Data Privacy Notice

Introduction

‘We’, ‘our’, ‘us’, ‘Skipton’ and the ‘Society’ in this Privacy Notice mean Skipton Building Society, which is the Data Controller.

This Privacy Notice explains the types of personal data we collect, what we do with it, who we share it with, how long we keep it and your rights.

It does not extend to other organisations, such as any external websites you may access from our website. Other organisations will inform you how they use your personal data.

Personal Data We Collect

We collect, use and hold the following data to identify you, manage your accounts and relationship with us, and to help prevent financial crime:

Name, title, address, contact details (including any previous changes), date of birth and/or age.

Lifestyle, social and family details, for example: location; web browsing history; marital status; next of kin and dependants. We also use this to understand your circumstances and needs, and assess the suitability of products and services you have or apply for with us.

Telephone, voice recording, video images, webchat, IP and/or MAC address where known, your location based on your mobile phone signals and social media handles. We use these to:

  • correspond with you and answer your queries, and provide a record of the dealings and conversations you have with us
  • understand your needs and assess the suitability of our products and services
  • provide colleague training to help improve the quality of our service

CCTV

Biometrics – fingerprint secure passcode. We use this to provide you with access to the Skipton Mobile App if you choose this validation option on your device. Skipton does not collect or store your biometric data.

Car registration. We use this for visitors to our Principal Office for visitor and car park management only.

Nationality and national identifiers, for example, national insurance, passport and driving licence. We also use this to meet Her Majesty’s Revenue & Customs (HMRC) and Foreign Account Tax Compliance Act (FATCA) reporting regulations where required.

Details of the relationships, products and services you hold with us, our partners and/or other organisations including financial details, for example, balance, transactions, how you operate the accounts and services. We also use this to assess the suitability of products and services you apply for or already hold and to manage your relationship, products and services with us and our partners.

The data protection regulations call sensitive data ‘special category’ data, which includes: ethnic or racial origin; health; political opinions; religious or philosophical beliefs; trade union membership; sex life or sexual orientation and genetics or biometrics. In general we do not collect special category data about you, but sometimes the personal data we collect may reveal this. We collect personal data about criminal convictions (including pending convictions, bankruptcy/receivership, county court judgements, court records and pending orders). This is limited to the minimum required.

We only collect and use special category personal data with your explicit consent, or if we are required to by law, there is an overriding public interest, or where we believe you or someone else may be at risk.

We use the data in the list below to understand your circumstances and needs, assess the suitability of products and services you apply for or have with us, support financial crime and fraud prevention and meet regulatory requirements:

Property details and occupancy status, for example, current and previous properties you have lived at, other properties you own, whether you are an owner, tenant or living with parents.

Employment details including your salary, other income and status, for example, employed, self-employed, retired. We also use this to verify the data you provide.

Additional financial details relating to other income, outgoings and spending habits, for example, benefit entitlement and income, rental income, credit, loans, debts. We also use this to assess how you manage account payments and credit.

Criminal convictions, pending convictions, bankruptcy/receivership, county court judgements, court records and pending orders.

We use the data in the list below to understand your circumstances and needs, assess the suitability of products and services you apply for or have with us, meet regulatory requirements and provide financial advice and recommendations.

Property details & occupancy status, for example, owner, tenant, living with parents.

Employment details including your salary, other income and status, for example, employed, self-employed, retired. We also use this to verify the data you provide.

Additional financial details relating to your financial position. This includes details of any pensions, investments, life policies, your spending habits, debts and regular and ad hoc income and outgoings etc.

Estate planning arrangements you have in place, for example, will, power of attorney, funeral plan and trust.

Details relating to your financial attitudes and aspirations including attitude to risk, investment goals, plans and priorities.

Lifestyle, social and family circumstances, for example, location, web browsing history, marital status, next of kin, dependants, health, medical and smoker history.

We use the data in the list below to understand your circumstances and needs and assess the suitability of products and services you apply for or have with us:

Property details and occupancy status, for example, owner, tenant, living with parents.

Family details, for example, marital status, next of kin, dependants.

We ask for your position in the organisation, which we use to:

  • identify you
  • process, manage and administer your applications, enquiries, deposits and transactions with us
  • provide colleague training to help improve the quality of our service and for general quality assurance and communication monitoring
  • prevent crime, money laundering, counter terrorist financing, carry out sanction screening, protect you and others from fraud, provide security and for public safety
  • communicate with you about the deposits you hold with us
  • meet our legal, regulatory, auditing, tax and accounting obligations
 

Who we share data with and why

There are times when we need to share your personal and special category (sensitive) data with others. We keep this to a minimum and ensure that appropriate security measures are in place.

We will not sell your information to another firm.

These are the types of organisations and/or individuals we share personal data with, and why/when we share personal data.

Joint account holders, including former, current and/or future account holders and trustees.

Your authorised representatives, for example, family members, attorneys.

  • enquiries, requests and further applications
  • ongoing administration of your joint account, products and services
  • processing transactions.

We do this where:

  • the data is common to all account holders
  • they are authorised to operate the account without you, for example, each account holder is authorised to operate the account separately.
  • they confirm they have your authority to provide your data on your behalf.

Financial advisers, where you have authorised them to act on your behalf.

Credit reference agencies.

  • To verify your identity and to help trace your whereabouts if we have been unable to contact you
  • To review and assess your suitability and application for products and services

Field agents, debt collection agencies, tracing agents and appointed receivers and trustees in bankruptcy.

  • understand your circumstances and financial situation
  • assist in recovering debt
  • locate you when we have been unable to contact you via our usual communication channels
  • meet legal requirements where receivers or trustees in bankruptcy have been appointed to deal with your financial affairs.

Solicitors, licensed conveyancers, valuers, panel managers and other professional advisers.

  • provide professional services
  • review and assess your suitability and application for products and services
  • manage your ongoing relationships
  • administer and manage disputes and/or legal claims.

