Privacy & Data Protection Policy
Our commitment to privacy within Howden Insurance Brokers Limited
At Howden Insurance Brokers Limited ("HIBL") ("we", "us", "our"), we regularly collect and use information which may identify individuals ("personal data"), including insured persons or claimants. We understand our responsibilities to handle your personal data with care, to keep it secure and to comply with applicable data protection laws.
The purpose of this Privacy Notice is to provide a clear explanation of when, why and how we collect and use personal data. We have designed it to be as user friendly as possible, and have labelled sections to make it easy for you to navigate to the information that may be most relevant to you and to allow you to click on a topic to find out more.
Do read this Privacy Notice with care. It provides important information about how we use personal data and, where we hold your data, explains your legal rights. This Privacy Notice is not intended to override the terms of any agreement or other contract which you have with us or any rights you might have available under applicable data protection laws.
We may amend this Privacy Notice from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business. We will notify you about material changes by prominently posting a notice on our website. We encourage you to periodically check back and review this Privacy Notice so that you will always know what information we collect, how we use it, and with whom we share it.
This version of the Privacy Notice was published on 21 April 2022.
Who does this Privacy Notice relate to?
This Privacy Notice relates to the following types of individuals, where we hold your personal information:
- Individuals who are clients, including prospective clients who have received an insurance quotation, former clients who have previously held an insurance policy arranged or administered by us, and client representatives, for example those with power of attorney;
- Representatives and contacts associated with prospective, current and former clients;
- Visitors to our websites;
- Individuals who contact us with a query, concern or complaint;
- Individuals named on insurance policies, such as named drivers, joint policy holders, or beneficiaries;
- Individuals who request information from us or permit us to contact them for marketing purposes.
There are types of individuals who this Privacy Notice does not relate to, for example our employees and sub-contractors (including prospective and former employees and sub-contractors). If you are one of these individuals and would like further information on how we collect, use and store your data, please contact us. Our contact details are shown in the “how you can contact us” section of this Privacy Notice.
1. Who is responsible for looking after your personal data?
HIBL is a subsidiary of Howden Broking Group Limited (“HBG”), which is part of the Howden Group, whose registered office is at One Creechurch Place, London, EC3A 5AF. HIBL is an independent Lloyd’s of London insurance broker, authorised and regulated by the Financial Conduct Authority (“FCA”). Our FCA Firm Reference Number is 309639. We trade under various trading / brand names. These details can be checked on the Financial Services Register by visiting https://register.fca.org.uk. We are registered with the Information Commissioner’s Office (ICO) under registration Z6189879.
HIBL will generally collect and process personal data in its capacity as a Data Controller; however, it may also provide services to clients or insurers in its capacity as a Data Processor, for example via the provision of a platform through which personal data is collected and processed. Where this is the case, we will process your personal information in line with our legal obligations and contractual commitments made to the entity acting as Data Controller.
2. WHAT personal data do we collect?
We collect your personal data and use it in different ways depending on your relationship with us, for example if you are a policyholder, related party or claimant, and how you have interacted with us. This can include information we receive from other third parties. Depending on your relationship with us, we may hold the following types of personal data about you:
- Identity and contact data: for example, your name, date of birth, postal address, telephone number and e-mail address.
- Claims data: for example, data relating to claims made via us, or your previous claims experience.
- Payment and account data: for example, your bank account details or brokerage fees.
- Location data: for example, your postal or IP address, the location of any insured property, and in the event of a claim, where the incident occurred.
- Correspondence data: for example, copies of letters and e-mails we send you or you send to us, and notes or call recordings of any telephone conversations.
- Internet data: for example, information collected by cookies and other online technologies such as Google Analytics, as you use our website or contact us by online methods.
- Information we obtain from other sources: for example from credit agencies, anti-fraud and other financial crime prevention agencies and other data providers. This can include demographic data and interest-based data.
- Complaint data: for example, what the complaint was, how we investigated it and how we resolved it, including any contact with the Financial Ombudsman Service or other third party adjudicator services.
Some of our processes combine different sets of information we hold. This can include combining different data sets we have about you, or combining your information with that of other individuals.
Special Category Data
Certain types of information are known as “special category data” under data protection law, and receive additional protection due to their sensitivity, for example information that reveals your health or medical conditions, criminal conviction history, race or ethnicity, your political views or your religious beliefs.
We will only collect this information where we have a legal basis for doing so, and where it is strictly necessary, such as:
- When it is relevant to the type of insurance you are enquiring about, have purchased, previously held or that you have been named on;
- When it is relevant to a claim you have made or that someone else has made against you;
- Where it is relevant to a complaint or issue you have raised with us; and,
- To arrange alternate forms of correspondence for you, such as Braille, audio format or Touch-Type services.
3. What PURPOSES do we use your personal data for and what is our LEGAL BASIS?
We are required to establish a legal basis to use your personal data (please see Appendix 2 for further details). We use your information for the following lawful reasons:
- To enter into or perform a contract: for example to provide you with an insurance quotation, to start, change or cancel an insurance policy, to administer the policy, to manage any claims which arise, to answer any queries you may have, action your requests or perform any debt recovery.
