Security
We are committed to protecting your privacy and keeping your personal data secure. We regularly review our security procedures.
How we keep you safe
- Strict security procedures are followed whenever your information is obtained and stored.
- Any pages used to display or collect personal data are encrypted, which makes it virtually impossible for someone else to read. The data is stored in a secure area that can only be accessed by authorised personnel.
- Our websites are regularly tested by specialist, external security organisations.
- We will always verify your identity before discussing or disclosing confidential information.
- Online sessions will automatically expire and log you out after a period of inactivity.
- Access to your online account will be locked out after three failed access attempts. You will need to call us to unlock your account.
How you can help keep yourself safe
- Never share or write down your password.
- Do not use passwords that are easy to guess.
- When you have finished your transaction or task, please log off.
- Emails are not a secure way of sharing information. Third parties could intercept, access or alter information sent by email. Skipton Building Society does not support the use of email to provide sensitive information, but we recognise it may the quickest or easiest solution for customers in some situations. The Society is not responsible for and cannot accept liability for any damage resulting from emails being sent to, or received by, the Society.
- Make sure the email address and phone number you have registered with Skipton Building Society are accurate and up to date.
- Beware of 'phishing' emails. If you mistakenly respond to a phishing email, tell us about it straight away.
What is a 'phishing email?
An email alleging to be from a UK bank, building society, or other legitimate company encouraging you to visit a fraudulent website, invest money or reveal personal details. Skipton Building Society, or companies within the Skipton Building Society group, will never send emails asking for confidential information or security details and you should not respond to emails asking you to reveal personal information or passwords. Be vigilant and, if you are unsure or concerned about any communication that seems to be from Skipton Building Society, please call our helpline on 0800 085 0459.
This does not extend to external websites accessed from this site, including those of other members of the Skipton Building Society Group. Please read the terms and conditions of any other sites separately.
Privacy
When you register as an Intermediary, introduce clients to us, or contact us to make an enquiry or a complaint, Skipton Building Society collects personal data about you.
This Privacy Notice details the types of personal data we collect either from you or from others, what we do with it, who we share it with, how long we keep it and your rights.
It does not extend to any external websites you may access from this site - this includes sites that are available from other members of the Skipton Building Society Group. Other organisations will inform you how they use your personal data.
When we refer to 'we', 'our', 'us' and the 'Society' in this Privacy Notice we mean Skipton Building Society which, for Data Protection purposes, is the Data Controller.
Personal data we collect | We use this to: |
---|---|
Name, title, address, contact details (including business and any previous changes) |
|
Location and web browsing history |
|
Telephone and voice recording (including web chat, IP and/or MAC address where known, your location based on your mobile phone signals). |
|
Car registration |
|
Nationality and national identifiers, for example, national insurance, passport and driving licence numbers |
|
In general we do not collect, use or share sensitive personal data about you but in some cases the personal data we do not collect may reveal this. Sensitive personal data is defined by data protection regulations as 'special category', for example, your ethnic or racial origin, health, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation and genetics or biometrics. We also collect personal data relating to criminal convictions, (including pending convictions, bankruptcy/receivership, county court judgements, court records and pending orders). This will be limited to what's needed, we will only collect and use this special category personal data when we have to in order to meet a legal obligation, with your explicit consent or where we believe you or another person may be at risk.
There are times when we need to share your personal data with others. We will only do this where data protection law allows it, with adequate protection and where appropriate we will have contracts in place to protect the security and confidentiality of your data or where you have asked us to. We will limit the data shared to what is needed and will ensure appropriate security measures are taken in order to protect you and keep your data safe and secure.
