Southeastern / IPFAS - DPA compliance



I had a situation with Southeastern a while back.

One of their Revenue Protection Inspectors issued me with a Penalty Fare somewhere in the region of £68, so I was legally required to provide them with my name and address.

I appealed on the basis that the ticket I presented to the inspector was valid for the journey I was undertaking, only he wasn't sufficiently trained on how to determine the validity of tickets. The favoured approach is issuing a Penalty Fare or calling the British Transport Police over verifying the validity of the ticket.

The appeal was upheld because I was right about the ticket.

Because I presented a valid ticket for inspection, there was no way I was giving Southeastern any of my money towards that Penalty Fare, so I made a part payment with a £50 Rail Travel Voucher.

I later lodged a Subject Access Request to Southeastern for all information they held on me.

In the response, I found out that a member of staff from the Independent Penalty Fares Appeals Service (IPFAS, part of Southeastern) decided to email out my details to various entities, not all of which were Train Operating Companies. The IPFAS were trying to find out the origin of the voucher I had paid with.

I reported this suspected breach to the Information Commissioner's Office. This was the ICO's response.

 

Dear [name removed],

Thank you for your data protection complaint about London and South Eastern Railway Limited (‘Southeastern’).

[...]

Your complaint to us

In your case, the matters you have raised that are relevant to the DPA relate to the first and sixth data protection principles.

The first principle says that:

“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met”

The sixth principle says that:

“Personal data shall be processed in accordance with the rights of data subjects under this Act.”

You are concerned that Southeastern Limited shared your personal data with a number of other train operating companies without your consent or a legitimate reason to do so. I can see that this relates to an email sent by an employee on 21 May 2013 asking if anyone had sent a voucher to you, disclosing your name and postcode in doing so.

You are also concerned that Southeastern failed to fully comply with a subject access request (SAR) you made on 4 October 2013, within the prescribed timeframe. I can see that you asked for a copy of all the information held about you and several emails were exchanged on this matter.

Our decision

I wrote to Southeastern about this matter and have now received its response.

On the basis of all of the information provided by you and Southeastern, we have decided that it is unlikely that Southeastern has complied with the requirements of the DPA in this case.

This is because it would appear likely that it failed to process your personal data in accordance with the requirements of the first principle, when it shared information relating to you with some other train operating companies outside of one’s reasonable expectations and unfairly. It also appeared to fail to supply a complete response to your SAR within the 40 day timeframe, based on all the evidence available to me.

However, based on the information provided in relation to this complaint, the Information Commissioner has decided that further regulatory action is not required at this time.

When deciding whether regulatory action is appropriate, we take into account the organisation’s general record of compliance with the DPA. This may include any previous assessments we have made, or any regulatory action we have already taken against the organisation. We may also consider any other information that is in our possession (including information given during the course of our assessments).

Further information

As you are aware, we asked Southeastern about the safeguards that are in place to help ensure it handles personal data properly and we are satisfied with its response.

Southeastern has explained that the reason why details relating to you were shared with the other train operating companies in the emails provided was due to a misunderstanding of the correct process to follow by one employee, when settling an account involving a voucher being used.

As I understand it, it was not necessary to advise the other train operating companies of your details to find out where the voucher had originated from. Therefore, it would seem unlikely that the processing in question met a condition for processing under the first principle and was likely to have been unfair.

In respect of the way your SAR was processed, Southeastern has explained that it was responded to within the 40 day timeframe and that it provided you with an extensive amount of records. It says that after receipt of this information, you wrote to Southeastern again asking for further emails that had not been picked up by its initial searches. Southeastern confirms that the additional information was located and provided within 9 days and is satisfied that you have been provided with all the information you are entitled to.

Based on the information available to me, it would seem likely these further emails should have been supplied as part of Southeastern’s initial response, within the 40 day timeframe, which is why I have made the assessment above.

As a result, I have made some good practice recommendations to Southeastern and I am also aware that it plans to take a number of steps to strengthen its data protection safeguards in these specific areas.

Having carefully considered all relevant information that we hold about this complaint at the present time, we have decided that formal regulatory action is not required.

Next steps

However, most organisations want to put things right when they have gone wrong and learn from complaints that are raised with them. We have therefore asked Southeastern to consider the information we have provided during the course of this assessment and take steps to prevent the situation from happening again.

We will keep a record of your complaint and take this assessment into account if we receive further complaints about Southeastern. The information we gather from complaints may form the basis for action in the future.

Thank you for bringing this matter to our attention. This case is now closed.

I had followed your thread on another forum and have to say that this response is pretty well as expected.

ICO recognise an error in misunderstanding process by one individual member of staff at SE. SE explanation accepted by ICO and no evidence of any systematic failure.

A general type of standard response, 'We will retain this information if any future complaint received', is sent.

Case closed.
