Privacy notice for Insurance Intermediaries

Who are we?

Who does this Privacy notice apply to?

Why do we need your information?

What information do we collect and use about you?

Where else do we get information about you?

Who do we share your information with?

Marketing and cookies

What information do we collect when you visit our website or you email us?

Fraud prevention and detection

Security

What other Information Processing happens if you visit our offices?

How long do we keep your information for?

Legal Basis for using personal information

Your Rights

Automated decision-making

Contact us

Changes to this privacy notice

Who are we?

We are The Original Holloway Friendly Society (Holloway Friendly). We are the Data Controller for all information collected and stored about you, unless otherwise stated in this privacy notice. If you have any queries or concerns about how we handle your information, or want to exercise your rights, please contact us at the contact points listed under ‘Your Rights’.

Who does this Privacy notice apply to?

This privacy notice relates to personal information we collect and use about people who are employed by, work for, manage or own intermediary firms. We obtain information where the intermediary firm introduces customers to us, uses our websites including Kaleidoscope, our adviser centre or our online systems. It also covers where we market our products to advisers and intermediary firms. A separate privacy notice covers how we use personal information about our Members and potential Members.

Where we use the word ‘you’ in this privacy notice, we mean a person working at or for an insurance intermediary/advisory firm or someone using our websites including Kaleidoscope or someone receiving our marketing material.

This privacy notice should be read in conjunction with the Terms of Business between Holloway Friendly and your firm, if there is one. Our standard Terms of Business can be found here.

Why do we need your information?

We use your information:

1. to allow you and your firm to introduce business to us:

  • set up an account with us;
  • maintain that account; and pay and reclaim commission;
  • administer and manage policies that your clients have with us;
  • manage queries and complaints which may involve you, your firm or your client.

We will use your information to carry out necessary background checks to make sure you and your firm are legitimate persons to do business with in accordance with our standard Terms of Business. If you are an owner, director or partner of your firm, we will carry out appropriate verification and credit checks. We use personal information for these purposes to comply with requirements we have under financial conduct rules and laws relating to anti-money laundering, financial crime and to prevent and detect fraud (see the section on fraud prevention and detection and our standard Terms of Business for more information).

2. to market our products and services and make improvements to our operations:

– we will use your personal information to keep you informed about our products and services which we understand will be of interest to you, consistent with your marketing preferences. You can update your preferences by emailing advisersupport@holloway.co.uk. We explain more about this in the section on marketing and cookies.


3. to meet responsibilities we have to our regulators, tax officials, law enforcement, or otherwise meet our legal responsibilities

e.g. to complete regulatory returns required by FCA rules.

4. to allow you to access our websites including Kaleidoscope, our adviser centre and our online systems

Kaleidoscope is a unique website specifically built to help advisers with their income protection training needs and sales practice. As such, we hold records of training activity you undertake once you have registered.

We will also use your personal information for research and statistical purposes to analyse how advisers use our websites, electronic services and other products and services so we can improve our understanding and enhance our products and services.

Holloway Friendly will not sell your information to another company or use it to market the products or services of other companies to you. We do share information with third parties for various reasons. Find out more about third parties.

Details of the legal basis for using your information can be found here. If you would like any more information please email dataprotectionofficer@holloway.co.uk.

What information do we collect and use about you?

When we talk about personal information we mean information about an individual that can identify them. We will collect some or all of the following personal information about you:

  • basic personal details such as your name, job title, business and/or personal address, email address, and telephone number;
  • account registration details, including username and passwords;
  • information about the firm you work for and your role within the firm, including the firm name, firm size, firm role and FCA number;
  • information about your marketing preferences.

We collect information about you when you or your firm does business with us through a number of channels, such as:

  • if you or your firm sign a terms of business with us, or you use any of our online adviser platform services;
  • if you record CPD with our CPD system;
  • if you contact or communicate with us.