To find out more about the types of organisations and/or individuals we may share personal data with and why see below:
Who we share personal data with | We share personal data to: |
---|---|
Your mortgage club/network |
|
Solicitors, licensed conveyancers, valuers, panel managers and other professional advisers |
|
Financial organisations |
|
Other companies in the Skipton Building Society Group |
|
Mailing houses and printers |
|
Information Technology service providers |
|
Credit reference agencies |
|
Fraud prevention agencies |
|
Law enforcement agencies including police forces, private investigators, security organisations and prosecuting authorities |
|
Courts and tribunal |
|
Ombudsmen and regulatory organisations, for example, Financial Ombudsman Service, Financial Conduct Authority, Prudential Regulation Authority, Financial Services Compensation Scheme, Information Commissioner's Office |
|
Trade associations and industry groups, for example, UK Finance, Building Societies Association |
|
HMRC |
|
Central and local government departments and agencies, for example, Department of Work and Pensions (DWP), Jobcenter Plus, local councils |
|
Tracing agents and appointed receivers and trustees in bankruptcy |
|
Research and insight agencies |
|
Management Consultancy firms |
|
Other organisations involved in handling mergers, acquisitions and other corporate transactions |
|
External auditors, risk and rating agencies, for example, Moody's, Fitch |
|
Data modelling and risk organisations |
|
We can only collect, use, share and keep your personal data when we have a lawful basis for doing so. The lawful basis will be different dependant on the relationship you have with us and what we do with your personal data.
To find out more about what the different lawful bases are, what they mean and how they affect you, see below:
Lawful basis | More details about what this means |
---|---|
Legal obligation | Where we are required by law to collect, use, share or keep personal data we will do so.
As an organisation operating in a regulated industry we have to comply with the laws and regulations set by government bodies and our regulators. Our regulators are the Financial Conduct Authority, Prudential Regulation Authority and, for personal data, the Information Commissioner’s Office. If we are unable to meet our legal obligations we will be unable to continue with your application and provide the ongoing management of your accounts, products and services. |
Contract | This is where you choose to enter into an agreement with us or make an enquiry with the intention of entering into an agreement. This includes the terms and conditions for the ongoing management of those accounts, and products and services once opened. If you do not enter into an agreement with us we will be unable to continue with your application and provide the ongoing management of your accounts, products and services. |
Legitimate business interest | This is where we or another third party has a valid interest in the personal data we collect, use share and keep as long as it does not unduly affect you or cause you undue detriment, damage or distress. You have a right to challenge our legitimate interest if you believe we do not have a valid reason to collect, use, share or hold your data. |
Consent | This is where we ask for your agreement to carry out certain activities such as marketing. You can withdraw your consent at any time. If you withdraw your consent for marketing you may miss out on information about our products, services, offers and other news that may be of interest to you. We will however continue to contact you regarding the administration of your existing accounts and relationships with us. |
Explicit consent | Where we collect, use, share or keep special category (sensitive) personal data we will tell you and ask for your explicit consent before we do this. |
Vital interest | This is applied in very limited circumstances where we feel you or another individual may be at serious risk, for example, life or death circumstances and no other lawful basis can be applied. |
We will use your personal data to identify you, manage your experience and relationship with us as an Intermediary, link you to your mortgage club/network, to communicate with you and deal with your enquiries and applications. We will also use your personal data for crime and fraud prevention purposes, meet legal and regulatory requirements, protect you and your clients, provide security and colleague training.
When you register as an Intermediary, you will be taking the steps necessary to enter into a contract with us.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
More information about how we use this data is below:
Identity checks
In order to process your application, we are required by law to identify you and assess your suitability as an Intermediary. We do this by using automated systems provided by one or more credit reference agencies.
To do this, we will share your data with the credit reference agencies and they will give us data about you. This will include public data, for example, from the electoral register and other data, for example, from your credit applications about your financial situation, financial history, shared credit and specific fraud prevention data.
We will use this data to:
- identify you
- assess your suitability as an Intermediary
- prevent criminal activity, fraud and money laundering
- manage your relationships as an Intermediary
- trace and recover debts
We will continue to exchange data about you with credit reference agencies while you have a relationship with us.
The credit reference agency checks we carry out are a condition of the contract you take out when registering as an Intermediary.
Any documents requested or provided to help prove your identity may be checked with the issuing authority and/or anyone who has certified a copy.
The information we obtain from credit reference agencies is owned by them and limited to what is needed for our own purposes. We will tell you if your application is rejected because of information we have received from credit reference agencies but will not be able to provide any details. You will need to contact the credit reference agencies directly to request a full credit report if you require details of what they hold about you.
