How your personal information is used by Scottish Friendly.
Last updated December 2018
This notice describes how we collect, store, use and share personal information. It applies to personal information provided, either by you or by others on your behalf. It also explains the rights you may have in relation to the personal information that we hold on you.
Scottish Friendly is a financial services group based in Glasgow offering a wide range of financial products and services. We've been helping families to save and invest for over 150 years and we are proud to be one of the largest mutuals in the UK. As a mutual, we don't have shareholders so we are owned and run for the benefit of our members.
You can contact our Data Protection Manager (DPM) by mail if you have questions about this policy or are not happy with how we are using your information at:
Data Protection Manager
Scottish Friendly Assurance Society Limited
Scottish Friendly House
16 Blythswood Square
Glasgow, G2 4HJ
We are committed to keeping your personal information private and safe and that you are in control of how your data is used. We have a legal duty to protect any personal information we collect about you. We use leading technologies to safeguard your data, and keep strict security standards to prevent any unauthorised access to it.
We will never sell your data onto others. We will endeavour to update your records according to your instructions if your details change or if your marketing choices change at any time.
Collecting your information is necessary to provide our products and services to you. It also deepens our understanding of what you are interested in and helps us improve what we do.
Your privacy is protected by law and this section explains how that works in more detail.
The data protection law means all laws that relate to data protection, privacy, the use of information relating to individuals, and or the information rights of individuals including, without limitation, the Data Protection Act 2018, the Privacy and Electronic Communication (EC Directive) Regulations 2003 and the General Data Protection Regulation ((EU) 2016/679)), and all and any regulations made under those acts or regulations.
The Data Protection Regulation permits us to use personal information. We can do this only if we have a proper reason to do so. This extends to sharing personal information outside of the Scottish Friendly Group.
The law requires that we must have one or more of these reasons to use your personal data:
To fulfil a contract we have with you;
When it is in our legitimate interest;
When you consent to it;
When it is our legal duty.
This policy provides detailed information on when and why we collect your personal information, how we use it, the limited conditions under which we may disclose it to others and how we keep it secure.
The personal information we may collect is made up of:
The data you may give to us;
The data we may collect when you use our services, and;
Data from third parties we work with.
Information on how we may collect this data is given below.
When we collect your information, we’ll let you know if any of it is optional. If it is, we’ll explain why it would be useful to have it, and you can decide if it’s something that you are happy to share with us.
4.1 The data you give us
We obtain information from you when you:
Ask for more information about our products and services.
Apply for our products and services.
Talk to us on the phone.
Email us and / or send letters to us.
Make a claim on a policy.
Supply documents to us - like your passport, drivers licence, or birth certificate.
Register to receive information from us, including our regular email newsletter or details about our products and services.
Use our websites or mobile device app.
Use our websites to redeem gift vouchers or benefits.
Complete our customer surveys.
Engage with us on social media.
Take part in our competitions or promotions.
Download or install our mobile app.
4.2 The data we collect when you use our services
When you use our services we may obtain:
Information about you – for example your name, address, date of birth, phone numbers, email address, and gender.
Payment and transaction data - details about payments to and from your accounts with us, and insurance claims you make.
Contractual - details about the products or services we provide to you.
Usage data - this includes information about your visit to our website, how you use our website and your browsing history using cookies and other internet tracking software.
Technical - details on the devices and technology you use.
Consents - any permissions, consents, or preferences that you give us. This includes things like how you want us to contact you, whether you get paper statements, or prefer electronic formats.
National Identifier - a number or code given to you by a government to identify who you are, such as a National Insurance number.
Open data and public records – such as smart search screening to perform identity checks.
Documentary data - details about you that are stored in documents in different formats, or copies of them. This could include things like your passport, drivers licence, or birth certificate.
Special types of data - we may collect sensitive personal information for the purposes of providing a quote for products or for settling a claim. This can include information such as racial or ethnic origin, nationality, health data such as smoker status or medical related issues relevant to your policy, gender, and genetic and bio-metric data.
For certain members, we may be aware that they are a member of a trade union but this information is never used in any way.
Audio recordings –when you contact us, calls may be recorded for training purposes to help us to continually improve our customer service and also protect your information.
Health information – such as smoker status, medical, occupation or pastime related issues relevant to your policy.
4.3 The data we recieve from others
We may obtain your data from others if:
You apply for one of our products via a cashback or price comparison website.
You apply for a product with an organisation that we work in partnership with.
You use the Internet; we may receive information from advertising networks, search information providers and analytics providers.
You are a customer of an organisation that we acquire.
We obtain information from you from data brokers to tailor the marketing material we send.
Your employer or Pension Trustees establishes a pension contract for your benefit.
We may obtain your data from others for legal or contractual purposes:
Medical practitioners - for some insurance based products, we may ask your GP or other medical professional to send us a report for underwriting your policy or for claims assessment. Before we do this we will get your consent first. We may also obtain information from a medical professional in the event of a death. We may share this information with reinsurers if we need another opinion on specialist cases.
Tracing companies – if we lose touch with you, we may source information such as contact details so we can get in touch and remind you about your product.
Credit reference agencies – so we can check your identity.
The Data Protection Regulation gives us a number of different conditions to allow us to process your information lawfully. We’ll only use your information when one of those conditions has been satisfied. Below you can see how we use your information and the legal grounds for processing this.
5.1 Product information requests
If you request product information from us, we collect any or all of the following information:
Title, name, address, telephone number, email address, and date of birth.
This data will be collected from either a coupon that you have completed, or via telephone or email if you contact us.
The data you supply will be used for the following purposes:
To send you an information pack in the post to fulfil your request for further product information. Our lawful basis for processing the information you give us is ‘contract’, because you have asked us to provide more product information before you can enter into a contract with us. If you have not taken out the product you enquired about or requested a further information pack within the first 3 months of your original request, we will stop processing your data for the purpose of providing an information pack.
To send you information about Scottish Friendly products. When you enquire and express an interest in receiving information about our products and services, our lawful basis for processing your information for this purpose is ‘legitimate interest’. If you have not taken out a product with us within the first 2 years of your original request, we will stop processing your data for the purpose of sending you information about Scottish Friendly products. We will aim to retain your data in our marketing database for a maximum of 12 months after the date that we stop processing the data, after which it will be delete as soon as practicable.
To email you with news and information from Scottish Friendly including information about our products and services. Processing is required to fulfil your request and by consenting to receive news, product and service information via email you agree to your data being processed on this basis.
5.2 Setting up your product
When you apply for a product with us, we collect the information you provide as follows:
Title, name, address, telephone number, email address, date of birth, investment selection, investment amounts, payment details, National Insurance number and marketing preferences.
We may also collect certain medical data if your product includes any element of insurance such as our tax-exempt savings plans and life assurance products. We only process and store this sensitive data for the purposes of providing an insurance quote and ensuring claims are validly paid.
When you apply for our products your data may be used for the following purposes:
To issue a limited number of emails to you within a short period of time if you do not fully complete the application, to identify if there is an issue we can help you with.
To issue your confirmation email to confirm we are processing your application, if you have applied online.
Processing the application for the product that you have applied for.
To issue your welcome pack that contains your policy documentation.
To issue your welcome gift, where applicable.
To provide you with your My Benefits card, where applicable.
To validate cashback payments from cashback websites, where applicable.
To provide you with customer correspondence in relation to your product.
Processing is required to fulfil our contractual obligations to you. We will retain this data for the purposes of fulfilling our legal and regulatory duties, even after you close your product.
5.3 Sending you marketing communications about our products and services
When you apply for a product with us, we may use the information you provide to:
Issue an electronic customer feedback survey.
Send you information related to your product and other products you may be interested in. We won’t do this if you have told us not to.
Administer any prize draws or competitions that you enter.
When your data is processed for marketing activity we may rely on our ‘legitimate interest’ to do so. This means that we will process your personal data when it is necessary for a legitimate business interest – as long as it is used fairly and without affecting your individual rights. We will never use your personal data unless we’ve ensured that it is fair and balanced to do so, it is within your expectations, and it is not unduly intrusive.
When you complete a survey you agree to your data being used for research.
We may analyse your personal information to create a profile so we can contact you with information that is relevant to you (see also section 5.10 below).
When you no longer have a product with us we will continue to contact you with information about our products and services for up to 2 years after your cancellation request and our lawful basis for processing your information for this purpose is ‘legitimate interest’. We will aim to retain your data in our marketing database for a maximum of 12 months after the date that we stop processing the data, after which it will be deleted as soon as practicable.
5.4 Product adminstration
If you contact us, we may collect any of the following information:
Personal details to verify your identity.
The conversation that takes place between us via the recording of your call.
Requests you make such as changing your payments, changing your fund selection or making a withdrawal.
Changes you notify us about to update your personal data, such as managing any changes of address or name.
Correspondence that you send to us to undertake the processing of any claims you make.
Correspondence that you send to us to respond to your queries or complaints.
This processing is required to fulfil our contractual obligations to you and by contacting us you agree to your data being processed on this basis.
Where you have taken a policy out via one of our protection cover partners we will receive your information from them. We may also need to source information if we lose touch, such as your contact details, to tell you about your product.
5.5 Email newsletter subscriptions
If you choose to sign up to our email newsletter service, we collect the following information:
Name and email address.
This data will be used for the following purposes:
Contacting you by email with news and information from Scottish Friendly.
This processing is required to fulfil your request and by consenting to receive product and service information via email you agree to your data being processed on this basis.
5.6 Web Access Statistics
Our websites use a variety of technologies that collect information about how visitors use our website. If you use our online services we collect the following information:
URL of requested resource.
Client's IP address or hostname.
HTTP request method.
Data bytes in response.
Response status code.
User agent information.
This data will be used for the following purposes:
Web site and system administration.
This data will be used by Scottish Friendly and our suppliers in order to monitor website and marketing campaign performance for analytical and research purposes. Our legitimate interest in processing this data is to ensure that our website is secure and works well.
5.7 Information from other sources
If you use another website that advertises our products and services, your data will only be passed to us with your permission. Where we receive your information, in addition to any product application data we receive, we will also collect the following data:
This data will be used by Scottish Friendly and our suppliers with the legitimate interest to monitor website and marketing campaign performance for analytical and research purposes.
5.8 Research and analytics
Some or all of the information that you supply to us may also be used for research and statistical purposes. We study this to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.
Our products are developed with a particular set of customer needs in mind. To make sure your policy is still suitable for you and is working as we intended, we combine your information with others to analyse and segment it.
We also combine your information with other customers’ to assess how much money we need to have available at any particular time.
We may conduct research before we launch new products or before we make changes or improvements to existing products to make sure it’s the right thing to do. We might also conduct research to ask customers what they think of our products and services.
Our legitimate interest for research and analytics is to be able to identify groups of customers who may be interested in any new products we’re thinking about tailoring and developing. This is to make sure the features and charges are fair, as well as ensuring the products we provide you remain suitable.
We need to make sure our communications are easy to understand and that products are sold to the correct audience. To achieve this we use research to make sure our communications are efficient and connect with the right people; so that ultimately we have confidence that we are developing products with our customers’ in mind.
We also use research and analytics to make sure we are looking after your money as effectively as possible.
5.9 Automated decisions
We may use systems to make automated decisions based on personal information we have – or are allowed to collect from others – about you. This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know.
These automated decisions can affect the products we may offer you now or in the future, or the price that you are quoted. The type of automated decision we make includes:
Pricing - we may decide what to quote for protection products based on what we know. If you apply for life assurance online with a re-insurer that we work with, our automated system may generate a price and decision based on your age and/or your health information provided.
You have the right to ask that we do not use your data to make automated decisions but this may mean that we are unable to provide a product or service to you.
You can object to an automated decision and ask that a person reviews it. If you want to know more about these rights, please contact us using the address above.
5.10 Customer profiling
We may undertake research to provide us with insight into our customer types. We use commercially available sources of geodemographic data which uses a variety of publicly available and market research sources to divide the UK population into a series of categories. These categories are a way of grouping people who are likely to have similar social, demographic (e.g. age, location) and financial circumstances. The results are assessed and combined so we get a picture of our customers as a whole.
We keep a record of the category that you fall into so we can tailor our communications to you.
The Financial Conduct Authority defines a vulnerable consumer as someone who, due to their personal circumstances is especially susceptible to disadvantage. It’s been identified that a lot of people will be vulnerable at some point in the life, so we need to make sure we can identify who these customers are and support them.
When you contact us and we suspect you may be less financially aware or less engaged in financial matters based on what you tell us, we will let you know that we are treating you as a vulnerable customer. We may also keep a note of this in your record so we can tailor this in our communications with you.
We may also analyse the personal data we hold on you to build up a profile that we can use to help us understand what you would like from us. We do this using the data on: the interactions you have with us, your demographic data, and information on the products you have taken out with us.
We have a legal obligation to provide a copy of our members register to customers who request it. This includes your name, address and the date you became a member and eligible to vote.
Our employees will access your information for the uses outlined in the sections above. However, only employees requiring particular access to your data are given it. For example, our customer service staff needs to access your policy details to support you when you get in contact with us. We regularly check who has access to our systems. We may also share your information with partners and suppliers as outlined below.
By providing your information you consent that your personal information will be used by us, business partners, reinsurers, service providers, agents and professional bodies.
6.1 Sharing your data with business partners and reinsurers
When you apply for a product or service from one of our business partners, we may collect and pass your information to them to supply the product that you have. The terms in which they use your data can be found in their own separate policies.
We may pass your information to reinsurers when you hold a protection product for the purpose of assessing a claim.
When we work with business partners and reinsurers we have a contract in place that requires all parties to keep your information secure. We will share access to the personal information needed to perform functions on your behalf, in accordance with the UK's current Data Protection legislation.
6.2 Sharing your data with service suppliers and professional bodies
We use service suppliers, who agree to treat your data as securely as we do, in order to fulfil some of our business requirements. This includes providers of:
Appointed service providers and agents:
Welcome gift and benefit scheme suppliers.
Market research agencies.
Data brokers (e.g. CACI).
Mailing houses for response handling and printing.
Offsite storage companies.
Confidential waste disposal.
IT companies who support our technology.
Our professional advisers – auditors, reinsurers, medical agencies and legal advisers.
Identity authentication and fraud prevention agencies.
HM Revenue & Customs.
Regulators such as the Financial Conduct Authority and other authorities like the Information Commissioners Office.
UK Financial Services Compensation Scheme.
Market research agencies.
Direct debit scheme.
When we use our appointed service providers and agents we have a contract in place that requires them to keep your information secure. They will have access to the personal information needed to perform functions on behalf of Scottish Friendly, but may not use it for any other purposes.
We will never share your information with a service supplier for their own marketing purposes and they are required to process the data in accordance with the UK's Data Protection legislation.
We will treat your data with the utmost care and take all appropriate steps to protect it. We secure access to all transactional areas of our websites and apps using ‘https’ technology. Access to your personal data is password protected and sensitive data (such as your bank information) is secured by SSL encryption.
We regularly monitor our system for possible vulnerabilities and attacks, and we frequently carry out vulnerability scanning and penetration testing to identify ways to further strengthen security.
We store all of our data in the UK. No personal data will be processed outside of the EEA without adequate data protection in place that is at least equivalent to the current UK data protection laws.
As a general principle, we do not send your data outside of the European Economic Area (‘EEA’). In certain instances, we may use service providers who transfer your information to countries outside the EEA. For example:
We share data with Google who may process your data outside of the EEA. Google have registered under the Privacy Shield that proves their data security processes meet the requirements of the UK and EU data protection regulations.
We use an email service provider that may process data in the US. This provider is registered with the Privacy Shield that proves their data security processes meet the requirements of the UK and EU data protection regulations.
We may share data with Facebook for the purposes of conducting targeted advertising. Facebook have registered under the Privacy Shield that proves their data security processes meet the requirements of the UK and EU data protection regulations.
We may need to collect personal information by law, or under the terms of a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts or policies. It could mean that we cancel a product or service you have with us.
If you already have, or have had, a product with us we may need to retain this information to fulfil our legal or regulatory duties.
Any data collection that is optional will be made clear at the point of collection.
We’ll keep your personal information for as long as it is considered necessary, for the purpose it was collected, and to comply with our legal and regulatory requirements. This will involve keeping your information for a reasonable period of time after your plan or your relationship with us has ended.
If you have requested an information pack or more information about our products and services but have not taken out the product with us, we will stop processing your data for this purpose 2 years after your original request. We will aim to retain your data in our marketing database for a maximum of 12 months after this date, after which it will be deleted as soon as practicable.
After you stop being a customer, we may keep your data for a reasonable period of time for any one of these reasons:
To respond to any questions or complaints.
To show that we treated you fairly.
To maintain records according to rules that apply to us.
In the absence of specific legal, regulatory or contractual requirements, any other personal information is kept for our baseline retention period – this is a minimum of seven years after your plan has ended. In some instances we may be required to keep your information longer or indefinitely for legal, regulatory or technical reasons.
We may also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.
11.1 Right to be informed
11.2 Accessing your data
You have the right to request the personal data that we hold about you. On receiving such a request, we will ensure you have rights to see the requested data and confirm your identity. On confirmation of this, we will respond to you within 30 days. There is no charge to access your data, unless you contact us excessively.
11.3 Let us know if your personal information is incorrect
You have the right to question any information we have about you that you think is wrong or incomplete. Please contact us if you want to do this. If you do, we will take all reasonable steps to check its accuracy and correct it.
11.4 Data portability
In some circumstances you can ask us to send an electronic copy of the personal information you have provided to us, either to you or to another organisation.
11.5 What if you want us to stop using your personal information?
You have a specific right to object to our use of your information. You can ask us to stop using your information until your query is resolved. We will let you know the outcome before we take any further action in relation to this information.
You also have the right to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the ‘right to erasure’, or the ‘right to be forgotten’.
If you choose to object to us processing your data, or would like us to erase your data, we will remove all of the personal data we hold on you that we can. There are certain legal or other official reasons why we need to keep or use your data, for example, if you are, or have been, a customer, we have regulatory obligations that means we need to keep hold of your data. But please tell us if you think that we should not be using it.
If you do ask us to restrict the processing of your data, we will need to add you to our ‘suppression’ list of people who do not want to hear from us again in order that we can fulfil your request.
11.6 Objecting to direct marketing
You have a specific right to object to our use of your information for direct marketing purposes, which we will always act upon and you can contact us via post:
Scottish Friendly Assurance Society Limited
Scottish Friendly House
16 Blythswood Square
Or, you can contact our marketing team by firstname.lastname@example.org . If you receive email confirmations, you can also unsubscribe at any time using the link provided within the email, which will stop any further email marketing.
Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.
11.7 When we rely on legitimate interest
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We will do so unless we have a legitimate overriding reason to continue to process your data.
We will need to add you to our ‘suppression’ list of people who do not want to hear from us again in order that we can fulfil your request.
11.8 Automated profiling
You can object to a decision made solely on automatic processing of your data and ask that a person reviews it.
If we want to use your personal information for a new purpose which we haven’t previously told you about, we’ll contact you to explain the use of your information. We’ll set out why we’re using it and our legal reasons for doing so.
This policy is valid at your time of reading. It was last updated in May 2018.