Credit Union Privacy Notice
We are committed to protecting our members’ privacy. The credit union requires any information marked as mandatory for membership to either meet legal obligations or to enable us to perform our contract with you. Where you are not able to provide us with this information, we may not be able to open an account for you. Where we request further information about you not required for these reasons, we will ask you for your consent.
How we use your personal information
Blackpool Fylde & Wyre Credit Union Limited may process, transfer and/or share personal information in the following ways:
For legal reasons
- confirm your identity
- perform activity for the prevention of financial crime
- carry out internal and external auditing
- record information about you on a members’ register
For performance of our contract with you
- deal with your account(s) or run any other services we provide to you
- consider any applications made by you
- carry out credit checks and obtain and provide credit references
- undertake statistical analysis, to help evaluate the future needs of our members and to help manage our business
- send you statements, new terms & conditions (including changes to this privacy statement), information about changes to the way your account(s) operate and notifications of our general meetings
For our legitimate interests
- recover any debts owed to us
With your consent
- maintain our relationship with you including marketing and market research
Sharing your personal information
We will disclose information outside the credit union:
- to third parties to help us confirm your identity to comply with money laundering legislation
- to credit reference agencies and debt recovery agents who may check the information against other databases – private and public – to which they have access
- to any authorities if compelled to do so by law (e.g. to HM Revenue & Customs to fulfil tax compliance obligations)
- to fraud prevention agencies to help prevent crime or where we suspect fraud
- to any persons, including, but not limited to, insurers, who provide a service or benefits to you or for us in connection with your account(s)
- to other members if they request to view the members’ register which contains certain limited information i.e. names, joining dates, leaving dates, and mailing addresses
- to our suppliers in order for them to provide services to us and/or to you on our behalf
- to anyone in connection with a reorganisation or merger of the credit union’s business
- to other parties for marketing purposes
Where we send your information
While countries in the European Economic Area all ensure rigorous data protection laws, there are parts of the world that may not be quite so rigorous and do not provide the same quality of legal protection and rights when it comes to your personal information.
The credit union does not directly send information to any country outside of the European Economic Area. However, any party receiving personal data may also process, transfer and share it for the purposes set out above, and in limited circumstances this may involve sending your information to countries where data protection laws do not provide the same level of data protection as the UK.
Retaining your information
The credit union will need to hold your information for various lengths of time depending on what we use your data for. In many cases we will hold this information for a period of time after you have left the credit union. Details are available upon request.
Credit rating agencies
In order to process credit applications you make we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.
We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. This may affect your ability to get credit.
The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail on:
- Our website at clevr.money/crain
- TransUnion at transunion.co.uk/crain
- Equifax at equifax.co.uk/crain
- Experian at experian.co.uk/crain
Your rights under data protection regulations are:
- The right to be informed
- The right to access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to data processing
- Rights related to automated decision-making and profiling
- Right to withdraw consent
- The right to complain to the Information Commissioner’s Office
Please see our website here for more information
We take the protection of your information very seriously and high security measures will be taken to ensure your data is protected. All online banking activity is protected by a secure certificate using TLS 1.2 encryption, which provides an industry-standard level of security.
To provide you with a good online journey, we will store a number of cookies on your machine, to help us associate important information with you.
If you want more information on how we use and hold your data, or if you think we may be holding incorrect information, please get in touch on the details below and we will happily review the information we store. We will keep all the records we have on you unless you tell us otherwise.
If you would like to request a copy of all the personal details we are holding on you then please get in touch on the details below. Any request will be subject to a £10 administration fee.
If you no longer wish us to hold your personal data, please contact us on the details below. Please note that we may not be able to provide you with our services without access to your data.
- In person at: 13 Birley Street, Blackpool, Lancashire, FY1 1EG
- By email to: email@example.com
- By telephone on: 01253 478 827
- In writing to: 13 Birley Street, Blackpool, Lancashire, FY1 1EG
Data Protection Policy
- GDPR Principles
- Lawful Bases for Processing
- Accountability and Governance
- Individual Rights
- Data Security
- Personal Data Breaches
- Data Retention
- Data Accuracy and Limitation
- Data Disclosures
CLEVR Money collects, holds and processes personal data about customers, employees and other key stakeholders. It therefore has a number of legal obligations under the General Data Protection Regulation (GDPR) and the provisions of the Data Protection Act 2018 (DPA 2018).
