The NHS Credit Union gathers and processes your personal information in accordance with this Privacy Notice and in compliance with the relevant Date Protection Regulations and the laws. This Privacy Notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.
Who we are
The NHS Credit Union is a “data controller” in respect of personal information we process in connection with our business (including the products and services that we provide). In this notice, references to “we”, “us” or “our” are references to the NHS Credit Union. We are registered as a data controller with the Information Commissioner’s Office (ICO), the supervisory authority for data protection within the United Kingdom. Our Registration number is Z7134085.
This privacy notice (the “Privacy Notice”) will apply to all personal information processing activities carried out by the NHS Credit Union.
If you have any data protection issues or questions, please contact us by email at email@example.com or call on 0141 445 0022.
We respect individuals’ rights to privacy and to the protection of personal information. The purpose of this Privacy Notice is to explain how we collect and use personal information in connection with our business. “Personal Information” means information about a living individual who can be identified from that information (either by itself or when it is combined with other information). We may update this Privacy Notice from time to time and encourage you to check it regularly at nhscreditunion.com/privacy-policy for updates. We won’t alert you for every small change, but if there are any important changes to the Privacy Notice or how we use your information we will let you know and where appropriate ask for your consent.
The information we process
We collect and process your personal information to meet our legal, statutory and contractual obligations and to provide you with products and services within the Credit Union.
We will collect personal information when you apply to join us and also during your relationship with us as a Member. We will limit the collection and processing of information to only what is necessary to achieve one or more purpose as identified in this Notice. Personal information may include:
- Basic information, including name and address, date of birth and contact details
- Financial information, including bank account information (such as name, sort code and account number)
- Information about your family, lifestyle and social circumstances (such as dependents, marital status, next of kin and contact details)
- Information about your financial circumstances, including proof of income and expenditure, credit and borrowing history
- Visual images (such as copies of passports or CCTV images)
- Audio recordings of telephone calls for the explicit purpose of training and compliance
- Online profile and social media information, including your Credit Union profile and login information, Internet Protocol (IP) address and website visits
How we obtain information
Your personal information is made up of all the financial and personal information we collect and hold about you and your transactions. Your personal information includes:
- Information you give us
- Information that we receive from third parties who provide services to you or us, such as Credit Reference Agencies, Open Banking providers, payroll service providers, Government and law enforcement agencies
- Information we learn about you through our relationship with you and the way you operate your accounts and / or services, such as the payments made to and from your accounts
- Information that we gather from the technology which you use to access our services such as the profile created to log on to the service, IP address, telephone number and time and / or frequency of use
How we use information
The personal information we collect and hold about you may be used in a number of different ways, for example:
- To make membership and lending decisions
- For fraud prevention
- For audit and debt collection
- For statistical analysis
Your information rights
You have the right to access the personal information we hold about you. If you would like a copy of the personal information we hold about you, please contact us as per the details in the ‘Who are we’ section above.
You have the right to request that we rectify any inaccurate personal information and to update any incomplete information.
You have the right to request erasure of your personal information (in certain circumstances) or to restrict processing in accordance with the UK GDPR which includes the right to object to direct marketing from us. Where applicable you have the right to data portability and the right to object to any automated decision we may use.
You have the right to withdraw your consent at any time. We will always make it clear where we need your consent to undertake specific processing activities.
If you have any concerns on how we handle your personal information, please contact us as we hope we can address any concerns you may have. You do however have the right to lodge a complaint with the Supervisory Authority in the UK, the Information Commissioner’s Office (ICO) if you are unhappy with the way we have handled your personal information.
Failure to provide personal information
Where we need to collect personal information by law, or under the terms of a contract we have with you and you fail to provide that data, we may not be able to perform, or enter, the contract. In this case, we may have to cancel such product or service we provide to you. We will notify you directly if this is the case.
Sharing your personal information
We do not sell or lease your personal data with any other person or organisation outside of the NHS Credit Union.
We will not share your personal information with anyone outside the NHS Credit Union except:
- Where we have your permission
- Where required by law and by law enforcement agencies
- With other Banks, Building Societies or Credit Unions where required by law to help recover funds that have entered your account as a result of a misdirected payment by such a third party
- With third parties providing services and business functions to us. All processors acting on our behalf only process data in accordance with our instructions and comply fully with this Privacy Notice and data protection laws
- With other Banks, Building Societies or Credit Unions where you are a victim of suspected financial crime (and you have agreed for us to do so), or where we suspect funds have entered your account as a result of a financial crime
- With debt collection agencies
- With Credit Reference Agencies (CRAs)
- With fraud prevention agencies
- With Open Banking providers that we use for account information, for the purpose of inviting you to use this service and share third party account information with us (for more information on Open Banking click HERE)
- Where permitted by law, it is necessary for our legitimate interests or those of a third party, and it is not inconsistent with the purposes listed above
Where we send your information
While countries in the European Economic Area all ensure rigorous data protection laws, there are parts of the world that may not be quite so rigorous and do not provide the same quality of legal protection and rights when it comes to your personal information.
