Privacy notice

Camera systems we operate

Our CCTV is used to capture, record and monitor images of what takes place at our stations and car parks and on our trains, in real time. In limited circumstances, we use body worn cameras which make audio visual recordings.

Depending on the type of camera, images are recorded on video tape (analogue) or as digital information. Cameras can be fixed or set to scan an area. In some circumstances, they can be operated remotely by controllers.

Why we operate CCTV cameras

We operate CCTV for the following purposes:

• Health and safety of employees, passengers and other members of the public;
• Crowd management; and
• Prevention and detection of crime and anti-social behaviour.

Camera locations

We operate cameras at the stations and car parks we manage and on some of the trains that we run.

We operate cameras at some of the stations and car parks across our network. You can see a full list of stations and car parks and operators on our website.

Network Rail and other TOCs operate the cameras at some stations that our services stop at. These are shown below:

• Birmingham New Street
• Wolverhampton
• Birmingham International
• Stafford
• Coventry
• London Euston

We operate CCTV on some of the trains that we run.

Length of time CCTV footage is kept

CCTV footage at stations and on train is generally held for a maximum of 31 days from the time of recording.

Recordings from body worn cameras is generally held for 24 hours, unless required for legitimate business reasons.

Disclosing CCTV/personal data to the police

At our discretion, we may disclose CCTV/personal data in response to valid requests from the police and other statutory law enforcement agencies.

Before we authorise any disclosure, the police must demonstrate that the CCTV/personal data is necessary to assist them in the prevention or detection of a specific crime, or in the apprehension or prosecution of an offender.

Requests from the police are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with the DPL.

Sharing CCTV footage with other third parties

Some of our CCTV infrastructure is shared with the British Transport Police, Local Authorities, Network Rail, [Network West Midlands] and Car Park operators under formal data sharing agreement.

In certain agreed circumstances, they may take control of a limited number of cameras and use them for activities such as the prevention and detection of crime and anti-social behaviour, policing major events and crowd control. WM Trains is not responsible for the CCTV when it is in the control of a third party.

We may also disclose personal data to third parties, if required to by law or it is necessary for a legitimate purpose such as defending or bringing legal action. DPL allows us to do this where the request is supported by:

• evidence of the relevant legislation
• a court order
• satisfactory evidence and assurances of the legitimate interest.

Legitimate interest would include requests such as defending or making a legal claim, such as to insurers following a vehicle collision in a carpark. When we are not required to provide CCTV, we will consider the circumstances and any potential harm to individuals, we may also charge a fee and seek indemnity for any use beyond which it is requested.

External guidelines and best practice

WM Trains operates its CCTV systems in compliance with the CCTV Code of Practice issued by the Information Commissioner’s Office (ICO) in 2017. The Code describes best practice standards which should be followed by organisations operating devices which view or record images of individuals. It also covers other information derived from those images that relates to individuals (for example vehicle registration marks).

This section shows the information we collect when you use our Website, Apps and Ontrain Wi-Fi and Media Service (Loop). Before providing us with your details, please read the following important information regarding:

• Collection of visitor information;
• Hyperlinks;
• Cookies; and
• JavaScript and Pixels.

Collection of visitor information

We will only use the information that we collect about you lawfully, in accordance with the DPL.

The details you provide about yourself and any other information which identifies you (‘Personal Information’) is held by WMT on this website (the "Site") for operational purposes, for example account registration or processing payments. We may also use your Personal Information to personalise your experience on the Site by informing you of new products or services that we may think are of interest to you.

WMT gathers general information about users, for example, what services users access the most and which areas of the WMT site are most frequently visited. Such data is used in the aggregate to help us to understand how the WMT site is used. We gather this information so that we can continue to improve and develop our services to the benefit of our users. We may make this aggregated information available to [users of the WMT site] and to auditors. These statistics are anonymous and contain no personal information and cannot be used to gather such information.