More details about which credit reference agencies we use, their role as fraud prevention agencies, what personal data they hold (including how they use and share it), their retention periods and your data protection rights with the credit reference agencies, are explained in more detail in the Credit Reference Agency Data Notice (CRAIN).
The CRAIN is accessible from each of the three credit reference agencies – Any of these three links will take you to the same CRAIN document: TransUnion, Equifax, Experian.
Fraud prevention
We will use and share your data with fraud prevention agencies to carry out checks for the prevention of fraud, money laundering and to verify your identity. We and fraud prevention agencies may also allow law enforcement agencies to access and use your data to detect, investigate and prevent crime. The fraud prevention checks we carry out are a condition of the contract you take out when registering as an Intermediary.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to register you as an Intermediary, or we may stop providing existing services and registration to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies. Fraud prevention agencies can hold your data for different periods of time. If you are considered to pose a fraud or money laundering risk your data can be held for up to six years.
Data held by credit reference and fraud prevention agencies can be accessed by other financial organisations, law enforcement and government agencies and may result in others refusing to provide services, finance or employment to you.
Crime prevention and public safety
We have a legitimate interest to prevent crime and contribute to public safety. Within our premises we have CCTV in operation. Footage may be reviewed by ourselves, or passed to police or law enforcement agencies upon request, following any incidents relating to the security and/or safety of individuals and to assist with any ongoing crime investigations.
Communicating with you
We will use any of the contact details we hold for you to communicate with you about the products and services you hold with us, contact you as requested and to send you information we are required to provide you with by law.
Marketing
We may use your information to provide details about our products, services, news and offers that we believe may be of interest to you and your clients. The communications sent to you will be based on a range of factors including what products you introduce to us, where you live, data received from third parties, for example, customer lifestyle information from external data agencies and other information gained about your behaviours and dealings with us.
We will only get in touch with these types of communication if you have given your consent to be contacted for marketing purposes, and only contact you by the methods you have agreed to, for example, post, telephone, email or text.
You can change your marketing consents at any time by logging into Skipton Intermediaries eMortgages and going to ‘My Account’, calling the Intermediary support line on 0345 601 6683.
Research, performance and customer relationship management
We have a legitimate interest to provide you and your clients with the best products, services and experience. To do this, we need to understand what your, your client’s and other customers’ needs and circumstances are, what you like about Skipton and any improvements you think could be made.
We use external agencies including research companies to help us gain such insights, carry out research, and obtain feedback about products, services and experiences. We will pass your contact details to the agencies so they can contact you. They will share the data they obtain from you with us, this can be at an individual level, at group level or anonymised. This supports a wide range of business decision making such as product development.
In addition, we use data for profiling and segmentation to create a broad understanding of our Intermediaries. This helps shape our communications, products and other activity. We also carry out behaviour and trend analysis, including the use of financial, behavioural and other models. In this way we can understand not only what is important to our Intermediaries now, but also predict future behaviours and needs. This includes looking at information we hold about you, or that we may have received from other sources, such as credit reference agencies.
Quality assurance and communication monitoring
We may sometimes access your data as part of our internal quality assurance processes, to ensure that you have received the best and correct outcome for your situation. These monitoring activities also allow us to carry out ongoing training with our colleagues.
We will record and monitor some of your contact with us, this includes telephone calls, email and, where you use Skipton Link, the verbal content of the meeting - we do not record or monitor visual content. This is to help us in our continuous attempts to improve customer service and to offer additional protection and security. We also retain information for evidential purposes and to meet legal and regulatory requirements. Telephone calls, Skipton Link and other electronic communications may also be monitored for reasons of staff training.
Sale of purchase of all or part of our business
If we sell or transfer all or part of our business, we may share or transfer Intermediary records and data as part of the proposed/actual sale or transfer. Before we do this we will ensure there is adequate protection in place by imposing contractual obligations on the buyer/seller to ensure the security and confidentiality of your data.
