In December 2020 we updated our Privacy Notice. Some of the key changes included the following:
- Moved and updated information related to Fraud Prevention Agencies into an Appendix
- Being clearer about who we are and what we do
- Clarified the lawful bases relied upon and that we use fraud detection services to undertake searches
- Enhanced the information about how long we hold information including making it clear that sometimes personal data is not destroyed if there are inter-dependencies between IT systems but that in those circumstances the bank will limit access and put personal information beyond use wherever possible
- Ensured that it is clear that we will continue to process information in both the UK and the EEA
- Simplified the layout
While we were making these changes, we also thought it would be a good time to clarify some elements, make some grammatical changes, provide some more examples of how we use your personal information and generally make other sections of the Privacy Notice easier to understand. Our updated Data Privacy Notice and our Data Privacy Summary is effective from 1 December 2020.
Should you wish to review earlier versions of our privacy notice, these can be accessed here: Privacy Notice May 2018
Your Personal Information
At Bank of Ireland UK we take protecting your personal information seriously. Full details about how your personal information will be used by us, as well as your rights can be found in our Privacy Notice.
It provides details about what information is collected, how it is used, who it is shared with and how you can control the use of your personal information.
Credit Reference Agencies
In order to process your application and manage your account we exchange information with Credit Reference Agencies. Further details can be found in our Privacy Notice.
Fraud Prevention Agencies
The personal information we collect from you is shared with Fraud Prevention Agencies, who use it to prevent and detect crime such as fraud and money-laundering and to verify your identity. Further details can be found in our Privacy Notice.
Other Privacy Notices you should read
If you were introduced to us by a broker or other intermediary, ask your broker or intermediary for a copy of their own Privacy Notice if you have not already seen it. You should also ask for a copy of the Privacy Notice of any third party product and service providers you contract with, including any you may ask us to share your information with.
Our Data Protection Officer (DPO)
If you have questions about how we use your information, you can reach our Data Protection Officer by writing to:
Bank of Ireland UK – Data Protection Officer
PO Box 3191
1 Temple Quay
Our products are also offered through our business partnerships with Post Office Limited and AA Financial Services Limited. To read our Privacy Notices for our partnerships with Post Office and AA, please visit our dedicated partner pages: AA and Post Office.
At Bank of Ireland (UK) plc we recognise that the way we use personal information plays an essential role in enabling our customers and communities to thrive. We take our management of your information very seriously and would like to make sure that you know what personal information we collect, how we use it and that you are aware of your rights in relation to its use. We therefore encourage you to read this privacy notice carefully.
If you provide us with personal information relating to another individual, for example when making an application for a joint account or whilst providing information relating to your business partner or any other third party, you must also show them a copy of this privacy notice to ensure that they know what we are doing with their personal information.
If you have questions or queries about how we use your personal information our Data Protection Officer will be happy to help – please see our ‘Contacting our Data Protection Officer’ section for further details.
- Who we are and what we do
Bank of Ireland (UK) plc (‘Bank of Ireland UK’) is a wholly owned subsidiary of The Governor and Company of the Bank of Ireland which, in turn is a subsidiary of, the Bank of Ireland Group plc (‘the Group’). Bank of Ireland UK is established in the United Kingdom and is the principal United Kingdom retail and commercial banking business of the Governor and Company of the Bank of Ireland. We work closely with members of the Group and its key partners to provide a range of financial products and services in the United Kingdom.
Frequently used trading names of Bank of Ireland (UK) plc include Bank of Ireland UK, Bank of Ireland Commercial Finance, Bank of Ireland Global Markets, Bank of Ireland Mortgages and Banking 365. In addition, Bank of Ireland UK has a wholly owned subsidiary, NIIB Group Limited, which in turn uses the trading name Northridge Finance and also has a wholly owned subsidiary, Marshall Leasing Limited.Bank of Ireland UK is a trading name of Bank of Ireland (UK) plc which is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is registered in England & Wales at Bow Bells House, 1 Bread Street, London, EC4M 9BE under the no. 7022885.
