Our Client Banner

Privacy Policy

This privacy policy explains how First Rail London Limited ("FRL", "we", "us" or "our") collects and uses personal data when you use London Overground services or interact with us.

FRL operates London Overground services within the Transport for London (TfL) network under a concession arrangement. Rail for London Limited (“RfL”), a subsidiary of TfL, is responsible for managing London Overground operations on TfL’s behalf. Personal data may be processed by TfL, RfL and authorised operators and service providers acting under their instructions. This means that, depending on the activity, FRL may act as a controller, joint controller with TfL or processor for TfL. TfL’s privacy notices are available here.

1. About us

  • FRL is the concession operator for London Overground, a company registered in England and Wales under company number 16186446 whose registered office is at 8th Floor, The Point, 37 North Wharf Road, London, W2 1AF.

We are registered as a data controller with the Information Commissioner's Office and our registration number is ZC124403.

2. How to contact us (and the Data Protection Officer)

We have appointed a Data Protection Officer. They are responsible for our approach to data protection and protecting your privacy.

If you have questions about this privacy policy or how your personal data is handled, or if you want to exercise your rights, you can contact us:

  • Email: FRL.DPO@firstgroup.co.uk
  • Post: First Rail London DPO, 8th Floor, The Point, 37 North Wharf Road, London, W2 1AF.

If FRL is acting as a processor for the personal data you are asking about, we will pass your request to TfL (as the relevant data controller).

3. The personal data we collect

We collect and use personal data from a range of sources depending on how you travel and engage with FRL.

Customers and members of the public

This may include:

  • customer contact details (for example, name, email address, phone number, postal address);
  • feedback, surveys and complaints;
  • CCTV and body worn video (images of employees and members of the public);
  • incident reports and accident records (including personal data provided in reports, statements and correspondence);
  • information rights request data (where FRL is involved in handling or supporting such requests).

Special category data

Some personal data is more sensitive under data protection law. This is known as “special category” data. We may process this where necessary and where an appropriate legal condition applies.

We apply additional safeguards to special category data.

4. How we use your personal data

We use personal data to deliver rail services, keep the network safe and secure, and provide customer support.

CCTV

We use closed-circuit television (CCTV) across our stations and trains, and in other London Overground areas where signs tell you CCTV is in operation.

CCTV will capture images of customers, employees and members of the public present on London Overground property.

We use CCTV to:

  • help keep customers, staff and the network safe and secure;
  • deter, prevent, detect and investigate crime and anti-social behaviour;
  • support safeguarding and public safety;
  • investigate and manage incidents and accidents;
  • support enforcement activity and legal claims (including prosecutions and civil claims);
  • assist with the operational management of stations and trains (for example, responding to emergencies and monitoring safety-critical areas).

We rely on the following lawful bases under the UK GDPR:

  • legitimate interests (for example, preventing crime and protecting customers, staff and assets); and
  • legal obligation (where we must comply with a legal or regulatory requirement);

Incident reports and accident records

We process personal data in incident reports and accident records relating to events on London Overground services and property (for example accidents, injuries, near misses, security incidents and operational incidents).

Depending on the event, the personal data processed may include:

  • your name and contact details;
  • details of the incident (including date, time, location and what happened);
  • witness statements and accounts provided by you or others;
  • information about any injury or medical assistance provided (which may include special category data);
  • photographs, video or audio linked to the incident (for example from CCTV/body worn video where relevant);
  • correspondence with you (for example emails, letters or call notes);
  • where relevant, information about any claim, complaint, enforcement or legal proceedings connected to the incident.

We rely on the following lawful bases under the UK GDPR:

  • legal obligation (for example, to comply with health and safety and regulatory reporting duties);
  • public task (where necessary for tasks carried out in the public interest within the TfL network);
  • legitimate interests (for example, improving safety, investigating incidents, and protecting customers, staff and assets); and
  • vital interests (in emergencies).
  • Where we process special category data (for example health information about an injury), we will only do so where an appropriate Article 9 UK GDPR condition and a relevant Data Protection Act 2018 Schedule 1 condition applies, and we apply additional safeguards.

Customer feedback, complaints and service improvement

We may process personal data relating to customer feedback and complaints about FRL. Our role is limited to investigating and responding to issues using information provided to us by Transport for London (TfL) (for example, where TfL receives the complaint and asks us to investigate operational matters).

  • The personal data we process is typically the information provided to us by TfL, which may include:
  • your name and contact details;
  • details of your feedback, enquiry or complaint (including dates, times, location, route and service details);
  • any supporting information you (or someone acting for you) has provided to TfL (for example copies of correspondence, photographs or other evidence);
  • our investigation notes and findings (for example staff accounts and operational checks relevant to the issue); and
  • reference numbers and correspondence records needed to manage the case.

In some cases, the information provided may include special category data (for example health information relevant to an accessibility issue or injury).

We rely on the following lawful bases under the UK GDPR:

  • legitimate interests (for example, investigating issues, improving services and managing disputes); or
  • legal obligation (where we must comply with a legal or regulatory requirement).

Where special category data is processed, we will only do so where an appropriate Article 9 UK GDPR condition and a relevant Data Protection Act 2018 Schedule 1 condition applies, and we apply additional safeguards.

Compliance, legal and regulatory

We may process personal data where it is necessary to establish, exercise or defend our legal rights. This includes dealing with disputes and claims (including personal injury and other civil claims), handling litigation and pre-action correspondence, obtaining legal advice, and managing insurance matters in accordance with our obligations under the London Overground concession arrangements including, where relevant, working with Rail for London Limited and Transport for London.

