Clean Bus Fund Retrofit Privacy Notice

 

Introduction

Transport for Greater Manchester (TfGM) is committed to making sure that we tell you about the ways in which we use your personal information and that we have the right controls in place to make sure it is used responsibly and kept safe from inappropriate access, theft, or misuse.

The Clean Bus Fund (CBF) is part of the Vehicle Renewal Scheme of the Greater Manchester Clean Air Programme (GM CAP) which in this case would offer subsidies to bus operators to retrofit existing Euro IV and V buses.

 

In March 2020 government awarded £15.4m towards bus retrofit funding.  In November 2020 a grant-making and administration system was procured to assist in the distribution of funding to eligible bus operators.  The system is a SaaS solution (Flexi-Grant provided by Fluent Technology).

The system will allow bus operators to register and input company and vehicle information for TfGM to assess eligibility for funding.

TfGM is the data controller for the Clean Bus Fund and Fluent Technology are our processor. Fluent Technology will be using two sub-processors; Postmark and Mailgun to manage emails on behalf of Fluent.

This notice explains how we will use your information and tells you about your privacy rights and how the law protects you.

For further information about our core data protection obligations and commitments please see TfGM’s primary privacy notice.

https://tfgm.com/privacy-policy

 

What information do we collect and why?

Personal data that will be collected includes:

  • Name of the applicant
  • Organisation Email address
  • Organisation Address/postcode
  • Organisation phone number

 

Other data that will be collected includes:

  • Company Number
  • PSV Licence Number of Business
  • Vehicle registered address

 

How do we keep your information safe?

TfGM is committed to the security of the information we collect, and we use reasonable measures to prevent unauthorised access to that information.  We are required to demonstrate that our solutions meet the required levels of personal, procedural, policy, data and technical security. We will only process personal information for the purposes it has been collected or subsequently authorised. 

Fluent and the Flexi-Grant system are is IS027001 certified and Cyber Essentials Certified.

All electronic consultation information will be encrypted with a secure password. Fluent and TfGM will restrict access to your personal information.

 

How long is the information kept for?

Information will kept for a minimum of 5 years from the allocation of the grant and held by TfGM for another 2 years as per the Limitations Act.

 

Where is the data processed?

The data within the Flexi-Grant system is stored and processed within the UK, however Mailgun and Postmark will be used to manage emails to and from Flexi Grant, and this data will be processed in the US. Both organisations follow GDPR compliance.

For any further information about how your data is processed by them please click on the below links:

https://postmarkapp.com/eu-privacy#security-and-privacy

https://www.mailgun.com/gdpr/

 

Lawful basis for processing your information

Our lawful basis for processing under GDPR is:

  • GDPR Article 6(1)(e): the processing is necessary for the performance of its official tasks carried out in the public interest

 

Who we will share your information with?

The information collected will only be used by TfGM. Your personal data will not be shared with any other third parties.

 

Your rights as a data subject (any individual person who can be identified)

The GDPR gives you the following rights over your information:

  • Your right to get copies of your information
  • You have the right to ask for a copy of any information about you that is used.
  • Your right to get your information corrected
  • You have the right to ask for any information held about you that you think is inaccurate to be changed.
  • Your right to limit how your information is used
  • You have the right to ask for the use of any information held about you to be restricted. For example, you can ask this where you think the information TfGM is using is inaccurate.
  • Your right to object to your information being used
  • You can ask for any information held about you not to be used. This is not an absolute right and TfGM may need to continue to use your information. We will tell you why if this is the case.
  • Your right to get your information deleted
  • You can ask for any information held about you to be deleted. This is not an absolute right and TfGM may need to continue to use your information. We will tell you why if this is the case.

To find out what information we hold about you, you need to make a Subject Access Request.  If you wish to exercise any of your information rights including making a Subject Access Request, please contact us on data.protection@tfgm.com.

If you are not satisfied with the response from us, you can complain to the Information Commissioner’s Office. For further details on this and your information rights please visit the Information Commissioner’s Website.

 

Data Protection Officer (DPO)

TfGM is required by law to have a DPO. The DPO has several duties, including:

  • Monitoring the organization’s compliance with data protection law;
  • Providing expert advice and guidance on data protection;
  • Acting as the point of contact for data subjects; and,
  • Co-operating and consulting with the Information Commissioner’s Office (see ‘Complaints’ below).

 

TfGM’s DPO can be contacted at data.protection@tfgm.com.

Further details of how TfGM process your data and how you can exercise your rights are available at www.tfgm.com/privacy-policy.

Further information about data privacy and your rights under the General Data Protection Regulation (the “GDPR”) can be found at the ICO website  www.ico.org.uk/for-the-public.