Data code

What do we do with your personal data?

Start date: 20 December 2016
End date: 23 February 2017

When handling personal data, organisations must comply with the Data Protection Act 1998 (DPA).  According to the DPA, any information held by a public authority which can be used to identify an individual constitutes personal data. The principles underpinning the act mean that this data must be:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the European Economic Area without adequate protection

As technology rapidly develops, more personal data will be collected, increasing both the potential benefits and the risks. This investigation by the GLA Oversight Committee will assess whether the personal data collected by the GLA Group is collected, used and stored appropriately.


Personal data in the GLA Group

Transport for London (TfL) and the Metropolitan Police Service (the Met) collect the greatest volume of personal data of the GLA Group organisations, and they will be the main focus of the investigation. Examples of personal data collected by TfL and the Met include:

  • TfL collects personal data every time someone uses a registered Oyster or contactless payment card to travel.
  • TfL records vehicle movements (linked to individuals) across London’s Low Emission Zone and Congestion Charge Zone through around 1,300 Automatic Number Plate Recognition (ANPR) cameras.
  • The Met collects and has access to highly sensitive data, including the health information of highly vulnerable individuals.
  • The Met has around three million photos of arrested individuals, which it plans to keep indefinitely, regardless of whether the individuals are charged or convicted.


The GLA Oversight Committee is conducting an investigation into the collection and use of personal data in the GLA Group. It will use its meeting on 23 February 2017 to discuss this issue with invited guests.