If you are an owner, director or partner of your firm, we may collect information about your date of birth, National Insurance Number and current and previous three years’ addresses.

Where else do we get information about you?

If you are seeking or have a Terms of Business agreement with us, in addition to information you supply, we will also obtain publicly available data such as data available on the FCA register to verify the authorisations held by you and to examine its regulatory record. We reserve the right to perform credit searches and to search industry databases, such as the Elixir 2000 database, relating to Your creditworthiness and that of any owners, partners, executives and/or senior management or, if a sole trader, the sole trader. We will provide information to the Elixir 2000 Industry database as amended from time to time about commission debts and other relevant information about commission for regulatory, legal and administrative purposes including if we commence legal action against you. Such information can be viewed by other members of The Elixir 2000 group which includes the Financial Conduct Authority and other financial service companies who are members.

If you are an owner, director or partner of your firm, we may perform credit checks on you. We will gather your consent for this specifically.

We also obtain information from Touchstone to assist us with marketing insights e.g. to identify insurance intermediaries who may be interested in our products.

We sometimes share information as part of marketing activity and dealing with your clients and our Members. More information on who we share data with and what data is shared can be found here.

Who do we share your information with?

If you request a quote, or submit an application on behalf of your client, information about you and your firm may be shared with and processed by our service providers who help us to facilitate the administration of our business. See below for further details of these suppliers.

We will also share information about you with:

  • our regulators and law enforcement as necessary for purposes of fraud prevention and detection;
  • online or digital partners we work with so we can communicate with you through their platforms;
  • your clients if they have queries about the services between you, them and us.

From time to time, we appoint third parties to support us in supplying services to you. Where these third parties need to access your information or process it to do their jobs, we remain responsible to you for how they do this. They are called Data Processors. We have contracts in place with all of our Data Processors which prohibit them doing anything with your information unless we have instructed them to do it, or explicitly allowed them to do it. They will not share your personal information with any organisation apart from us without our agreement, unless they are legally obliged to do so e.g. if they suspect money laundering. They will hold your information securely and retain it for the period we instruct, in line with this Privacy Notice.

None of our Data Processors are allowed to send your personal information outside the European Economic Area without our express permission. If any of our Data Processors ask our permission, we will insist they take the steps to protect your information before agreeing to their request.

We may appoint new third parties from time to time and will update our privacy notice when we do.

Table of Data Processors:

| Name/Category of Recipient | Processing undertaken | Information They Receive |
|---|---|---|
| SmartCredit Ltd | Checking against sanction list for money laundering. This may include sharing Data with Experian. | Name, address and date of birth. |
| RHM Telecommunications | Storage of Telephone calls. | Any information you discuss with us in a recorded telephone call. |
| Medicals Direct Screenings Ltd | Tele-interviewing our mutual customer. | Name and contact details at firm, registration number adviser name |
| MorganAsh | Tele-interviewing. | Name and contact details at firm, registration number adviser name |
| Varistha Ltd | IT development, support and data storage. | Name and contact details at firm, registration number adviser name, bank details |
| OAC plc | Actuarial support including setting prices, assessing risks, measuring claims experience and capital management. | All information relating to quotes, plan applications, policies and claims. Often such data is aggregated and/or anonymised. e.g. names are not routinely included. |
| Printwaste Recycling & Shredding | Confidential and Non Confidential waste collection and destruction. | Confidential and non-confidential waste created at our office. |
| Capita Life and Pensions Regulated Services | Underwriting support. | Name and contact details at firm, registration number adviser name. |
| IRESS Portal Limited | Portal Services. | Details provided by you allow a quote to be created online. |
| Fraud Prevention Agencies and investigators | Identification of people who may be likely to undertake fraud. | Typically name, address, age and other details to allow identification such as National Insurance or passport numbers. |
| Whitehall Printing Co. (Avon) Ltd | Printing and issuing letters, checking the information we hold about your address is correct from publicly available sources such as the electoral roll and other registers. | Name and contact details at firm, registration number adviser name. |
| SalesForce | Management of adviser details for relationship management. | Adviser name and contact details, interactions with business. |
| Elixir 2000 Database | Reference and business checking of advisers and firms | Name and address of advisory firm, including FCA number, debts that arise and contact details, legal action status, company liability, Director personal guarantee. |
| Touchstone | Identifying sales and marketing opportunities | Company name and address including FCA number, Agency Reference Number and Postcode. |

