Cookie Consent by Free Privacy Policy Generator website
Travel and transport

Concessionary Bus Pass Privacy Notice

City of York Council (CYC) works with Unicard Limited to provide you with the English National Concessionary Travel Scheme (ENCTS) and are joint controllers of your information for this service.

You can find more details about controllers, joint controllers and processors on the Information Commissioner’s Office (ICO) website.

This joint controller privacy notice was created in March 2025, and it will be regularly reviewed.

CYC’s current data protection notification is registered with the ICO - reference Z5809563.

Unicard’s current data protection notification is registered with the ICO - reference Z869762X.

CYC and Unicard are committed to ensuring that your information is handled in accordance with the principles set out in data protection legislation and guidance from the ICO.

This privacy notice tells you what to expect when we process your information for ENCTS and should be read in conjunction with the other relevant CYC Privacy Notice, and the Unicard Privacy Notice, and policies and procedures.

When appropriate we will provide a ‘just in time’ notice to cover any additional processing activities not mentioned in this privacy notice.

How we collect your information

We get information about you from the following sources:

  • directly from you
  • from third parties acting on your behalf, such as family members, advocates
  • from our partners, third parties, or contractors as part of the ENCTS

Top of page

What personal data we process and why

When applying for your new, renewal or replacement bus pass, you will be asked to provide some or all of the following information that is your personal data and special categories of personal data:

  • title, name, address, date of birth, national insurance number, ethnicity and gender
  • contact details, such as telephone number and email address
  • supporting evidence of your age, if applying for an older persons pass
  • a head and shoulder photograph or image
  • the reference number from your current bus pass, for renewals
  • Blue Badge number, if applicable
  • a secret word or question for security

If you make an application for a disabled person bus pass, then we will also ask for disability type and supporting evidence of your disability.

See details of the eligibility criteria and evidence required for travel passes.

If we need it we will ask for the consent of your parent or guardian, for example where you are under 13 years of age, to collect and use your personal data.

We collect your information to check your eligibility for the ENCTS using the guidelines provided by the Department for Transport and to facilitate the issuing of the bus pass.

We process your information to comply with CYC’s statutory duty as a travel concession authority of issuing travel concession permits to eligible residents as set out in the Transport Act 2000.

Your information may also be used:

  • to contact you when your bus pass has expired to remind you to reapply or to automatically reissue you with a card
  • to create an account with Unicard
  • for Unicard to send marketing to you when you have requested it. You can withdraw your consent to marketing by contacting Unicard on email: dpo@unicard-uk.com

When you complete an online form on CYC’s website and you have provided your email address, we may send you a copy of your completed online form.

When you make an online payment either on CYC’s website or through CYC’s customer services team, you can find out what we do with your information in our Online Payments Privacy Notice.

CYC may use your information to create reports and statistics that are anonymous and cannot be linked back to you or individuals such as:

  • statistical analysis
  • statutory returns
  • audit framework
  • to see how the council and its partners are supporting individuals
  • to help design better services
  • to inform funding decisions

Top of page

Automated decision-making

CYC does not carry out any automated decision-making in delivering the ENCTS

Unicard may automatically collect technical data about your equipment and actions when you interact with them as part of their services, such as through an app or using any electronic card provided to you.

Top of page

Collecting information automatically

Please see our Cookies Policy for further information about the information we collect automatically when you use our website.

The Unicard Privacy Notice includes information about how Unicard deal with Cookies.

Top of page

Children’s information

Where we provide services directly to children or young people, the information in the relevant parts of this notice applies to children and young people, as well as adults.

If you're under 16 and are not sure of the meaning of any part of this privacy notice, please ask your parent or guardian.

Top of page

Lawful basis for processing your personal data

Any personal data including special category data that we process about individuals, is done so in accordance with Article 6 and Article 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

The legal basis for processing your personal data is in accordance with the following:

  • Article 6 (1)(a) Consent - the individual has given clear consent for us to process their personal data for a specific purpose, for example when you request marketing from Unicard and/or if the application is for someone under the age of 13 years
  • Article 6 (1)(c) Legal Obligation - the processing is necessary for us to comply with the law, for example ENCTS - CYC has a statutory duty to issue ENCTS passes to enable eligible children, young persons and adults to access travel via concessionary measures
  • Article 6 (1)(e) Public task - the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law

The legal basis for processing your special category data is in accordance with the following:

  • Article 9 (2)(g) Reasons of substantial public interest - for example support for individuals with a particular disability or medical condition; safeguarding of children and individuals at risk

This is supported by Schedule 1, Part 2 (6) of the Data Protection Act 2018 and the following legal framework:

Some of the Schedule 1 conditions for processing special category data require an Appropriate Policy Document to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. This document explains this processing and satisfies the requirements of Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice

Our Appropriate Policy Document provides further information about this processing.

