Personalised rail passenger experience and privacy

Enhancing the passenger experience through personalisation has been the subject of many initiatives in the transport sector and in pursuit of this goal, new systems and technologies are being deployed which capture more data about the state of the network and its passengers than ever before.

Sep 28, 2017

Authors: Helen Treharne, Stephan Wesemeyer, Steve Schneider, Tracy Ross, Andrew May, Stuart Cockbill, Raja N. Akram, Konstantinos Markantonakis, Simon P. Blainey, James A. Pritchard, and Matthew Casey


In this article the authors discuss the implications of this data collection in terms of its potential benefits to the customer experience, its impact on passenger privacy, the information security risks to the industry from storing all this personal data as well as the need for data provenance and how anonymisation of data will impact its provenance and utility.

It is imperative for the industry to look at the trade-offs between the need to store personal data to provide an improved customer service and the legal ramifications of doing so, especially in the light of the incoming General Data Protection Regulation (GDPR) [1] (to be enacted in UK law by May 2018) which makes organisations liable for a substantial fine in the case of a serious data security breach.

To help operators address these data protection and legal compliance issues, the authors provide a brief overview of existing privacy and security frameworks, standards and guidelines which can assist the industry in utilising a best practice and well-established approach.


Passenger numbers have grown substantially on many (although not all) railway systems around the world in recent years. This growth in traffic has increasingly been paralleled by an increase in passenger expectations regarding the quality of the journey experience which is provided by rail operators. Other modes (notably the private car) have seen a step change in the level of information provision and on-board equipment provided over the last two decades. Rail operators are therefore under pressure to provide a similar level of improvements if they do not want to risk their market share being eroded, particularly if autonomous road vehicles achieve widespread adoption. This paper draws on previous research which studied the customer experience of passengers with assistance needs [2] as well as on-going research on passengers whose journeys have the highest environmental and economic impact [3]. While both pieces of research share the idea that personal data can be a great enabler of a personalised experience, in this article we focus on customer privacy as well as the legal challenges posed by the gathering of personal data required to enable such a solution.

Data and the Rail Customer Experience

Defining the Customer Experience

Rail Delivery Group (RDG)’s submission to House of Commons Transport Select Committee on “Improving Rail Passenger Experience” [4] makes it clear that rail passengers expect more from train operators than just being transported from A to B. It describes an ideal end-to-end journey experience which allows passengers to plan, book, pay for their journey and then travel confidently knowing that they will be informed about any potential disruptions or changes to their journey by the operators. While many train operators have implemented or at least trialled parts of this vision, there is still no holistic, industry-wide approach addressing all of the associated issues raised by this ideal customer experience.

There are many customer journey experience pinch points as captured by RDG’s “Customer Heartbeat” study [4] which graphs the different stages of a typical journey and their relative importance against the service delivered. While useful, the “Heartbeat” graph is limited by its high-level, generic view of a “typical customer”. Indeed, our research in [2] showed that passengers with assistance needs have very different requirements due to the diverse nature of each passenger’s impairment (wheelchair, visually impaired, vulnerable, etc.). Generalising from the findings in [2], there is unlikely to be a “one-size-fits-all” solution as:

  • commuters are likely to be more interested in the least busy carriage on the next fastest train;
  • occasional/leisure travellers are likely to be more concerned with finding a seat and getting detailed information about the route/destinations;
  • travellers with assistance needs might require physical assistance as well as good accessibility information about the trains and stations which are part of their journey, etc.

Thus, different passengers require different personalised solutions and in order for the train operators to be able to provide this customised information, they will need to know much more about the characteristics of the individual or the specific context of the journey.

Personal data as an enabler

The following personal data was identified as useful in [2] for providing timely and relevant information to passengers:

  • Journey Plans: Knowing where and when a passenger wants to travel is needed to alert them to delays/disruptions
  • Name: Allows staff/messages to provide a more personal touch
  • Location: Using a passenger’s location enables services like nearest station information, available facilities (on train/at station), accessibility-aware station guidance, etc.
  • Photo: Helps staff find and identify any passengers requiring assistance more quickly thus reducing passenger anxiety of being forgotten as well as cutting dwell-time at stations.
  • (Dis-)abilities and related information: Helps staff provide efficient and effective assistance.
  • Degree of familiarity and confidence with a particular journey/station, and the rail system in general

Clearly, some of this data is very personal (medical information, photo) while other data, especially when captured over time, can reveal additional information, e.g. a passenger’s working hours, home/work address and more can be inferred from their location/journey history. Thus, the question arises of how much of this information is actually needed to provide the desired service and for how long should it be retained once the service has been fulfilled.

Data protection: current and future legislation

Clearly, gathering the information described above under “Personal data as an enabler” has privacy implications for the passengers and data protection ones for the operators, and this section discusses the current legislation governing the safeguarding of users’ privacy and any Personally Identifiable Information (PII). For the UK, the most important authority for data protection and privacy issues is the Information Commissioner’s Office (ICO) which is tasked with enforcing the Data Protection Act (DPA) of 1998 [5] (the UK’s implementation of the European Data Protection Directive (Directive 95/46/EC) [6]). It enshrines the following 8 principles in law to make sure PII is:

  1. used fairly and lawfully
  2. used for limited, specifically stated purposes
  3. used in a way that is adequate, relevant and not excessive
  4. accurate
  5. kept for no longer than is absolutely necessary
  6. handled according to people’s data protection rights
  7. kept safe and secure
  8. not transferred outside the European Economic Area without adequate protection

There is stronger legal protection for more sensitive information, such as ethnic background, political opinions, religious beliefs, health, sexual health and criminal records. The DPA governs what organisations holding PII need to do to comply with the law. In particular, all UK companies which process PII need to register the fact with the ICO (unless exempted).

In the context of this paper, principle 2 (limited, specific use), principle 3 (adequate and not excessive), principle 5 (not kept longer than necessary) and principle 7 (kept safe and securely) are arguably the most relevant ones together with the fact that data of passengers who need assistance benefits from stronger legal protection. Train operators must ensure that their current systems are compliant with these principles.

Moreover, the European General Data Protection Regulation (GDPR) [1] updates data and privacy protection throughout Europe and comes into force in the UK in May 2018 [7] (despite the UK’s decision to leave the European Union). It means that personal data is no longer limited to name, address, etc. but includes any data that allows an individual to be identified, including location data, MAC addresses, etc.

Moreover, the GDPR requires organisations to build applications with “Data protection by design and by default”. The ICO already recommends a “Privacy by Design” (PbD) approach [9], but this will become a much stronger requirement under the GDPR. Other implications (including likely cost/benefits) of the GDPR are discussed in [10] with details on how businesses in the UK will be impacted and what steps organisations need to take to be compliant. Of particular importance, though, are the fines which can be imposed for data security breaches. Depending on the severity of the breach, these can reach up to €20 million or 4% of annual turnover (whichever is the higher).

Consequently, train operators need to assess what PII needs to be stored, for what purpose, for how long and what the privacy ramifications are if their systems are breached and passengers’ PII is leaked.

Passenger data: implications for privacy, utility and service provision

To ensure that appropriate safeguards are applied to protect PII, the ICO-recommended “Privacy-by-Design” approach implements the security principle of “least privilege” by either not storing any PII in the first place or only storing the minimum required and for just as long as necessary to provide the desired service. Therefore train operators need to weigh up the benefits of holding PII for, say, customer segmentation and profiling against the information security risk associated with it. The following examples illustrate how similar services can be provided with different technologies using data ranging from purely anonymous to PII:

Service | Technical solution | Accuracy / comments | Privacy
Determining crowding on trains | Weight sensors on coaches | Sufficiently accurate for a simple traffic-light indicator but too coarse for precise passenger numbers |
 | Heat maps generated from anonymised CCTV/thermal camera footage | As above |
 | Infrared (IR) sensors above doors | High accuracy |
 | Smart ticketing | Rough estimate of total passengers per train but not per coach | Anonymous only if aggregated
 | WIFI/Bluetooth scanning of smart devices using WIFI routers in coaches | Good accuracy as ~80% of passengers have a smart phone in the UK but raises important privacy issues, especially if passengers have not consented to having their device details scanned and stored. | Anonymous only if aggregated
 | Facial recognition and tracking using on-train/station CCTV cameras | Potentially the most accurate crowding estimates. Could also provide valuable insights into passenger touchpoints at stations. As with WIFI, consent is an issue. | Arguably highly intrusive
 | Proactive (push) | | Requires journey details and contact
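The “anonymous only if aggregated” rows above hinge on one design decision: device identifiers seen by an on-train scanner are used to deduplicate within a scan interval and then thrown away, so only a count per coach survives. The following added example (not code from the paper or its prototype) shows that pattern end to end: distinct-device counting, suppression of counts too small to be safely released, and the coarse traffic-light indicator the table mentions. The coach capacities, the 5-device suppression threshold, the traffic-light bands and the scan data are constructed for illustration.

```python
"""Added example: per-coach crowding from device scans, retained only as counts."""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Traffic-light bands as a fraction of seated capacity (assumed values).
AMBER_FROM = 0.5
RED_FROM = 0.8


def count_devices(observations: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Deduplicate device identifiers within one scan interval and return only
    the number of distinct devices per coach. The identifier sets are local to
    this call and are discarded on return, so nothing identifying persists."""
    seen = defaultdict(set)
    for coach, device_id in observations:
        seen[coach].add(device_id.lower())
    return {coach: len(devices) for coach, devices in seen.items()}


def suppress_small_counts(counts: Dict[str, int], threshold: int = 5) -> Dict[str, Optional[int]]:
    """Withhold counts below the threshold (None): one or two devices in a
    known coach at a known time can single out an individual."""
    return {coach: (n if n >= threshold else None) for coach, n in counts.items()}


def traffic_light(count: Optional[int], capacity: int) -> str:
    """Map a released count to the coarse indicator shown to passengers."""
    if count is None:
        return "unknown"
    load = count / capacity
    if load >= RED_FROM:
        return "red"
    if load >= AMBER_FROM:
        return "amber"
    return "green"


def crowding_report(observations: Iterable[Tuple[str, str]],
                    capacities: Dict[str, int], threshold: int = 5) -> Dict[str, str]:
    """End to end: scan observations in, per-coach indicator out.
    No device identifier is stored anywhere along the way."""
    released = suppress_small_counts(count_devices(observations), threshold)
    return {coach: traffic_light(released.get(coach), cap) for coach, cap in capacities.items()}


# Constructed scan interval: (coach, device MAC) pairs. One device in coach A is
# seen twice and must not be double-counted; coach B has too few devices to release.
SAMPLE_SCAN = [
    ("A", "02:00:00:00:00:01"), ("A", "02:00:00:00:00:02"), ("A", "02:00:00:00:00:03"),
    ("A", "02:00:00:00:00:04"), ("A", "02:00:00:00:00:05"), ("A", "02:00:00:00:00:06"),
    ("A", "02:00:00:00:00:01"),
    ("B", "02:00:00:00:00:10"), ("B", "02:00:00:00:00:11"),
] + [("C", f"02:00:00:00:01:{i:02x}") for i in range(12)]
SAMPLE_CAPACITIES = {"A": 60, "B": 60, "C": 20}

if __name__ == "__main__":
    print(crowding_report(SAMPLE_SCAN, SAMPLE_CAPACITIES))
    # {'A': 'green', 'B': 'unknown', 'C': 'amber'}
```

The suppression step is what makes the released figures aggregate rather than personal: a coach reporting “2 devices” at a known time and place is a partial re-identification, whereas “unknown” leaks nothing. The identifier sets live only inside `count_devices`, so nothing that could be matched against a later scan is ever written down.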


As can be seen, with the exception of personal assistance², most of the services can be offered in a privacy-preserving manner which does not require the user to relinquish any PII. If, however, the passenger does decide to relinquish their anonymity for a more personalised service (e.g. proactive push notifications versus pull requests¹), then the question remains for how long this information should be stored beyond the duration of the journey. The DPA mandates that data shall not be kept for longer than needed, and arguably the end of the journey is when the passenger-specific data has served its purpose and should either be anonymised or deleted entirely. In fact, because of the unknown impact of future technologies on de-anonymisation, “deleting the data is a more privacy-friendly solution and preferable, although this may entail a trade-off with the utility of the data” [8].

¹ The current National Rail Enquiries application [13] already provides proactive disruption alerts for regular journeys but lacks personalised re-routing capabilities.

² According to [2], some passengers valued the interaction with staff who ask them about their assistance requirements as it made them feel less like an object to be moved efficiently.

Furthermore, while using PII to offer an improved customer experience raises very important privacy concerns, there are also still a number of technical challenges to be addressed by the industry before this vision can be fully delivered. In [2] it was shown that even simple advice, e.g. re-routing in case of disruption, or what facilities are available in which coach to assist with boarding, will require a number of improvements to existing systems as they lack some of the necessary functionality or do not provide sufficiently detailed information:

  • The National Rail Enquiries (NRE) journey planner does not yet take fully into account station accessibility for passengers with assistance needs, nor is it aware of currently reported faults at stations (e.g. out-of-order lifts, etc.) which might make a re-calculated route inaccessible to those passengers.
  • There is no publicly available feed providing up-to-date consist information of trains. Consequently, there is presently no reliable source of the location of facilities on coaches (e.g. cycle storage or dedicated spaces for wheelchair users or passengers with prams).
  • Identifying which coach a passenger is in can be achieved by using a mapping which matches WIFI access points to their coaches. While such a mapping exists for a number of operators, these feeds are not publicly available, nor is the list guaranteed to be up-to-date or accurate.
  • Platform staff should be aware of where wheelchair spaces are on the train so that boarding the train is not stressful.
  • On-train staff should be aware of passengers who need their assistance so that getting on and off a train is a smooth experience.
  • Station staff should be present at the right time and place when passengers need to alight from the train.
  • Passengers are generally happy to consent to their information being stored if it provides a better customer experience and it is not used for other purposes (especially marketing).

In summary, the operators need to tackle a number of technical issues as well as designing any new application such that it puts the user in control of when and for what purpose their data is used, while ensuring that any PII handled by operators is processed in a DPA/GDPR compliant manner.

Anonymisation and data provenance

It is also important for a customer to be able to verify that an operator handles PII in a compliant manner, and one potential way of achieving this is to provide data governance transparency to passengers by deploying a data provenance framework. This framework would collect the history of both system and user data from its inception point and track how it was collected, stored, shared and processed, providing passengers with a transaction history of their data. Furthermore, it also enables external and internal auditability of an organisation’s (e.g. a train operating company’s) data governance policies, to which the passenger might have agreed when signing up for the service.

On the other hand, an organisation might want to avoid storing PII data by anonymising it and thereby breaking the link between actual data and its anonymised form. However, in this case care must be taken that the data provenance records associated with the anonymisation process do not contain or reveal any of the PII or can be used to assist with de-anonymisation attempts. For an organisation, the simplest solution is to break the link between data provenance records when data is anonymised. Alternatively, all data provenance records that remain associated with the anonymised data must not reveal any PII. Our on-going research [3] will tackle the challenge of resolving the apparent contradiction of providing full data provenance across the actual data and its anonymised form.
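The two ideas of this section and the retention point made earlier (delete or anonymise passenger-specific data once the journey has ended) fit together in a small amount of code. The added example below is not from the paper or the DICE project; it is a passenger record store whose provenance log records who collected, shared or processed a record and for what purpose, but never the data itself, and whose journey-end step takes the paper’s “simplest solution”: the record is folded into an aggregate count and its provenance chain is dropped with it, so that nothing links the aggregate back to the passenger. The record fields, staff roles, purposes and the audit rule are assumptions for illustration.

```python
"""Added example: provenance logging that holds no PII, with link-breaking
anonymisation at journey end."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Keys this example treats as personal data (assumed names for the paper's data items).
PII_FIELDS = {"name", "photo", "contact", "location", "assistance_needs", "journey"}


@dataclass(frozen=True)
class ProvenanceEvent:
    record_id: Optional[str]  # opaque handle; None for events about anonymised data
    action: str               # collected | shared | processed | anonymised
    actor: str                # staff role or system component
    purpose: str              # the purpose the passenger consented to
    at: str                   # ISO-8601 UTC timestamp


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class PassengerDataStore:
    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}                   # record_id -> personal data
        self.provenance: Dict[str, List[ProvenanceEvent]] = {}
        self.aggregates: Dict[Tuple[str, str], int] = {}    # (route, category) -> count
        self.aggregate_events: List[ProvenanceEvent] = []   # chain for anonymised data

    def _log(self, record_id: str, action: str, actor: str, purpose: str) -> None:
        self.provenance.setdefault(record_id, []).append(
            ProvenanceEvent(record_id, action, actor, purpose, _now()))

    def collect(self, data: dict, actor: str, purpose: str) -> str:
        """Store a record under a random handle that is unrelated to its content."""
        record_id = secrets.token_hex(8)
        self.records[record_id] = dict(data)
        self._log(record_id, "collected", actor, purpose)
        return record_id

    def share(self, record_id: str, with_actor: str, purpose: str) -> dict:
        """Give staff the record for the journey; log who saw it and why, not what."""
        if record_id not in self.records:
            raise KeyError("unknown or already deleted record")
        self._log(record_id, "shared", with_actor, purpose)
        return self.records[record_id]

    def history(self, record_id: str) -> List[ProvenanceEvent]:
        """The transaction history a passenger can be shown for their own record."""
        return list(self.provenance.get(record_id, []))

    def end_journey(self, record_id: str) -> Tuple[str, str]:
        """Retention ends with the journey: keep only an aggregate count keyed by
        route and assistance category, and drop the record's provenance chain with
        the record so that nothing links the aggregate back to the passenger."""
        record = self.records.pop(record_id)
        self.provenance.pop(record_id)  # break the link (the paper's simplest option)
        bucket = (record["journey"]["route"], record["assistance_needs"])
        self.aggregates[bucket] = self.aggregates.get(bucket, 0) + 1
        # The anonymised data's own chain carries no passenger handle at all.
        self.aggregate_events.append(
            ProvenanceEvent(None, "anonymised", "retention-job", "service statistics", _now()))
        return bucket


def audit_provenance(store: PassengerDataStore) -> bool:
    """A check an auditor could run: every surviving per-record chain belongs to a
    live record, anonymised-data events carry no handle, and no event field
    repeats a personal-data key or a live personal-data value."""
    if set(store.provenance) != set(store.records):
        return False
    if any(ev.record_id is not None for ev in store.aggregate_events):
        return False
    live_values = {str(v) for rec in store.records.values() for v in rec.values()}
    all_events = list(store.aggregate_events) + [
        ev for chain in store.provenance.values() for ev in chain]
    for ev in all_events:
        for text in (ev.action, ev.actor, ev.purpose):
            if text in PII_FIELDS or text in live_values:
                return False
    return True


# Constructed sample record (no real passenger).
SAMPLE_PASSENGER = {
    "name": "A. Passenger",
    "contact": "example@example.invalid",
    "assistance_needs": "wheelchair",
    "journey": {"route": "GLD-WAT", "date": "2017-09-28", "train": "09:12"},
}


def demo() -> Tuple[int, bool, int]:
    """Collect, share with station staff, end the journey; return what an auditor sees."""
    store = PassengerDataStore()
    rid = store.collect(SAMPLE_PASSENGER, "mobile-app", "assisted journey")
    store.share(rid, "station-staff:GLD", "boarding assistance")
    events_during_journey = len(store.history(rid))  # collected + shared
    store.end_journey(rid)
    return events_during_journey, audit_provenance(store), store.aggregates[("GLD-WAT", "wheelchair")]
```

The alternative the paper names, keeping provenance records attached to the anonymised data, is what `aggregate_events` models: those events are allowed to survive only because they carry no record handle and no payload, which is exactly what `audit_provenance` verifies.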

Addressing the GDPR compliance challenges: Privacy and security frameworks, guidelines and standards

To address the compliance issues as well as security and privacy concerns, many ready-to-use frameworks and standards have been developed over the years and arguably the most recognised framework is the ISO/IEC 27000 [16] family of documents describing the standards for implementing and securing an Information Security Management System (ISMS). The series of documents provides recommendations on how to conduct information security risk assessment, implement controls and conduct an audit. Furthermore, ISO/IEC 29100 [4] augments ISO/IEC 27000 with a privacy framework which aims to formalise the process an organisation should follow when dealing with PII to minimise the privacy risks to the individual. While the ISO/IEC standards are well-established (especially within Europe), their main drawback is that they are not freely available. On the other hand, they allow companies to be audited and gain accreditation for the various standards which, while not guaranteeing protection from security breaches or privacy leaks, should at least increase customer trust in the organisation.

The National Institute of Standards and Technology (NIST) is an American body akin to the British Standards Institution. It has also published a number of documents dealing with Information Security Management and Privacy. The main advantage of NIST documentation is that it is freely available. NIST publications [17], [18], [19], [20], [21], [22], [23] cover similar Information Security Management concepts to the ISO/IEC 27000 family of standards, while [24] is the NIST privacy counterpart to ISO/IEC 29100.

Although the NIST special publications are US-centric, they are nevertheless an invaluable resource for ensuring that good information security and privacy practices are adhered to within an organisation where accreditation is not a requirement.

Similarly, both the ISO/IEC and NIST privacy frameworks are good starting points, but here the caveat is that it is crucial to obtain proper legal advice on the data protection and privacy laws of the country in which an organisation operates to ensure compliance.

Lastly, the Information Commissioner’s Office (ICO) has also produced a number of recommendations and guidelines ([5], [9], [25], [26], [27], [28]) to help organisations ensure that they follow best data protection and privacy practice.

In particular, the ICO guidance on privacy notices [28] addresses a very important aspect central to the upcoming GDPR: organisations need to obtain informed consent from their users before being allowed to process their data. In particular, it is not acceptable to rely on complex privacy notices that users are either not going to read or understand. The notices need to make it very explicit and easy to understand what data is collected and for what reasons.

In summary, while the information provided in this section should only be used as a starting point for an information security and privacy policy tailored to the needs of a specific organisation, the reviewed documents provide well-established approaches from which such DPA and GDPR compliant documentation can be readily developed. In particular, they provide guidance on the whole data management lifecycle including the “least privilege” principle of minimising the amount of data that is collected and stored; how it should be anonymised or preferably deleted once it is no longer required; and how a user’s informed consent must be obtained before any data can be collected.

Building a privacy-preserving application

Approach and design

As part of the research in [2], a prototype mobile application was developed to demonstrate the feasibility of providing an improved customer experience whilst preserving the privacy of the passenger where possible. As part of the study, interviews were carried out with a small sample of passengers with additional assistance needs to establish what can be done to improve their customer experience and what privacy concerns the passengers have when sharing personal information. The main findings were that:

  • Passengers wanted staff to be able to find them or to be able to find staff themselves.

As can be seen, the main issues are around allowing people to locate each other and being aware of the presence of passengers who need assistance.

These requirements formed the basis for a mobile phone application illustrating how mobility-impaired passengers, e.g. wheelchair users, could be supported by using existing and new data feeds together with a mobile application which is aware of the user’s current location while minimising the amount of personal information stored.

The idea of the application was to provide the current PassengerAssist experience of booking a journey with the appropriate assistance made available during the various stages to users without the need to use the PassengerAssist service thus enabling a possible “turn up and go” experience for passengers. It also served to identify the need for new or enhanced data feeds.

Prototype functionality

Functionality | Data feed requirement
Allow the passenger to plan their journey but within the constraints of the assistance they need, e.g. show that a station might not have the required assistance for the time of travel as it is only staffed during certain hours, etc. | The NRE journey planner needs to incorporate assistance constraints at stations in its journey calculation
Show that the user is at the station and locate any facilities (e.g. shops, nearest lifts, toilets, assistance points) | Requires an improved station information feed as well as in-station localisation (e.g. beacons)
Indicate the coach the passenger is in. Used to locate both staff and passenger as well as the facilities available on the train. Also used to alert station staff at the final stop to inform them from which coach the passenger is alighting. | A mapping linking WIFI access points to coaches was used. To be truly usable, the consist of a train needs to be available and kept up to date during the day.

Privacy analysis of the prototype

The prototype was designed with the least privilege principle in mind. In its current form, the application stores all the user details, including their assistance needs, on the device. The prototyped journey planner functionality uses the assistance requirements to constrain the travel planning with no need to transmit any personal information as part of the query. Nevertheless, the on-line journey planner would also need to discard the information as soon as the request has been serviced to avoid the potential of de-anonymising the passenger from the supplied information using third-party data sources.

Once a journey has been booked, the assistance requirements together with the personal information were assumed to be made available to the station staff and the on-train staff. Again, this information only needs to be stored until the end of the journey.

The journey details can then be used to trigger various events as and when required, e.g. staff can be alerted that a passenger who requires assistance is scheduled to arrive soon. Similarly, the user can be prompted to confirm their location so that staff can find them more easily.

The application uses WIFI scanning of public access points to determine its location so instead of the user being passively scanned, the passenger carries out the scanning and uses the MAC address of the WIFI points to determine their location. Again, there is no need to transmit any user information as part of the localisation request.
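The inversion described here, the phone scanning the train rather than the train scanning the phone, is what keeps the device identifier off the wire. The added example below (not the prototype’s code) shows the device-side logic: match the BSSIDs seen in a Wi-Fi scan against an operator-published access-point-to-coach mapping, ignore unknown and weak signals, refuse to guess when two coaches are too close to call, and smooth over several scans so that one stale or mis-mapped access point (the accuracy caveat raised earlier about these feeds) does not misplace the passenger. Only the resulting unit and coach ever leave the phone. The mapping, the signal thresholds and the scans are constructed for illustration.

```python
"""Added example: device-side coach localisation from Wi-Fi scans."""
from collections import Counter, deque
from typing import Deque, Dict, Iterable, Optional, Tuple

Coach = Tuple[str, str]  # (train unit, coach letter)

# Constructed mapping feed: on-train access point BSSID -> coach it is fitted in.
AP_TO_COACH: Dict[str, Coach] = {
    "02:1a:00:00:01:01": ("unit-123", "A"),
    "02:1a:00:00:01:02": ("unit-123", "B"),
    "02:1a:00:00:01:03": ("unit-123", "C"),
    "02:1a:00:00:02:01": ("unit-456", "A"),  # a different train on the adjacent platform
}


def locate_from_scan(scan: Iterable[Tuple[str, int]], mapping: Dict[str, Coach],
                     min_rssi: int = -80, margin_db: int = 6) -> Optional[Coach]:
    """Pick the coach whose access point is strongest in one scan.
    BSSIDs not in the mapping (public or passengers' own hotspots) are ignored,
    weak signals are dropped, and the result is withheld when the two best
    coaches are within margin_db of each other."""
    strongest: Dict[Coach, int] = {}
    for bssid, rssi in scan:
        coach = mapping.get(bssid.lower())
        if coach is None or rssi < min_rssi:
            continue
        if coach not in strongest or rssi > strongest[coach]:
            strongest[coach] = rssi
    if not strongest:
        return None
    ranked = sorted(strongest.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] - ranked[1][1] < margin_db:
        return None  # ambiguous: do not guess
    return ranked[0][0]


class CoachLocator:
    """Keeps only the last few coach guesses (never the raw scans) and reports
    the majority, which rides out a single stale or mis-mapped access point."""

    def __init__(self, mapping: Dict[str, Coach], window: int = 3) -> None:
        self.mapping = mapping
        self.recent: Deque[Coach] = deque(maxlen=window)

    def update(self, scan: Iterable[Tuple[str, int]]) -> Optional[Coach]:
        guess = locate_from_scan(scan, self.mapping)
        if guess is not None:
            self.recent.append(guess)
        return self.current()

    def current(self) -> Optional[Coach]:
        """Majority of the recent guesses, or None until there is one."""
        if not self.recent:
            return None
        coach, votes = Counter(self.recent).most_common(1)[0]
        return coach if votes * 2 > len(self.recent) else None

    def staff_notice(self) -> Optional[dict]:
        """The only message that leaves the phone: unit and coach, nothing
        about the device or the passenger."""
        coach = self.current()
        if coach is None:
            return None
        return {"unit": coach[0], "coach": coach[1]}


# Constructed scans: (BSSID, RSSI in dBm). SCAN_1 has an unknown hotspot and a
# weak neighbouring train; SCAN_2 is ambiguous between coaches B and C.
SCAN_1 = [("02:1a:00:00:01:02", -45), ("02:1a:00:00:01:01", -60),
          ("aa:bb:cc:dd:ee:ff", -40), ("02:1a:00:00:02:01", -85)]
SCAN_2 = [("02:1a:00:00:01:02", -50), ("02:1a:00:00:01:03", -52)]
SCAN_3 = [("02:1a:00:00:01:03", -40), ("02:1a:00:00:01:02", -70)]
SCAN_4 = [("02:1a:00:00:01:02", -42), ("02:1a:00:00:01:01", -75)]

if __name__ == "__main__":
    locator = CoachLocator(AP_TO_COACH)
    for scan in (SCAN_1, SCAN_2, SCAN_3, SCAN_4):
        print(locator.update(scan))
    print(locator.staff_notice())
```

Note that the mapping itself is operator data and contains no passenger information, so publishing it to the app carries none of the consent problems that scanning passengers’ devices from the train would.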

Once the passenger has arrived at the station, staff and passenger can find each other using each other’s locations. This requires that staff have access to the personal details and assistance requirements of the passenger. Staff training should ensure that staff are aware of their obligations under the DPA to handle this sensitive personal information appropriately.

In the case of disruptions, the system is aware of the journey details of the user and can send an alert. The journey can then be replanned based on the disrupted service information and accessibility needs. While the user needs to share some personal details, there is no need to store them beyond the end of the journey at which point all PII should be anonymised/deleted.

Lessons learnt

The prototype showed that a location-aware mobile phone application, which keeps personal data on the device and only shares it as agreed by the user, can be used to enhance the customer experience of passengers with assistance needs while also highlighting that their PII does not need to be stored by the operators for longer than required.

It is clear that these findings are not restricted to passengers with assistance needs but apply equally to the other categories of passengers. Our on-going research [3] is attempting to demonstrate how passengers in the other categories could share even less personal data to obtain a similar service.


Evaluating the impact

It is likely that the provision of an improved customer experience will lead to some level of growth in rail passenger numbers on the affected flows, made up both of newly generated trips and of trips transferred from other modes. The expected scale of these impacts can be quantified based on econometric methods summarised in the Passenger Demand Forecasting Handbook [14]. This involves converting the impact of the improved experience into an equivalent change in journey time or fare, although depending on the precise nature of the delivered improvements a stated preference exercise could be necessary to establish an appropriate conversion factor. If the additional demand is captured from more polluting modes then this could help to reduce carbon emissions, and guidance on estimating the scale of these reductions is given in the UK government’s transport appraisal guidance [15].


While improving customer satisfaction and hence numbers is important to the rail industry, there is a similar need to investigate trade-offs between this data collection and the associated information security and privacy risks, especially given the potential financial liabilities imposed by the upcoming GDPR in case of a data security breach. Transportation operators should therefore undertake a number of steps when collecting and using personal data:

  • A Privacy Impact Assessment [5] should be conducted to establish any impact on the passengers’ privacy of any new system.
  • The “Privacy by Design” [9] principle should be applied as part of the design of any new system. In particular, applications should use a “privacy by default” approach which requires users to opt in to share their data rather than actively having to opt out.
  • The principle of least privilege should be applied when collecting personal data, with operators requesting as little information as possible to provide a service and only retaining it for as long as it is required.
  • Informed consent should be obtained from the users as to how their personal data is used, which is already a legal requirement under the DPA and made more explicit under the GDPR.
  • Any PII should be anonymised if possible, either by aggregation or by other means as detailed in [27].
  • Existing frameworks by NIST and ISO/IEC should be used to help manage the information security and privacy aspects of the data in a structured and effective manner.

While the research described here is based on the UK rail industry, similar principles will apply in all contexts where transport companies make use of individual data to enhance the customer experience. If these steps are followed, then it should be possible to provide a significantly enhanced service to public transport users without compromising the security of their personal information, thereby enabling transport operators to meet the demands of their customers.


  1. European Commission, “Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation),” [Online]. Available: [Accessed 03 02 2017].
  2. May, A., and Ross, D.,“D1 and 8 User reqmts eval,” [Online]. Available: [Accessed 03 02 2017].
  3. DICE project, “Improving customer experience while ensuring data privacy for intelligent mobility,” [Online]. Available: [Accessed 20 02 2017].
  4. Rail Delivery Group, “Improving Rail Passenger Experience,” [Online]. Available: [Accessed 20 02 2017].
  5. Information Commissioner's Office (ICO), “Guide to data protection,” 31 January 2017. [Online]. Available: [Accessed 03 02 2017].
  6. European Parliament and the Council of the European Union, “Directive 95/46/ec of the European Parliament and of the Council of 24 october 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” 24 October 1995. [Online]. Available: [Accessed 21 April 2017].
  7. E. Denham, “How the ICO will be supporting the implementation of the GDPR,” 31 October 2016. [Online]. Available: [Accessed 20 April 2017].
  8. S. Y. Esayas, “The role of anonymisation and pseudonymisation under the EU data privacy rules: beyond the all or nothing approach,” European Journal of Law and Technology, vol. 6, no. 2, 2015.
  9. ICO, “Privacy by Design,” no.
  10. London Economics, “Implications of the European Commission’s proposal for a general data protection regulation for business,” May 2013. [Online]. Available: [Accessed 20 April 2017].
  11. UK Parliament, “Data Protection Act 1998,” [Online]. Available: [Accessed 03 02 2017].
  12. Gizmodo UK, “Gizmodo UK,” [Online]. Available: [Accessed 20 02 2017].
  13. National Rail Enquiries, “Mobile Apps,” [Online]. Available: [Accessed 20 April 2017].
  14. Association of Train Operating Companies (ATOC), Passenger Demand Forecasting Handbook v5.1, ATOC, London, 2013.
  15. Department for Transport (DfT), “TAG Unit A3: Environmental Impact Appraisal,” December 2015. [Online]. Available: [Accessed 20 April 2017].
  16. International Organization for Standardization (ISO) & International Electrotechnical Commission (IEC), “ISO/IEC 27000 family - Information security management systems,” [Online]. Available: [Accessed 20 April 2017].
  17. National Institute of Standards and Technology (NIST), “SP 800-12r1: An introduction to computer security: The NIST handbook(Draft),” January 2017. [Online]. Available: [Accessed 20 April 2017].
  18. NIST, “SP 800-14: Generally accepted principles and practices for securing information technology systems,” September 1996. [Online]. Available: [Accessed 20 April 2017].
  19. NIST, “SP 800-30 Rev 1, Guide for Conducting Risk Assessments,” September 2012. [Online]. Available: [Accessed 20 April 2017].
  20. NIST, “SP 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations,” 22 January 2015. [Online]. Available: [Accessed 20 April 2017].
  21. NIST, “SP 800-53A Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans,” 18 December 2014. [Online]. Available: [Accessed 20 April 2017].
  22. NIST, “SP 800-64 Rev. 2: Security Considerations in the System Development Life Cycle,” October 2008. [Online]. Available: [Accessed 20 April 2017].
  23. NIST, “SP 800-100: Information Security Handbook: A Guide for Managers,” 7 March 2007. [Online]. Available: [Accessed 20 April 2017].
  24. NIST, “SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” April 2010. [Online]. Available: [Accessed 20 April 2017].
  25. ICO, “What is personal data?,” 123 December 2012. [Online]. Available: [Accessed 20 April 2017].
  26. ICO, “WI-FI location analytics,” 02 February 2016. [Online]. Available: [Accessed 20 April 2017].
  27. ICO, “Anonymisation: Managing data protection risk: code of practice,” November 2012. [Online]. Available: [Accessed 20 April 2017].
  28. ICO, “Privacy notices, transparency and control: A code of practice on communicating privacy information to individuals,” 7 October 2016. [Online]. Available: [Accessed 20 April 2017].
  29. Technical Strategy Leadership Group, “Railway of the future - Railway Technical Strategy,” 2012. [Online]. Available: [Accessed 03 02 2017].
  30. NIST, “SP 800-39: Managing Information Security Risk: Organization, Mission, and Information System View,” March 2011. [Online]. Available: [Accessed 20 April 2017].
Helen Treharne

Head of Computer Science, University of Surrey