Other Recipients

We disclose personal information to other third parties where we are required or permitted to do so by law or regulation or where you give your consent. Once we have done so, these third parties become responsible for your information and become Data Controllers in their own right.

| Category/Name of Recipient | Why do we share your personal information | Where to find more information |
|---|---|---|
| Financial Conduct Authority | We are required by law to share information with our regulator at their request. | https://www.fca.org.uk/privacy |
| Prudential Regulation Authority | We are required by law to share information with our regulator at their request. | www.bankofengland.co.uk |
| Financial Ombudsman Service | At your request, the ombudsman will consider a complaint you make to him about us if we have not been able to resolve it to your satisfaction. | http://www.financial-ombudsman.org.uk/help/privacy_statement.html |
| Information Commissioner’s Office | At your request, the Information Commissioner’s Office will consider a complaint you make to them about us if we have not been able to resolve it to your satisfaction. If we need to explain your role for a mutual customer. | https://ico.org.uk/global/priv... |
| The police, HMRC and other crime prevention agencies | Where they request information to prevent or detect crime e.g. where they have a court order or where we reasonably suspect a crime may have been committed. | Police or HMRC Websites |
| Ernst and Young LLP | So they can act as our Internal Auditor. All information relating to quotes, plan applications, policies and claims, where relevant to an audit they are undertaking. | http://www.ey.com/uk/en/home/privacy-notice |
| PricewaterhouseCoopers | So they can act as our external Auditor. External Auditors have to be given access to all information on request to perform their role | https://www.pwc.com/gx/en/site-information.html |

Marketing and cookies

We use your personal information to send you direct marketing communications about our products and services that we feel you’ll be interested in. This may be in the form of email, post, telephone and SMS.

To protect your privacy rights and your choice and control over the use of your personal information, we will always allow you the opportunity to choose not to receive marketing communications when you register your contact information with us and to choose how to receive information. In addition, you can always subsequently ‘opt out’ or change your chosen marketing preferences by using the unsubscribe links you will find in our marketing emails.

Within Kaleidoscope you can also amend your marketing preferences – www.holloway.co.uk/kaleidoscope or advisersupport@holloway.co.uk

We rely on third-party advertising technology (such as the deployment of cookies or small text files on our website) to collect information about you, which is used to optimise what you may see on our websites.

You can read more about cookies we collect under “What information do we collect when you visit our website or you email us?”

What information do we collect when you visit our website or you email us?

We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to analyse aggregate information. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.

Cookies contain information that is transferred to your computer's hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:

  • To estimate our audience size and usage pattern.
  • To recognise you when you return to our site.

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our site.

Our cookies do not store sensitive information such as your name, address or payment details.

However, if you'd prefer to restrict, block or delete cookies you can use your browser to do this. Each browser is different, so check the 'Help' menu of your particular browser (or your mobile phone's handset manual) to learn how to change your cookie preferences.

What is a cookie?

A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to "remember" your actions or preferences over time.

Most Internet browsers support cookies; however, users can set their browsers to decline certain types of cookies or specific cookies. Further, users can delete cookies at any time.

Why do we use cookies?

We use cookies to learn how you interact with our content and to improve your experience when visiting our website.

Third-party cookies belong to and are managed by other parties, such as Google Analytics. These cookies may be required to render certain forms and so we can produce information about how people use our website to enable us to improve it.

