The General Data Protection Regulation (“The GDPR”)
You may be aware that the law in relation to data protection is changing with effect from 25 May 2018, when the GDPR comes into force in the UK.
SPT takes the protection of individuals’ data very seriously, and will comply with the new data protection law when the GDPR comes into force on 25 May 2018. We will be updating our Data Protection our Digital policies to reflect the new law. You can find our Data Protection policy here.
In the meantime, individuals about whom SPT holds data (we will call these individuals “data subjects”) have new legal rights under the GDPR in respect of their personal data and can make requests to us to exercise them.
Here we’re setting out for you how you can exercise your data rights and how SPT will process requests by data subjects:
“Personal data” means any information relating to an identified or identifiable data subject. An identifiable data subject is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier.
“Processing” means any operation or set of operations that is performed on personal data, such as collection, use, storage, sharing and destruction.
- Recruitment – Applicants for posts [PDF, 90KB]
- School Transport – Information about Pupils [PDF, 92KB]
- The Strathclyde Concessionary Travel Scheme – Ferry Cards [PDF, 88KB]
- The ZoneCard Travel Diary [PDF, 96KB]
- SPT and CCTV [PDF, 86KB]
- The National Entitlement Card Scheme [PDF, 98KB]
- SPT’s Busking Competition [PDF, 81KB]
- SPT and Competitions [PDF, 86KB]
- MyBus [PDF, 92KB]
- Contractors [PDF, 386KB]
- SPT and Tender Opportunities [PDF, 386KB]
- Register of Operators [PDF, 396KB]
- SPT and Contractor Subway Passes [PDF, 387KB]
- Drivers/Attendants and the Protection of Vulnerable Groups (“PVG”) Scheme [PDF, 407KB]
- SPT and Recorded Telephone Calls [PDF, 350KB]
- Transport Planning and Policy – Preparing the Regional Transport Strategy [PDF, 350KB]
- SPT and the Ferry Card [PDF, 392KB]
- SPT and the Upper Circle [PDF, 396KB]
- Contacting SPT-Complaints and Enquiries [PDF, 373KB]
- SPT and our former employees [PDF, 125KB]
- The Subway Smartcard [PDF, 390KB]
- ZoneCard Online [PDF, 393KB]
From 25 May 2018 data subjects have the right to approach SPT and:
- Request access to personal information (commonly known as a “data subject access request” or a DSAR) and have the right to be informed about collection and use of their personal data;
- Request rectification of personal information;
- Request erasure of personal information;
- Request the restriction of processing of personal information;
- Request the transfer of personal information to another party;
- Object to processing of personal information where SPT is relying on a legitimate interest (or those of a third party) to lawfully process it; and
- Request not to be subject to automated decision making.
Rights are not absolute
It is important to note that the new rights that are afforded to data subjects under the GDPR are not absolute rights; they have to be considered and assessed and a response prepared on a case by case basis.
Before responding to any request by a data subject in relation to their personal data, we shall check whether there are any exemptions that apply to the personal data that is the subject of the request. Exemptions may apply where it is necessary and proportionate for SPT not to comply with a data subject request as described above in order to safeguard:
- national security;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- other important objectives of general national public interest, in particular an important national economic or financial interest, including monetary, budgetary and taxation matters, public health and social security;
- the protection of judicial independence and judicial proceedings;
- the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority;
- the protection of the data subject or the rights and freedoms of others; or
- the enforcement of civil law claims.
How to make your request to exercise your data protection rights
A request to exercise these rights should be made to SPT’s Information Governance and Committee Services Officer and you can submit your request as follows:
- Via email to email@example.com
- Via post to 131 St Vincent Street, Glasgow, G2 5JF, marked for the attention of the Information Governance and Committee Services Officer.
When you are exercising your rights we would encourage you to use the following forms:
- SPT’s DSAR Form (for when you want to take access to your own information); or
- SPT’s Subject Rights Form (for when you want to exercise any of the other data subject rights described above).
You can find these forms on our website and they are also available on request from our reception at 131 St Vincent Street, Glasgow, G2 5JF.
When you’re making a request for access to your personal data from SPT’s CCTV systems, please use the particular DSAR-CCTV form and it should be directed as follows:
For access to the Subway CCTV system please send your request to:
Operations and Security Manager (Subway)
Govan Subway Station,
737 Govan Road,
For access to the Bus CCTV and 131 St Vincent Street CCTV system:
Customer Services and Security Manager
Buchanan Bus Station
Once SPT receives your data subject request
- We must provide a copy of the information that you are entitled to under the GDPR free of charge.
- However, SPT is entitled under the law to charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- SPT must deal with your request for information and provide you with the information to which you are legally entitled at the latest within one month of receipt.
- However, we will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, SPT must inform you within one month of the receipt of the request and explain why the extension is necessary.
Information that SPT is processing
We will be providing a number of new notices, as required by the new law, setting out for you what personal information SPT holds, why we need that information, what we are using it for, and whether we are sharing the information.
Where SPT is holding information that relates to you and from which you are identifiable, we will retain that for so long as it is necessary, reasonable and proportionate to do so in order to fulfil the purposes for which your data was collected, and to allow SPT to perform its functions and tasks undertaken in the public interest and in order to allow us to meet our public sector duty to deliver best value.
SPT will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
It is important to note that SPT is a public authority covered by the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Environmental Information (Scotland) Regulations 2004 (“the EIRs”). This means that in certain circumstances we are obliged to release information into the public domain. Where your personal data falls within the scope of a request for information under FOISA or the EIRs, SPT will appropriately assess your personal information and the reasons why we hold that information, against our obligations and the exceptions and exemptions to the obligation to disclose information. We will only release your personal information where to do so would be compatible with the data protection law in force at the time.
The GDPR introduces an obligation for SPT to appoint a Data Protection Officer (DPO).The DPO is a leadership role responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements and other data protection laws.
The Data Protection Officer for SPT:
Assistant Chief Executive
Strathclyde Partnership for Transport
131 St Vincent Street
0141 333 3298
You can find out more about your rights in relation to data from the Data Protection Officer by telephone or in writing, (as detailed above).
More information about data protection and how it applies to you is available from the Information Commissioner’s Office: –
Information Commissioner’s Office
Cheshire, SK9 5AF
Telephone: 0303 123 1113
Information Commissioner’s Office-Scotland
45 Melville Street
Telephone: 0303 123 1115