About The Insurance & Mortgage Market
The personal information that we collect and process will be shared with other participants in the insurance and mortgage market. You may not have direct contact with some of the organisations that we share data with. Data is transferred within the insurance and mortgage market as follows:-
- When you take out an insurance policy or mortgage: HFA Group or another Insurance/Mortgage Broker will be the initial data controller. The insurers and Lenders that we ask to quote for your business will also be a data controllers. HFA Group can advise you of the identities of other insurance and mortgage market participants that have been provided with your personal data.
- An employer or another organisation takes out an insurance policy for your benefit: Your employer or the organisation that took out the policy should provide you with details of who they have provided your personal data to. HFA Group’s Compliance Team can advise you of the identities of other insurance market participants that we provided with your personal data.
- If you are not a policyholder, borrower or an insured: you should contact the organisation that collected your personal data who should provide you with details of the relevant data protection contact.
Processing Your Personal Information
The personal information that we collect will depend on the reason and depth of our contact with you. We will collect more detailed information about you if you ask us to provide a quotation or take out a policy or mortgage than if you just ask us about what we do.
Depending on the cover or loan that you are interested in we may ask you to supply sensitive data (sensitive data is information relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership) because it is relevant to your insurance policy or claim. We may also record information regarding criminal convictions for the purposes of preventing, detecting and investigating fraud and to comply with anti-money laundering regulations.
About The Data We Collect & How We Look After It
If you are a prospective or existing customer, or an associated party to an insurance policy, a mortgage customer, a witness to an accident or are making a claim against one of the clients that we place cover for, and have submitted your personal information, then this section details how we will look after your data. This section also covers the personal information we collect about you and use if you are a loss adjuster, loss assessor, wholesale broker, third party producing broker, estate agent, builder, surveyor, appointed representative, insurer, bank, building society or lender.
Personal Information That We Might Collect
- Your name, date of birth, gender, relationship to the customer (where are you not the prospective policyholder or borrower), identification information such as national insurance number, passport number or driving licence number
- Contact details including address, telephone number and email address
- Information about your job including job title, business description, education, employment history, salary, bonus, and professional certifications
- Information relating to the advice that you request or the services that we are providing. For example, we might need information relating to your previous insurance policies and claims history or credit or lending arrangements in order to advise on your future needs
- Information which is relevant to the insurance policy or mortgage that we have placed or any claims made under an insurance policy that we have arranged. For example where we have placed property insurance or a mortgage for you, we will hold information about your property and the individuals living there.
- Information obtained from requests for mid-term adjustments which may reveal changes in your personal circumstances which are relevant to the insurance policy we placed
- Financial information such as your financial history and needs, income, bank details, payment details and information obtained as a result of our credit checks
- Information obtained when we carry out checks of sanction lists or obtained as a result of carrying out due diligence
- Information captured during recordings of our telephone calls
- Information which is relevant to the incident you have witnessed
- Your marketing preferences and information we record about your preferences when doing business with us
We will only collect personal information that is relevant to the purpose we are instructed to act.
- We may ask you for details of your current or former physical or mental health – for example
- If you have made a medical claim under a previous insurance policy when you provide details of your claims history or details about your current health because it is relevant to a life or health insurance policy you want us to place.
- If you are making a claim, as a customer or a third party, against a policy we have placed
- We may receive details of offences and alleged offences, cautions, court sentences, county court judgements
- We might receive information relating to professional disciplinary actions that you are or have been the subject of
- Under some circumstances we might be provided with details of your political opinions, religious or philosophical beliefs or trade union membership
- You might provide other special categories of information up when communicating with us. We will only process such information to the extent necessary in connection with the insurance policy or where in connection with legal proceedings. Any further processing will only be with your explicit consent.
