing expedition from 10 or 20 years ago.

Presumably for as long as the information would be useful. Is the limit six years to take someone to court for dodging their fares?

 

[WelshBluebird]

It is worth adding that the Trainline keeping a record of my previous transactions was useful when I was challenging GWR on removing a particular fare last year. I try to clean out my emails where I can so I didn't have a record there, but my Trainline account had the details of the fare and how much it cost, which allowed me to argue with GWR about how much the removal of that fare would cost passengers making that journey, which is partly why they ended up reinstating that fare. Without that record I wouldn't have been able to make a convincing argument. It isn't all bad, and it is worth stating the obvious that retailers keeping a history of your transactions is incredibly common and absolutely isn't something unique to the railways. On my Amazon account I can see my purchases going back 10 years (of course that doesn't mean it 100% complies with GDPR, but something being as common as that isn't exactly "shady").

 

[Watershed]

I think the realistic limit has to be something on the order of 6 years from the last date on which the ticket would have been valid - seeing as this is the civil statute of limitations.

Much longer than this and it's hard to justify the necessity under the GDPR; the possibility of a civil claim and need to keep adequate records for tax and accounting purposes suggests it's reasonable to keep records for at least this long.

 

[Surreytraveller]

It is worth adding that the Trainline keeping a record of my previous transactions was useful when I was challenging GWR on removing a particular fare last year. I try to clean out my emails where I can so I didn't have a record there, but my Trainline account had the details of the fare and how much it cost, which allowed me to argue with GWR about how much the removal of that fare would cost passengers making that journey, which is partly why they ended up reinstating that fare. Without that record I wouldn't have been able to make a convincing argument. It isn't all bad, and it is worth stating the obvious that retailers keeping a history of your transactions is incredibly common and absolutely isn't something unique to the railways. On my Amazon account I can see my purchases going back 10 years (of course that doesn't mean it 100% complies with GDPR, but something being as common as that isn't exactly "shady").

Maybe keeping long records is satisfactory, with a caveat that records older than six years can only be shared with other organisations with your consent?

 

[fandroid]

I had a look at GWR's Privacy Policy. They keep records of Railcards for the validity period of the Railcard and for two years thereafter. The latter in case the purchaser wants to renew.

In the case that prompted this thread the investigation relates to Railcard discounts, so it's unreasonable for a TOC to expect an individual to keep Railcard records any longer than they do themselves.

Given that an actual prosecution is very unlikely for historical ticket incidents without a full confession, this trawling through old records is simply a debt recovery operation.

I think the "crime investigation" excuse could be said to invalidate just about all of GDPR. There's always a possibility that any bit of data could help detect and prosecute a crime. GDPR was designed to protect individuals, not make them more vulnerable

 

[Surreytraveller]

I do think the thread which prompted this one is a very big fishing expedition, and it is GWR that need to be providing the evidence, rather than the OP that their brother has a Railcard. The only evidence GWR have is that the OP didn't have a Railcard on that one occasion, and the OP should offer the full fare of that one journey in full and final settlement.
Any reasonably competent solicitor should be able to get this thrown out of court, if GWR took it that far.
GWR are just trying their luck

 

[fandroid]

I do think the thread which prompted this one is a very big fishing expedition, and it is GWR that need to be providing the evidence, rather than the OP that their brother has a Railcard. The only evidence GWR have is that the OP didn't have a Railcard on that one occasion, and the OP should offer the full fare of that one journey in full and final settlement.
Any reasonably competent solicitor should be able to get this thrown out of court, if GWR took it that far.
GWR are just trying their luck

I had a quick look at Trainline's Privacy Policy too. They even offer a template letter for complaining to them about Trainline's misuse of personal data! And explain how to complain to the Information Commissioner .

It strikes me that in the case in point, they had no valid reason to keep personalised data that long, and secondly, they handed it over to GWR without any safeguards concerning its use. Bullying customers for cash is not a legitimate use.

 

[Benjwri]

I think the realistic limit has to be something on the order of 6 years from the last date on which the ticket would have been valid - seeing as this is the civil statute of limitations.