Session Cookies

Session cookies are temporary cookies that are used to remember you during the course of your visit to the website, and they expire when you close the web browser.

Persistent Cookies

Persistent cookies are used to remember your preferences within the website and remain on your desktop or mobile device even after you close your browser or restart your computer. We use these cookies to analyse user behaviour to establish visit patterns so that we can improve our website functionality for you and others who visit our website(s).

How are third party cookies used?

For some of the functions within our websites we use third party suppliers, for example, when you visit a page with videos embedded from or links to YouTube. These videos or links (and any other content from third party suppliers) may contain third party cookies, and we encourage you to consult the privacy policies of these third party vendors on their websites for information regarding their use of cookies.

How do I reject and delete cookies?

You can change your preferences by changing your browser settings. Please note that most browsers automatically accept cookies. Therefore, if you do not wish cookies to be used, you may need to actively delete or block the cookies.

If you reject the use of cookies, you will still be able to visit our websites but some of the functions may not work correctly. You may also visit www.allaboutcookies.org for details on how to delete or reject cookies and for further information on cookies generally. By using our website without deleting or rejecting some or all cookies, you agree that we can place those cookies that you have not deleted or rejected on your device.

Here's a list of the main types of cookies we use, and what we use them for.

| Cookie | Description | Opt-Out Link/More details regarding specific privacy policy |
|---|---|---|
| Google Analytics | We use Google Analytics to understand how our media campaigns work and how you interact with our website in order to improve the user experience. | https://tools.google.com/dlpage/gaoptout |
| LinkedIn | The LinkedIn insight tag allows us to perform campaign reporting and unlock valuable insights about website visitors that may come via the campaigns we run on LinkedIn. | www.linkedin.com |

We use Transport Layer Security (TLS) to encrypt and protect email traffic. We'll also monitor any emails sent to us, including file attachments, for viruses or malicious software.

Fraud prevention and detection

In order to prevent and detect fraud we may need to check your details with fraud prevention agencies, and at any time:

  • share information about you with other organisations and public bodies including the Police;
  • undertake credit searches and additional fraud searches;
  • check and/or file your details with fraud prevention agencies and databases, and if you give us false or inaccurate information and we suspect fraud, we will record this to prevent fraud and money laundering.

We and other organisations may also search these agencies and databases to:

  • trace debtors, recover debt, prevent fraud;
  • check your identity to prevent money laundering, unless you furnish us with other satisfactory proof of identity.

Security

We are committed to protecting the confidentiality and security of the information that you provide to us and we put in place appropriate technical, physical and organisational security measures to protect against any unauthorised access or damage to, or disclosure or loss of, your information.

You should also be aware that communications over the internet, such as emails, are not secure unless they have been encrypted. Our websites may contain links to other third-party websites. These other websites will be subject to their own privacy notice which may differ from this privacy notice. You should carefully read the privacy notice of these websites before submitting any personal information.

What other Information Processing happens if you visit our offices?

In order to protect our Members’ information, our premises and staff, we operate a CCTV system at our Head Office which covers the building, car park and an access road which is also used by the general public. We operate digital access systems which require authorised people, including visitors, to carry a digital chip to enter and move within the premises. The location of the chip can be traced by our Human Resources function so the location of staff and visitors can be identified in an emergency.

How long do we keep your information for?

We’ll keep your personal information in accordance with our internal retention policies. We keep it if we need to do so to meet legal, regulatory, tax or accounting needs.

We may also retain personal information, where we have identified a legal basis for doing so, in an aggregated form. This allows us to continue to develop and improve our products and services.

If we receive a request to close a Kaleidoscope account we will delete all records of training and CPD within one calendar month.

If you have any questions you can contact us here or email dataprotectionofficer@holloway.co.uk.