When you register with WMT, set up a travel alert, enter a competition, or buy a ticket, we ask for personal information such as your name, contact details, and other details. Once you register with WMT and accept our Terms & Conditions, you are not anonymous to us. We may use information that you provide to alert you to our own products and services. We may contact you regarding site changes or changes to the WMT products or services that you use.

If you buy a ticket online with WMT, we will record your personal details and send you a confirmation email. Your personal data will be used principally to communicate with you with reference to your purchase.

You may opt-in to receive newsletters, exclusive discounts, special offers and other marketing emails from WMT. You may unsubscribe at any time by logging in to your account and updating your preferences. Please note changes to your subscription preferences can take up to 14 days to take effect.

Alternatively contract our Customer Relations Team via our web form or write to us at: Customer Relations, West Midlands Trains, 134 Edmund Street, Birmingham, B3 2ES.

We may provide hyperlinks from the site to third party websites. No liability is accepted for the contents of any site operated by a third party which may be accessed via links from the site. These links are provided for your convenience only and do not imply that WMT approves or recommends the content of such sites. We encourage our users to be aware when they leave our site to read the privacy statements of every website that collects personal data. This Privacy notice applies solely to information collected by WMT.

Our website uses cookies to help us to provide you with a good experience when you browse our website and also allows us to improve our website.

What is a cookie?

A "cookie" is a small text file that is placed on your equipment when you visit a website (equipment like computer, phone, and tablet). There are several types of cookies:

Functional cookies

Functional cookies are used to enable basic web browsing functionality such as navigating from one page to another or storing your website preferences. For example, we will use functional cookies to:

• remember the products you purchase during online shopping;
• remember and pass on the information that you enter during the log-in process or that you leave behind on the various web pages during the ordering process, so that you do not have to enter the same data every time;
• save your preferences; and
• detect abuse of our website.

Analytical cookies

These cookies are used to analyse your visit to - and interaction with - our website. For example, we may analyse the following:

• the number of visitors to our website and how often they visit
• the duration of the visit
• the order of the pages visited; and
• whether the pages of a website need to be adjusted.

With the help of the information we collect using analytical cookies we can make our websites more user-friendly as well as identify and solve possible technical problems on the websites. One such tool we use to gather analytical information is Google Analytics. On the web, you can choose to opt-out of Google Analytics by installing Google’s opt-out browser add-on.

Advertising cookies

Our website is supported by advertising. Advertising cookies, often placed by third parties, are used to track visitors across different websites. This helps us offer relevant and engaging advertisements during your visit to our website. Our advertising technology is provided by Google and you can choose to opt-out of interest based advertising using Google’s Ads Settings . You can also control interest based advertising and learn more by visiting Your Online Choices and About Ads .

JavaScript and Pixels

In addition to cookies, we use JavaScript and Pixels.

By using JavaScript in your browser, we can make our sites interactive and develop applications for the web.

A Pixel is a small graphic image on our site. By means of this image, we can, for example, determine how many visitors saw the page at which times. These techniques can also be used for marketing and tracking purposes. We use two types of Pixel; a Facebook Pixel, which analyses visits to our website from Facebook and Exchange Lab Pixel, which analyses visits to our website from our advertising across the internet.

Cookies from external parties

Some of the cookies are used by third parties with our consent with the aim to bring certain products and services to your attention or to give you direct access to social media. These third parties include:

• Google Maps
• Twitter
• YouTube
• LinkedIn
• Google AdWords
• Instagram
• Facebook ; and
• My NewsDesk

For the cookies that these external parties place, the information they collect with them and the purpose for which that information is used, please refer to the privacy statements of these parties on their respective websites. These statements can change regularly and we have no control whatsoever.

Visit the All About Cookies website to learn more.

Privacy Options

If you would prefer us not to set cookies on our Website, you can disable them by changing your internet browser settings. How to do this will depend on the browser you are using, but the following is a step-by-step guide to the most popular browsers:

Microsoft Internet Explorer:

1. Click on the "Tools" menu
2. Select "Internet Options"
3. Click on the "Privacy" tab
4. Select the desired setting

Google Chrome:

1. Click on the Customisation menu at the top right of the page
2. Select "Settings"
3. Select "Show Advanced Settings" and then "Content Settings"
4. Select the desired settings under the "Cookies" heading.

