The Data Protection Act 1998 requires every data controller who is processing personal data to notify the Information Commissioner of any breach no more than 72 hours after becoming aware of it, unless they are exempt from doing so. Failure to notify is a criminal offence. In addition, any FCA regulated firm must notify the FCA, ideally within 24 hours of discovering a breach.
This document should be read in conjunction with our Acceptable Use policy and Information Security policy which form part of the Employee’s Handbook. We are committed to protecting and respecting privacy.
This policy sets out the basis on which any personal data we collect from a consumer will be processed by us.
For the purpose of the Data Protection Act 1998 (“the Act”), the data controller is Nerd FS.
By visiting and using our website the consumer is consenting to the practices set out below.
If our firm needs to collect data for any purpose not stated above we should notify the Information Commissioner before collecting that data.
Whenever collecting information about people, our firm agrees to apply the Eight Data Protection Principles:
- Personal data should be processed fairly and lawfully
- Personal data should be obtained only for the purpose specified
- Data should be adequate, relevant and not excessive for the purposes required
- Data should be accurate and kept up-to-date
- Data should not be kept for longer than is necessary for purpose
- Data should be processed in accordance with the rights of data subjects under the Act
- Security: appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss of, destruction of or damage to personal data
- Personal data shall not be transferred outside the EEA unless that country or territory ensures an adequate level of data protection
- Data controllers must identify themselves; people should be told exactly what the information is being collected for and any other information necessary, and consent to use their data must be given
- Thought should be given to how the data is used: if names and addresses are obtained for a specific campaign, that information should only be used for that campaign
- The customer can give permission to be kept up-to-date with other information and products from Inter Financial Limited and this permission will be recorded
- Individuals have a right to see what data is being kept and for what purpose it is used
The same principles apply when data is taken out of the office.
- If a mailing list is bought we cannot use it for any purpose other than the one the original Data Controller specified; we must check the original use and confirm that the customer has given permission for the data to be collected by the seller and sold on
Working at home
- Controls are in place for staff who take work home with them. These should be complied with alongside the Employee Handbook
- We retain a record of which staff take work home with them
- If working on something at home and at work we will ensure that both sets of information are kept up to date
- Home computers will have records removed once project/work records are no longer needed at home
- Staff agree to keep work taken home secure, to return all work-related material upon the completion or termination of their contract, and to inform the organisation if information has got into the wrong hands
The use of data for marketing purposes
For marketing purposes, there are two types of data:
Data obtained in-house
- Data obtained in-house will have all of the opt-ins required for marketing
- All opt-out and suppression requests received are stored in the central suppression database
- All data is cross-referenced against the suppression database prior to any marketing activity, and previously opted-out records are removed from the marketing list
Data obtained from third parties
- Only data that has the required opt-ins for financial promotions is to be acquired
- All opt-in language is to be verified as sufficient for relevant marketing purposes
- All data is to be cross-checked against the suppression database, and previous opt-outs removed. This is to be done initially as data is received, and again before any marketing activity to that data
- All opt-outs received from third party data providers, and any other marketers, are to be added to the suppression database as soon as possible after receipt
- All opt-outs received are to be shared with any affiliate marketing companies as soon as obtained. New affiliate marketing companies are to be given the entire suppression database
We have taken the following measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage:
- Adopting an information security policy
- Taking steps to control physical security (projects and staff records are all kept in a locked filing cabinet)
- Putting in place controls on access to information (password protection on files and server access)
- Establishing a business continuity/disaster recovery plan (Inter Financial Limited takes regular back-ups of its computer data files and this is stored away from the office at a safe location)
- Training all staff on security systems and procedures
- Detecting and investigating breaches of security should they occur
Customers' Right to Withdraw Consent
The customer has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. However, it does mean we can no longer rely on consent as our lawful basis for processing. Consent can be withdrawn by any of the following: in writing to [address details], by calling [telephone number], or by emailing [email address].
As the right to withdraw is ‘at any time’, it is not enough to provide an opt-out only by reply. The individual must be able to opt out at any time they choose, on their own initiative.
