Skip to main content

TfGM Privacy notice

Who we are

Transport for Greater Manchester is committed to making sure that we tell you about the ways in which we use your personal information and that we have the right controls in place to make sure it is used responsibly and kept safe from inappropriate access, theft, or misuse.

This notice explains how we use your information and tells you about your privacy rights and how to law protects you.


What is personal information?

Personal information can be anything that identifies and relates to a living person. This can include information that can identify somebody when it is linked with other information. For example, this could be your name and contact details, or it could be a unique identifier such as a travel card number.

The law treats some information as ‘special’ because the information is more sensitive, and may need more protection. This information includes:

  • Racial or ethnic origin;
  • Sexuality and sexual life;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Political opinions;
  • Genetic and biometric data;
  • Physical or mental health; and
  • Criminal convictions or offences.

Purposes

Your personal information may be collected and used for one or more of TfGM’s services or activities depending on your relationship with us.

Generally, we may need to use some information about you:

• to deliver services and provide support to you;
• to plan future services;
• to administer grants;
• to manage and check the quality of our services;
• to keep track of spending on services;
• if you apply for a job or become employed by us;
• to ensure the health and safety of our staff and members of the public using our services;
• to investigate any concerns or complaints you have about our services;
• to answer requests for information;
• to improve the experience of visitors to our websites;
• to manage your online and marketing preferences;
• in the event of civil disasters or emergencies; and
• for archiving, research or statistical purposes. This includes research and evaluation undertaken by us or in combination with other organisations to inform future service planning where it is not possible to use anonymised data.


Legal basis for processing

Generally, we collect personal information where:

• you, or your legal representative, have given consent;
• you have entered into a contract with us for a service;
• it is required by law (such as an Act of law or under a court order);
• it is necessary to perform statutory functions (including law enforcement);
• it is necessary for employment related purposes;
• it is necessary to protect you or others from harm;
• it is necessary for exercising or defending legal rights;
• you have made your information publicly available;
• it is necessary for archiving, research, or statistical purposes;
• it is necessary in the substantial public interest for wider benefits to society and is allowed by law;
• it is necessary to prevent fraud and protect public funds; and/or
• where it is in our legitimate interests (or those of a third party) provided your interests and rights do not override our interests.

Your personal information may also be shared with other organisations, including those who help us provide our services and those who provide technical help like data storage and hosting for us.

These arrangements and the laws about the sharing and disclosure of personal information are different for every service we offer.

For this reason, each of our key service areas have provide extra information about how they collect and use your information. These notices explain:

• why we need your information;
• who else we get your information from;
• the legal basis for collecting or using your information and the choices you may have;
• who we share it with and why;
• whether decisions which legally affect you are made solely using machine based technology;
• how long we keep your information; and
• how to exercise your rights.

These service specific privacy notices may be accessed here.


Data transfers beyond the EEA

We will only send data outside the European Economic Area (EEA):

• with your consent; or
• to comply with a lawful and legitimate request; or
• if we use service providers or contractors in non-EEA countries.

If we do transfer your information beyond the EEA, we will make sure it is protected in the same way as it would within the EEA. We will use one of these protections:

• Transfer it to a non EEA country with privacy laws which give the same protection as laws within the EEA. Learn more on the European Commission Justice website;
• Put in place a contract with the organisation that means they must protect it to the same standards as the EEA. More information about these contracts is available from the European Commission Justice website; or
• Transfer it to organisations that are part of the Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used in the EEA. You can find out more about Privacy Shield on the European Commission Justice website.

If we plan to make a transfer in response to a lawful and legitimate request we will normally tell you in advance, unless there is a reason for us not to, like law enforcement, or reasons of safety which justify not telling you.


Automated decisions

If we make a decision which legally affects you by using a computerised process that does not involve a human being, our service specific privacy notices will explain this. Our Guide to Exercising your Rights Guide to exercising your rights explains how you can ask us for an automated decision to be reviewed by a person.


Data retention

We will only keep your information for as long as we need to for legal reasons, or for the length of time that we need to for our business needs.

Our Retention schedule tells you how long we keep certain types of information.


How we keep your information safe

We are committed to keeping your information safe and protected from accidental loss or alteration, inappropriate access, misuse or theft.

As well as technical, physical and organisational controls, we recognise that a well-trained, informed, and security alert workforce minimises privacy risks from human error and/or threats from malicious actors.

We require our service providers to implement appropriate industry standard security measures, and only allow them to process your personal information for specified purposes as written in our contracts with them.


Rights of Individuals

You may exercise the rights listed below in relation to TfGM’s use of your personal information.

Some rights only apply in certain situations. To find out more, please refer to our Guide to exercising your rights or alternatively visit the Information Commissioner’s website.

To exercise these rights, please contact TfGM’s Data Protection Officer (DPO). Contact details for the DPO are below.


Complaints to the Information Commissioner

If you are not satisfied with the way in which we have answered a request or concern, or how we have handled your information, you have the right to make a complaint to the Information Commissioner. Their contact details can be found on their website.

You do not need to complain to us first, but we would encourage you to contact our Data Protection Officer so we can consider your concerns as quickly as possible.


Data Protection Officer contact information

Whether you are exercising your rights or raising a concern, you will normally need to include documents that prove your identity as well as a clear and precise description of your request or concern.

We will process requests as the law tells us to, and within the times allowed by the law, and we will let you know if an extension of time will be needed.


To contact the Data Protection Officer:

By email: data.protection@tfgm.com

By post: Data Protection Officer, Transport for Greater Manchester, 2 Piccadilly Place, Manchester, M1 3BG


Cookies

To find out how we use cookies, please see our cookie notice.


Updates

We may update or revise this Privacy Notice at any time so please refer to the version published on our website for the most up to date details.


Service specific privacy notices

Each department within TfGM processes personal data for different purposes and under different legal bases. For more information on how we process your personal data please view the below service specific privacy notices:

Logistics and environment
Projects Group