Much longer than this and it's hard to justify the necessity under the GDPR; the possibility of a civil claim and need to keep adequate records for tax and accounting purposes suggests it's reasonable to keep records for at least this long.

This is correct. Trainline are legally required to keep a record of their invoices for 6 years from the end of the current tax year, and therefore the data obviously shouldn’t be deleted under GDPR.

It is also in the customer interest to keep these journeys, as anyone running their own business or self employed may have claimed train journeys as a business expense on their tax, and therefore also has to keep records for the same amount of time.

 

[Tazi Hupefi]

Presumably for as long as the information would be useful. Is the limit six years to take someone to court for dodging their fares?

It depends what approach and what legislation is used.

If criminal prosecution is sought:

Fraud Act 2006 and other miscellaneous legislation- Largely open ended. Fraud prosecutions can regularly take up to a couple of years following the offence simply because of the effort required can be demanding.

Byelaw/Regulation of Railways - 6 months FROM THE DATE THE PROSECUTING AUTHORITY REASONABLY BECOME AWARE OF THE OFFENCE(S).

For suing a passenger / civil recovery instead:

5 year after the last "incident" (Scotland)

6 years elsewhere after the last "incident" (England and Wales)

Even if you make the argument that a TOC rarely uses the civil approach, they still have the right to do so for that period of time afterwards, and thus have valid justification for data retention, although the financial reporting requirements align with this anyway so it's a moot point.

I had a quick look at Trainline's Privacy Policy too. They even offer a template letter for complaining to them about Trainline's misuse of personal data! And explain how to complain to the Information Commissioner .

It strikes me that in the case in point, they had no valid reason to keep personalised data that long, and secondly, they handed it over to GWR without any safeguards concerning its use. Bullying customers for cash is not a legitimate use.

They do have good reason. As has been specifically indicated throughout this thread.

You appear not to like that fact, but from a legal perspective, they will be watertight and have several defences to any complaint.

You cannot focus on just one strand of reasonableness when it comes to data protection, just because one reason for retention may not apply/is more restrictive, does not mean that there is no other legal basis or requirement that makes it a moot point. Reasonabless in some circumstances is highly subjective anyway - and is entirely dependent on the unique circumstances of the particular matter at hand.

Things are not so binary as you seem to think. Having read the GWR thread, the forum simply does not have anywhere near enough information or detail to be able to make any qualified assesment of the data protection concerns you refer to.

A person under investigation is not entitled to any evidence / disclosure in crime anyway unless and until criminal proceedings are actually brought by way of a charge.

 

[fandroid]

Can you legitimately request that a ticket seller removes all personal sales data after say three years?

If someone wants to avoid exposure to fishing expeditions by TOCs, would they feel reasonably secure if they only used ticket machines? And in that case would the TOC have any right of access to bank records if cards were used?

 

[ainsworth74]

Can you legitimately request that a ticket seller removes all personal sales data after say three years?

You can legitimately make such a request that stop processing your personal data but they may simply turn around say that they have a legitimate interest in keeping the data for a longer period of time. Consent is not a catch all within GDPR, it's simply often the easiest way for an organisation to show that they had permission to process an individuals data (as well as arguably being the most transparent). Organisations are perfectly entitled to rely upon another basis for the processing of personal data. Though they should be clear before the start processing which bases they are relying upon. They shouldn't change horse halfway through (i.e. saying that the rely on consent and then suddenly change all their policies to say "Oh actually it's legitimate interest", they should have started out by clearly saying it's consent and legitimate interest).

The ICO have a lot of information (and most of it is quite well written so easy to understand) on this subject but the summary version would be:

What are the lawful bases for processing?​

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

A guide to lawful basis

ico.org.uk

 

[Tazi Hupefi]

Can you legitimately request that a ticket seller removes all personal sales data after say three years?

If someone wants to avoid exposure to fishing expeditions by TOCs, would they feel reasonably secure if they only used ticket machines? And in that case would the TOC have any right of access to bank records if cards were used?

You calling it a fishing expedition does not make it one. It is a criminal investigation. Naturally, some suspicions are unfounded, but that is what an investigation is for, to see whether a case exists based on an allegation and/or whatever evidence (or potential evidence) is available, including giving the person under investigation an opportunity to make certain statements or respond to questions.