In some cases we may need to keep a record of the withdrawal of consent for our own purposes, for example to maintain suppression records so that we can comply with direct marketing rules. We do not need consent for this, as long as we tell individuals that we will keep these records, why we need them, and our lawful basis for this processing (e.g. legal obligation or legitimate interests).
Subject Access Request (SAR)
One of the main rights which the Data Protection Act gives to individuals is the right of access to their personal information. An individual is permitted to send us a subject access request (“SAR”) requiring that we tell them about the personal information we hold about them, and to provide them with a copy of that information. In most cases we must respond to a valid subject access request within 40 calendar days of receipt. Any business is able to charge a customer a reasonable fee of £10 for providing this data; however, it is not our company's policy to do so unless the request is excessive or unwarranted. Any Subject Access Requests must be sent to a Senior Manager for processing.
Third party requests are also permitted, e.g. from a friend or relative, a solicitor, a claims management company or other third party. Under the Data Protection Act 1998 and the Data Protection Principles, we are not permitted to reveal such information to a third party without the authority of the customer. On this basis, for any third party SAR, we will ensure that we have a written record of authority held on file before we release any personal data.
Where there are two or more customers linked to one credit agreement and the request comes from one of these parties, we will provide the response to both parties.
We are required to ‘give’ a copy of the executed agreement and any other document referred to in it and the required statement. In the FCA’s view, sending a copy of them by ordinary second class post will suffice. Guidance on what constitutes a ‘copy’ can be found in the case of Carey v HSBC Bank plc EWHC 3417 (QB).
The duty under the relevant section does not apply if no sum is, or will or may become, payable by the customer under the agreement. This is irrespective of whether the agreement may have already been terminated.
We will promptly facilitate a SAR, although we have up to 40 days to do so. All staff are made aware of this during induction. Refresher training will be provided on a regular basis. Although the rules permit the Firm to charge a maximum of £10 for responding to a request for personal data, it is not the Firm’s own policy to do so.
Client consent to the application of the Act and their right of access to their records are included within the firm’s terms of business/client agreement.
Any data collected must not be excessive and must be relevant to the purpose and it must not be kept longer than is necessary.
Information Commissioner’s Office (ICO)
The ICO has the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010, and serious breaches of the Privacy and Electronic Communications Regulations.
It is the responsibility of the senior management of our firm to ensure this policy is effective through monitoring and complaints procedures.
The Firm holds a valid Data Protection license and it is bound by the rules of the Data Protection Act 1998. The full extent of the rules can be found at www.dataprotection.gov.uk.
The 8 principles that the 1984 Act introduced are as follows. Data must be:
- Obtained and processed fairly and lawfully
- Held only for the lawful purpose described in the data user’s register entry
- Used only for those purposes and disclosed only to those people described in the register entry
- Adequate, relevant and not excessive in relation to the purpose for which it is held
- Accurate and where necessary, kept up to date
- Held no longer than is necessary for the registered purpose
- Available on request to the individual concerned and, where appropriate, the individual has the right to have information about themselves corrected or erased
- Surrounded by proper security
A criminal offence is committed by the Firm or an individual member of staff if they knowingly or recklessly:
- Hold or use personal data without being registered to do so
- Obtain information contained within personal data which is not described in the Firm’s registered entry
- Disclose information to a person not registered
- Transfer data abroad without registration
Uses of customer information
When application forms are submitted to banks, insurance companies and other financial institutions, personal data will, by default, also be submitted. In these cases, clients will be informed that their personal data may be used.
The Firm will request client consent before any transfer of data takes place. Clients will be asked to confirm that they are comfortable to have their personal data used in one or more of the following forms:
Post, telephone, email etc. subject to the conditions of the Data Protection Act.
The following definitions provide a summary of the information classification levels that have been adopted by our firm and which underpin the 8 principles of information security. These classification levels explicitly incorporate the Data Protection Act’s (“DPA”) definitions of Personal Data and Sensitive Personal Data, as laid out in our firm’s Data Protection Policy.
‘Confidential’ information has significant value for our firm, and unauthorised disclosure or dissemination could result in severe financial or reputational damage to us as an FCA authorised firm, including fines of up to £500,000 from the Information Commissioner’s Office.