We do not directly send information to any country outside of the European Economic Area, however, any party receiving personal information may also process, transfer and share it for the purposes set out above and in limited circumstances this may involve sending your information to countries where data protection laws do not provide the same level of data protection as the UK.
For example, when complying with international tax regulations we may be required to report personal information to the HM Revenue and Customs which may transfer that information to tax authorities in countries where you or a connected person may be tax resident.
Where you have provided consent for us to do so, we will process your personal information in order to send you information about products and services which may be of interest to you by phone, email, text and other forms of electronic communication.
We may also send you information as above where we have a legitimate interest in doing so and where you have not objected to us doing so. In this situation, any information will be in respect of your similar products and services.
If you change your mind about how you would like us to contact you or you no longer wish to receive this information, you can tell us at any time by updating your preferences within the Members Area, through Nivo or by calling 0141 445 0022.
Communications about your account
We will contact you with information relevant to the operation and maintenance of your account (including updated information about how we process your personal information), by a variety of means including via our website, mobile app, email, text and post. If at any time your contact details change, please tell us promptly or update your details in the Members Area to ensure we can communicate with you and your personal information remains accurate.
Credit Reference Agencies
We may share your personal information with, and obtain personal information about you from, Credit Reference Agencies (CRAs) and / or fraud prevention agencies. We do this to:
- Manage and make decisions about your applications, including assessing your creditworthiness
- Prevent criminal activity, fraud and money laundering
- Check your identity and verify the accuracy of the information you provide to us
- Trace debtors and recover debts
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts, if you borrow and do not repay in full or on time, the CRAs will record the outstanding debt. This information may be supplied to other organisations by the CRAs.
When the CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you have a spouse or financial associate, the CRAs will link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
You can find out more about the identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs on their website.
Here are the links to the CRAs and the Credit Reference Agency Information Notice (CRAIN) explaining what they do:
TransUnion Limited – www.transunion.co.uk/crain
Equifax Limited – www.equifax.co.uk/crain
Experian Limited – www.experian.co.uk/crain
Purposes for Processing
Some of the information we collect about you is collected on the lawful basis of a contract as, you have applied for membership or for a loan and we need to process your personal data in order to consider your application.
We consider this basis for processing is necessary because we must collect personal information from you in order to:
- Confirm your identity and to carry out appropriate checks with other companies such as credit reference and fraud prevention agencies about your credit worthiness
- If your application is approved, to set up your accounts and begin allowing you to save with us or take out a loan
- Contact you about your application or the operation of your account, savings, loans or membership of the NHS Credit Union
Some of the information we collect about you is collected on the lawful basis of compliance with a legal obligation to which we as a data controller are subject to. We consider this basis for processing is necessary because, where appropriate, we will:
- Comply with a common law or statutory obligation
- Document our decision that processing is necessary for compliance with a legal obligation
- Identify the appropriate source for the legal obligation in question
It will not be possible to anticipate every legal obligation, but we will rely on this lawful basis for processing when we are required to process personal information to comply with a common law or statutory obligation. Examples may include court orders or obligations to disclose information about employees to HMRC. The information processed will depend upon the nature of the obligation imposed.
One specific legal obligation placed on Credit Unions is to inform Members of the date and time of the Credit Union Annual General Meeting (AGM). As such the NHS Credit Union will process the personal information of its Members for this purpose and may record the contact preference of each Member for this purpose.
Some of the information we collect about you is collected on the lawful basis of consent as you have given the NHS Credit Union clear consent for us to process your personal information for specific reasons, namely to keep you informed about savings or loan products, offers or competitions offered directly by the NHS Credit Union and to obtain appropriate identifying information from your employer. We consider this basis for processing is necessary because prior to you providing this information we have:
- Obtained an explicit statement of consent from you, which is easily understood prior to providing any marketing information to you and will keep a record of this
- Offered you real choice and control over the use of your own personal information
- Made it easy for you to withdraw your consent and tell you how this can be done
Retaining Your Information
We will only retain personal information for as long as necessary to comply with legal and regulatory requirements.
Retention periods for records are determined based on the type of record, the nature of the activity, product or service. We normally keep Member account records for up to six years after your relationship with the Credit Union ends. This is to allow us to respond to any questions or complaints, evidence we treated you fairly and to maintain our records according to the rules that apply to us.
We may keep your data for longer than six years if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for research or statistical purposes. If we do, we will ensure your privacy is protected and only use it for those purposes.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of our website and to compile statistical reports on website activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.
Our website contains links to other websites. This privacy notice only applies to the website of the NHS Credit Union so when you link to other websites you should read their own privacy notices.
We take your privacy seriously and we take every reasonable measure and precaution to protect and secure your personal information. All online banking activity is protected by a secure certificate using the TLS1.2 standard encryption which provides an industry standard level of security.
Contact us about your rights
For more information about how your rights apply to your membership of the Credit Union or to make a request under your rights you can contact us by email at firstname.lastname@example.org, call on 0141 445 0022 or write to us at 9 Dava Street, Govan, Glasgow. G51 2JA. We will aim to respond to your request or query within 28 days or provide an explanation of the reason for our delay.