At the risk of getting a bit off topic, consider that a TOC is going to investigate you for a potential criminal matter.

At some point, there is likely to be an interview under caution and ongoing statements etc from that point forwards.

You do not have to say anything. But, it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence

You can ignore the investigation, you can fail to respond etc - you can even respond 'no comment', but there are potential consequences of doing so. All this nonsense about it being entirely for the TOC to prove alone etc is fantasy, the reality is that an investigation needs cooperation and pragmatism. If the suspect has some information that assists the investigation, they should offer it up. If it gets to court, and you only then start to offer explanations etc, the judiciary will take a dim view of that behaviour.

If the suspect is guilty, and knows they are, well that's a different matter - and proper legal advice would likely result in an alternative strategy when it comes to cooperation.

 

[ainsworth74]

Trainline's Privacy Policy is quite interesting (and easy to follow to be fair!) and they do rely on legimate interest quite a lot so from a Trainline perspective consent rarely enters into the discussion. For instance:

Payment card details and the address your card is registered to​

• Necessary to pay for ticket, provide refunds and compensation for journey delays, where eligible.
• Some of the travel operators we work with may run your data through their own payment and eticket systems, to issue your tickets.

Legal basis for processing: Processing is necessary for the performance of a contract.

• To prevent and detect fraud against either you or Trainline.

Legal basis for processing: Processing is necessary for the purposes of Trainline's legitimate interest.

No consent necessary here. You could ask them to delete your data but they'd simply come back and say that they were processing the data on the above bases and so have decided not to delete the data. You could then complain to the ICO of course to argue the toss.

In terms of who they pass data onto they say the following:

Travel operators (rail, coach and bus)​

We work with travel operators who also need your data to create your tickets and provide services in relation to your journey as well as to deal with after-sales matters. Some travel operators may run your data through their own payment and eticket systems in order to issue your tickets or notify you of any travel disruption. We may also share your personal data with travel operators to prevent and detect fraud against either you, Trainline or the travel operator. We only share what is necessary to meet this purpose, and we make it clear to them they must keep your personal data safe.

Again fairly boilerplate I would have thought, especially that clause about how they share it to prevent or detect fraud against either you, Trainline or the travel operator. Can't argue that they weren't upfront about passing information onto railway companies! Though it does an interesting question for me. I'd be fascinated to know what they do actually pass onto operators. It's not immediately clear to me where they say that this could include purchase history as only payment card details and the address registered to the card are listed as being involved in the detection or prevention of fraud. Personally I'd expect to see it somewhere in the privacy policy that they would pass that sort of information across or at least that they would process it for the purpose of the detection or prevention of fraud. Not a show stopper but interesting anyway.

I also think their policy on retention is interesting:

Keeping your data​

While you’re using our services, your personal data will be safe with us, but we’ll never keep it for longer than we need to.
As soon as we don’t need your personal data to offer our full services to you, we’ll make sure it’s either deleted or anonymised.

"As soon as we don't need your personal data to offer our full service to you" is a bit woolly as that would suggest, to me, that they should be deleting/anonymising records as soon as say any refund time limits have passed for a ticket which obviously can't be the case as they must surely need to keep that information for financial record keeping purposes for six years. I'm surprised that they don't just do a blanket statement to that effect to be honest! A request by someone to Trainline to confirm that they've deleted/anonymised records of a ticket purchase, on the basis that they don't need the personal data to offer the full service anymore, from say two years ago could be quite interesting. To be clear I think they have a need to keep the data for six years, just feels like that they've mis-stepped slightly with their wording there.