Top of page

How long we keep your personal data

CYC will only keep your information for as long as it is needed then it will be securely and confidentially deleted or disposed of.

You can find more details about how long CYC keeps records in the council retention schedule.

Any personal data that Unicard collect through their systems and has passed their verification checks will be held for 3 months in the verification databases before being added to the unique central database. Once the data has been added to the unique central database it will be deleted from the verification database.

Data held within the unique central database will be processed in accordance with the contract Unicard have with CYC and will be held as shown in council retention schedule.

Data that does not pass Unicard’s verification checks will be held for up to 6 months to carry out troubleshooting and for further checks. Should these additional checks fail, it will be deleted and not be transferred into the central database. If the data passes the further checks, then it will be transferred into the central database.

Data may be kept for a longer period by Unicard than set out above, if they are required to keep it for combatting fraud, it relates to a legal case or claim, if under instruction from police authorities to keep hold of the data or we have any other legal or contractual obligation to keep hold of the data.

Top of page

Data sharing

CYC will only share your information where it is appropriate to, with:

  • other CYC services
  • third parties including our data processors, partners or contractors, who undertake work on our behalf
  • government agencies
  • internal and external auditors

Unicard will share information with their partner Paragon ID, who will print your bus pass and sent it to you.

Unicard may share your information within their organisation and with external organisations such as the Police and other councils if they suspect that a bus pass is being used fraudulently and/or a vulnerable person may be at risk. Basic identifiers and contact details are shared with their other internal teams to offer consistent customer support.

Unicard participate in the national fraud initiative which is currently run by the Cabinet Office. Your information will be shared with Cabinet Office as part of an exercise that matches electronic data within and between public and private sector bodies to prevent and detect fraud.

In some circumstances, such as under a court order or safeguarding, CYC and Unicard are legally obliged to share your information.

CYC and Unicard will always satisfy themselves that we have a lawful basis on which to share the information and document our decision-making.

Additionally, CYC are required under the Public Records Act 1958 (as amended) to transfer records to the City or National Archives for permanent preservation. Full consideration will be given to Data Protection and Freedom of Information legislation when making decisions about whether such records should be open to the public.

Top of page

Data processors and/or third parties

Where we have third parties providing parts or all of our services for us, we have contracts in place with them. These are listed below:

Top of page

Transfers of personal data

We don’t routinely transfer personal data outside of the UK but when this is necessary we ensure that we have appropriate safeguards in place and that is done in accordance with the UK data protection and privacy legislation.

Top of page

How we protect your information

We're committed to keeping your information safe and secure. There are several ways we do this, such as:

  • IT security safeguards such as firewalls, encryption, and anti-virus software
  • on-site security safeguards to protect physical files and electronic equipment
  • training for all staff and elected councillors
  • policies and procedures
  • limiting access to your information to authorised CYC and Unicard employees to provide ENCTS

Top of page

Your rights in relation to this processing

To find out about your rights under data protection law, you can go to the Information Commissioner's Office website.

You can also find information about your rights in our Privacy Notice and the Unicard Privacy Notice.

If you have any questions about this privacy notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us on email: information.governance@york.gov.uk, or on telephone: 01904 554145, or write to:

Data Protection Officer
City of York Council
West Offices
Station Rise
York YO1 6GA

You can contact Unicard’s data protection officer on email: dpo@unicard-uk.com, or on telephone: 01202 850810, or write to:

Data Protection Officer
Unicard Limited
Peartree Business Centre,
Cobham Road, Wimborne,
Dorset
BH21 7PT

If you need to contact us about your application process, you should contact CYC on email: buses@york.gov.uk, or by writing to:

Concessionary Bus Passes
City of York Council
West Offices
Station Rise
York
YO1 6GA

Top of page

Also see

Corporate Governance Team - Information Governance

West Offices, Station Rise, York, YO1 6GA

Telephone: 01904 554145

Comment on this page