Bank of Ireland UK is a Controller of personal information under data protection legislation and is registered with the Information Commissioner’s Office under the primary registration number Z2076174. BANK OF IRELAND UK also undertakes some processing activities on behalf of the Group and when it does this it is a Processor.
- Personal information held
Most of the information we have is provided to us directly by you, however we also receive information about you indirectly from other sources such as credit reference agencies and we produce some information ourselves, for example, information about the way you use our products and services. The information we collect will depend on the nature of the relationship you have with us. We would like to reassure you that we only collect what is absolutely necessary to fulfil our contractual, legal and regulatory obligations, where it is in our legitimate business interests or you have given your consent.
The categories of information we collect about you are set out in Table 1.
We also collect information you’ve asked us to, for example details about other accounts or holdings with other companies, information from your credit broker as well as information that helps us combat fraud.
Call recordings, online chats and other communications On occasion we monitor and record our conversations when we speak on the telephone or through any online webchat.
We will have information that you have provided to us when filling in forms, making a claim or when communicating to us whether that is in person, by letter, email, online or otherwise.
CCTV We monitor Group assets for the safety of our staff and customers, through the use of CCTV. Special category/ sensitive data & criminal convictions On occasion we collect and use sensitive or special category information. This may include information about your race, ethnic origin, political views, religious beliefs, trade union membership, genetics, biometrics, health, sex life, or sexual orientation or any criminal convictions.
- Joint or multiple account holders
If you make an application with others, including an application on behalf of a business or other organisation, we will also collect the personal information mentioned throughout this privacy notice for all other applicants/parties. You must provide a copy of this privacy notice to all applicants/parties before sharing their information with us to ensure they also know what we are doing with their personal information.
When you open an account with others, this will mean that your information will be shared with the other applicant(s). For example, transactions made by you can be seen by your joint account holder and vice versa.
In respect of joint accounts (or business/other organisational accounts) and products, we will treat any instruction or consent received from an individual account holder as an instruction or consent on behalf of all account holders, until such time as we are told otherwise. If any consent provided in respect of a joint account is withdrawn, it will be withdrawn on behalf of all of you.
For this reason, we suggest that all account holders/parties discuss any decisions related to the account(s) together prior to making any changes, so that you each maintain full awareness of the treatment of all your personal information.
If you are married or financially linked to another person in the context of a particular product or service, a financial association may also be created between your records and theirs, including any previous and subsequent names used by you (for example, if you apply jointly or one is guaranteeing the debts of another). This means that we may treat your financial affairs as affecting each other. These links will remain on your and their files until you or they break that link. We will make searches on all joint applicants and evidence of that search will be left on all applicant records. The personal information you have either provided, we have collected from you or we have received from third parties for a Joint Account will also be used to prevent fraud and money laundering, and to verify the identity of each applicant.
- How we use your information and the legal basis for doing so
Before using your information we always ensure we have a valid reason, known as a ‘lawful basis’ for doing so. Below you will find an explanation of the different lawful bases we rely on and the reasons for their use.
Where we have your consent we will:
- Engage in electronic direct marketing;
- Undertake profiling of your information to allow us to automatically evaluate, analyse and predict various behaviours, preferences and situations – more information is provided under the ‘automated decision making & profiling section’;
- Apply data analytics solutions to your information to help us make informed business decisions such as how to improve the quality of a service we provide to you, your financial needs, detecting and identifying fraud;
- Process sensitive or special category data where there is no other applicable lawful basis.
If this applies to you we will explain how we would like to use your information and what we will do with it before we ask for your consent.
Prior to entering into an agreement or contract and while the contract is in place we will use your information to assess and provide the products and services you have requested. This includes:
- Providing a quote before a contract is issued;
- Assessing and processing applications for the products and services we offer which may also include profiling;
- Administering and managing existing products or services you have with us;
- Providing servicing communications to you such as changes in the terms and conditions of our products and services – these communications are separate from any marketing communications which we only issue electronically if we have your permission;
- Conducting credit reviews when you have applied to use one of our credit facilities. We use Credit Reference Agencies to search for details relating to your credit history. Where we make these searches the Credit Reference Agencies may keep a record of the search even if the application does not proceed. This record will be available to other organisations and could affect your ability to get credit elsewhere– further details can be found in our “Automated Decision Making” section.