Central and local government departments and agencies, for example, Department of Work and Pensions, Jobcentre Plus, local councils.

  • confirm payments received and ongoing benefits
  • assist with enquiries, investigations, complaints and assessments.

Fraud prevention agencies

  • carry out checks for the purposes of preventing fraud and money laundering
  • verify your identity
  • assess your suitability for products and services.

Other companies in the Skipton Building Society Group

  • manage your relationships and experience with us and our Group companies
  • refer you to them for the additional products and services they can offer you
  • provide and improve our security and systems and protect you
  • support any joint Group reporting requirements to our regulators
  • financial crime and fraud prevention purposes.

Financial organisations

  • review and assess your suitability and application for products and services
  • manage payments (including the use of payment services involving the transfer of electronic payments into or out of your account), transactions and ISA transfers
  • respond to requests for the postponement of a charge on your property
  • financial crime and fraud prevention purposes
  • assist with enquiries and investigations.

Law enforcement agencies including police forces, private investigators, security organisations and prosecuting authorities

  • assist with any ongoing investigations relating to the security and/or safety of individuals
  • financial crime and fraud prevention purposes.

Courts and tribunals

  • respond to court and tribunal requests
  • manage and resolve complaints, disputes and/or legal claims.

HMRC

  • provide information for tax reporting purposes
  • assist with enquiries, investigations, complaints and assessments
  • financial crime and fraud prevention purposes.

Ombudsmen and regulatory organisations, for example, Financial Ombudsman Service, Financial Conduct Authority, Prudential Regulation Authority, Financial Services Compensation Scheme, Information Commissioner’s Office

  • provide our regulatory and governing bodies with data about our business
  • assist with enquiries, investigations, complaints and assessments.

Trade associations and industry groups, for example, UK Finance, Building Societies Association

  • assist with enquiries, investigations, complaints and assessments
  • develop industry standards
  • understand and predict trends in customer and financial behaviours.

Management Consultancy firms

  • gain a range of insights, for example, into market trends, consumer behaviour, competitors and technological change
  • help make recommendations into future development and strategy
  • get support with a range of business decisions.

Research and insight agencies

  • better understand our customers and members including their experiences, life stages, circumstances, needs and responses to our current and potential products, services and wider initiatives
  • gain a range of insights, for example market trends; consumer behaviour; competitors; technological change
  • support a wide range of business decision making such as product development.
  • Data for profiling and customer segmentation to create a broad understanding of our customers, to help shape our communications, products and the overall customer experience from what our branches look like, to how we handle phone calls and other customer contacts.

Incentive agencies

  • verify your eligibility for an offer
  • administer the incentive

Media agencies and marketing service providers

  • show you targeted adverts based on your previous web browsing history

Registrars

  • keep registered shareholder information in relation to Permanent Interest Bearing Securities.

Scrutineers

  • oversee and inspect votes received in connection with our Annual General Meeting (AGM) and Extraordinary General Meetings (EGM) when applicable.

Voluntary and charitable organisations

  • register and manage your involvement in our charity or community events.

Mailing houses and printers

  • provide you with service information, for example, account statements
  • provide you with a range of other communications about our products, services, news and offers.

Information Technology service providers

  • provide third party systems, storage, software and application support.

Data modelling and risk organisations

  • understand and predict trends in customer and financial behaviours
  • support a wide range of business decision making including the provision of credit to customers
  • review and validate the accuracy of reports and/or model outputs from other organisations.

Organisations that either lend, or arrange the lending of funds, to the Society

  • meet regulatory disclosure obligations relating to secured funding transactions
  • meet legal obligations which are present in the secured funding transaction legal documentation
  • assist with the creation of the secured funding transaction.

External auditors, risk and rating agencies, for example Moody’s and Fitch

  • support a wide range of business decision making such as product development
  • validate reports
  • facilitate the management and audit of business operations
  • perform reviews of mortgage files for secured funding transactions to enable the necessary reporting to be completed
  • assess the Society, including Group entities, to enable the granting of a credit rating
  • assist in meeting our legal obligations.

Other organisations involved in handling mergers, acquisitions and other corporate transactions

  • enable the sale or purchase of all or part of our business.

Credit Reference Agencies

  • review, assess and confirm your credit worthiness
  • update your payment history (including defaults, arrears and repossession hearings) with them.

Employers (current, past or prospective)

  • confirm your employment and employment status and income received.

Lenders and landlords

  • confirm your residency status and payment history.

Mortgage Guarantors or potential guarantors and their legal representatives

  • deal with their enquiries, requests and further applications
  • manage the ongoing administration of your accounts, products and services
  • process transactions.

Non-borrowing adult occupiers

  • to inform them of your application and confirm they have no claim on the property

Housing Associations

  • administer and manage your shared ownership mortgage application and ongoing account, and so that we can do this too.

Fund providers, managers, insurance companies and platforms

  • provide the products and services we’ve recommended
  • enable the effective and efficient management of your investments, funds, accounts and chosen products and services
  • help manage your ongoing relationship with us and them
  • enable the ongoing correct charging of products and services you have selected both to you, and between us and the third parties as appropriate.

Credit Suisse AG

  • manage existing structured deposits which combine traditional savings with stock market investments.

Insurance Companies.

  • assist with enquiries, assessments, the provision of insurance and to administer claims.

Claims Management Companies.

  • assist with enquiries and the assessment of compensation claims

Social Media platforms & providers

  • communicate with you and answer your queries
  • show you targeted advertising

Your authorised representatives. This includes family members, attorneys, mortgage guarantor, executors and beneficiaries

  • manage our business relationship with them and to enable them to manage your accounts, products and services in line with your authorisation. Personal data may also be shared with the account holder about these authorised representatives (e.g. communications, transactions)

Other adults living in your mortgaged property

  • for them to confirm they have no claim on the property

Employers, lenders and landlords

  • obtain data about your relationship with them

We collect, use and hold personal data about the following people, in order to identify them and to manage our business relationship:

  • Brokers and financial advisers etc
  • Solicitors, licensed conveyancers, and other professional advisers
  • Voluntary and charitable organisations and their representatives/members
  • Field agents, debt collection agents, appointed receivers and trustees in bankruptcy

Skipton can offer or introduce you to a number of products and services provided by our third party partners. If you enquire or request details about these products and services we will share your personal data with our partner so they can answer your queries, provide you with illustrations and complete your application. They will also share data with us so we can identify all your relevant holdings and improve the experience you have with us. Where we introduced you to a partner who we no longer have a relationship with, only in limited circumstances will we receive any data about you.

