OneFamily's Privacy Notice
OneFamily is committed to preserving the privacy and security of your personal information. We ask that you read this Privacy Notice carefully as it provides you with important information on:
- your rights and obligations
- how we collect and use your personal information
- who we share your personal information with
- what we do to keep it secure
- how to contact the OneFamily Data Protection Officer
This Privacy Notice applies to you (and where have applied on behalf of a child, that child) if you access or apply for a Post Office ISA, CTF or Junior ISA (together the Office Products) on behalf of yourself or a child over the phone, or by post or online via our websites and online services.
1. Who are the data controllers of your information?
There are three data controllers in respect of the Post Office Products.
OneFamily - when we say ‘OneFamily’, ‘we’, ‘our’ or ‘us’ we are referring to Family Equity Plan Limited.
Post Office - Post Office Limited. The Post Office acts as an introducer for the Post Office Products.
Bank of Ireland UK - Bank of Ireland UK plc.
This Privacy Notice will tell you how OneFamily uses your personal information in the administration of your Post Office Product. To find out more about how the Post Office and Bank of Ireland UK will use your personal information, please see their respective privacy notices set out in the links below.
2. What types of personal information do we collect?
The personal data we collect includes:
Identity and contact details - your title, name, address, date of birth, contact details and contact details history, passport number and security details such as your national insurance number.
Financial - your financial position, status and history.
Transactional - details about your transactions with us, such as, Direct Debit mandate instructions and any claims. Your online account login details, including your user name and password.
Communications - information about you from emails, secure messages or letters you send to us or information gathered during telephone conversations with you.
Open data on public records - details about you that are in public records such as the Electoral Register and company registers, and information about you that is publicly available, such as the press and online search engines.
Information Technology - when you use our website, we monitor website behaviour via analytics software and we collect information about how each visitor uses our site. This information is then used to compile reports and to help us improve our site. We collect information about any device you have used to access our services (such as your IP address).
Special Category Data - the law and other regulations treat some types of personal information as special. These categories are personal data relating to your:
- Racial or ethnic origin
- Health data
3. How do we collect your personal information?
Personal information provided by you directly
When you engage with us for a product or service
- When you visit or register details on our websites
- When you fill in an application form either online or by post
- When you telephone us, you provide us with information, including answers to your security questions and we record your conversations with us
- When you send communications to us via post or electronically
- When you take part in our competitions, promotions or surveys
- When you provide us with your customer feedback and/or join customer forums
We collect information from other sources about you:
- The Post Office and Bank of Ireland UK may provide us with information about you
- Credit reference and fraud prevention agencies to verify your identity and to comply with anti-money laundering legislation
- Public records and government and non-government agencies such as the Electoral Register and property registration authorities
- Someone authorised on your behalf, such as a Power of Attorney
4. How do we use your information?
Your privacy is protected by law. We are only allowed to process your personal data (which includes storing it and sharing it with other companies) if we have a legal basis for doing so. UK data protection laws outline a number of reasons (legal basis) which we can rely on, but at least one must apply to allow us to use your data. The purposes and reasons for processing your personal data are detailed below.
It is necessary for the performance of our contract with you
We will process your personal data where it is necessary for the entry into a contract or to fulfil an obligation under the contract with you for the relevant product or service.
- To take steps before entering into the contract
- To manage and perform the contract
- To deal with any of your transactions
- To update your records
- To resolve complaints.