Collecting Your Personal Information
- We could receive your information directly from you or from someone else on your behalf in a number of ways including where it is submitted in application and proposal forms, fact finds, initial disclosure documents, witness statements and more generally during any forms of communication such as email, text, letters and telephone
- Other sources of data include other third parties who might introduce customers to us such as another broker and insurers, lead generators or call centres
- We may be given your data by other brokers or professionals such as estate agents who act directly for you and who have approached us to facilitate the placement of an insurance policy or mortgage policy for you
- We may receive your data from other third parties involved in the relevant insurance policy or claim such as claimants, witnesses to an incident, loss adjusters, claims handlers and medical experts or, in the case of claims, form our customer who is the policyholder.
- If you are buying or selling a home to one of our clients we may receive your data from other third parties involved in the process, for example solicitors, estate agents or form our customer.
- We may find your data via publically available sources such as internet search engines and social media sites or provided as a result of a customer satisfaction surveys or market research
- We may be given access to your data by companies who take regulatory responsibility for us as our Regulatory Principal.
- Your data might be acquired from insurance industry fraud prevention and detection databases and sanctions screening tools and from credit reference agencies, government agencies such as the DVLA or HMRC and from professional regulators
Using Your Personal Information
We may process your information for a number of different purposes. We will rely on the following legal grounds for processing your data:
- We need to use your personal information to enter into or perform a contract with you, for example, in order to fulfil our obligations under our contract and place appropriate insurance cover or arrange a mortgage or loan. We need to use your personal information to provide you with a quote and determine market placement.
- We have a genuine business need to use your personal information such as maintaining our business records and keeping records of insurance policies and mortgages that we place and analysing and improving our business model and services. When using your personal information for these purposes, we have considered your rights and ensured that our business need does not cause you harm
- We have a legal or regulatory obligation to use your personal information. For example, our regulators impose certain record-keeping rules which we must adhere to
When the information that we process is classed as a special category of information, we must have one of the following additional legal grounds for such processing:
- It is necessary for an insurance or mortgage purpose and it is in the substantial public interest. This will apply where we are advising or arranging an insurance policy, assisting with any claims under a policy, advising or arranging a mortgage or loan and undertaking any activities to prevent and detect fraud.
- You have provided your consent. There may be some circumstances that without your consent to use your special categories of information we would be unable to arrange your insurance cover or lending. We will notify you when this will be applicable and why your consent is necessary
- Where the use of your special categories of information is necessary to establish, exercise or defend our legal rights, for example legal proceedings are being brought against us or we want to bring a legal claim ourselves.
Please see below for further details of the different ways we use your personal information and the legal grounds we rely on when doing so
|Purpose for processing||Legal grounds for using your personal information||Legal grounds for using your special categories of information|
|To evaluate your insurance or borrowing needs, risk appetite and obtain quotes for you||It is necessary to enter into/perform our contract. We have a legitimate interest and a genuine business need (to determine market placement and place insurance cover or lending for you that is in line with your needs)||It is necessary for an insurance or lending purpose|
|To set you up as a customer including carrying out fraud, credit and anti-money laundering checks and, in the case of lending, affordability checks.||It is necessary to enter into/perform our contractWe have a legitimate interest and a genuine business need (to carry out appropriate credit checks and fraud checks)We have a legal or regulatory obligation||The prevention and detection of fraud is in the substantial public interestIt is necessary for an insurance or lending purposeIt is necessary to establish, exercise or defend our legal rights|
|Communicating with you and responding to any enquiries you have||It is necessary to enter into/perform our contractWe have a legitimate interest and a genuine business need (to respond to our prospective customers and keep them updated on any future placing of insurance cover or lending needs)||It is necessary for an insurance or lending purpose It is necessary to establish, exercise or defend our legal rights|
|Complying with our legal or regulatory obligations (such as our requirements to report to the FCA)||We have a legal or regulatory obligation||It is necessary to establish, exercise or defend our legal rightsIt is necessary for an insurance or lending purpose|
|Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers)||We have a legitimate interest and a genuine business need (to continually improve our services)||It is necessary for an insurance or lending purpose|
|Managing our business operations such as maintaining accounting records, analysing financial results, complying with internal audit requirements and receiving professional advice (e.g. tax or legal advice)||We have a legitimate interest and a genuine business need (to carry out business operations and activities that are necessary for the everyday running of a business)|
|Monitoring applications, reviewing, assessing, tailoring and improving our products and services and similar products and services offered by HFA Group||We have a legitimate interest and a genuine business need (to market our services)|
|To arrange appropriate insurance cover and provide policy documentation||It is necessary to enter into/perform our contractWe have a legitimate interest and a genuine need (to ensure that you have the appropriate policy documentation)||It is necessary for an insurance purpose|
|To arrange appropriate mortgages and/or loans and provide relevant documentation||It is necessary to enter into/perform our contractWe have a legitimate interest and a genuine need (to ensure that you have the appropriate mortgage and/or loan documentation)||It is necessary for a lending purpose|
|To assist in any claims made under an insurance policy we have placed||It is necessary to enter into/perform our contractWe have a legitimate interest and a genuine business need (to assist customers in any claims they have)||It is necessary for an insurance purpose|
|To assist with any renewals, mid-term adjustments of your insurance policy or cancellations||It is necessary to enter into/perform our contractWe have a legitimate interest and a genuine business need (to provide you with appropriate broking services where you request a renewal, mid-term adjustment or cancellation of the insurance policy we have placed)||It is necessary for an insurance purpose|
|Prevention and detection of and investigating and prosecuting fraud. This might include sharing your personal information with third parties such as the police, and other insurance, lenders and financial services providers.||It is necessary to enter into/perform our contractWe have a legitimate interest and a genuine business need (to ensure that we take all necessary precautions to prevent fraud)||The prevention and detection of fraud is in the substantial public interest.It is necessary for an insurance or lending purpose.It is necessary to establish, exercise or defend our legal rights.|
|Tracing and recovering debt||We have a legitimate interest and a genuine business need (to trace and receive any debt which is owed to us)||It is necessary to establish, exercise or defend our legal rights|
|Monitoring usage of any of the various HFA Group websites||We have a legitimate interest and a genuine business need (to assess usage of our website)|
|To apply for and claim on our own insurance||We have a legitimate interest and a genuine business need (to have our own insurance)||We have your explicit consentIt is necessary to establish, exercise or defend our legal rights|
|To enter into business relationships which facilitate and enable us to place insurance policies and mortgages and/or loans for our customers||It is necessary to enter into/perform our contractWe have a legitimate interest and a genuine business need (to enter into arrangements with other insurance and lending partners so that we can provide services to our customers)||It is necessary for an insurance or lending purpose|
Sharing Your Personal Information
From time to time, we may share your personal information with the following third parties for the purposes set out above:
- our insurance partners such as other insurance intermediaries, insurers, reinsurers or other companies who act as insurance distributors
- Banks, Building Societies and other Lenders and Mortgage Companies
- other brokers who act directly for you and who have approached us to facilitate the placement of an insurance policy or lending for you
- other third parties who assist in the administration of insurance policies and mortgages such as accountants, auditors, lawyers, estate agents, home builders, surveyors and other experts
- fraud detection agencies and other third parties who operate and maintain fraud detection registers; investigative firms we ask to look into claims on our behalf in relation to suspected fraud
- our regulators and Regulatory Principal
- the police and other third parties or law enforcement agencies where reasonably necessary for the prevention or detection of crime
- other insurers who provide our own insurance
- industry bodies
- debt collection agencies
- credit reference agencies
- our third party services providers such as IT suppliers, finance and payment providers, actuaries, auditors, lawyers, marketing agencies, document management providers, tax advisers and insurance software providers
- selected third parties in connection with the sale, transfer or disposal of our business
How Do We Protect Your Personal Information When Sending It Abroad?
We do not transfer any personal information used or stored for marketing purposes outside of the European Union.
What Marketing Activities Do We Carry Out?
If you have provided your consent for marketing, we may from time to time provide you with information about our products or services or those of our partners. We will send you marketing communications where we think you will be interested in receiving them. We do not send out generic marketing communications by email but we may send you (non-marketing) service related communications.