Improvement of our systems, security and integrity
We continually look to improve our systems, delivering change and new functionality. To ensure that these improvements are robust and suitable for use, we use customer data within our testing environments, this could include information relating to you as the Intermediary. We ensure that these activities are carried out in a secure and controlled environment.
Transfers outside the UK or EEA
If we need to transfer data outside the UK or European Economic Area (EEA) and the country it’s transferred to is not on an approved list for having adequate security controls in place, we will limit when we do this and the amount of personal data we send.
We have a subsidiary company called Jade Software Corporation Limited based in New Zealand, which provides us with systems and technical support. New Zealand is on a list of countries approved by The Information Commissioner’s Office as having adequate security controls in place.
We will ensure that there is adequate protection in place before sending anything to other countries outside the UK or EEA, including to the USA. When we use third party systems, application support and cloud based providers we will impose contractual obligations on the recipients and put additional supplementary controls in place to ensure the security and ensure controls are in place to protect the security and confidentiality of your data.
Whenever fraud prevention agencies transfer your personal data outside of the UK or European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Cookies
We may store data about you using cookies, (files which are sent by us to your computer or other device you use to access our website) which we can access when you visit our site in future. We do this to provide the online services you request, understand your needs, improve our website services and provide a better experience for you.
For full information relating to our use of cookies and similar technologies please read our Cookie Policy.
How long we keep your data
We have a Records Management and Retention Policy in place to determine how long personal data needs to be kept, which is based on our legal, regulatory and business requirements. How long we keep your personal data is based on your relationship with us, membership status and the types of accounts, products and services you have with us. When determining retention periods we consider the following:
- legal and regulatory guidance, case law and unexpected outcomes
- maximum or minimum retention periods identified by the law or our regulators
- ours and others' contractual rights and obligations
- your expectations
- current or future operational requirements
- the cost of maintaining, storing, archiving and retrieving the data
- forensic requirements, for example, the potential need to access data no longer actively used in order to manage or respond to complaints and disputes
- our policies and standards
- the risks involved in retention, deletion and removal
- the capability or restraints of our systems and technology.
In accordance with the payment card industry data security standard (PCI-DSS), we do not store cardholder data on our systems.
If we do not receive any applications from you for more than a year we will record you as inactive on our panel.
You have certain rights in relation to your personal data, not all rights apply in all cases and these are explained in more detail below:
You have a right to: | What this means |
---|---|
Be informed |
|
Access your personal data | We will allow you access to and give you details of the personal data we hold about you including the data covered in 'Your right to be informed' section at the top of this table. |
Have inaccurate or incomplete personal data corrected | we will correct and/or update your personal data if you inform us or we identify that it is inaccurate or incomplete. |
Request erasure | we will delete your personal data if:
|
Restrict the collection, use, sharing and keeping of personal data | we will put on hold the collection, use, sharing and deletion of your personal data when:
|
Object | You can object to the collection, use, sharing and retention of your personal data where:
|
Challenge automated decisions | We will give you the opportunity to discuss with us and review the accuracy of any decisions made based on an automated assessment. |
If you have any concerns about how we collect, use, share or keep your personal data or you think there has been a breach, you can contact us to make a complaint or find out more about our complaints procedure, by calling 0345 601 6683.
If you do make a complaint we will follow our internal complaints procedure to resolve your complaint quickly and fairly. If we cannot resolve your complaint to meet your expectations, you may contact:
The Financial Ombudsman Service (FOS)
Exchange Tower
London
E14 9SR
Telephone: 0800 023 4567
Email: complaint.info@financial-ombudsman.org.uk
Web: financial-ombudsman.org.uk
You also have a right to complain to the Information Commissioner's office if you have any concerns about how we collect, use, share or keep your personal data by contacting them at:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Web: ico.org.uk
If you require any more details about how we collect, use, share and store your personal data or about your rights and how to exercise them, please contact us:
Data Protection Officer
Skipton Building Society
The Bailey
Skipton
North Yorkshire
BD23 1DN
Telephone: 0800 085 0459
Web: skipton.co.uk/contact-us
You can also find out how we use your clients personal data in our customer Privacy Policy on skipton.co.uk and in the 'How we use your personal data' section of our application process.