Call free on 0800 694 5566 Open 24 hours a day.


Norton Finance Group’s privacy policy and personal data use

Norton Finance Group Limited is made up of three entities:

All these branches adhere to the same privacy policy in a commitment to maintaining the privacy and protection of the personal data collected. Individuals’ personal data is received, held and processed by Norton Finance in accordance with the Data Protection Act 1998 (DPA98).

This page details all the key elements involved in the privacy policy, to help you easily understand how your personal data is stored and processed, and find out what action you can take to see it. The full Privacy Policy and ‘fair processing notice’ for Norton Finance Group can be found in a separate PDF here.

Collection and use of data

Any time you enquire about or apply for finance, we collect and store information regarding the application or enquiry. We may also collect data about you through a credit reference agency (CRA). Personal data is used for various purposes, including to:

We may keep your information for several years to fulfil regulatory requirements. We will contact you for marketing purposes with products we feel may be of interest to you. You can change your mind about receiving marketing communications at any time by contacting us.

Lending companies

Every lending company will have its own privacy policy, which customers should refer to as well. Norton Finance and almost all lenders will check the information supplied on any applications against data held by CRAs. Lenders will use this to assess the borrower, make sure the details provided are true, and accept or refuse the application. They may use this information for analysis even if an individual doesn’t take out a loan with that lender.

Who are the Credit Reference Agencies and how can I contact them?

There are three main CRAs in the UK, all of which are regulated by the Financial Conduct Authority (FCA) and can be contacted online:

Contact details for each of the CRAs can be found on a separate PDF.

What do Credit Reference Agencies use personal data for?

CRAs receive personal data that’s part of, derived from or used in credit activity. Lenders and creditors may use different CRA services, which can all use and store personal data for:

Each CRA also acts as a Fraud Prevention Agency (FPA). Data may be used by an FPA to prevent fraud and money laundering, cross-check details on proposals and insurance claims, trace an individual’s whereabouts and recover debt owed.

What are the Credit Reference Agencies’ legal grounds for handling personal data?

CRAs are legally entitled to handle personal data for a range of legitimate interests such as:

What kinds of personal data do Credit Reference Agencies use and where do they get it from?

Personal data including an individual’s name, date of birth and current and previous addresses are used for identification purposes by CRAs. Further data can also be obtained about:

This information is collected from different sources for each CRA, so they may not always hold the same data. Common sources used include Royal Mail, Insolvency Service, Companies House and Registry Trust Limited.

Who do Credit Reference Agencies share data with?

Data can be shared with FPAs, members of the credit reference agency data sharing arrangements (usually banks, building societies and other lenders), public bodies, law enforcement and regulators. It can also be shared with the individual the data refers to.

When an organisation uses a CRA’s services, it will be explained at the point of application that this is the case. In certain instances, businesses can compel CRAs by law to disclose data for specific purposes.

Where is personal data stored and sent?

All three CRAs are based in the UK along with their main databases. They may have operations in and outside of the European Economic Area (EEA), where personal data can also be accessed.

Personal data use is safeguarded by European data protection standards. However, sometimes CRAs will send or allow access to personal data from elsewhere. In these instances, they will be responsible for arranging suitable precautions, as the same high levels of legal protection may not apply outside of the EEA.

For how long is personal data retained?

The length of time personal data is kept by a CRA varies depending on its type. Much of the financial data is retained for six years from initial settlement dates, while identification data remains only for as long as it’s needed. Retention of search footprints varies: Experian and Equifax keep most records for one year, while TransUnion retains them for two.

Do the Credit Reference Agencies make decisions about me or profile me?

The lender is the one that decides whether to offer an individual credit. CRAs provide the data and analytics that can lead to different decisions from lenders, as some will value certain factors over others.

When requested, CRAs can use the data obtained to create scores, which may profile you. Individuals’ data may be taken as an example by lenders to inform decisions on similar cases in future. However, this is just one of a range of variables lenders use.

What can I do if I want to see the personal data held about me?

You have a right to find out what personal data CRAs hold about you. Contact each one to find out more about your access rights:

What can I do if my personal data is wrong?

If you think any personal data a CRA holds is incorrect or incomplete you have a right to challenge it. They won’t be able to change the data without permission from the organisation that supplied it, so they will need to take reasonable steps to check it first. If the data is wrong, the CRA will update its records. But if they believe it is correct, it will remain.

You can add a note to your file stating that you disagree with the information provided, or explain the circumstances further. Do this by contacting the relevant CRA using the links above.

Can I object to the use of my personal data and have it deleted?

You also have the right to lodge an objection with a CRA about the processing of your personal data by contacting them. Under the General Data Protection Regulation (GDPR), your right to object doesn’t automatically lead to processing being stopped or data deleted. In many cases, CRAs will have compelling, overriding grounds to keep using the personal data, for example if an objection could be used to hide a poor credit history, allowing an individual to get credit they shouldn’t be eligible for.

Can I restrict what the Credit Reference Agencies do with my data?

Article 18 of the GDPR sets out your rights to restrict processing of your personal data. It isn’t an absolute right and processing may continue when your consent is given if it’s for the establishment, exercise or defence of legal claims, or the protection of the rights of another legal person. CRAs will consider and respond to any such requests received.

Who can I complain to if I’m unhappy about the use of my information?

Contact the CRA directly so they can investigate any concerns. Should you be unhappy with the investigation, you can refer it to the Financial Ombudsman Service for free. This is an independent public body that aims to settle disputes between consumers and businesses.

Or you can refer concerns to the Information Commissioner’s Office (ICO). This body regulates the handling of personal data in the UK.

Where can I find out more?

The Norton Finance Group privacy policy and ‘fair processing notice’ provides comprehensive coverage here.

The ICO’s Credit Explained leaflet provides extra advice and information. More information about each CRA and what they do with personal data is available on their respective websites.