Data that is defined by the Data Protection Act as Sensitive Personal Data falls into this category. Only those who explicitly need access must be granted it, and only to the least degree in order to do their work (the ‘need to know’ and ‘least privilege’ principles). When held outside our firm, on mobile devices such as laptops, tablets or phones, or in transit, ‘Confidential’ information must be protected behind an explicit logon and encryption at the device, drive or file level.
‘Restricted’ information is subject to controls on access, such as only allowing valid logons from a small group of staff. ‘Restricted’ information must be held in such a manner that prevents unauthorised access i.e. on a system that requires a valid and appropriate user to log in before access is granted. Information defined as Personal Data by the Data Protection Act falls into this category. Disclosure or dissemination of this information is not intended, and may incur some negative publicity, but is unlikely to cause severe financial or reputational damage to our firm. Note that under the Data Protection Act large datasets (>1000 records) of ‘Restricted’ information may become classified as Confidential, thereby requiring a higher level of access control.
Internal Use
‘Internal use’ information can be disclosed or disseminated by its owner to appropriate members of our firm, partners and other individuals, as appropriate by information owners without any restrictions on content or time of publication.
‘Public’ information can be disclosed or disseminated without any restrictions on content, audience or time of publication. Disclosure or dissemination of the information must not violate any applicable laws or regulations, such as privacy rules. Modification must be restricted to individuals who have been explicitly approved by information owners to modify that information, and who have successfully authenticated themselves to the appropriate computer system.
Designating information as ‘Confidential’ involves significant costs in terms of implementation, hardware and ongoing resources, and makes data less mobile. For this reason, information owners making classification decisions must balance the risk of damage that could result from unauthorised access to, or disclosure of, the information against the cost of additional hardware, software or services required to protect it.
Classification levels: access, examples and FOIA2000 / DPA1998 status

1. Confidential
Normally accessible only to specified and/or relevant members of our staff
DPA-defined Sensitive Personal Data:
- racial/ethnic origin
- political opinion
- religious beliefs
- trade union membership
- physical/mental health condition
- sexual life
- criminal record
- salary information
- individuals’ bank details
- large aggregates of DPA-defined Personal Data (>1000 records) including elements such as name, address, telephone number
- HR system data
FOIA2000 / DPA1998 status: Subject to significant scrutiny in relation to appropriate exemptions, public interest and legal considerations.

2. Restricted
Normally accessible only to specified and/or relevant members of our staff
DPA-defined Personal Data (information that identifies living individuals), including:
- home / work address
- telephone number
- schools attended
FOIA2000 / DPA1998 status: Subject to significant scrutiny in relation to appropriate exemptions, public interest and legal considerations.

3. Internal Use
Normally accessible only to our staff
Examples:
- internal correspondence
- internal group papers and minutes
- information held under licence, company policy and procedures
FOIA2000 / DPA1998 status: Subject to scrutiny in relation to appropriate exemptions, public interest and legal considerations.

4. Public
Accessible to all members of the public
Examples:
- company filed documents
- company websites
FOIA2000 / DPA1998 status: Freely available on the website.
Explicit Information Ownership and Other Rights of Access to Information
We recommend that departments and functions within our business explicitly designate information owners.
Other users may have rights of access to data according to the terms of engagement under which the data was gained or created.
Granularity of Classification
The sets of information being classified should, in general, be large rather than small. Smaller units require more administrative effort, involve more decisions and add to complexity, thus decreasing the overall security.
There may be minimum or maximum timescales for which information has to be kept. These may be mandated in a commercial contract. Other forms of information retention may be covered by environmental or financial regulations.
All ‘Users’ must obtain authorisation from their line manager before their classification request is submitted to Senior Managers. Nerd FS is responsible for assessing information and classifying its sensitivity.
A violation of our Information Security Policy and supporting policy documents will be investigated and may result in disciplinary action, which could include the termination of the employment contract for employees, or the termination of contractual relations in the case of third parties, contractors or consultants.
A violation of this policy and misuse of the systems and applications within our firm may also be a breach of the Computer Misuse Act 1990; consequentially the company may at its discretion take legal action against an individual or organisation that is found to be in breach of its policies.
