Norton Finance Group Limited is made up of three entities:
- Norton Home Loans Limited,
- Norton Financial Services Limited
- Norton Finance and Mortgages Limited.
Collection and use of data
Any time you enquire about or apply for finance, we collect and store information regarding the application or enquiry. We may also collect data about you through a credit reference agency (CRA). Personal data is used for various purposes, including to:
- Process the application you have made by reference to lender information.
- Provide your information to a lender for them to assess your suitability.
- Make searches at a CRA.
- Offer other products that are available to you.
We may keep your information for several years to fulfil regulatory requirements. We will contact you for marketing purposes with products we feel may be of interest to you. You can change your mind about receiving marketing communications at any time by contacting us.
Who are the Credit Reference Agencies and how can I contact them?
There are three main CRAs in the UK, all of which are regulated by the Financial Conduct Authority (FCA) and can be contacted online:
Contact details for each of the CRAs can be found on a separate PDF.
What do Credit Reference Agencies use personal data for?
CRAs receive personal data that’s part of, derived from or used in credit activity. Lenders and creditors may use different CRA services, which can all use and store personal data for:
- Credit reporting and affordability checks
- Verifying data and detecting instances of fraud
- Account management
- Tracing and debt recovery
- Statistical analysis, analytics and profiling
- Database activities
- Other uses with your permission, or when required or permitted by law
Each CRA also acts as a Fraud Prevention Agency (FPA). Data may be used by an FPA to prevent fraud and money laundering, cross-check details on proposals and insurance claims, trace an individual’s whereabouts and recover debt owed.
What are the Credit Reference Agencies’ legal grounds for handling personal data?
CRAs are legally entitled to handle personal data for a range of legitimate interests such as:
- Promoting responsible lending and helping stop over-indebtedness
- Preventing and detecting crime and fraud
- Supporting tracing and collections
- Complying with and supporting compliance with legal and regulatory requirements
What kinds of personal data do Credit Reference Agencies use and where do they get it from?
Personal data including an individual’s name, date of birth and current and previous addresses are used for identification purposes by CRAs. Further data can also be obtained about:
- financial accounts
- late and missing repayments
- credit limits
- court judgements
- insolvency and more.
This information is collected from different sources for each CRA, so they may not always hold the same data. Common sources used include Royal Mail, Insolvency Service, Companies House and Registry Trust Limited.
Who do Credit Reference Agencies share data with?
Data can be shared with FPAs, members of the credit reference agency data sharing arrangements (usually banks, building societies and other lenders), public bodies, law enforcement and regulators. It can also be shared with the individual the data refers to.
When an organisation uses a CRA’s services, it will be explained at the point of application that this is the case. In certain instances, businesses can compel CRAs by law to disclose data for specific purposes.
Where is personal data stored and sent?
All three CRAs are based in the UK along with their main databases. They may have operations in and outside of the European Economic Area (EEA), where personal data can also be accessed.
Personal data use is safeguarded by European data protection standards. However, sometimes CRAs will send or allow access to personal data from elsewhere. In these instances, they will be responsible for arranging suitable precautions, as the same high levels of legal protection may not apply outside of the EEA.
For how long is personal data retained?
The length of time personal data is kept by a CRA varies depending on its type. Much of the financial data is retained for six years from initial settlement dates, while identification data remains only for as long as it’s needed. Search footprints vary as Experian and Equifax keep most records for one year, while TransUnion retains them for two.
Do the Credit Reference Agencies make decisions about me or profile me?
The lender is the one that decides whether to offer an individual credit. CRAs provide the data and analytics that can lead to different decisions from lenders, as some will value certain factors over others.
When requested, CRAs can use the data obtained to create scores, which may profile you. Individuals’ data may be taken as an example by lenders to inform decisions on similar cases in future. However, this is just one of a range of variables lenders use.
What can I do if I want to see the personal data held about me?
You have a right to find out what personal data CRAs hold about you. Contact each one to find out more about your access rights:
What can I do if my personal data is wrong?
If you think any personal data a CRA holds is incorrect or incomplete you have a right to challenge it. They won’t be able to change the data without permission from the organisation that supplied it, so they will need to take reasonable steps to check it first. If the data is wrong, the CRA will update its records. But if they believe it is correct, it will remain.
You can add a note to your file stating that you disagree with the information provided, or explain the circumstances further. Do this by contacting the relevant CRA using the links above.
Can I object to the use of my personal data and have it deleted?
You also have the right to lodge an objection with a CRA about the processing of your personal data by contacting them. Under General Data Protection Regulation (GDPR), your right to object doesn’t automatically lead to processing being stopped or data deleted. In many cases, CRAs will have compelling, overriding grounds to keep using the personal data. For example, if an objection could be used to hide a poor credit history, allowing an individual to get credit they shouldn’t be eligible for.
Can I restrict what the Credit Reference Agencies do with my data?
Article 18 of the GDPR sets out your rights to restrict processing of your personal data. It isn’t an absolute right and processing may continue when your consent is given if it’s for the establishment, exercise or defence of legal claims, or the protection of the rights of another legal person. CRAs will consider and respond to any such requests received.
Who can I complain to if I’m unhappy about the use of my information?
Contact the CRA directly so they can investigate any concerns. Should you be unhappy with the investigation, you can refer it to the Financial Ombudsman Service for free. This is an independent public body that aims to settle disputes between consumers and businesses.
Or you can refer concerns to the Information Commissioner’s Office (ICO). This body regulates the handling of personal data in the UK.
Where can I find out more?
The ICO’s Credit Explained leaflet provides extra advice and information. While more information about each CRA and what they do with personal data is available on their own respective websites.