If you are making a joint application your information will be linked to the other applicants by the Credit Reference Agencies. The association created between applicants will remain in place until you or another applicant is successful in asking the Credit Reference Agency for the link to be removed.
Details of the credit references agencies we use are provided in Table 2.
Credit Reference Agencies Contact Details Privacy Notice Equifax Ltd www.equifax.co.uk Customer Service Centre, PO Box 10036, Leicester, LE3 4FS www.equifax.co.uk/crain Experian Ltd www.experian.co.uk Consumer Help Service, PO BOX 8000, Nottingham, NG80 7WE www.experian.co.uk/crain TransUnion International UK
One Park Lane, Leeds, West Yorkshire, LS3 1EP www.transunion.co.uk/crain
We use your information to support the day to day administration of our business and to identify and pursue new business opportunities. This includes:
- Preventing, detecting and investigating suspicious or fraudulent activities;
- Informing Credit Reference Agencies about the performance and management of your account and your dealings with us including details of credit facilities and credit history with us. We may also tell them of any missed payments, defaults and any change of address;
- Carrying out relevant marketing and promotional activities;
- Developing and improving our products and services through activities such as reviewing customer feedback and assessing how you use our products and services;
- Monitoring and reviewing call recordings, online chats and other business activity for quality assurance, training and compliance purposes;
- Testing and validating the effectiveness of products, services and system enhancements;
- Performing audit, statistical or research activities (including anonymising your information) to help us understand trends in our customer behaviour including how products and services are used to help us:
- Improve the products and services we offer our customers, colleagues and communities;
- Develop products and services that better meet our customers’ needs and behaviours; and
- Understand and manage our risks better.
- Collecting and managing debt;
- Tracing you where we have a legitimate reason for doing so e.g. debt collection;
- Managing and monitoring Group assets including the use of CCTV in order to:
- Ensure the safety of our staff and customers
- Investigate suspected illegal activity or misconduct within our property
- Carrying out profiling that does not have a legal or other significant effect on you, please see the section ‘Automated decision making & profiling’ for more details;
- Assisting the Group with any proposed sale, merger or acquisition of the Group’s assets. We will only disclose your personal information if the third party agrees to keep it confidential and to use it only to consider the possible transaction. If the transaction goes ahead, the buyers, transferee or merger partner may use or disclose your personal information in the same way as set out in this notice;
- Managing and administering the Group’s legal affairs;
- Supporting the Group’s strategic planning and portfolio management through activities such as financial, regulatory and risk reporting;
- Managing designated accounts on behalf of National Asset Management Agency;
- Supporting the management of our information security and network controls with the aim of preventing cyber-attacks, unauthorised access and other criminal or malicious activities;
- Combining information from different sources to better understand any risks to the Group, serve your needs and understand more about you;
- Where it may be in the legitimate interest of someone other than you.
Where we are obliged to process your personal information to comply with the law, including our regulatory obligations, for example:
- Confirming your identity;
- Sharing your information with law enforcement agencies, tax authorities and other regulatory bodies;
- In relation to legal claims which may be your own, ours or those of third parties;
- Complying with our obligation to provide access to your account information where you or your joint account holder(s) have instructed an Account Information Service Provider (AISP), a Payment Initiation Service Provider (PISP), or Credit Based Payment Instrument Issuer (CBPII) to access your information;
- Screening applications and monitoring accounts to identify criminal activity such as fraud, terrorist financing, bribery, corruption and money laundering. If our searches, including those undertaken by fraud detection services, identify or raise suspicions of fraudulent activity we will pass your information to fraud prevention agencies and/or law enforcement. These agencies will use your personal information to prevent fraud and money laundering and to verify your identity. If fraud is detected you can be refused certain services, finance or employment. Further details about how your information will be used by fraud prevention agencies and your data protection rights can be found in appendix A.