Our current third party partners and the product or service provided/introduced are:

Legal & General Insurance Limited

  • Home and Landlords insurance and claims administration.

AIG Life Limited

  • life insurance and claims administration

Dignity Pre Arrangement Limited

  • Funeral planning services.

Scottish Widows Limited.

  • Stock market based investments for our financial advice service.

Ascot Lloyd Financial Services Limited

Financial advice in relation to:

  • defined benefit and other pension options
  • Life Time Allowance and Annual Allowance.

Canopius Managing Agents Limited and Lloyds Syndicates

  • Mortgage payment protection insurance and claims administration.

Skipton Trustees Ltd

Skipton Building Society partners with Skipton Trustees Ltd (STL) which is a trust corporation. STL is a wholly-owned subsidiary of the Society. If you wish to contact STL for any purpose, please use the Society’s contact details. These partnerships are as follows:

Wills and Power of Attorney (POA) Referral Service, and

Legal Documents Care Package

  • STL’s Third Party - Redstone Wills Limited
  • Relationship - Provided by STL and administered by Redstone Wills Limited

Estate, Trust & Property & Financial Affairs’ POA Administration

  • STL’s Third Party - 1825. '1825' is a trading name used by Pearson Jones plc, which is part of the Standard Life group
  • Relationship - Provided by STL and administered by 1825.

Family Bereavement and Serious Illness Helpline. Part of the Legal Documents Care Package

  • STL’s Third Party - Red Arc Assured Limited
  • Relationship - Provided and administered by Red Arc Assured Limited
 

What allows us to collect, use, share and keep your personal data

We must have a lawful basis to collect, use, share and keep your personal data. The different lawful bases we use, and how these affect you, are:

Legal obligation

At times we are required by law to collect, use, share or hold personal data.

As we operate in a regulated industry we have to comply with the laws and regulations set by government bodies and our regulators. Our regulators are the Financial Conduct Authority, Prudential Regulation Authority and the Information Commissioner’s Office.

Contract

This is where you choose to enter into an agreement with us or make an enquiry with the intention of entering into an agreement. It includes the terms and conditions for the ongoing management of those accounts, and products and services once opened.

Legitimate business interest

This is where we or another third party has a valid interest in the personal data we collect, use, share and hold as long as it does not unduly affect you or cause you undue detriment, damage or distress.

You have a right to challenge our legitimate interest if you believe we do not have a valid reason to collect, use, share or hold your data.

Consent

This is where we ask for your consent to carry out certain activities such as marketing. You may withdraw your consent at any time.

Explicit consent

This may be relied upon regarding special category data.

Vital interest

This is applied in very limited circumstances where we feel you or another individual may be at serious risk, for example, life or death circumstances and no other lawful basis can be applied.

Public Interest

This may be relied on in the exercise of official authority or to perform a specific task in the public interest that is set out in law.

 

How we use your personal data

There are many reasons why we need your personal data. What personal data we need and how we use it will depend on a range of factors including the type of products and services you have with us, whether you have a sole or joint account, and many more.

We will collect, use, share and keep personal data needed for us to deal with your enquiry, process your application, provide any illustrations you require, and manage the ongoing administration of your accounts, products and services. This includes keeping your account records up to date and contacting you when needed.

We use agencies to provide analysis, financial and behavioural insight into customers. This includes the use of predictive modelling to assess future behaviours including likelihood of defaulting on payments. These agencies help us assess customer creditworthiness and other behaviours to help take a range of business decisions such as whether to provide future credit to customers. We also use the agencies to enable the management and audit of business operations, including accounting, to meet our legal obligation to carry out audits.

We will collect, use, share and keep personal data, including relevant sensitive data, to provide you with a Decision in Principle if required; assess, review and process your application, and contact you when needed.

When you request a Decision in Principle and/or apply for a mortgage, you will be taking the steps necessary to enter into a contract with us.

This process involves reviewing your application with the use of financial models, automated systems provided by Credit Reference Agencies and against our full lending criteria. This is to help us better understand your mortgage application and to assess the affordability of the products and services you apply for. When we do this the Credit Reference Agencies will keep a record of our search, whether or not you proceed with a full mortgage application. This is known as a credit footprint. They do this so that you can see who has looked at your credit report, when it was looked at and why. This record may also be seen by other lenders and could affect your ability to obtain future credit.

All of our mortgage applications are underwritten by a team here at Skipton.

We will be unable to proceed with your mortgage application without undertaking one or more of these activities.

We will continue to assess the ongoing performance of your mortgage once you have taken it out.

After the redemption of your mortgage, we will continue to use, share and hold your personal data for as long as required to meet our legal, regulatory or other lawful requirements. In addition, data will be used for ongoing modelling to support future business decisions such as ensuring the business has appropriate capital reserves for future lending and changes in the economic environment.

Transfer of mortgage

If you make a transfer of mortgage application, any borrower who is to be removed from the mortgage account, with our agreement, will remain on the account until our legal adviser sends us written confirmation that the transfer of the mortgaged property has been legally completed. Until we receive that confirmation, all borrowers will still be liable under the mortgage and can have access to the account details, including details of any additional lending.

Until the transfer of mortgage application has been completed, we will share data about the mortgage account, the progress of the application and the existing and new borrowers, and any guarantors, with each of them.