Legal Basis for using personal information

| Why we need the Information | Categories of Information we process for that purpose | The Legal Basis for Processing |
|---|---|---|
| To allow you and your firm to introduce, set up and administer business as an insurance intermediary on behalf of mutual clients and their policies. | Your name, business address, contact details and FCA number. | Processing is necessary, at your request, to take steps prior to entering into or for the performance of a contract with you. |
| To allow you and your firm to service and maintain the ongoing management of client policies. | Your name, business address, contact details and FCA number. | Processing is necessary to comply with our legal obligations and for the performance of our contract to pay commission, administer client policies and respond to queries or claims. |
| To market our products and services and make improvements to our operations. | Your name, business address, contact details and FCA number. | With your consent processing is necessary to keep you informed about our own products and services. Processing is also necessary for our legitimate interests to improve the products and services we offer, to grow our business and develop our brand. |
| To meet responsibilities we have to our regulators, tax officials, law enforcement, or otherwise meet our legal responsibilities. | Your name, business address, contact details and FCA number. | Processing is necessary to comply with our legal obligations to which we are subject (other than a contractual obligation) |
| To conduct necessary checks to prevent, detect and investigate fraud. | Your name, business address, your firm name, FCA number. Depending if you are a director, owner, partner or sole trader we may need your name, business address, contact details and FCA number to perform credit and fraud checks. | We would obtain your consent initially as part of the application process. If you do not allow us this information, we will not be able to conduct the necessary checks that would allow us to conduct business with you. Thereafter processing is necessary to comply with our legal obligations to verify your identity and prevent fraud. |
| To run Holloway Friendly’s business efficiently and in line with legal and regulatory obligations e.g. running effective compliance monitoring, internal and external audit functions, keeping accounting records and managing risk. | Your name, business address, contact details and FCA number. | Processing is necessary to comply with our legal obligations to effectively organise and control our affairs responsibly and effectively, with adequate risk management systems. |
| To monitor the use of our websites and electronic services. | Your name, business address, contact details and FCA number. | Processing is necessary for our legitimate interests to ensure our products and services are suitable for the intending audience and are safe and secure. |

Your Rights

You have legal rights under data protection laws in relation to your personal information.

We aim to respond to all valid requests within one month. It may however take us longer if the request is particularly complicated or you have made several requests. We’ll always let you know if we think a response will take longer than one month.

We may not always be able to do what you have asked, for example if it would impact the rights of others, or if we’re otherwise legally obliged or entitled to deal with the request in a different way.

Accessing personal information

You can ask us to:

  • confirm whether or not we have and are using your personal information;
  • get a copy of your personal information.

Withdrawing consent

Where we’ve asked for your consent to use your personal information, you’ll always have the right to withdraw such consent. Please email dataprotectionofficer@holloway.co.uk if you want to do this. If you withdraw your consent, we may not be able to provide certain products and services to you. If this is the case, we’ll tell you at the time you ask to withdraw your consent.

Correcting / erasing personal information

You can ask us to:

  • correct any information about you which is incorrect. We’ll be happy to correct such information but will need to verify the accuracy of it first.
  • erase your personal information if you think we no longer need to use it for the purpose we collected it from you.
  • erase your personal information if you have either withdrawn your consent to us using your information (if we originally asked for your consent to use your information), or exercised your right to object to further legitimate use of your information, where we have used it unlawfully or where we’re subject to a legal obligation to erase your personal information.


We may not always be able to comply with your request, for example, if we need to keep using your personal information in order to comply with our legal obligation or where we need to use it to establish, exercise or defend legal claims.

Restricting our use of personal information

You can ask us to restrict our use of your personal information in certain circumstances, for example, where:

  • you think the information is inaccurate and we need to verify it;
  • our use of your personal information is not lawful but you do not want us to erase it;
  • the information is no longer required for the purposes for which it was collected but we need it to establish, exercise or defend legal claims; or
  • you have objected to our use of your personal information but we still need to verify if we have overriding grounds to use it.