Within this policy we will set out how CLEVR Money will comply with data protection law, protect personal data and process data in a transparent manner. The policy ensures that employees, board members, suppliers and all third parties working on behalf of CLEVR Money, understand their responsibilities. The policy applies to all personal data, regardless of whether it is held in a paper or electronic format.
CLEVR Money is defined as a data controller as it ‘determines the purpose and means of processing of personal data’ and as such it pays an annual fee to the Information Commissioner’s Office as required by the Data Protection (Charges and Information) Regulations 2018.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified. This definition provides for a wide range of personal identifiers to constitute personal data, including name, DOB, postal address, email address, images, bank details or online identifiers.
The GDPR refers to sensitive personal data as ‘special categories of personal data’. It treats this data as more sensitive, and so in need of more protection. For example, information about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation are all ‘special categories of personal data’.
Article 5(1) of the GDPR contains principles relating to the processing of personal data and CLEVR Money is committed to complying in full with these principles. Article 5(1) states personal data shall be:
- a) processed lawfully, fairly and in a transparent manner
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- c) adequate, relevant and limited to what is necessary
- d) accurate and, where necessary, kept up to date
- e) kept in a form which permits identification of data subjects for no longer than is necessary
- f) processed in a manner that ensures appropriate security of the personal data
Article 5(2) also requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Lawful Bases for Processing
CLEVR Money will only process personal data if one of the following Article 6(1) lawful bases applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
CLEVR Money will only collect and process ‘special categories of personal data’ if one of the additional conditions set out in Article 9(2) has been satisfied.
Accountability and Governance
Data Protection Lead
CLEVR Money’s Data Protection Lead is the first point of contact for any data protection queries and their contact details are as follows:
Data Protection Lead (Governance & Administration Manager)
CLEVR Money, 13 Birley Street, Blackpool, FY1 1EG
or email firstname.lastname@example.org
Data Protection Officer (DPO)
Under the GDPR it is mandatory for companies who carry out certain types of processing activities to designate a DPO. The DPO’s minimum tasks are defined in Article 39:
- inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
- monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
- be the first point of contact for the Information Commissioner’s Office
The contact details for CLEVR Money’s designated DPO are as follows:
Data Protection Officer
Blackpool Council, PO Box 4, Blackpool, FY1 1NA
Register of Processing Activities (RoPA)
CLEVR Money is required to maintain records of activities related to higher risk processing of personal data and CLEVR Money therefore commits to maintaining an up to date RoPA. All employees are required to notify the Data Protection Lead of any new processing activities or changes to existing processing activities to assist with the maintenance of this register. The RoPA will be made available to the supervisory authority on request.
CLEVR Money is committed to providing appropriate data protection training to its workforce as part of their induction process and will issue regular refresh training throughout the course of their employment or in the event of any changes in data protection law. CLEVR Money will retain a record of this training programme and this will be made available to the supervisory authority on request.
Data Protection Impact Assessments (DPIAs)
Data Protection Impact Assessments (DPIAs) are a tool which enables organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. CLEVR Money commits to completing DPIAs for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. Employees must consult the Data Protection Lead to see if they need to complete a DPIA before they embark on any new processing activities or make changes to existing processing activities. For further information employees should consult CLEVR Money’s ‘Data Protection Impact Assessment (DPIA) Procedure’.
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. We call this ‘privacy information’ and CLEVR Money publishes its customer privacy notice at Privacy Notice.
Right of Access
Individuals have the right to access their personal data (commonly known as ‘subject access’) and supplementary information about the processing of their data. The right of access allows individuals to be aware of and verify the lawfulness of the processing of their personal data. The information that can be requested includes:
- confirmation that their personal data is being processed
- access to a copy of the data
- the purposes of the data processing
- the categories of personal data concerned
- who the data has been, or will be, shared with
- how long the data will be stored for
- the source of the data, if not the individual
- whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual
‘Subject access’ requests should be directed to the Data Protection Lead. A response will be issued without delay and at the latest within one month of receipt of the request. Please note CLEVR Money will take reasonable steps to verify the identification of the applicant. For further information employees should consult CLEVR Money’s ‘Subject Access Procedure’.
