Privacy Policy

Privacy Policy


Transport Data Initiative has an obligation to explain how we collect and use your personal information. This is known as processing.

Firstly, we give a clear general explanation of what we do with your personal data.


Data we process when you use Transport Data Initiative Services

  • When you use a TDI (Transport Data Initiative) service (e.g. Subscribing to our newsletter or registering to attend an event) we will use the information you provide (data) to handle your interactions with TDI and to provide the service to you and also to manage that service.
  • We might also analyse the data you provide to ensure that we are delivering the right and best services for you. For example we might look at the number of people attending events determine how we run and support our TDI events

Why we process it

We process this data for the purposes explained in detail below. More generally, we will use the data we collect about you to:

  • Deliver services you currently use but also might use in the future (delivery)
  • Help our team to understand how people use our services to make sure they are the best possible services (planning)
  • Ensure targets around performance and activity are met (performance)
  • Meet legal requirements around the way that services might be delivered (statutory – non safeguarding)
  • Keep in contact with you about what we do for you (communications)

Data Analysis

When we process your data we might also use different techniques to analyse this data. We will only ever analyse data for the reasons listed above and in accordance with our more specific areas of business (see below).

When we analyse this data about you, we might combine it with other information you have provided to us or even data about you we have received from other organisations. This will be done under the strictest protections to ensure it is done in a fair, lawful and transparent way and is compatible with the reason we collected it originally (e.g. we would not use information collected for public health to market a commercial product to you but we might combine it with social care information to enable us to ensure we are delivering the right services to you).

If you would like more information about the specific ways different teams might use your personal data, please see below for our more detailed notification:


Tier 2

The law requires us to publish a ‘Record of Processing Activity’ along with information which ensures that TDI is clear about what it is doing with the data it holds.

This is a live document and we will update it from time to time if we change the way we collect or use your data.

The following sections set out information we must give you and details about how we collect and use data if it is different from the use of data set out below and in our general notice above.

  1. the name and contact details of the controller and, where applicable, the joint controller and the controller’s representative;

Buckinghamshire County Council
Walton Street
HP20 1UA

Data Controller: Tom Mansfield

  1. Lawful basis and purposes of the processing;

The primary lawful basis and purposes for processing personal data is to enable the Council to deliver Council services. We need to process personal data in the exercise of our public functions and powers (public task), and to perform tasks in the public interest, that are set out in law.

We also have legal obligations and powers to process personal data under statute. These are listed in our Information Asset Register.

We also need to process your personal information to fulfil our contractual obligations to you.

We can also process your personal data with your express consent.

In exceptional cases we might also need to process your personal data to protect your own or some else’s vital interests.

  1. a description of the categories of data subjects and of the categories of personal data;

The information we hold will be personal data.

  1. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

We will sometimes need to share information outside of TDI with organisations such as our partners, third party contractors and government bodies.

We will only share information with these organisations where it is appropriate and legal to do so.  We may also share information, if we are required to do so by any court or law.  Where this is necessary, we are required to comply with all aspects of the Data Protection Legislation.

TDI will typically not disclose information to third countries and where an organisation is international in nature, we will have completed a risk assessment of the use of this data. Where possible we will require data being stored with third parties to at least be stored at sites within the EU and always with adequate protections. Where information is disclosed to a third Country, there will be a defined legal basis for this transfer which will be recorded and made available on request.

  1. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

Please see above

  1. where possible, the envisaged time limits for erasure of the different categories of data;

TDI has a list of how long it keeps data for known as a retention schedule. Details of how long material should be kept for are available on request.

  1. Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Some of the specifics of the technological security measures TDI employs are not available as they might provide a means for malicious access to our information but generally we employ the following protections for the data we hold:


Encrypted servers


Remote backup

Cloud based computing including virtual servers

Password protection


Annual Individual mandatory training

Policies and procedures around Data Protection

Confidentiality statement linked to contractual terms

  1. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

This information is recorded in our Information Asset Register, an extract is available here.

  1. where the processing is based on legitimate interests pursued by us or by a third party;

Where we rely upon the legitimate interest’s condition for processing, it will be set out in our Information Asset Register and the associated Data Protection Impact Assessment

  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

Where TDI relies upon a legal obligation for processing personal data or to form a contract with you, this will be set out in our information asset register.

Data Rights

Data Protection legislation gives specific data rights to individuals which include the following:


Name of right What this means How to enact it
Retention You have the right to be informed of the period of time that we will hold your data Contact:
Access You have the right to be informed of the information we hold about you and be informed about how this data is being used
Rectification You have the right to notify us of factually incorrect information and where requested, we will attempt to correct this information.
Erasure You have the right to ask us to delete information about you when we do not have a legal reason to hold this information.
Restriction/Objection You have the right to ask us to restrict what we hold about or to not use that data unless we have a legal basis to do so.
Portability Where applicable you have the right for information collected by an online form to be transferred to another organisation.
Withdraw Consent Where you have been asked for consent for using your personal data, you retain the right to withdraw your consent for this.
Complaint You have the right to complain to the Information Commissioner about how we have handled your personal data.

Please contact about data rights if you wish to enact any of these rights

The TDI Teams Privacy Statements:

Use of IP addresses and cookies

Cookies enhance your experience using our website. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, as well as to provide information to the owners of the site.

We use cookies to audit the use of our website and help us to customise the website for your visit. We do not store or transmit any personally identifiable data on these cookies. You can change your cookie setting at any time in the security settings in the browser you use to access the internet. Please note however, that rejecting all cookies may impact your enjoyment or use of this website.

We collect IP addresses* only for the purposes of system administration and to audit the use of our site. We do not link IP addresses to anything personally identifiable, which means that while your user session will be logged you will remain anonymous to us.

* An IP address is a unique string of numbers that identifies each computer