We can continue to use your personal information following a request for restriction if we have your consent to use it; or you need to use it to establish, exercise or defend legal claims, or we need to use it to protect the rights of another individual or a company.

Objecting to use of personal information

You can object to any use of your personal information which we have justified on the basis of our legitimate interest, if you believe your fundamental rights and freedoms to data protection outweigh our legitimate interest in using the information. If you raise an objection, we may continue to use the personal information if we can demonstrate that we have compelling legitimate interests to use the information.

You can also object to use of your personal information for direct marketing purposes. We explain in the marketing and cookies section of this privacy notice more about our approach to direct marketing and how you can easily manage your marketing preferences.

Requesting a transfer of personal information

You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller (e.g. another company).

You may only exercise this right where we use your personal information in order to perform a contract with you, or where we asked for your consent to use your personal information. This right does not apply to any personal information which we hold or process based on our legitimate interest or which is not held in digital form.

Automated decision-making

We do not make any automated decision with regards to intermediary firms.

Contact us

If you want to exercise any of these rights, complain to us or ask us questions, please email us at Dataprotectionofficer@holloway.co.uk or write to us at:

Data Protection Officer
Holloway House
71 Eastgate Street
Gloucester
GL1 1PW


Your right to complain

You have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time about the way we use your personal information. More information can be found at the ICO’s website https://ico.org.uk. The ICO is the supervisory authority for data protection matters for Data Controllers based in the UK.

Important note to intermediary firms handling client data

You and We each acknowledge that we are both Data Controllers in our own right. Each party will only supply to the other, such information about Clients, including potential Clients, as is required to allow us both to discharge our roles as Data Controller in respect of the data subject in accordance with the Data Protection Legislation. Each party is separately responsible for complying with the Data Protection Legislation. For the avoidance of doubt, it is not envisaged that either party will be processing data as the Data Processor of the other party.

You warrant that You will only pass personal data, including special categories of personal data, as defined in Data Protection Legislation, to Us as the customer’s agent and/or with their permission and will draw all of Our data protection notices and Our current privacy notice, in force from time to time and available on Our website, to the Data Subject’s attention. You will document the Data Subject’s consent wherever required, including but not limited to, on Our application forms and ‘on line’ application system.

You warrant that any personal data supplied to Us by You, is not subject to any prohibition or restriction that:

a. would prevent or restrict You from providing the personal data to Us,

b. would prevent Us from processing the personal data, including ensuring that any required consent is valid, for such purposes as are outlined in the Society’s privacy notice

c. is limited to what is necessary for Us to undertake the activity specified.

You acknowledge that where You receive personal data about the data subject from Us, including but not limited to underwriting decisions, You do so as the customer’s agent/or as Data Controller in Your own right. Should You retain copies or further process such personal data, including transmitting it to third parties, You do so as Data Controller in Your own right.

Each party will supply reasonable assistance to the other to allow data subjects to properly exercise their rights, including relaying requests of the data subject to exercise such rights promptly to the other party where the data subject has misdirected such requests.

Each party shall relay any regulatory correspondence relating to the other, including but not limited to the ICO where that correspondence relates to the processing of the other party.

Where You are granted access to personal data as the agent of the customer and/or to fulfil Your own legal, regulatory and contractual obligations by Us, You will take all appropriate technical and organisational measures to protect the personal data, including limiting the access of staff to the data appropriately, to at least the standard required of a Data Controller under the Data Protection Legislation.

Each party will inform the other party as soon as practicable of any data breach or data loss requiring data subject or ICO notification if it relates to mutual customers, including such information as has to be included in the notifications to data subjects or the ICO.

Changes to this privacy notice

We may amend this privacy notice from time to time, for example, to keep it up-to-date or to comply with legal requirements. You should regularly check this privacy notice for updates. If there are any significant changes made to the use of your personal information we will notify you by posting a notice on our website.

This privacy notice was last updated on 1 July 2019.