Guarantors

Where a guarantor has been agreed on your mortgage account, we will share details of your account, including balance outstanding, interest rate(s) applicable, early repayment charges and monthly payments with them. The guarantor will also be advised of any additional borrowing or further application while they remain a guarantor.

If you are appointed as a guarantor on a mortgage account, your data and payments made will be shared with the current and any future potential borrowers. This will include if one of them requests to add or remove a name from the account in the future.

Adult occupiers

If there are other adults living in the property who are not party to any mortgage or additional borrowing application you make, we will contact them to inform them of your application and ask them to confirm that they have no claim on the property.

Second charge

If you take a second or subsequent mortgage or loan with another lender and secure it against the property you have in mortgage to us, this is known as a second charge. If we receive an application or request to postpone a charge on your property from another charge holder, we will share data about your account, including projected balance and projected monthly payments with them.

Debt recovery

We share data about you and how you conduct your account (including defaults, arrears and repossession hearings) with credit reference agencies, fraud prevention agencies, solicitors, debt collection agencies and/or tracing agents acting on our behalf to assist in recovering the debt and to locate you if we have been unable to contact you via our usual communication channels.

Commercial lending

For commercial mortgage accounts we hold data about the named contacts on the account, including company directors and authorised employees. This is so that we can effectively manage the account and are able to contact the relevant business owner where necessary.

Shared ownership

Where the application relates to a shared ownership mortgage, the Society will share details of the mortgage account including application, payment history, requests for variation and all other relevant matters relating to the conduct of the account with the housing association which holds an interest in the property.

When you take out a savings product with us, we need data to, for example: verify your identity; open your account; process payments; calculate and apply interest and government Lifetime ISA bonuses.

ISA transfers

If you request an ISA transfer between us and another provider we will share your data with the other provider in order to meet your request and comply with ISA regulations.

Payment services

If you choose to use payment services to make or receive electronic payments between us and another service provider, we will share your personal data with that service provider in order to administer and manage your request and to comply with payment services regulations.

Tax reporting

We will deal with tax and government bonuses as required by legislation and following HMRC guidance. Your account information will be reported to HMRC where legally required. HMRC may share this information with the government of another territory.

When you contact us about financial advice we will collect data in order to get to know you and understand your needs, so we can offer personalised advice and provide financial planning recommendations tailored to your needs and circumstances.

If you choose to proceed with any of the recommendations given by our financial adviser we will share your data with external organisations such as fund providers and platforms, where needed, to:

  • provide the products, services and investments you choose
  • communicate with you about your investments, products and services
  • manage your ongoing relationship
  • send you details about our products, services, news and offers where you have given your permission for us to do this
  • support crime and fraud prevention purposes.

Should you select an ongoing review service we will communicate with you about your investments, products and services in order to enable us to undertake these reviews.

If you take out Skipton Building Society Home Insurance, we will share data about you and details of your policy and claims with:

  • our third party partner who provides and underwrites the insurance product
  • fraud prevention bodies.

These organisations will also share data directly with us and with each other when needed to manage your policy, renewal and claims.

This data will additionally be made available to other prospective lenders and insurers to assist with enquiries, investigations and to detect and prevent fraud.

In respect of insurance, we will use your data, including details of any criminal offences and proceedings, health and other relevant items to:

  • understand your needs
  • assess the suitability of our products and services
  • verify your identity
  • contact you
  • prevent and detect fraud
  • comply with legal and regulatory requirements
  • undertake market research
  • provide marketing communications with your consent.

Mortgage Payment Protection Insurance

We will share data with Claims Management Companies and/or Insurance Companies to assist them with their enquiries and assessment of any mortgage payment protection insurance you hold or have taken out in the past. We will only do this if they provide evidence that they have your signed authority to act on your behalf. The signed authority must be dated within six months of us receiving the request.

We process your personal data on the basis that it is necessary in the public interest or in exercising official authority for us to prevent fraud and money laundering, and to verify identity, in order to protect ourselves and to comply with laws that apply to us.

More information about how we use this data is below.

Credit and identity checks

In order to process your application, we are required by law to identify you and assess the affordability of the products and services you apply for. We do this by using automated systems provided by one or more credit reference agencies. If you take products and services from us we may also make periodic searches at credit reference agencies to manage your account in future.

We will share your data with the credit reference agencies and they will give us data about you. This will include public data, for example, from the electoral register and other data, for example, from your credit applications about your financial situation, financial history, shared credit and specific fraud prevention data.

We will use this data to:

  • identify you
  • assess your creditworthiness and whether you can afford to take the product
  • prevent criminal activity, fraud and money laundering
  • manage your accounts
  • trace and recover debts
  • ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange data about you with credit reference agencies while you have a relationship with us. We will also inform the credit reference agencies about your settled accounts. If you borrow and do not repay in full and on time, credit reference agencies will record the outstanding debt. This data may be supplied to other organisations by credit reference agencies.

When credit reference agencies carry out a search they will place a footprint on your credit file that may be seen by other lenders.

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together. You should make sure you share this information and discuss it with them before making an application. Credit reference agencies will also link your records together if they identify a link between you, joint applicants and/or any individual identified as your spouse or financial partner. These links will remain on the files until such time as you or your partner successfully files for a disassociation with the credit reference agencies to break that link.

Any documents requested or provided to help prove your identity may be checked with the issuing authority and/or anyone who has certified a copy.

The data from the credit reference agencies is used to automatically assess your application against the Society's lending criteria. If your application is declined based on this automatic assessment you have a right to challenge the decision. If you do not agree with the assessment you can contact us to challenge the decision and we will give you the opportunity to discuss this with us and review the results of the assessment for accuracy.

The information we obtain from credit reference agencies is owned by them and limited to what is needed for our own purposes. We will tell you if your application is rejected because of information we have received from credit reference agencies but will not be able to provide any details. You will need to contact the credit reference agencies directly to request a full credit report if you require details of what they hold about you.

More details about which credit reference agencies we use, their role as fraud prevention agencies, what personal data they hold (including how they use and share it), their retention periods and your data protection rights with the credit reference agencies are explained in the Credit Reference Agency Information Notice (CRAIN).