Mozilla Firefox:

1. Click on the "Tools" menu
2. Click on "Options"
3. Select "Privacy"
4. Choose the desired options under the "Cookie" menu.

For all other browsers, please follow the instructions provided by the relevant browser, usually located within the "Help", "Tools" or "Edit" facility.

If you only disable third party cookies, you will still be able to use this Website, but some of its content will not be as relevant to you. If you disable all cookies, this will result in our Website not working properly.

If you do choose to disable cookies, this choice will only apply to the device you are using at the time. If you want to stop cookies being set on other devices, you will need to follow the relevant steps on each device. Please note that disabling cookies does not delete cookies from your browser, you will need to do this from within your browser.

Access to our database containing personal information on registered users of the site is restricted. In order to increase security, we ask you to input a password when you register as a user of the site. Please keep this password secret. As you may be aware, no data transmission over the Internet can be entirely secure. As a result, while we will always use reasonable endeavours to protect the personal information you provide to us, we cannot guarantee the security of your information and the use of our facilities (e.g. e-mail) is at your own risk. If you have any questions about paying for your ticket through the Site, please contact Customer Relations.

Personal details we hold

When you buy a season ticket valid for one month or more, we keep a record of this on a database. We keep the following details:

• Name, address and photo card number;
• Phone number, email and date of birth if you provide them;
• The origin, destination and start and end date of season tickets you have purchased, along with any duplicate, replacement or refund of these; and
• The method of payment used, but not any payment card details.

How we use your personal data

We use this information for Contractual obligations, Customer Relations and administration, customer research, marketing and fraud prevention.

We will only send you information about offers and promotions if you chose to receive it and you can change your marketing preferences at any time. We will not pass your personal information to any other organisation outside of our Group of Companies (and Successor franchise or Secretary of State for Transport) for marketing purposes without your prior consent.

Sharing data with third parties

If you have agreed to receive information for survey or research purposes, we may share your contact details with a limited number of parties, but only for the reasons you have agreed to.

Personal details we hold

We may collect a range of personal detail during revenue protection activity. This may include name, address, proof of ID, journey details, payment details, personal descriptions and other information you provide to support an appeal. This data is processed by Penalty Services Limited.

How we use your personal data

We only use this information for the administration of the Penalty Fares scheme, collection of unpaid fares, fraud prevention and the prosecution of travel offences.

Sharing data with third parties

We may share your correspondence with:

• British Transport Police under a data sharing agreement to prevent and detect crime.
• The Penalty Services Limited if you appeal a Penalty Notice issued to you.
• Passenger Focus if you have asked them to act on your behalf under a complaint handling procedure. Requests from ombudsmen are dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.
• We may also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

We collect your information and comments when you contact us by letter, email, web form, phone or social media.

Personal details we hold

We may hold your name, address, date of birth, email address, phone number, social media name, ticket details, photocard image, our correspondence with you, the compensation claims you have made and payment made by us, proof of journey or other supporting information you may provide.

To ensure that we carry have an accurate record of dealings between us (and for training purposes) we may, in certain circumstances, record or monitor telephone calls, however you will always be told when this happens.

How we use your personal data

This information is used for administration of correspondence or processing claims you have made, such as delay repay as well as for fraud prevention purposes. We also use it to respond to complaints.

Sharing data with third parties

We may also share information with other TOCs for fraud prevention. We will only do this where there is a formal data sharing agreement in place, or where an ad hoc request is received this will be dealt with on a case-by-case basis to ensure that any such disclosure is lawful in accordance with DPL.

On our stations, we maintain Customer Help and Assistance Points. Depending on the service requested these are linked directly to our Control Centre or to National Rail Enquiries.

Calls for Information or Assistance made to National Rail Enquiries are recorded and monitored, but no advance notice is given as this could result in a delay in the providing assistance.