It is our legitimate interests to do so
In certain situations, we require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
- To maintain our own records and accounts for business accounting, tax, auditing and risk management purposes
- To update your records, trace you if we lose contact, and collect and recover money that is owed to us
- To perform and test the performance of the Post Office Products to ensure we have robust systems and controls to manage our business
- To carry out searches at credit reference agencies before entering in to a contract with you
- To establish your identity to comply with law and regulation concerning the prevention of money laundering, fraud or terrorist financing
- To record telephone calls for training and monitoring purposes, and your protection
- To share your personal information with The AA, Bank or Ireland UK and service providers when you apply for a product to help manage your AA ISA
- To perform and test the performance of the AA ISA to ensure we have robust systems and controls to manage our business
- To carry out market research, analysis and develop statistics, including through reputable agencies to develop new products and services to meet our customers’ needs and to assess how well we are performing
- To use web profile and usage data to personalise your browsing experience to better aid our understanding of customer behaviour so we can serve you better, or target our marketing more successfully
- To carry out data segmentation and statistical analysis to better aid our understanding of customer behaviour so we can serve you better, or target our marketing more successfully
To comply with our legal obligations
Your personal data may also be used by us or on our behalf to comply with our legal, regulatory and corporate governance requirements
- To help you exercise your rights under data protection law
- To provide statutory and regulatory information
- To prepare returns to regulators and relevant authorities including preparation of income tax, capital gains tax, capital acquisition tax and other revenue returns
- For establishment and defence of legal rights
- For activities relating to the prevention, detection and investigation of crime.
With your consent or explicit consent
- We will only collect and process Special Category Data such as information about a disability, your health, a vulnerability or a change in your personal circumstances, where you have given us your consent to do so. You may withdraw your consent easily and at any time.
5. Who might we share your information with?
OneFamily takes your privacy very seriously and will never disclose your information unless there is a legal basis for doing so. We will not sell, license, trade, or rent your personal information to anyone. We may disclose your personal information to:
- Law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies where we are required or requested to do so by law
- Our professional advisers including auditors and actuaries
- Credit reference agencies and fraud prevention agencies
- The Post Office and Bank of Ireland UK
- Where we need to do so in order to exercise or protect our legal rights, other users, or our systems and services
Subcontractors to perform functions on our behalf. Examples include companies that:
- Analyse data
- Provide us with systems and services that support the administration of the Post Office Products
- Provide banking and payment services to support or enable payment, for example by direct debit or debit/credit card
- Companies that help us delete or store data, including for disaster recovery purposes
- Anyone else where we have your consent or as required by law.
Credit referencing agencies
The personal information we collect from your or about you may be shared with credit reference agencies who collect and maintain information on consumers’ and businesses’ credit behaviour on behalf of lenders in the UK. When you apply for a product, where relevant, we will notify you if your information may be sent to a credit reference agency.
Fraud prevention agencies
We use your personal information in accordance with this Privacy Notice for the purposes of preventing fraud, money laundering and to verify your identity. We provide this information to fraud prevention agencies.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the Post Office Product you have requested, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. . Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years. If you have any questions about this, please contact us.
The Post Office and the Bank of Ireland UK
We will provide account information to the Post Office and the Bank of Ireland UK from time to time which will include any updates to your personal data that you have informed us about.
For other purposes approved by you
- Family members or other individuals that you have told us may act on your behalf
- Where the policy is for a child, we may share information about the child and the policy with the named registered contact or parent/guardian or payer of the policy, in line with the terms and conditions of that product
- In response to requests from individuals (or their representatives) seeking to protect their legal rights or the rights of others
- In circumstances other than as set out above, you will receive notice when information about you might go to third parties and you will have an opportunity to choose not to share the information.
Other reasons for sharing data
We will transfer your personal information to other organisations in certain scenarios such as:
- If we're discussing selling or transferring part or all of a business, your information may be disclosed to prospective purchasers, but only so they can evaluate that business
- If we are reorganised or sold to or merged with another business entity, your information may be disclosed to our new business partners or owners.
Transfer of data outside of the EEA
We're based in the UK, but sometimes your personal information may be transferred by us or our data processors to countries outside of the European Economic Area. If this is the case, we will ensure that the information is transferred in accordance with this Privacy Notice and as permitted by the applicable laws on data protection.
Links to other websites
We sometimes provide you with links to other websites, but these websites are not under our control. Therefore, we will not be liable to you for any issues arising in connection with their use of your information, the website content or the services offered to you by these websites. We advise you to consult the privacy notice and terms and conditions on each website to see how each supplier may process your information.