The CRAIN is accessible from each of the three credit reference agencies – clicking on any of the three links below will take you to the same CRAIN document: TransUnion, Equifax, Experian.

Fraud prevention

Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that it is necessary in the public interest or in exercising official authority for us to prevent fraud and money laundering, and to verify identity, in order to protect ourselves and to comply with laws that apply to us.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

CONSEQUENCES OF PROCESSING

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact the organisation that referred you to this page.

DATA TRANSFERS

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to "international frameworks" intended to enable secure data sharing. Cifas, the UK leaders in fraud prevention, has published more information about data transfers.

Crime prevention and public safety

Within our premises we have CCTV in operation. Footage may be reviewed by ourselves, or passed to police or law enforcement agencies upon request following any incidents relating to the security and/or safety of individuals and to assist with any ongoing crime investigations.

We have a legal obligation under the Building Societies Act to hold an AGM. We will use your information to identify if you are eligible to vote in the AGM and, if so, to send you your voting pack. We use an external scrutineer to issue the voting packs and to undertake the vote count.

How you vote is confidential to our external scrutineer. If you vote, we will receive data after the AGM to say you’ve done so, so we can update your record. We will also receive a copy of any comments you’ve made. Your vote is viewed as an interaction with the Society, which is important because it shows us your account is not dormant. We will only know if you have voted, but not how you voted.

We will use any of the contact details we hold for you to communicate with you about the products and services you hold with us, contact you as requested and to send you information we are required to provide you with by law, for example, account statements, notification of annual and extraordinary general meetings.

Marketing

We may use your information to provide details about our products, services, news and offers that we believe may be of interest to you. The communications sent to you will be based on a range of factors including what products you already have with us, whether you are a member of the Society, where you live, data received from third parties, for example, customer lifestyle information from external data agencies and other information gained about your behaviours and dealings with us.

We will only get in touch with these types of communication if you have given your consent to be contacted for marketing purposes, and only contact you by the methods you have agreed to, for example, post, telephone, email or text.

You can change your marketing preferences at any time by visiting a branch, logging into Skipton Online and going to ‘My Account’ (if you’re registered for Skipton Online), calling us on 0345 850 1700 or writing to us at FREEPOST SKIPTON BUILDING SOCIETY (please use block capitals). Where you have chosen to receive ‘Email Updates’ you can either use the ‘unsubscribe’ at the bottom of the updates or you can change your preferences at our preference centre.

Personalisation

If you’ve provided your consent to the use of cookies for ‘measurement and personalisation’ purposes (see cookie policy for more details), these cookies will collect data about how you use our websites. We’ll use this in combination with information about the products you hold or services you use from us, as well as data from research and insight agencies, to allow us to provide personalised content for you on our website and in our marketing and service communications to make them more relevant.

For example, if you have a savings account that is due to mature, then the information you see on our website or that you receive via your chosen marketing channels may be about our latest savings offers. Or, if you have viewed a page on our website, then we may show this on our homepage for your next visit so it’s easier for you to find what you were looking for.

You can update your cookie preferences at any time by visiting the preference centre. If you didn’t accept these cookies then your website experience or communications you receive might not be as relevant.

Social Media

We have a presence across a range of social media channels. When you use any of our channels we may record and retain personal data and other information about you including your social media handle, the frequency, dates and times of your visits, and any information you share on our social media pages or as direct messages to us.

Any information you provide through our social media channels may be shared with other Skipton Building Society Group companies, and any third parties who provide services on our behalf to enhance our social media services, presence and your customer experience. Your comments, opinions and messages may be used so that we can better understand our customers and improve our products, services and overall customer offering.

Market Research and customer relationship management

We want to provide you with the best products, services and experience. To do this, we need to understand what your and other customers’ needs and circumstances are, what you like about Skipton and any improvements you think could be made.

Market Research: We use external agencies including market research companies to help us gain such insights, carry out market research, and obtain feedback about products, services and experiences. We will pass your contact details to the agencies so they can contact you. They will share the data they obtain from you with us; this can be at an individual customer level, at group level or anonymised. This supports a wide range of business decision making such as product development. If you are contacted by our market research companies you can choose not to participate and we will not contact you again for market research.

Customer Relationship Management: We use data for profiling and customer segmentation to create a broad understanding of our customers. This helps shape our communications, products and other activity. We also carry out behaviour and trend analysis, including the use of financial, behavioural and other models. In this way we can understand not only what is important to our customers now, but also predict future behaviours and needs. This includes looking at information we hold about you, or that we may have received from other sources, such as credit reference agencies.

Competitions/Prize Draws

We sometimes run competitions/prize draws for customers, members and the wider public. When we collect personal data for this reason, we use it to administer the competition and notify the winner. If we wish to use the data for any other purpose this information will be provided at the time.

Seminars, talks, information events

We sometimes run seminars, talks or information events for customers, members and the wider public. When we collect personal data for this reason, we use it to administer the event including contacting you to confirm attendance and notifying you of any changes to the event. If we wish to use the data for any other purpose this information will be provided at the time.

Promotional material

From time to time, we may use case studies, video footage and/or photographic images of our customers in promotional content for the Society, both internally and externally. We will let you know how we would like to use these when we ask for your consent prior to the collection and use of this type of content. If the use of it changes we will notify you and re-obtain your consent for the new usage.

You can withdraw your consent for the use of your information in case studies and promotional material by emailing marketingpromotions@skipton.co.uk or by telephoning 0345 850 1700.

If you withdraw your consent we will not use your case studies, video footage and/or photographic images in any future promotional material and will remove them from any existing material already made public at the next update/re-print.

Quality assurance and communication monitoring

We may sometimes access your data as part of our internal quality assurance processes, to ensure that you have received the best and correct outcome for your situation. These monitoring activities also allow us to carry out ongoing training with our colleagues.