Privacy Policy | Trainline

When you use our services, you're trusting us with your information. This Privacy Policy will inform you as to how we look after your personal data.

www.thetrainline.com

 

[ainsworth74]

Now, GWR is interesting. It's not as easy to read but I do think in some respects its clearer for it. Under Section 5 it's very clear actually:

What we use your personal data for (purpose)	Type of data	Legal basis for processing (including basis of legitimate interest)
To carry out our obligations arising from any contracts entered into between you and us including: (a) managing payments, paying refunds or compensation, fees and charges; (b) collecting and recovering money owed to us; (c) running fraud checks if we have reasonable suspicions; (d) provide you with the information, products and services that you request from us including, but not limited to, contacting you about your journey;	(a) Identity (b) Contact (c) Financial (d) Transaction (e) Health (f) Marketing and Communications	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us, to pay refunds or compensation owed to you and to prevent us facilitating fraud)

It's fairly explicit there that they are a) processing data for debt recovery and fraud checks (though I like the weaselly "reasonable suspicions") and b) are not relying, at all, on consent to do so. It's performance of a contract and legitimate interest. End of discussion. If you're unhappy with them processing your data in this way it's complaint to their Data Protection Officer and then off to the ICO territory to argue the toss. They've also included the nice general get out clause of: "To establish, exercise and defend our legal rights" later in the same section as well.

Their policy on the retention period of data is also, to me, fairly boilerplate:

We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. The criteria for determining the duration for which we will retain your personal data are as follows:

(1) we will retain your personal data in a form that permits identification only for as long as:

• we maintain an ongoing relationship with you; or
• your personal data is necessary in connection with the lawful purposes set out in this policy for which we have a valid legal basis.

plus
(2) the duration of:

• any applicable limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with your personal data, or to which your personal data may be relevant); or
• an additional reasonable period following the end of such applicable limitation period.

and

(3) in addition, if any relevant legal claims are brought, we may continue to process your personal data for such additional periods as are necessary in connection with that claim.

During the periods in paragraphs (2)a and (2)b above, we will restrict our processing of your personal data to the storage of, and maintaining the security of, those data, except to the extent that those data need to be reviewed in connection with any legal claim or obligation under applicable law.

After this period your personal data will be anonymised so that you are no longer identified or identifiable from such information, or securely deleted/destroyed.

Without saying as such that to me says they keep it for at least six years. Though I wonder if they've left a little niggle in there for themselves by making it sound more like they retain it for the duration of any relevant limitation periods in case someone brings legal action against them rather than potentially for them to bring legal action against someone else.

Privacy and cookies | Great Western Railway

Great Western Railway keep all current and future information private. Read our privacy policy to see how we protect the personal information you give us.

www.gwr.com

In any event I'm not sure that GWR are operating in a way which is manifestly incompatible with GDPR. Their policy isn't screaming red warning flags at me especially (and neither is Trainline's really).

I think the more interesting angle is definitely in the data transfer side (between say Trainline and a TOC) where they do clearly say that they can but I wonder if they are definitely only transferring only the "necessary" information and then what's going on internally. Policy is one thing, but are they actually doing what their policy says they should?

Another area I wonder about is with these fishing exercises and what are almost certainly automated pattern matching exercises. GDPR is quite feisty on automated decision making and profiling. It's not a show stopper (organisations can do automatic decision making and profiling) but care is required and GWR don't appear to mention that they're doing that sort of thing (Northern are much more open in their Privacy Policy that they are doing some automated bits and bobs).

 

[fandroid]

Thanks @ainsworth74


While I understand that financial records have to be kept, is there any reason why they cannot be anonymised once a shorter period has elapsed? If it's mainly a tax thing, would HMRC want to know who bought what ticket?

I question the methods used by TOCs like GWR in their pursuit of information under the heading of criminal investigation. In the case which inspired this thread, GWR did a rudimentary amount of investigation using data supplied by Trainline. They put the worst interpretation on that data, assuming that all the information that they did not have would support their case, when the opposite is more probably true.

If the OP has been open with us, and we've no reason to doubt them, they did provide quite a lot of background information to the inspector which backed their case with regard to the legitimacy of their historic purchases.

GWR then used this entirely one -sided and partial view to hit the OP with a significant threat: pay £5k+ or face prosecution. The threat of prosection by a big corporation on an individual is seriously unbalanced thing. They are threatening the OP with a mightily expensive and troubling experience if they don't pay a sum based on entirely one-sided interpretation of the data.

My point is that it's not so much a criminal investigation as a flawed and incomplete data processing exercise designed to extort cash from travellers found to be at genuine fault on one occasion only.