The Fraud Prevention Agencies we use are detailed in Table 3 below.
Fraud Prevention Agencies Contact Details Privacy Notice Cifas
Consumer Affairs, 6th Floor, Lynton House, 7-12 Tavistock Square, London, WC1H 9LT www.cifas.org.uk/fpn National Hunter www.nhunter.co.uk PO Box 4744, Stone, Staffordshire, ST15 9FE www.nhunter.co.uk/privacypolicy
On occasion we may process your information where it is necessary for reasons of substantial public interest and/or for employment, social care and social protection such as:
- Where we need to provide support for individuals with a particular disability or medical condition or if you are a vulnerable customer;
- Safeguarding children and individuals at risk including the economic well-being of certain individuals;
- Protecting the public against dishonesty, including preventing and detecting unlawful acts;
- Complying with Government and regulatory Codes of Practice;
- We may share your personal information with other people and organisations such as members of our Group, your relatives, social services, your carer, or the person who has power of attorney over your affairs or a court of protection order if it is reasonable to do so.
In exceptional circumstances we will use and/or disclose information we hold about you to identify, locate or protect your vital interests or those of another individual.
- Automated decision making & profiling
When you make an application for a credit product and other financial services we use automated decision making tools often known as credit scoring to look at whether you’re likely to be able to afford the product or service and how likely you are to meet any payments. We use this information to decide whether to provide or deny credit.
When assessing your application we will consider four sources:
- The information you provide on your application;
- Information provided by credit reference agencies;
- Information that may already be held about you by companies within the Group;
- Other information that is publicly available.
If you submit an application to us and it is subsequently declined through this automated process, you can contact us within one month of your receipt of our decision and request we reconsider our decision. You also have the right to ask that the decision is not made based solely using a credit scoring system.
Throughout the duration of your relationship with us we may also use another form of automated decision making known as profiling.
Profiling the information we hold about you enables us to evaluate, analyse or predict your financial situation, preferences, reliability, behaviour and location. For example, we may profile your information:
- To assess your transaction history and/or current repayments and/or account balances to predict when you might want to increase an existing credit facility or consider a new loan or savings product;
- When you or any authorised user on your account uses a payment card or payment card information to perform a transaction, the information may be sent to us to evaluate and determine whether to approve, decline or refer a transaction for further review;
- To analyse the frequency or your use of online services or mobile banking to tailor or understand the effectiveness of our methods of communication.
With the exception of credit scoring that we use to enter into a contract with you or to monitor your ongoing credit status, we will not use profiling to make a decision about you that has a legal or other significant effect on you without your explicit consent or where otherwise permitted by law.
You may ask us not to make decisions about you that are based solely on automated processing. If you do this, you may not be offered some products or services that we might otherwise have offered to you.
- Who we share your information with
On occasion we may share your information with other members of the Group and external third parties. We only share your information where we have a legal basis for doing so and only if the third party agrees to manage your information in line with our own data protection standards.
The types of organisations we share your information with are outlined in Table 4.