We will record and monitor some of your contact with us. This includes telephone calls, email and, where you use Skipton Link, the verbal content of the meeting, as well as visual and audio recording of a limited number of face to face interactions in Branch. This is to help us in our continuous attempts to improve customer service and to offer additional protection and security. We also retain information for evidential purposes and to meet legal and regulatory requirements. Telephone calls, Skipton Link and other electronic communications may also be monitored for reasons of staff training.

We provide free WiFi in some of our offices. Where you choose to use this we will use your IP/MAC address to:

  • process your registration in order to provide you with connectivity to the Wi-Fi service
  • meet our legal, regulatory and government reporting obligations (e.g. Ofcom, court order)
  • understand the total number of users of the Wi-Fi service

We take our responsibilities to our customers seriously, especially those who may be vulnerable including the families and loved ones of bereaved customers.

  • Adjustments for customers needing help

    Everyone needs a little help sometimes and we want to ensure that you get the best experience from Skipton Building Society. With your consent, we will add notes to your records about any adjustments we need to make, such as using large print when we communicate with you, to ensure it’s easier for you to interact with us.

  • Bereavement

    If you’re named as an executor in the Will or there is no Will and you’re the legal next of kin, and can show us proof of this, we can tell you the account balance(s) and interest due up to the date of death.

    At the request of the executor(s) we will share data with solicitors, HMRC and the customer’s beneficiaries.

    If you inform us about the death of one of our customers, we may tell the executor(s) who has informed us of the death.

    For more details about this please visit our Bereavement Support site.

If we sell or transfer all or part of our business, we may share or transfer customer records and data as part of the proposed/actual sale or transfer. Before we do this we will ensure there is adequate protection in place by imposing contractual obligations on the buyer/seller to ensure the security and confidentiality of your data.

Windfall benefits: Should the Society demutualise, we will provide the selected charity with certain information about you (including your name and account number) in order for such benefit to be processed. Any processing of your personal data will be in accordance with our Data Privacy Notice and the selected charity.

We may occasionally use elements of your information to test new systems or features in a controlled environment in accordance with our internal security standards. Testing with real information helps us ensure we can maintain confidentiality, integrity and availability of your information.

If we need to transfer data outside the European Economic Area (EEA) and the country it’s transferred to is not on an approved list for having adequate security controls in place, we will limit when we do this and the amount of personal data we send.

We have a subsidiary company called Jade Software Corporation Limited based in New Zealand, which provides us with systems and technical support. New Zealand is on a list of countries approved by the Information Commissioner’s Office as having adequate security controls in place.

Organisations in the USA can sign up to the EU-US Privacy Shield which is recognised by the Information Commissioner’s Office as having adequate security controls in place. When we use third party systems, application support and cloud based providers based in the USA, we will use third parties who have signed up to the EU-US Privacy Shield and impose contractual obligations on them to ensure the security and confidentiality of your data.

We will also ensure that there is adequate protection in place before sending anything to other countries outside the EEA by imposing contractual obligations on the recipients to ensure the security and confidentiality of your data.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

We may store data about you using cookies (files which are sent by us to your computer or other device you use to access our website), which we can access when you visit our site in future. We do this to provide the online services you request, understand your needs, improve our website services and provide a better experience for you.

For full information relating to our use of cookies and similar technologies please read our Cookie Policy at https://www.skipton.co.uk/cookie-policy

Community Giving Awards Scheme

When you apply for the Community Giving awards scheme, we collect personal data about you and your nominated charity/community group. This includes what the funds will be used for to allow us to make a decision on which causes will receive a donation.

The data will be used to:

  1. administer the awards scheme and notify the nominees and charity/community group by email of the outcome
  2. understand who is making the nomination
  3. contact the nominator or charity/community group with any queries
  4. undertake checks on the nominator’s firm and the nominee as part of the selection process on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us

Successful causes and nominators will be asked for:

  • A Photograph/testimonial of the charity/community group
  • Nominator name and details and nomination information

These will be used with relevant consent as part of our promotions for up to 12 months following the announcement.

We will explain at that time where they will be used. If you do consent, then consent may be withdrawn at any time by contacting the Community Giving Mailbox. Should you withdraw your consent we will remove mentions and media from our owned websites and social media channels to the extent that we have control.

Your rights

You have certain rights in relation to your personal data. Not all rights apply in all cases, and these are explained in more detail below:

Be informed: We do this by providing this Privacy Notice, by giving information in our application forms, web pages and telephone conversations at the time it applies.

Access your personal data/make a Subject Access Request: We will provide a copy of the personal data we hold about you upon your request at no charge to you.

Have inaccurate or incomplete personal data corrected: We will correct and/or update your personal data if you inform us or we identify that it is inaccurate or incomplete.

Request erasure: We will delete your personal data if:

  • we no longer need it for the reason(s) we told you
  • you object and we do not have an overriding valid business interest

Children also have a right to request erasure. We do not offer online services on children’s accounts but we do allow children to open and operate a savings account from the age of eight either in branch or by post.

Restrict the collection, use, sharing and holding of personal data: We will put on hold the use of your personal data when:

  • its accuracy needs to be verified
  • you have objected and we need to consider if our legitimate business interest overrides your request
  • it has been collected, used, shared or kept unlawfully and you have requested that it’s not deleted but want it to be restricted
  • we no longer need it but you need it to establish, exercise or defend a legal claim.

We will tell you before we remove any restrictions.

Portability: You can request that we move, copy and/or transfer your personal data electronically to you and/or another service provider.

We will do this in a safe and secure way, where you have made a request to us or another service provider, or when required to meet a contractual obligation.

Object: You can object to the collection, use, sharing and retention of your personal data where:

  • you feel our legitimate business interest will cause you undue detriment, damage or distress. A legitimate business interest is where we or another third party has a valid interest in the personal data we collect, use, share and keep as long as it does not unduly affect you or cause you undue detriment, damage or distress.
  • you do not agree to direct marketing (including profiling).