To prevent marketing to you, you have the right to ask us not to process your personal information for marketing purposes. We will usually inform you before collecting your information if we intend to use or disclose it for such purposes. If you do not want us to use your information for marketing purposes either:

• indicate this by NOT ticking the box to be sent marketing emails (or offers);
• if you have an account with us, by logging in and changing your contact preferences;
• click the unsubscribe link on direct marketing emails; or
• contact us.

• Make a subject access request

You are entitled to request a copy of the personal information we hold about you.

We may need to ask for some further information, such as checking who you are. Please let us know in what format you wish to receive your information.

Sometimes we may hold information that we don’t have to provide, for example it would prejudice a police investigation or if the disclosure would cause harm to another person whose personal data is inseparable from your data.

In most cases we provide the copy of your data to you for free. We have set out some information about when it might not be free, or provided below.

• Make a subject access request

If you believe the information we hold about you is inaccurate or incomplete you can contact us and ask us to correct it. You may also request any data processing we are carrying out on your data is halted whilst a request for rectification, objection or a dispute over the lawfulness of processing is being considered. We will provide a response confirming the action we have taken or disagree with taking.

• Make a subject access request

This is also known as the “Right to be forgotten”, you can request deletion or removal of personal information in some circumstances, such as where there is no compelling reason for its continued processing. We will also take reasonable steps to notify third parties of your instruction and request that they act upon it, in a similar manner.

• Make a subject access request

If we relied on consent as the ground for processing your personal data, you can withdraw this consent at any time. It does not affect the processing carried out beforehand.

Where you have consented to receive direct marketing communications, you can withdraw your agreement at any time, as above or where available updating your preference centre or clicking on the appropriate link in the communication.

• Make a subject access request

Where you have provided us with personal data and the reasons we are processing it are based on consent or our contract with you, and the processing is automated, you have a right to ask for that information be provided to you or another data controller in a structured, commonly used and machine-readable format. The right may be restricted if it is not practical for us to provide the information in this way or it adversely affects the rights of others.

• Make a subject access request

We target some of our marketing and service communications, so that they are more relevant to you, based on the type of ticket(s) you bought, your location/travel stations. We will try and ensure where possible the communications are compatible with the device you are using.

We use automated decision making to calculate the validity and value of Delay Repay claims made through our website. You will receive a notification of the outcome of your claim. At this stage you are able to request that your claim is manually reviewed by a member of the Delay Repay team. If you remain dissatisfied you can escalate to our Customer Relations team.

We are not able to charge you a fee for dealing with rights requests, unless they are manifestly unfounded or excessive or in circumstances where copies have been provided previously. We would always let you know if we thought this was the case, so that you can decide about what you wanted to do next.

There are various limitations and exemptions in relation to the exercise of rights in DPL - for example if it would affect another’s rights and freedoms or if we need to retain the information to make or defend a legal claim. We intend only to rely on limitations and exemptions where it is fair to do so and always bearing in mind that it is your personal data.

The DPM role has been established in a manner to remain independent of business decisions. If you wish to lodge a complaint against:

• the business, please contact our DPM; or
• the DPM or DPO, please contact the ICO.

We also have a complaints policy. If you are not happy with the way in which we deal with your data or have dealt with a rights request, then please us know. Our DPM are the first point of contact for dealing with Rights Requests and complaints and they are assisted by Customer Relations . If you are not satisfied with the way in which they have handled your complaint or rights request then you can contact the DPO.

If you are not satisfied with the response you can complain to the ICO. Their contact details are:

Head office

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Fax: 01625 524 510

Website: https://ico.org.uk/global/contact-us/

We’ll store your information for as long as we have to by law or regulatory requirement. If there’s no legal or regulatory requirement, we’ll only store it for as long as we need it. We’ll also keep some personal information for a reasonable period after your last contact with us – just in case you decide to use our services again. We, or one of our partners, may contact you about our services during this time if you haven’t opted out of receiving marketing communications from us.

We may also keep your personal data for the purposes of our legitimate interests in running our Group businesses, including anonymising or pseudonymising data for analysis.