6. Security of your personal information
We take the security of your personal data seriously and the following measures are in place to protect your information including:
- We maintain physical, electronic and procedural safeguards appropriate to the sensitivity of the information we maintain. Our security procedures mean that we may occasionally request proof of identity before we disclose personal information to you
- We maintain a CCTV record inside and outside our head office for the purposes of detecting, preventing or prosecuting crime
- We implement access controls to our information technology, such as firewalls, ID verification and logical segmentation and/ or physical separation of our systems and information
- We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate business purposes
- We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.
7. How long do we keep your personal information for?
We keep your personal information only for as long as necessary. The criteria we use to determine data retention periods include:
- regulatory and legal requirements
- good business practice
- time periods applicable to assessing and defending claims and/or investigations
- dealing with any queries you may have.
When we have no ongoing legitimate business need to hold your personal information, we will either delete or anonymise it. If we’re unable to do this for technical reasons, we will securely store your personal information, only use it for a purpose we’ve already communicated to you, and isolate it from further processing until archives are deleted.
8. Your rights
|Your rights||More information|
|Right to access||
You can request a copy of the personal information that we hold about you.
This is generally known as a ‘Data Subject Access Request’ and we normally have 1 month to respond.
To request this information, you will need to contact us a >.
|Right to rectification||We take reasonable steps to keep your information accurate and current. However, please remember that it is your responsibility to tell us about any updates to this information.|
|Right to erasure or to be forgotten||In certain circumstances, you have the right to ask us to erase your personal information. However, this right will need to be balanced against other factors, for example the type of personal information we hold about you and why we have collected it. There may be some legal and regulatory obligations which mean we cannot comply with your request.|
|Right to restriction of processing||
In certain circumstances, you are entitled to ask us to stop using your personal information,
for example where you think that the personal information we hold about you may be inaccurate
or where you think that we no longer need to process your personal information.
Where a restriction is in place we can continue to store your information but only otherwise process it with your consent or for the establishment, exercise or defence of legal claims, for the protection of another individual's rights or for important public interest reasons.
We will inform you before any restriction.
|Right to be informed||In certain circumstances, you have the right to ask that we transfer any personal information you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information.|
|Right to data portability||In certain circumstances, you have the right to ask that we transfer any personal information you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information.|
|Right to object to processing||
Where our processing of your information is performed on the basis of ‘Legitimate Interest’ or
‘public interest’, you can request we stop the processing. We can continue to process your
information for the establishment, exercise or defence of legal claims and if we demonstrate compelling
legitimate grounds which over-ride your interests, rights or freedoms.
You can object to our processing of your information for direct marketing purposes and we will cease any processing related to direct marketing.
|Right not to be subject to a decision based solely on automated processing||
You have the right to object to us making automated decisions about you,
including profiling that would have a legal or significant effect on you.
We will inform you when we will make this type of decision.
If you would like to exercise any of these rights, please contact us.
9. Changes to this Privacy Notice
We may change this Privacy Notice from time to time. Any changes to this Privacy Notice will be posted on our websites, and/or where we think it is appropriate, via email so that you will always know what information we gather, how we might use that information, and whether we will disclose that information to anyone.
Please check our website regularly to see recent changes.
This Privacy Notice was last updated in August 2019.
10. How to contact us about the privacy of your information
All comments, complaints and requests relating to our use of your personal information are welcomed and should be addressed to:
Contact: The OneFamily Data Protection Officer
Address: OneFamily, 16-17 West Street, Brighton BN1 2RL
Email: [email protected]. We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your mail server does not support TLS, please don't send confidential personal information to us by email as it’s not secure and there's the risk it could be intercepted.
Contact: The OneFamily Data Protection Officer
You also have the right to complain to the Information Commissioner's Office, which is the body created to uphold information rights. Go to https://ico.org.uk/concerns to find out more.