Challenge automated decisions: We will give you the opportunity to discuss with us and review the accuracy of any decisions made based on an automated assessment.

How long we keep your data - overview

We have a Records Management and Retention Policy in place which sets out how long personal data needs to be kept. When determining retention periods, we consider the following:

  • maximum or minimum retention periods identified by the law or regulatory guidance
  • contractual rights and obligations
  • customer expectations, the nature of your relationship with us, your membership status and the types of accounts, products and services you have with us
  • current or future operational requirements
  • forensic requirements, for example, the potential need to access data no longer actively used in order to manage or respond to complaints and disputes
  • the risks involved in retention, deletion and removal
  • the cost of maintaining, storing, archiving and retrieving data
  • the capability or restraints of our systems and technology.

If you have more than one relationship, account, product or service with us we will retain your personal data for the longest retention period that applies to those relationships, accounts, products or services. Once the shortest retention period(s) have been reached in relation to sections 8.2(a) to 8.2(g), details of your accounts, products or services, including transactions and bank details, will be minimised in our core customer systems so that only high-level details about you, those relationships, accounts, products or services and the dates they were held are kept; this isn’t applicable in all cases for sections 8.2(h) to 8.2(v). However, all personal data relating to you and your closed relationships, accounts, products or services will remain in our back-office data warehouse storage system until the longest retention period has been reached.

General Enquiry about our accounts, products or services

If you do not request a review or follow up, and do not give us your marketing preferences, as part of your enquiry, we will keep your personal data for 6 months from the date you make an enquiry. This is to allow time for you to open an account, product or service after the enquiry.

If you have had a review or follow up to your enquiry, we will keep your personal data for 2 years from the date of your enquiry. This retention period is to manage branch performance, provide an overview of our interactions with you and deal with your queries.

Joint accounts

Where a closed joint account has reached its retention period and one, both, or more account holders still have a relationship, other accounts, products or services with us, their personal details will be retained for the longest retention period that applies to those other relationships, accounts, products or services. However, the details will be minimised on the joint account so that only high-level details about the account and the dates it was held are retained.

Details will not be retained of any joint account holder(s) that no longer have any relationship, accounts, products or services with us.

Savings:

  • Savings Account

We will keep details of your savings account for 6 years after your account is closed to meet our legal and regulatory obligations and deal with your queries.

  • Savings Account - Application only

If you apply for a savings account and the application does not progress to opening, or no money is paid into it, we will keep your personal data for 6 months, to deal with your queries.

  • Credit Suisse Savings accounts

We will keep details of your Credit Suisse Savings accounts for 6 years from the product end date to meet our legal and regulatory obligations.

  • Equity Child Trust Fund (CTF)

We will keep details of your Equity Child Trust Fund for 10 years after the date when the child reaches the age of 18 to allow time for the adult who took out the product or the child to contact us with any queries or concerns.

Mortgages

  • Mortgage Account

We will keep details of your mortgage account for 25 years after it has been paid off to meet our legal and regulatory obligations and to deal with your queries.

This period has currently been extended to 99 years to deal with and manage Mortgage Payment Protection Insurance (MPPI) claims and queries. This will be reviewed on a regular basis.

  • Mortgage - Application only

If you apply for a mortgage account, and we have carried out a credit search, but the application does not progress to opening, we will keep details of your application, including results of the credit search for 6 years to help us better understand your mortgage application, to assess the affordability of the products and services you apply for and deal with your queries. We will keep these details, whether or not you proceed with a full mortgage application.

Protection, Investment and Savings products provided by third parties

We will keep details of the protection and investment products (e.g. family, income protection, endowment, life cover, term assurance, permanent health, critical illness, ISA, savings bonds, unit trusts, PEPs, pensions) you take out until the date of what would be your 120th birthday to deal with your queries.

If we are informed of your death, we will keep details of the protection, investment and savings products you held for 25 years after your death to deal with any queries.

Legacy Planning – wills, funeral planning, powers of attorney, executors

  • Will writing service

We will keep details of your request or referral for Will writing services indefinitely to help colleagues deal with any queries or concerns such as your will being contested.

Where we are made aware that you did not complete or sign a Will document we will keep details of your referral for 2 years to measure and manage colleague performance, provide management information and contact you where appropriate.

  • Funeral Plan

We will keep details of your Funeral Planning Services referral indefinitely to help colleagues deal with any queries or concerns.

Where we are informed of the death of a Funeral Plan holder, we will keep details of the plan, including details of the person who took out the plan, where this is different from the Funeral Plan holder, for 6 years after their death to deal with any queries or concerns.

Where we are made aware that you did not take out or have cancelled a Funeral Plan, we will keep details of your referral for 2 years from you requesting to take out or cancelling the plan to deal with any queries.

  • Power of Attorney (including Estate Management where applicable)

We will keep details of your referral, when you have requested that Power of Attorney/Estate Management documentation be produced, indefinitely to deal with your queries or concerns.

Where we are made aware that you did not go ahead with the request for Power of Attorney documentation, we will keep details of your referral for 2 years to deal with any queries.

  • Executor

We will keep details of Executors or a customer’s legal next of kin when they inform us of a customer’s death in line with the retention period(s) set for the accounts, products or services with us that they relate to, to meet our legal and regulatory obligations and deal with any queries.

Payment Services

We will keep details of the electronic payments you make and/or receive, in line with the retention period for the accounts, products or services you have with us, to meet our legal and regulatory obligations and deal with any queries.

In accordance with the payment card industry data security standard (PCI-DSS), we do not hold full cardholder data on our systems.

Financial Advice

  • Financial Advice Investment Product

We will keep details of the Financial Advice Investment Product(s) you hold for 15 years after your product(s) have been closed to meet our legal and regulatory obligations and to deal with any queries.

  • Financial Advice - Pension transfers

We will keep details of pension advice relating to the transfer of Safeguarding Benefits (e.g. Guaranteed Annuity Rates/Guaranteed Minimum Pension) indefinitely to meet our legal and regulatory obligations and deal with any queries.

