« "Portable scanning device" on the Tube ? | Main | DWP-IR Longitudinal Study racial profiling »

Oyster Card privacy policy

One of our correspondents recently enquired about whether or not it was possible to obtain an anonymous Oyster Card (all 7 zones London Underground and Bus travel, rather than the zones 1-3 PrePay card), and got this reply below:

N.B. there is no mention of whether or not the Transport for London and British Transport Police and other CCTV camera operators which cover London Underground Tube and Railway Stations and (offline) on the Buses, have routine and realtime access to the Oyster Card database, or do they have to file an individual Data Protection Act Section 29 request each and every time ?

Will 3rd party retailers also get their hands on your Oyster Card data if and when the EMV feature is used as electronic cash to pay for newspapers , sweets etc., like other Transport Smart Cards around the world do ?

Dear Mr. [......]

Thank you for your email to the Oystercard Helpdesk.

In answer to your query below, I am happy to detail the data protection arrangements for the Oystercard.

We will hold the information that you give us when you complete one of our forms - in this case, the Oyster registration form. This will comprise your name, address, postcode, telephone number and email where you've given it, security code and marketing preferences. Also dynamic data for the ongoing usage of the card e.g. ticket purchases and journeys. This information is purely for the purpose of after-sales service, marketing (where you have opted to participate), research and statistical analysis including travel patterns and conducting surveys. This is to help London Underground plan effective service for its passengers. From the statistics that we gather we can gauge which routes are popular and at which times during the day, thus we can increase the number of trains for travel and so on...

This is also for the benefit of the Customer, by retaining journey data and ticket
purchase data on the Oystercard, if you have a reason to believe that your travel card has been issued incorrectly or you have been charged the wrong amount for a journey made on a PrePay Oystercard, the Customer Service Team can see the information that information and it may be used to help resolve ticketing and refund issues with customers.

Only where you have opted to be contacted by third parties will we share your
details with other reputable companies, other than the state. All information will
be handled in accordance with the terms of existing data protection legislation.

In order to ease your concerns no personal information is held on the card itself.
Just on our database. This is for the use of the Customer Services Department. If you contact the department regarding your Oystercard we use your name and address details along with the verification of your security password (set up at the registration stage) to verify that you are the cards owner and also we require this information to send out replacements when your card is lost/stolen.

Please note that the terms that the state sets itself for gaining access to any
computerised information are not something that Transport for London has any control over. We would only disclose personal information requested by organs of the state where we were legally obliged to do so and in accordance with the provisions of the Data Protection Act, 1998

I hope that this inform has been helpful, if you have any further queries please
call the Oystercard Helpdesk on 0845 330 9876 (8am-8pm, daily)

Yours sincerely

Oyster Card Helpdesk


Look its simple. Put you name and address on the back of the card with some sticky tape. If they find the card, they can return it.

If you want to raise a query, take the card along.

If they want to track trips, they don't need to know your name.


How do you get the card in the first place? You have to APPLY! They POST it to you! Your name and address are associated with the id number before you even receive the card.

Not so easy.

they dont send it to you, you can get it at the station. If you dont want to give your correct address, give a fake one, there are no checks on the address. but if you lose it they'll send your replacement to the fake address, thats all.

Concerned about people exploiting vulnerabilities being discovered in your wireless devices? I believe that there is a good protective measure on the market when it comes to ensuring privacy protection. When you want to ensure maximum protection, use an E2X bag. They are at www.e2xgear.com and originate from technology used to counter electronic espionage efforts directed against the US intelligence community. These bags can be used to shield the Oysterpass and allow it to be recognized ONLY when and where you want it. I'm working on a slimline case specifically for the pass card right now. But as for the other uses: they can even shield your phone, pda, or any other wireless device to prevent it from transmitting or receiving when you don?t want it to. Furthermore, GPS tracking is blocked. When you need it, simply remove it from the bag. You don?t even have to turn your device off anymore (or remember to turn it back on.)
Since the manufacturers of wireless technologies seem uninterested in correcting product design vulnerabilities, it may be necessary for consumers to step in and take measures to ensure their privacy is protected. One thing is for certain, this is only the beginning of privacy issues for consumers who find wireless electronics becoming an integral part of daily life.

Does anybody know the list of codes used by the gateline staff and what they mean. I have heard that there are 46 and 120 codes, but seeing as the codes are two digits, I can't see that there'll be more than 99.