GDPR also empowers individuals with the right to rectification, erasure, right to restrict processing, data portability, right to object and rights in relation to automated decision making or profiling. CLEVR Money will carefully consider any requests under these rights and requests can be submitted to the Data Protection Lead who will consult with the DPO.
Principle f) states data should be processed in a manner that ensures appropriate security of personal data. This means CLEVR Money must have appropriate security to prevent the personal data it holds being accidentally or deliberately compromised. Particular attention will be paid to the need for the security of any ‘special categories of data’.
All employees who process electronic data will comply with CLEVR Money’s ‘Information and ICT Security Acceptable Use Policy’.
When holding or processing electronic data employees must ensure:
- passwords meet appropriate security standards, are changed at regular intervals and are not divulged to any other persons
- corporate portable devices, such as laptops, USBs and hard drives that contain personal data, are stored in a locked cupboard or drawer when not in use
- where personal data is shared with a third party, employees should carry out due diligence and ensure the data is sent in a secure manner or appropriate measures are taken to mitigate the risk of individuals being identified
- when sending personal data to a third party, staff must carefully check the recipient and their contact details
- where personal devices are used to access corporate email accounts, staff should ensure appropriate passwords are applied to the device
- employees should not open links when emails are received from unknown senders or the emails appear suspicious
- personal data must be stored in a secure and safe manner, with careful consideration made to who can access the data
- when working with personal data, employees should ensure the screens of their computers are always locked when left unattended
- employees should not save copies of personal data to their own devices; they should always access and update the central copy of any data
- employees must adopt a clear desk culture
Manual data will be stored where it is not accessible to anyone who does not have a legitimate reason to view or process that data. Employees should carefully consider whether they need to take any manual data offsite before doing so and record instances where any ‘special categories of data’ are taken offsite.
Personal Data Breaches
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
A personal data breach most commonly means that someone other than the data controller gets unauthorised access to personal data, but it can also include where personal data is accidentally altered or deleted. Common examples of data breaches include the loss or theft of equipment, the loss of hard copies of personal data and data being sent to the wrong recipient by either post or email.
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Where feasible, CLEVR Money must do this within 72 hours of becoming aware of the breach. It is therefore essential that all employees follow CLEVR Money’s ‘Personal Data Breach Procedure’ and make the Data Protection Lead aware of any incidents without undue delay. If the Data Protection Lead is unavailable it should be brought to the attention of the relevant manager.
The Data Protection Lead and DPO will investigate all incidents to establish whether or not a personal data breach has occurred. If a personal data breach is confirmed, the DPO will carefully consider whether it is required to notify the Information Commissioner and the data subjects affected.
Principle e) states data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Data will only be retained for the specified period outlined in the records management schedule that CLEVR Money has adopted and will be destroyed in a secure manner thereafter. A copy of the records management schedule is available in CLEVR Money’s ‘Records Management Policy’.
Data Accuracy and Limitation
CLEVR Money is required to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible. Employees must ensure:
- data will be held in as few places as necessary and employees should avoid creating any unnecessary additional data sets
- employees should take every opportunity to ensure data is updated
- CLEVR Money will make it easy for data subjects to update the information it holds about them
- data should be updated as soon as any inaccuracies are discovered
CLEVR Money will only collect personal data for specified, explicit and legitimate reasons which are outlined in the privacy notice. If we wish to use personal data for reasons other than those given when we obtained it, we will inform the individuals concerned before we do so, and seek consent where necessary (unless an exemption applies).
In certain circumstances, the GDPR and Data Protection Act 2018 set out exemptions from some of the rights and obligations e.g. crime & taxation. Any requests for personal data under the exemptions must be made to the Data Protection Lead and will be carefully considered on a case by case basis by the DPO. Please note CLEVR Money will take reasonable steps to verify the identification of the applicant and will ensure an appropriate audit trail of the disclosure.
If an individual is unhappy with the way in which CLEVR Money is handling their personal data or information, or is unhappy with the company’s response to a ‘Subject Access Request’, they can submit a complaint to the DPO. The DPO will carefully consider each complaint on a case by case basis and submit a response without undue delay.
If the complainant is not content with the outcome of their complaint, they may apply directly to the Information Commissioner’s Office. However, the ICO encourages you, where possible, to exhaust the organisation’s complaints procedure. Details on how to submit a complaint to the ICO are available at https://ico.org.uk/make-a-complaint/.