The personal data we process will depend on the matter, but may include:

  • your name and contact details (or the details of someone acting for you);
  • details of the issue, incident or dispute (including dates, times, locations and what happened);
  • relevant correspondence and communications (including emails, letters and call notes);
  • evidence and supporting documents (for example witness statements, photographs, CCTV or other recordings where relevant);
  • financial information relevant to the claim (for example claimed losses and compensation payments);
  • details relating to legal proceedings (for example pleadings, orders, settlement terms and costs information).

This information may include special category data (for example health information in a personal injury claim) and, in some cases, criminal offence data (for example where an issue relates to alleged unlawful behaviour).

We rely on one of the following lawful bases under the UK GDPR:

  • legitimate interests (for example, protecting our legal rights, managing disputes, and recovering losses), where these are not overridden by your rights; and/or
  • legal obligation (where we must comply with a legal or regulatory requirement, including responding to court or tribunal processes).

Where special category data is processed, we will only do so where an appropriate Article 9 UK GDPR condition and a relevant Data Protection Act 2018 Schedule 1 condition applies, and we apply additional safeguards.

Information rights requests

We may process personal data when we receive, handle or support requests from individuals exercising their information rights under data protection law.

To verify your identity, understand your request and respond appropriately, we may process:

  • your name and contact details;
  • information to verify your identity (for example, copies of ID documents where necessary);
  • details of your request and any correspondence with you (including dates, times and reference numbers);
  • information needed to locate the relevant records (for example journey details, station locations, incident dates/times, or other contextual information you provide); and
  • internal notes and decision records about how we handled the request (including any exemptions applied and searches undertaken).

We rely on one or more of the following lawful bases under the UK GDPR:

  • legal obligation (to comply with our obligations under data protection law); and/or
  • legitimate interests (to manage and administer requests securely and maintain appropriate records).

Stakeholder engagement activities

We may process personal data when we engage with stakeholders about London Overground services and operations. This can include meetings, workshops, forums, and correspondence with community groups, local authorities, passenger representative bodies, suppliers, neighbours and other stakeholders. We may keep meeting minutes and records of suggestions or feedback received.

Depending on the engagement activity the personal data we process may include:

  • your name, job title, employer/organisation and contact details;
  • attendance information (for example sign-in details and meeting invites);
  • meeting records (for example minutes, actions, decisions and agreed next steps);
  • correspondence and notes (for example emails, letters and call notes);
  • suggestions, views, concerns or feedback you provide (including where these relate to local issues, service changes or operational matters);
  • where relevant, photographs or recordings from events (only where this is clearly communicated at the time).

We use this information to plan, manage and run stakeholder engagement activities and to understand stakeholder views and suggestions and consider them as part of service delivery and improvement.

We rely on one or more of the following lawful bases under the UK GDPR:

  • legitimate interests (for example, engaging with stakeholders, maintaining effective relationships, and improving services).

5. Who we share your personal data with

We may share personal data where necessary and lawful, including with:

  • our ultimate holding company (FirstGroup plc) and its subsidiaries as defined in section 1159 of the UK Companies Act 2006;
  • TfL and other TfL group organisations (for network operations, safety, customer service, oversight and audit);
  • the British Transport Police or any other law enforcement agency or court to the extent necessary for purposes including preventing, investigating, detecting, and prosecuting criminal offences; preventing threats to public security in accordance with applicable law; or validating a claim;
  • other rail industry bodies including the Office of Rail and Road, other Rail Operators, Network Rail, Transport Focus, the Department for Transport, and London TravelWatch, in order to comply with our regulatory obligations and to help resolve complaints or other issues;
  • our service providers (for example, IT systems, customer contact services, payment processors, survey providers and security providers) who process personal data on our behalf; and
  • professional advisers (for example, lawyers, auditors and insurers).

We operate the London Overground concession agreement under arrangements with TfL and the concession operations may pass to a successor operator. We may disclose your personal data to the relevant authority and/or any successor operator. If this happens, you will be informed of this transfer.

6. International transfers

We aim to keep your personal data in the UK. If data is transferred outside the UK, we will ensure appropriate safeguards are in place (for example, adequacy regulations or approved contractual protections).

7. How long we keep your personal data

We keep personal data for as long as needed for the purposes described in this privacy policy, taking into account legal and regulatory requirements.

Retention varies by category. For example:

  • CCTV/body worn video is typically retained for a limited period unless needed for an investigation;
  • incident and safety records are retained in line with safety reporting requirements.

To request more detail, contact us using the details in section 2.

8. Keeping your personal data secure

We use appropriate technical and organisational measures to protect personal data, including access controls and supplier assurance.

9. Your rights

You have rights under the UK GDPR in relation to FRL’s processing of your personal data, including the right to:

  • access your personal data;
  • correct inaccurate or incomplete data;
  • request deletion (in certain circumstances);
  • request restriction of processing (in certain circumstances);
  • object to processing (in certain circumstances);
  • data portability (in certain circumstances);
  • withdraw consent (where we rely on consent).

To exercise your rights, contact us (section 2).

If the relevant controller for your request is TfL, we will pass your request to TfL (as the relevant data controller).

10. Complaints

If you are unhappy with how your personal data has been handled then please contact us in the first instance using the details in section 2 above.

If you are dissatisfied with our response to any data protection issues you raise with us, you have the right to make a complaint to the Information Commissioner’s Office (ICO). The ICO is the authority in the UK which is tasked with the protection of personal data and privacy.

11. Cookies

Our websites and apps use cookies and similar technologies. For more information, please see our cookie notice.

12. Changes to this privacy policy

We may update this privacy policy from time to time. We will publish the latest version on our website and update the “Last updated” date at the top of the page.