Categories Description Members of the Bank of Ireland Group We may share your information with other members of the Bank of Ireland Group. Our Business Partners We work in close partnership with the Post Office, AA Financial Services and First Rate Exchange Services to offer a range of products. We therefore share your information with these organisations in line with our terms and conditions. From time to time we may also work with other organisations and if we do so we will let you know. Brokers and Dealers Some of our products are offered through a dealer or broker. If a dealer or broker is used, we will share your personal information with them but this will only be the minimum needed. Insurers When you apply for insurance with us we will pass your details to our insurance partner Royal Sun Alliance (RSA). RSA may subsequently share your information with other insurers to prevent fraudulent claims. Guarantors We will share your information with any Guarantor of your liabilities to us. Service Providers To support our business and the products and services we offer we use service providers to process information on our behalf. These include but are not limited to services such as:
- Keepers of asset registers, for example where we record that there is a security interest held against a car or check if there is an existing interest
- Document storage, destruction , archiving and printing facilities
- Consultancy services e.g. legal advisors, medical advisors, property surveyors, conveyancers, researchers
- Marketing,research and analysis companies
- Marketing companies
- Payment facilitators e.g. SWIFT, Moneygram, PayUK
- Analytics companies
- Investment companies
- Software development contractors
- Data processors
- Computer maintenance contractors
- Property contractors, consultants, conveyancers and valuers
- ATM administrators
- Courts and Court-appointed persons/entities,
- Receivers, liquidators, examiners, official Assignee for Bankruptcy and equivalent in other jurisdictions
- Debt collection agencies, budgeting and advice agencies, tracing agencies
- National Asset Management Agency and its agents or other parties designated by or agreed with National Asset Management Agency or designated under the relevant legislation
- Business partners and joint venture partners
- Member companies of the Finance and Leasing Association
- Associate members of International Factors Group
- Rating agencies
- Healthcare professionals
- Business associates and other advisers
- Financial organisations
- Credit reference agencies
- Finance houses, trade associations and professional bodies
- Central and local government
- Pension fund administrators
- Persons making an enquiry or complaint
- Police forces and security organisations, ombudsmen and regulatory authorities
- Correspondent banks and other financial institutions (e.g. for syndicated deals)
- Fraud and financial crime prevention agencies
- Suppliers of credit to which facilities management services are provided
- Credit card issuers and merchant acquirers, for example VISA and MasterCard
- Supply of status opinions to other financial institutions in accordance with banking practice
- Credit bureau
- Trustees of collective investment undertakings & pensions trustees
- Insurers and re-insurers
- Brokers or dealers who introduced you to us or third parties acting on their behalf
Government departments, Law enforcement and regulatory bodies On occasion we may be required to share your information with government departments, law enforcement agencies and regulatory bodies. This is usually to support the prevention of crime and to enable us to meet our legal and regulatory obligations. It may also be to enable other organisations to fulfil their public tasks. This includes organisations such as:
- Central Bank of Ireland
- Companies House
- Data Protection Commission
- Financial Conduct Authority
- Financial Ombudsman Service
- Financial Services Compensation Scheme
- Fraud prevention agencies
- Her Majesty’s Revenue and Customs (HMRC)
- Information Commissioner’s Office
- Lending Standards Board
- National Crime Agency
- Police services
- Prudential Regulation Authority
- US, EU and other designated authorities
Credit Reference Agencies When processing applications for one of our credit facilities we share your information with credit referencing agencies that will perform credit reviews. These agencies may retain a record of the search even if the application does not proceed. The credit reference agencies we use are Equifax Ltd.,, Experian Ltd., TransUnion International UK Ltd. Third parties acting on behalf of the Bank of Ireland Group plc. and/or Bank of Ireland (UK) plc. We may share your information with third parties connected with the sale, merger or acquisition of the Group’s assets; law companies who may assist with legal advice or litigation; market research companies or consultants who are conducting research or offering advice. Third parties acting on your behalf with your consent or to protect your vital interests or those of another person We may share your information with third parties where you have provided us with your consent and/or where this is in the vital interests of either you or another person. This may include legal representatives, accountants, financial advisors, family members, Account Information Service Providers (AISP), Payment Initiation Service Providers (PISP) and Credit Based Payment Instrument Issuer (CBPII), other financial organisations, employers, medical professionals.
- Consequences of not providing information
We will only collect information that is necessary to perform our contract with you, comply with our legal and regulatory obligations, where it is in our legitimate business interests or we have your consent. If you choose not to provide this information we may not be able to provide or continue to provide the products and services you have applied for.