Insurance

  • Home Insurance (including Buildings and Contents Insurance)

We will keep details of the home, buildings and contents insurance policies you hold for 9 years after the policy end date as evidence of the policies taken, to meet our legal and regulatory obligations and to deal with any queries. If your home or buildings and contents insurance was linked to your mortgage, details of your insurance policies will be kept for the same period as set for your mortgage account.

  • Accident Sickness and Unemployment (ASU)/Mortgage Payment Protection Insurance (MPPI)

We will keep details of your Accident Sickness and Unemployment and Mortgage Payment Protection Insurance indefinitely to deal with any redress and any queries.

Fraud prevention

Fraud Prevention Agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to 6 years.

Marketing

We will keep your details including your Marketing preferences and the methods you have chosen to be contacted by until you tell us otherwise. A history of the changes you make to your marketing preferences will be held in line with the retention periods for the relationships you have with us.

If you give us your details and marketing preferences when making an enquiry or requesting a review but do not take out an account, product or service with us or do not pay any money in we will keep them for 2 years, or until you tell us otherwise.

If you haven’t updated your marketing preferences or we haven’t sent any marketing information to you for 2 years we will set your preferences to No.

Market Research and Customer Relationship Management

We will keep details of the Market Research you take part in along with a unique reference number which can be used to identify you for up to 6 years. We will also keep a record of your unique reference number for up to 6 years when we carry out profiling, behaviour and trend analysis, as explained in the How we use your Personal Data section of this Privacy Notice. If you provide information about an impairment, disability or long-term condition or other special category data for the purposes of Market Research, this will be held for up to 2 years, with your permission.

We do this to meet our legal and regulatory obligations, understand our customers' needs, their circumstances, what customers like about Skipton, any improvements that we could make and to deal with any queries.

Competitions/Prize Draws

We will keep details of the competitions and/or prize draws you enter for 4 months after the end of the competition and/or prize draw, unless otherwise stated in the competition/prize draw information we provide, to notify the winner and deal with any queries.

Seminars, Talks, Information Events

We will keep details about the seminars, talks and/or information events you attend for 6 months after the end of the event, unless otherwise stated in the event information we provide, to deal with any queries.

Community Giving Awards Scheme

We will keep all nominations for six months.

Winning nominations will be retained for 12 months for promotional purposes and to monitor how the charity/community group has benefited from the award. Where you have consented to the use of photography/testimonials, the data will remain in existing publications and on our social media and website, but will not be reused after 12 months.

Promotional Material

If you give your consent for us to use your image in case studies and/or promotional material this will be valid for 12 months from you giving consent. We will keep evidence of your consent for being included in case studies and promotional material for up to 7 years. Please note copies of any case studies and promotional material you have agreed to be included in will also be kept for up to 7 years for reference purposes.

Quality Assurance and communication monitoring

When carrying out quality assurance checks to ensure you have received the best and correct outcome for your situation, we may keep a record of your account and/or unique reference number to evidence the check has been carried out and to meet our legal and regulatory obligations, but no additional personal data will be retained for this purpose.

We will keep telephone and audio recordings for a minimum of 7 years, and visual recordings for 104 days, to meet our legal and regulatory obligations and deal with any queries.

CCTV

We will keep CCTV images of our Head Office site for 1 month and of our branch network for 3 months, for crime prevention and public safety purposes.

Annual General Meeting (AGM)

We will hold details that you’ve voted, but not how you’ve voted, in line with the retention period for the relationship you have with us. Any comments you’ve made will be held indefinitely. The external scrutineers will delete their record of how you have voted within 6 months of the AGM.

WIFI

We will keep details of your computer or mobile device IP/MAC address for 12 months from the last time you signed up to our WIFI services, to meet our legal and regulatory obligations and to understand the total number of users.

Adjustments for customers who require additional support

We will keep details of the adjustments you have asked us to make, such as using large print when communicating with you and your consent to do this, in line with the retention period for the relationship, account, product or service you have with us, or until you advise us you no longer need the adjustments making, so we can manage your request and expectations.

Tax Reporting

We will keep details of any tax reporting we are legally required to report in line with the retention periods relevant to the relationship, accounts, products and services you have with us, except for capital gains tax which is held indefinitely, to meet our legal and regulatory obligations.

Complaints

We will keep details of any complaint you make to us for 6 years after the complaint has been resolved, to meet our legal and regulatory obligations and to manage any escalation to The Financial Ombudsman Service (FOS). Until your complaint is resolved, any other retention periods applicable to your relationship, accounts, products or services will be put on hold.

We will keep details of any complaint you make to FOS for 6 years after the complaint has been resolved with FOS or after a FOS decision has been challenged to meet our legal and regulatory obligations.

Contact us

If you have any concerns about how we collect, use, share or keep your personal data, or you think there has been a breach, please contact us by going to skipton.co.uk/contact us, into a branch or by calling 0345 850 1700.

If you make a complaint we will follow our internal complaints procedure to resolve your complaint quickly and fairly. If we cannot resolve your complaint to meet your expectations, you may contact:

The Financial Ombudsman Service (FOS)
Exchange Tower
London
E14 9SR

Telephone: 08000 234 567

E-mail: complaint.info@financial-ombudsman.org.uk

Web: financial-ombudsman.org.uk

You also have a right to complain to the Information Commissioner’s Office if you have any concerns about how we collect, use, share or keep your personal data by contacting them at:

Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Web: ico.org.uk

If you require any more details about how we collect, use, share and store your personal data, or about your rights and how to exercise them, please contact:

Data Protection Officer
Skipton Building Society
The Bailey
Skipton
North Yorkshire
BD23 1DN

Tel: 0345 850 1700


Web: skipton.co.uk/contact-us/contact-us-form

A child-friendly overview of our Privacy Notice is also available in our Young Savers’ Privacy Notice.

Our Privacy Pledge

We care about the security of your data and we're just as committed to protecting it as we are to protecting your money.