How Long Do We Keep Personal Information For?
|Providing a quotation||15 months from date of collection|
|Providing or administering an insurance policy or mortgage||Depending on the type of policy this would be between 5 and 40 years from date of policy termination date. For Mortgages between three years and the term of the regulated mortgage contract or home purchase plan|
|Handling a claim||6 years from first date of claim notification|
|Dealing with a complaint||5 years from first date of complaint notification|
We do not use automated processing for decision making purposes.
Under data protection law you have the right to make certain requests in relation to the personal information that we hold about you. We will not usually make a charge for dealing with these requests. To make a request, please contact us using the details provided in the “Contact us” section below.
We will always respond to any request you make, however there may be times where we are not able to comply (for example if doing so would conflict with our obligation to comply with other regulatory and/ or legal requirements). If we can’t comply with your request, we will tell you why.
There may also be circumstances where exercising some of these rights (such as the right to erasure, the right to restriction of processing and the right to withdraw consent) will mean your insurance can no longer be provided and it may result in cancellation of your policy. Under these circumstances you will lose the right to bring any claim or receive any benefit, including in relation to any event that occurred before you exercised your right of erasure, if our ability to handle the claim has been prejudiced. Your policy terms and conditions set out what will happen in the event your policy is cancelled.
The Right To Access Your Personal Information
You are entitled to a copy of the personal information we hold about you and certain details of how we use it. We will usually provide you with your information in writing, unless you request otherwise, or where you have made the request using electronic means, in which case the information will, where possible, be provided to you by electronic means.
The Right To Rectification
We take reasonable steps to ensure that information we hold about you is accurate and complete. However, you can ask us to amend or update it if you do not believe this is the case.
The Right To Erasure
You have the right to ask us to erase your personal information in certain circumstances, for example where you withdraw your consent or where the personal information we collected is no longer necessary for the original purpose. If there is a regulatory and/or legal obligations which means we cannot comply with your request we will let you know.
The Right To Restrictions Of Processing
In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that we no longer need to use your personal information or where you think that the personal information we hold about you may be inaccurate.
The Right To Data Portability
You have the right, under certain circumstances, to ask that we transfer personal information that you have provided to us to another third party of your choice
The Right To Object To Marketing
You can ask us to stop sending you marketing messages at any time. If you opt out of receiving marketing messages, we may still send you (non-marketing) service related communications which relate to the product you have bought.
The Right To Withdraw Consent
We will ask for your consent for certain uses of your personal information. Where we do this, you have the right to withdraw your consent to further use of your personal information.
The Right To Complain
If you have any questions or complaints relating to how we use your personal data, or if you wish to exercise any of your rights regarding your personal data, please contact the Compliance Team using the details provided in the “Contact us” section below. We will respond to you as soon as is possible. The length of time will depend on the type and complexity of the request, but you will receive a response, normally no later than one month from the initial request.
If you are unhappy about how we respond to your enquiry or if you believe that any use of your personal information by us is in breach of applicable data protection laws and/or regulations you have a right to complain to the Information Commissioner’s Office. More information can be found on the Information Commissioner’s Office website: www.ico.org.uk.
This will not affect any other legal rights or remedies that you have.
How We Protect Your Information
To protect your information we use a range of organisational and technical security measures. Where we have given you (or you have chosen) a password, you are responsible for keeping this password confidential. Please do not share your password with anyone.
Internally, HFA Group restricts access to your information as appropriate to those who need to know that information for the purposes set out above. We use firewalls to block unauthorised traffic to the servers and the actual servers are located in a secure location which can only be accessed by authorised personnel. Our internal procedures cover the storage, access and disclosure of your information.
You may contact us if you have any questions about how we collect, store or use your personal information. Please write to The Compliance Team, Mortgage Advice Services, 16 St Christopher’s Way, Pride Park, Derby, DE24 8JY or email: firstname.lastname@example.org