 

[island]

Financial records are a red-herring because they could reasonably be kept with anonymised data after a certain time.

There is however reasonable cause to retain transaction data until the statute of limitations for a civil claim arising from the transaction expires (6 years in England/Wales), plus the 3 months one has to serve a claim after issuing it. This is likely to get rounded up to 7 years considering data deletions are usually conducted in bulk rather than on the exact date.

 

[Ken H]

Thanks @ainsworth74


While I understand that financial records have to be kept, is there any reason why they cannot be anonymised once a shorter period has elapsed? If it's mainly a tax thing, would HMRC want to know who bought what ticket?

I question the methods used by TOCs like GWR in their pursuit of information under the heading of criminal investigation. In the case which inspired this thread, GWR did a rudimentary amount of investigation using data supplied by Trainline. They put the worst interpretation on that data, assuming that all the information that they did not have would support their case, when the opposite is more probably true.

If the OP has been open with us, and we've no reason to doubt them, they did provide quite a lot of background information to the inspector which backed their case with regard to the legitimacy of their historic purchases.

GWR then used this entirely one -sided and partial view to hit the OP with a significant threat: pay £5k+ or face prosecution. The threat of prosection by a big corporation on an individual is seriously unbalanced thing. They are threatening the OP with a mightily expensive and troubling experience if they don't pay a sum based on entirely one-sided interpretation of the data.

My point is that it's not so much a criminal investigation as a flawed and incomplete data processing exercise designed to extort cash from travellers found to be at genuine fault on one occasion only.

The card number will be in a vault. You should not extract the card number from the vault to get a 16 digit number or you are breaking PCIDSS regs. You should certainly not pass them round between retailers and TOC's by email etc. How you can link transactions together to make a case without 16 digit card numbers I dont know.
And as I said above, vaults are purged as saving card numbers in them costs real money.

 

[Tazi Hupefi]

The card number will be in a vault. You should not extract the card number from the vault to get a 16 digit number or you are breaking PCIDSS regs. You should certainly not pass them round between retailers and TOC's by email etc. How you can link transactions together to make a case without 16 digit card numbers I dont know.
And as I said above, vaults are purged as saving card numbers in them costs real money.

It's not exactly hard. The Major Industry Identifier (MII) is the first four digits, and can tell you what type of card it is, who issued it etc. That combined with the last 4 digits is often all you need to make a match, especially when you start to understand what the payment profile looks like. For example:

4731xxxxxxx9390 £3.00 01/02/2023 used at Tiverton Parkway TVM (MID Code)
4731xxxxxxx9390 £3.00 02/02/2023 used at Tiverton Parkway TVM (MID Code)
4731xxxxxxx9390 £3.00 03/03/2023 used at Tiverton Parkway TVM (MID Code)

It's going to be the same person. Add time bands, days of week, connect it to the other ticketing data and you pretty quickly know who is doing what. I think the expiry date is available too, making it even easier.

You don't need to breach PCI-DSS.

Even cash is getting easier to track like that now - albeit you can't put a name to it (as easily anyway), but if you know someone is buying a particular cash ticket at that aproximate time every day, Monday to Thursday, only needs a plain clothes RPO to pop along and see who it is.

 

[Ken H]

It's not exactly hard. The Major Industry Identifier (MII) is the first four digits, and can tell you what type of card it is, who issued it etc. That combined with the last 4 digits is often all you need to make a match, especially when you start to understand what the payment profile looks like. For example:

4731xxxxxxx9390 £3.00 01/02/2023 used at Tiverton Parkway TVM (MID Code)
4731xxxxxxx9390 £3.00 02/02/2023 used at Tiverton Parkway TVM (MID Code)
4731xxxxxxx9390 £3.00 03/03/2023 used at Tiverton Parkway TVM (MID Code)

It's going to be the same person. Add time bands, days of week, connect it to the other ticketing data and you pretty quickly know who is doing what. I think the expiry date is available too, making it even easier.

You don't need to breach PCI-DSS.