How we may use customer data
We may, as a result of a consumer’s or a third party’s interaction with our website(s), obtain their personal data and process their information on our computers and in any other way.
By “third parties” we mean any lender, broker or affiliate who interacts with us in enabling a consumer to make a loan application.
By “consumer information” we mean personal and financial information. We:
- Obtain personal data from a consumer or from third parties, such as credit reference agencies (who may search the Electoral Register), fraud prevention agencies or other organisations, when the consumer applies for an account or any other product or service, or which the consumer or those third parties give to us at any other time; or
- Learn from the way the consumer uses and manages their account(s), from their transactions and from the payments made to their account
We will use the information to manage their account(s), give them statements and provide our services, for research, assessment and analysis (including credit and/or behaviour scoring, market and product analysis) and to develop and improve our services to the consumer and other consumers and protect our interests.
We, and other carefully selected third parties, will use their information to inform them by post, fax, telephone or other electronic means, about other products and services (including those of others) which we believe may be of interest to them.
If they contact us, we may keep a record of that correspondence.
We will keep details of transactions they carry out through our site and of the fulfilment of their applications and their loan history.
We will keep details of their visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that they access.
In order for us to be able to collect and use personal data and/or to pass their details on to third parties for marketing purposes, customers must manually opt in to this agreement (see the CONC section of this Compliance Manual). If they do not want us to use their data in this way, or to pass their details on to third parties for marketing purposes, they can decline to opt in.
We may collect information about their computer, including where available their IP address, operating system and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
For the same reason, we may obtain information about a consumer’s general internet usage by using a cookie file which is stored on their browser or the hard drive of their computer. Cookies contain information that is transferred to their computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service. Some of the cookies we use are essential for the site to operate.
Where we store data
All information a consumer provides to us is stored on our secure servers. Any transactions will be encrypted. Where we have given (or where they have chosen) a password which enables them to access certain parts of our site, they are responsible for keeping this password confidential. We ask a consumer not to share a password with anyone.
The transmission of information via the internet is never completely secure. Although our systems exceed industry standards for security, and we will always do our best to protect a consumer’s personal data, we cannot guarantee the security of a consumer’s data transmitted to our site; any transmission is at their own risk. Once we have received their information, we will use strict procedures and security features to try to prevent unauthorised access.
Disclosure of information
We may disclose a consumer’s personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose a consumer’s personal information to third parties:
- Who assist us in operating our business, collecting payments, recovering debts or providing services on our behalf.
- Who are credit reference agencies or fraud prevention agencies providing a centralised function whereby they can assist us in assessing a consumer’s ability to repay any loan that they apply for, or in verifying a consumer’s identity as part of our fraud prevention practices.
- Who may act on our behalf to process transactions in relation to the Yes card.
- For the purposes of recovering outstanding debts.
- If we are under a duty to disclose or share a consumer’s personal data in order to comply with any legal obligation, or to protect our rights, property, or the safety of our consumers, or others.
- Where any such request comes from any regulator, ombudsman or other authority where we are requested to share information with them.
Credit Reference Agencies (CRAs)
When a customer makes an application for credit, we will check whether they are likely to be able to meet the monthly payments and repay the loan. However, we are limited in what we can actually do, as we do not work directly with CRAs because we are not eligible to do so. We will work with what the applicant divulges on their fact find/application, but we can only judge as accurately as the information given allows.
When we submit an application to a lender, it is normal practice for the lender to carry out a credit search with a CRA. In the past, this would have left a search ‘footprint’ on the applicant’s credit file that may be seen by other lenders. Large numbers of applications made within a short period of time would adversely affect a customer’s ability to obtain credit, and they should always consider this before making an application for a loan.
However, the lenders that we have chosen to deal with offer a facility known as a ‘quotation’ search, which does not leave a footprint. This is in line with CONC 2.5.7 which suggests that during the ‘shopping around’ process of the customer, the lenders that we promote should only use a ‘quotation search’, which does not leave a footprint.
Access to information
The Act gives a consumer the right to access information held about them. Their right of access can be exercised in accordance with the Act. Any subject access request may be subject to a fee of £10 to meet our costs in providing them with details of the information we hold about them.