Data Governance of National Entitlement Card: FOI release

Information request and response under the Freedom of Information (Scotland) Act 2002


Information requested

You asked for the following information regarding the National Entitlement Card (NEC) Under‑22 (Young Persons’) free bus travel scheme:

1. Hosting infrastructure: type, physical location(s) of servers/data centres

2. Categories of personal & transactional data stored (e.g., identity, travel history)

3. Identities of data controllers and processors (e.g., Transport Scotland, Dundee NECPO, Unicard Ltd), and any third parties

4. Data access policies: roles with access, access controls, retention periods

5. Security measures: encryption, pen testing, certifications; most recent audit date, result

6. Oversight mechanisms: internal/independent audits, DPIAs, GDPR/Data Protection Act compliance

7. Data sharing practices: with whom data is shared, legal basis for sharing

Response

Some of the information you have requested is available online. Where this applies, it is explained in the response below and links are provided to the information requested. Under section 25(1) of FOISA, we do not have to give you information which is already reasonably accessible to you. If, however, you do not have internet access to obtain this information from the websites listed, then please contact me again and I will send you a paper copy.

The responses below relate to the systems managed by Transport Scotland.

1. Hosting infrastructure: type, physical location(s) of servers/data centres

The two main systems, managed by Transport Scotland, used to process transactions relating to the Young Persons’ Free Bus Travel Scheme, use dedicated server hosting infrastructure with data centres located in Maidenhead, Central London and Hampshire.

2. Categories of personal & transactional data stored (e.g., identity, travel history)

The categories of personal and transactional data stored are already published on the Transport Scotland website and can be found in the Concessionary Travel and Smart Ticketing Privacy Policy under “The personal information we hold about you”.

3. Identities of data controllers and processors (e.g., Transport Scotland, Dundee NECPO, Unicard Ltd), and any third parties

Transport Scotland is an executive agency of the Scottish Government. Transport Scotland is a data controller on behalf of Scottish Ministers relating to the Young Persons’ Free Bus Travel Scheme. A list of third party data processors is already published on the Transport Scotland website and can be found in the Concessionary Travel and Smart Ticketing Privacy Policy under “Sharing of Your Personal Information”.

Further information on data controllers and other data processors for registrations and applications made online using getyournec.scot is already published on getyournec.scot and can be found in The getyournec.scot Privacy Notice under “Our role in your privacy”.

The Improvement Service and Local Authorities are Joint Data Controllers for all data related to a cardholder within the NEC Card Management System.

4. Data access policies: roles with access, access controls, retention periods

Transport Scotland managed systems used to process transactions relating to the Young Persons’ Free Bus Travel Scheme are restricted by IP address. User permissions are limited to individual user roles and responsibilities for staff at Transport Scotland and Smart Applications Management required for the scheme. User access to relevant systems is managed by a team within Transport Scotland who have a robust and auditable control process.

Details of retention periods are already published on the Transport Scotland website and can be found in the Concessionary Travel and Smart Ticketing Privacy Policy under “How Long we Hold Your Personal Information”.

5. Security measures: encryption, pen testing, certifications; most recent audit date, result

Suppliers of the Transport Scotland managed systems used to process transactions relating to the Young Persons’ Free Bus Travel Scheme are certified Cyber Essentials Plus. This is a government-backed, industry-supported scheme to help organisations protect themselves against common online threats.

PEN tests, BCDR tests and reviews are completed in line with contractual agreements and results are shared with Transport Scotland. Recommendations are followed to completion and re-tests are undertaken as required.

Audit Scotland conduct yearly audits of processes and system management relating to the Young Persons’ free bus travel scheme. The last audit was conducted in March 2025, with no follow-up recommendations received to date.

6. Oversight mechanisms: internal/independent audits, DPIAs, GDPR/Data Protection Act compliance

Transport Scotland has a Data Protection Officer who manages and coordinates a number of data governance oversight arrangements. These arrangements include conducting annual GDPR and information management compliance audits. As part of the wider Scottish Government, Transport Scotland is also subject to topic-based internal and external audits, and the Scottish Government’s Internal Audit team reviews GDPR compliance arrangements as part of a broader Information Governance audit. Audit Scotland also assesses the Data Protection compliance arrangements as part of its external audit risk assessment work.

7. Data sharing practices: with whom data is shared, legal basis for sharing

Data sharing practices, including with whom data may be shared and the legal basis for sharing, are already published on the Transport Scotland website in the Concessionary Travel and Smart Ticketing Privacy Policy under “Sharing of Your Personal Information”.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG
