OneFamily Privacy Notice

OneFamily is committed to preserving the privacy and security of your personal information. We ask that you read this Privacy Notice carefully as it provides you with important information on:

  • your rights and obligations
  • how we collect and use your personal information
  • who we share your personal information with
  • what we do to keep it secure
  • how to contact the OneFamily Data Protection Officer

This Privacy Notice applies to you if you access or apply for any of our products or services over the phone, or by post or online via our websites and online services. It will also apply to you if you register and vote via the Foundation website or are a financial adviser or mortgage broker who introduces potential customers to us.

1. Who are we?

When we say ‘OneFamily’, ‘we’, ‘us’ or ‘our’ we’re generally referring to the separate and distinct legal entities that make up the OneFamily Group who are data controllers as set out below:

 Product /Services/ Activity  Data controller
Lifetime mortgages OneFamily Lifetime Mortgages Limited
Lump sum investment bonds
Regular premium savings bonds
Life Insurance
Pensions
Annuities
Family Assurance Friendly Society Limited
Junior ISAs
ISAs
Lifetime ISAs
Child Trust Fund
Family Equity Plan Limited
Child Trust Funds (formally Engage CTF) Engage Mutual Funds Limited
Unit Trusts Family Investment Management Limited
ISAs (formerly PEPs) Family PEP Managers Limited
Advice on Mortgages OneFamily Advice Limited
Foundation activities OneFamily Foundation Limited
Cash savings Governor Finance Limited
Insurance intermediary Engage Mutual Services Limited

OneFamily acts as the data controller in the collection, use, storing, protection and transfer of your personal information.

2. What types of personal information do we collect?

The personal data we collect includes:

Identity and contact details - your title, name, address, date of birth, contact details and contact details history, passport information and security details such as your national insurance number

Employment - your employment status and details of your work or profession

Financial - your financial position, status and history

Transactional - details about your transactions with us, such as, Direct Debit mandate instructions and any claims. Your online account login details, including your user name and password and memorable information

Communications - information about you from emails, secure messages or letters you send to us or information gathered during telephone conversations with you

Open data on public records - details about you that are in public records such as the Electoral Register and company registers, and information about you that is publicly available, such as the press and online search engines

Criminal history – details of criminal records, convictions or allegations

Photographs or videos – for some OneFamily activities we may use photographs or videos of our customers and individuals who are involved in Foundation grants/awards

Information Technology - when you use our websites, we monitor website behaviour via analytics software and we collect information about how each visitor uses our site. This information is then used to compile reports and to help us improve our site. We collect information about any device you have used to access our services (such as your IP address). For our terms of use of our website including information on cookies and tags, please follow this link: www.onefamily.com/terms-of-use/

Special Category Data - the law and other regulations treat some types of personal information as special. These categories are personal data relating to your:

    • Racial or ethnic origin
    • Religious, political or philosophical beliefs
    • Trade union membership
    • Genetic and bio-metric data
    • Health data
    • Lifestyle information, including data related to sex life or sexual orientation

    We will only process Special Category Data such as information about a disability, your health, a vulnerability or a change in your personal circumstances with your explicit consent to do so.

    When we collect your personal data, we will let you know if it is mandatory or optional, including if we ask you for your consent to process it. Where you do not provide us with the mandatory data, we may be unable to process or respond to your application, query or service.

3. How do we collect your personal information?

Personal information provided by you directly

When you engage with us for a product or service

  • When you visit or register details on our websites
  • When you request a quote, or fill in an application form either online or by post
  • When you telephone us, you provide us with information, including answers to your security questions and we record your conversations with us
  • When you send communications to us via post or electronically
  • When you take part in our competitions, promotions or surveys
  • When you provide us with your customer feedback and/or join customer forums.

When you engage with the OneFamily Foundation

  • When you register with the OneFamily Foundation and take part in our OneFamily Foundation events including voting for a community project or charity.

We collect information from other sources about you

  • From a broker or intermediary who we work with to provide products, services or quotes to you
  • Business partners such as financial services institutions and insurers who are a part of providing your products and services or operating our business
  • Credit reference and fraud prevention agencies to verify your identity and to comply with anti-money laundering legislation
  • Public records and government and non-government agencies such as the Electoral Register and property registration authorities
  • Someone authorised on your behalf, such as an attorney under a Power of Attorney
  • Medical professionals to confirm certain health information.

4. How do we use your information?

Your privacy is protected by law. We are only allowed to process your personal data (which includes storing it and sharing it with other companies) if we have a legal basis for doing so. UK data protection laws outline a number of reasons (legal basis) which we can rely on, but at least one must apply to allow us to use your data. The purposes and reasons for processing your personal data are detailed below.

It is necessary for the performance of our contract with you

We will process your personal data where it is necessary for the entry into a contract or to fulfil an obligation under the contract with you for the relevant product or service.

  • To take steps before entering into the contract
  • To manage and perform the contract
  • To deal with any of your transactions
  • To update your records
  • To resolve complaints.

It is within our legitimate interests to do so

In certain situations, we require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.

  • To maintain our own records and accounts for business accounting, tax, auditing and risk management purposes
  • To update your records, trace you if we lose contact, and collect and recover money that is owed to us
  • To carry out searches at credit reference agencies before entering in to a contract with you
  • To establish your identity to comply with law and regulation concerning the prevention of money laundering, fraud or terrorist financing
  • To record telephone calls for training and monitoring purposes, and for your protection
  • To share your personal information with business partners and service providers when you apply for a product to help manage your products and services
  • To perform and test the performance of our products and services to ensure we have robust systems and controls to manage our business
  • To carry out market research, analysis and develop statistics, including through reputable agencies to develop new products and services to meet our customers’ needs and to assess how well we are performing
  • To conduct marketing activities (unless you have opted out of such marketing in which we will keep a record of the withdrawal of your consent to comply with direct marketing rules)
  • To use web profile and usage data to personalise your browsing experience to better aid our understanding of customer behavior so we can serve you better, or target our marketing more accurately
  • To carry out data segmentation and statistical analysis to better aid our understanding of customer behaviour so we can serve you better, or target our marketing more successfully
  • To verify application forms and monitor voting for Foundation awards.

To comply with our legal obligations

Your personal data may also be used by us or on our behalf to comply with our legal, regulatory and corporate governance requirements

  • When you exercise your rights under data protection law and make requests
  • To provide statutory and regulatory information
  • To prepare returns to regulators and relevant authorities including preparation of income tax, capital gains tax, capital acquisition tax and other revenue returns
  • For establishment and defence of legal rights
  • For activities relating to the prevention, detection and investigation of crime.

With your consent or explicit consent:

  • For certain activities, we will only process your personal data where you have given us your consent to do so. You may withdraw your consent easily and at any time. Where you have given us your consent to use it in certain ways including when you request that we disclose it to a third party and for direct marketing communications (by us and the third parties named when we asked for your consent). You have the right at any time to ask us, or the third parties notified to you, to stop contacting you or passing your details to others for marketing purposes
  • Where you have given us your explicit consent to use the information provided by you and any subsequent correspondence with you for the purpose of processing and considering any application to the OneFamily Foundation
  • Where you have given us your explicit consent to collect and process Special Category Data such as information about a disability, your health, a vulnerability or a change in your personal circumstances.

5. Who might we share your information with?

OneFamily takes your privacy very seriously and will never disclose your information unless there is a legal basis for doing so. We will not sell, license, trade, or rent your personal information to anyone. Depending on the product or service that you have with us we may disclose your personal information to:

  • Law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies where we are required or requested to do so by law
  • Our professional advisers including auditors and actuaries
  • Credit reference agencies and fraud prevention agencies
  • Funders, lenders and surveyors in relation to mortgages. Also, as part of the mortgage application process, we will in certain circumstances pass your data to solicitors to facilitate the completion of a loan and the management of the transfer of funds to that solicitor on your behalf.
  • Health insurance and funeral plan providers
  • Business partners (e.g. financial services institutions, insurers and re-insurers)
  • Your broker or financial adviser
  • Trustees of pensions schemes and service providers involved in the administration of these schemes
  • Where we need to do so in order to exercise or protect our legal rights, other users, or our systems and services
  • Subcontractors who perform functions on our behalf. Examples include companies that:
  • Analyse data, provide marketing assistance, provide search results and links (including paid listings and links)
  • Provide us with systems and services that support the administration of our products and services
  • Companies that help us delete or store data, including for disaster recovery purposes
  • Payment systems and services to support or enable payment, for example if you use Direct Debits we will need to share your data with the Direct Debit Scheme and BACS
  • Anyone else where we have your consent or as required by law.

Credit reference agencies

The personal information we collect from your or about you may be shared with credit reference agencies who collect and maintain information on consumers’ and businesses’ credit behaviour on behalf of lenders in the UK. When you apply for a product, where relevant, we will notify you if your information may be sent to a credit reference agency.

Fraud prevention agencies

We use your personal information in accordance with this Privacy Notice for the purposes of preventing fraud, money laundering and to verify your identity. We provide this information to fraud prevention agencies.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years. If you have any questions about this, please contact us.

For other purposes approved by you

  • Family members or other individuals that you have told us may act on your behalf
  • Where the policy is for a child, we may share information about the child and the policy with the named registered contact or parent/guardian or payer of the policy, in line with the terms and conditions of that product
  • In response to requests from individuals (or their representatives) seeking to protect their legal rights or the rights of others
  • In circumstances other than as set out above, you will receive notice when information about you might go to third parties and you will have an opportunity to choose not to share the information.

Other reasons for sharing data

We will transfer your personal information to other organisations in certain scenarios such as:

If we're discussing selling or transferring part or all of a business, your information may be disclosed to prospective purchasers, but only so they can evaluate that business

If we are reorganised or sold to or merged with another business entity, your information may be disclosed to our new business partners or owners.

Transfer of data outside of the EEA

We’re based in the UK, but sometimes your personal information may be transferred by us or our data processors to countries outside of the European Economic Area. If this is the case, we will ensure that the information is transferred in accordance with this Privacy Notice and as permitted by the applicable laws on data protection.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to "international frameworks" intended to enable secure data sharing.

Links to other websites

We sometimes provide you with links to other websites, but these websites are not under our control. Therefore, we will not be liable to you for any issues arising in connection with their use of your information, the website content or the services offered to you by these websites. We advise you to consult the privacy notice and terms and conditions on each website to see how each supplier may process your information.

6. Security of your personal information

We take the security of your personal data seriously and the following measures are in place to protect your information including:

  • We maintain physical, electronic and procedural safeguards appropriate to the sensitivity of the information we maintain. . Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you
  • We maintain a CCTV record inside and outside our head office for the purposes of detecting, preventing or prosecuting crime
  • We implement access controls to our information technology, such as firewalls, ID verification and logical segmentation and/ or physical separation of our systems and information
  • We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate business purposes
  • We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

7. How long do we keep your personal information for?

We keep your personal information only for as long as necessary. The criteria we use to determine data retention periods include:

  • regulatory and legal requirements
  • good business practice
  • time periods applicable to assessing and defending claims and/or investigations
  • dealing with any queries you may have.

When we have no ongoing legitimate business need to hold your personal information, we will either delete or anonymise it. If we’re unable to do this for technical reasons, we will securely store your personal information, only use it for a purpose we’ve already communicated to you, and isolate it from further processing until archives are deleted.

8. Your rights

Your Rights More information
Right to access You can request a copy of the personal information that we hold about you. This is generally known as a ‘Data Subject Access Request’ and we normally have 1 month to respond.

To request this information, you will need to contact us.

Right to rectification We take reasonable steps to keep your information accurate and current. However, please remember that it is your responsibility to tell us about any updates to this information.
Right to erasure or to be forgotten In certain circumstances, you have the right to ask us to erase your personal information. However, this right will need to be balanced against other factors, for example the type of personal information we hold about you and why we have collected it. There may be some legal and regulatory obligations which mean we cannot comply with your request.
Right to restriction of processing In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to process your personal information.Where a restriction is in place we can continue to store your information but only otherwise process it with your consent or for the establishment, exercise or defence of legal claims, for the protection of another individual’s rights or for important public interest reasons.

We will inform you before any restriction.

Right to be informed You have the right to be informed. We must provide you with fair processing information. This information is contained in this Privacy Notice.
Right to data portability In certain circumstances, you have the right to ask that we transfer any personal information you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information.
Right to object to processing Where our processing of your information is performed on the basis of ‘Legitimate Interest’ or ‘public interest’, you can request we stop the processing. We can continue to process your information for the establishment, exercise or defence of legal claims and if we demonstrate compelling legitimate grounds which over-ride your interests, rights or freedoms.

You can object to our processing of your information for direct marketing purposes and we will cease any processing related to direct marketing.

Right not to be subject to a decision based solely on automated processing You have the right to object to us making automated decisions about you, including profiling that would have a legal or significant effect on you.

We will inform you when we will make this type of decision.

If you would like to exercise any of these rights, please contact us.

9. Changes to this Privacy Notice

We may change this Privacy Notice from time to time. Any changes to this Privacy Notice will be posted on our websites, and/or where we think it is appropriate, via email so that you will always know what information we gather, how we might use that information, and whether we will disclose that information to anyone.

Please check our website regularly to see recent changes.

This Privacy Notice was last updated in April 2019.

10. How to contact us about the privacy of your information

All comments, complaints and requests relating to our use of your personal information are welcomed and should be addressed to:

Contact: The OneFamily Data Protection Officer

Address: OneFamily, 16-17 West Street, Brighton BN1 2RL

Email: [email protected]. Please don’t send confidential personal information by email as it’s not secure and there’s always the risk it could be intercepted.

You also have the right to complain to the Information Commissioner’s Office, which is the body created to uphold information rights. Go to ico.org.uk/concerns to find out more.