Even cash is getting easier to track like that now - albeit you can't put a name to it (as easily anyway), but if you know someone is buying a particular cash ticket at that aproximate time every day, Monday to Thursday, only needs a plain clothes RPO to pop along and see who it is.

where do you get the '4731' from? My client does not store it on their systems. Just ************1234. Well actually we store 2j4t78ss523x9390, which is the token. Why would we need to MII? We would never use it.

 

[Wallsendmag]

where do you get the '4731' from? My client does not store it on their systems. Just ************1234. Well actually we store 2j4t78ss523x9390, which is the token. Why would we need to MII? We would never use it.

Do you only accept Visa/ Mastercard ?

 

[Ken H]

Do you only accept Visa/ Mastercard ?

Amex but its very very minor. But it varies by country. Netherlands, Ideal does more than cards. Switzerland prefers PayPal. In UK, we still take an astounding number of cheques.

 

[ainsworth74]

I remain sceptical of the TOCs’ reliance on the “investigating crime” exemption. Alleging someone has committed a criminal offence does not give one carte blanche to do whatever you want with someone else’s data. You have to have a legal basis for processing that data, and the police have been given that legal basis elsewhere in the Data Protection Act. Despite their attempts to claim otherwise, the TOCs do not have those powers.

I remain firm in my believe that the TOCs and Trainline should not be doing what they are doing, but also that the UK Information Commissioner is about as much use as a chocolate teapot. As I said in the other thread, who’s going to stop them?

Sure, I don't necessarily disagree but they would no doubt argue a legitimate interest in processing the data for that purpose and indeed from looking at GWR and Trainline that's exactly what they are doing. Now, whether that would stand up to scrutiny I'm not so sure. It would be a matter for someone to complain about including going to the ICO (who I hold in slightly higher esteem than yourself!). Though I still think this might be the more interesting area in general:

I think the more interesting angle is definitely in the data transfer side (between say Trainline and a TOC) where they do clearly say that they can but I wonder if they are definitely only transferring only the "necessary" information and then what's going on internally. Policy is one thing, but are they actually doing what their policy says they should?

Another area I wonder about is with these fishing exercises and what are almost certainly automated pattern matching exercises. GDPR is quite feisty on automated decision making and profiling. It's not a show stopper (organisations can do automatic decision making and profiling) but care is required and GWR don't appear to mention that they're doing that sort of thing (Northern are much more open in their Privacy Policy that they are doing some automated bits and bobs).

(I've come over to this thread as it felt we were getting in the way of helping the OP in the original thread!)

 

[Tetchytyke]

I've come over to this thread as it felt we were getting in the way of helping the OP in the original thread!

Thank you and agreed. The GDPR rabbit hole isn’t going to help the OP in that thread.

It would be a matter for someone to complain about including going to the ICO (who I hold in slightly higher esteem than yourself!)

The UK ICO has teeth, they just won’t use them. I’m not sure why. Maybe it does take more people complaining, but even then I’d not have much faith.

I don’t think the TOCs are automating their decision making, they’re just filtering the data they get from Trainline. Easy enough to do in Excel. And one of their highly-skilled investigative officers is putting the results into a barely-literate boilerplate template letter and pressing send.

I genuinely don’t see how the TOCs think they’ve got the legal right to process this data. I work as an Inspector for a regulator, my job is literally upholding the regulations in my sector and breaches of our regulations are a potentially criminal matter, yet even I don’t have the right to go off on fishing trips in the manner the TOCs seem to do. If I rang a bank and demanded a list of transactions relating to a subject I’d be invited to Foxtrot Oscar and come back with a Court order. But Trainline just roll over and have their tummy tickled.

 

[island]

I tend to agree both that the data processing is on dubious grounds and that the ICO will do naff all about it.

[And I work for a bank and have recently told an officer investigating something (which was not rail ticket fraud) to come back with a court order ]

 

[fandroid]

None of that evidence that GWR raked up from Trainline is proof of anything except ticket purchase with Railcards. Presumably a lot of tickets bought by a good customer! They need to match every one of those purchases with other facts, to provide evidence of wrongdoing, and they don't stand a snowball in hell's chance of doing that. That's what I meant previously by "fishing expedition". They are fishing for a large sum of cash from one of Trainline's better customers. Trainline ought to have a very robust view about that.