- What rights do I have over my personal information
Under data protection legislation, you have a number of rights including the right to:
- Be informed if an organisation is using your personal data;
- Ask whether or not we are using or storing your personal information and to ask for a copy of that information;
- Ask us to correct/rectify inaccurate or incomplete information;
- Request human intervention if you disagree with a decision based solely on automated processing, although there are some exceptions;
- Withdraw your consent for us using your information where processing was based on us obtaining your consent;
- Request we erase your information in certain circumstances;
- Restrict how we use your information in some situations;
- In some circumstances object to the way we process your information;
- Request we port or transfer your information to another organisation or provide it to you in an accessible format for you to pass on.
Additional information on how you can exercise your rights is available here.
If you are unhappy about the way we have used your information, please let our Data Protection Officer know so we can help put things right. You also have the right to raise a complaint with the data protection regulator, the Information Commissioner (ICO) www.ico.org.uk.
- Transferring your personal data outside of the UK
The transfer and disclosure of personal data may take place worldwide. Where this takes place outside of the UK it will be on the basis of either:
- Appropriate or suitable safeguards as required by applicable laws or regulations
- An adequacy decision by the UK Government.
You can find out more information on the safeguards we rely on by contacting our Data Protection Officer.
- How long do we hold your information?
The length of time we hold your data depends on a number of factors, such as legal, operational or regulatory rules and the type of financial product we have provided to you.
These factors include:
- The regulatory rules contained in laws and regulations or set by authorities like the Bank of England, Financial Conduct Authority and the Prudential Regulation Authority.
- The type of financial product we have provided to you. For example, we may keep data relating to a mortgage product for a longer period compared to data regarding a single payment transaction.
- Whether you and we are in a legal or some other type of dispute with another person or each other.
- The type of data we hold about you.
- Whether you or a regulatory authority ask us to keep it for a valid reason.
- Whether we use your data for long-term statistical modelling, provided that such modelling does not affect any decision we make about you.
As a general rule, we keep your information for a specified period after the date on which a transaction has completed and/or you cease to be a customer. In most cases this period is 7 years but may be up to 13 years if we had a legal deed (such as a mortgage deed) in place. If we are not able to completely delete, destroy or anonymise your personal information within these times because, for example, there are inter-dependencies between IT systems, we will limit access to your personal information or put it beyond use wherever possible.
Please note that in some circumstances we may be required for legal or regulatory reasons to retain your information for longer periods, for example whilst supporting an investigation by a law enforcement agency or where litigation is in progress.
- Other privacy notices
Ensure you read the Privacy Notices issued by Credit Reference Agencies and Fraud Prevention Agencies which are available from their websites (see Table 2 on page 6 and Table 3 on page 8 of this notice for the website addresses).
If you were introduced to us by a broker or other intermediary, ask your broker or other intermediary, such as a motor dealer, for a copy of its own Privacy Notice if you have not already seen it. You should also ask for a copy of the Privacy Notice of any third party product and service provider you contract with.
- Changes to our Privacy Notice
It may be necessary to update this Privacy Notice from time to time, however if that is the case we will notify you of any significant changes by one or more of the following methods: post, SMS, e-mail or when you log into 365 online. We will also ensure the most recent version of the privacy notice is available here.
This privacy notice was last updated on 6 November 2020 and is effective from 1 December 2020.
- Contacting our Data Protection Officer
If you have any questions about how we use your information please let our Data Protection Officer know by either emailing firstname.lastname@example.org or writing to:
Bank of Ireland UK – Data Protection Officer
PO Box 3191
1 Temple Quay
If you require a copy of this privacy notice in braille, large print or audio, please contact us.
- Appendix A: Fraud Prevention Agencies
Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
This information may be your name, address, date of birth, address, contact details, financial information, employment details, device identifiers including IP address and vehicle details.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to prevent, detect and investigate crime.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making – if you want to know more please contact us using the details above.
Consequences of processing
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
Please note National Hunter rules currently do not allow for processing National Hunter data outside of the European Economic area.
Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.
For more information or to exercise your data protection rights, please contact us using the contact details above.
You also have a right to complain to the Information Commissioner’s Office which regulates the processing of personal data.