- To comply with a legal obligation: for example the rules set by our regulator the FCA, to fulfil your data rights under data privacy laws, handle complaints about data privacy or our financial products and services, and to comply with other legal requirements such as preventing money laundering and other financial crimes.
- For our legitimate business interests: for example to offer a renewal, detect and prevent fraud, for statistical analysis, to monitor and improve our business and our products and services, demonstrate compliance with applicable laws and regulations and some marketing activities. Where we rely on this lawful reason, we assess our business needs to ensure they are proportionate and do not affect your rights. In some instances, you also have the right to object to this kind of use. For more information on our legitimate interests, please refer to Appendix 2.
- With your consent: for example if you consent to us contacting you for marketing purposes. You can withdraw your consent at any time; for more information please visit the “Your data rights” section of this Privacy Notice.
- To protect vital interests: in extreme or unusual circumstances, we may need to use your information to protect your life or the lives of others.
Special Category Data
The processing of special category data, such as health data, requires an additional legal basis to the grounds set out above. This additional legal basis will typically be:
- your explicit consent;
- the establishment, exercise or defence by us or third parties of legal claims; or
- a substantial public interest exemption provided under local laws of EU Member States and other countries implementing the General Data Protection Requirements (“GDPR”), such as where the processing is necessary for an insurance purpose, or to detect or prevent unlawful acts, or to prevent fraud
PLEASE NOTE – Our lawful basis for processing your special categories of data will usually be that it is necessary for reasons of substantial public interest and subject to appropriate protections. In the limited circumstances where the benefits are not secured by insurance, and no other legal basis is available, the legal basis of our processing will be your explicit consent. Where necessary, documentation that you need to complete to provide that information will include a provision where you can indicate that consent. You may withdraw your consent to such processing at any time, however you should be aware that if you choose to do so we may be unable to continue to provide insurance services to you (and it may not be possible for the insurance cover to continue), or continue to support you in administering a claim. This may also mean that your policy will need to be cancelled. If you choose to withdraw your consent we will tell you more about the possible consequences, including that we may no longer be able to act as your broker of record or place or administer your policy and that you may have difficulties finding other cover. Further, we may not be able to support you in processing your claim.
4. Who do we SHARE your personal data with?
Where applicable, we share your personal data with the following types of third parties when we have a valid reason to do so:
- Other Howden Group companies (including those who are in run-off but who may still carry out certain regulated activities) and our Appointed Representatives.
- Other Insurers, intermediaries including but not limited to other Insurance Brokers and Managing General Agencies, Risk Management Assessors, Uninsured Loss Recovery Agencies and Third Party Administrators who work with us to help manage the process and administer our policies,
- Service Providers who help manage our IT and back office systems, or who provide platforms and portals for administering policies and member details
- Our regulators, which may include the FCA and ICO, as well as other regulators and law enforcement agencies in the E.U. and around the world,
- Credit reference agencies, Premium Finance Providers, and organisations working to prevent fraud in financial services,
- Solicitors (who may be legal representatives for you, us or a third party claimant) and other professional services firms (including our auditors)
- Marketing fulfilment, webinar and customer satisfaction service providers, acting on our behalf in facilitating online events, providing marketing communications and capturing feedback from our customers on our service levels,
- Third Party Administrators, Loss Adjusters and Claims Experts who work with us to help manage the claims process,
- Potential purchasers of our businesses.
We may also make your information available to other companies which are part of Howden Group Holdings, who support us in providing our services to you. They may use this information for statistical analysis, business reporting or for external business development purposes for which they may receive remuneration, such as providing market insight to insurers on a confidential basis. We and they will only disclose your personal data to third parties outside of the Howden Group in accordance with Data Protection Law, or in an anonymised and/or aggregated format where necessary to support the purposes stated above. Finally, insurance involves the use and disclosure of your personal data by various insurance market participants. The Lloyd’s and London Insurance Market Core Uses Information Notice sets out how insurance market participants process your personal data during the insurance lifecycle. Please review this Notice as well as our Privacy Notice.
5. International Transfers
For business purposes, to help prevent/detect crime or where required by Law or Regulation, we may need to transfer, or allow access to, your personal data to parties based overseas. These parties include brokers, insurers, re-insurers, service providers, other Howden Group companies & law enforcement agencies. Where we do this, we will ensure that your information is transferred in accordance with the applicable Data Protection requirements.
If the Data Protection laws of the country where we transfer your data are not recognised as being equivalent to those in the UK, we will ensure that the recipient enters into a formal legal agreement that reflects the standards required.
You have the right to ask us for more information about the safeguards we have put in place as mentioned above. Contact us as set out in Section 9 of this Privacy Notice if you would like further information or to request a copy where the safeguard is documented (which may be redacted to ensure confidentiality).
6. Automated Decision Making and Profiling
If you are an Insured Person undertaking a credit check through a premium finance lender, we may use Automated Decision Making to determine what action to take based on the resulting credit score. We do not use Profiling.
Please note: You have certain rights in respect of Automated Decision Making and Profiling. See Section 8 for more information about your rights.
7. How long do we keep your personal data?
We will retain your personal data for as long as is reasonably necessary for the purposes listed in Section 3 of this Privacy Notice. In most cases this will be for seven (7) years following the end of our relationship with you; however, in some circumstances we may retain your personal data for longer periods of time, for instance:
- Where we are required to do so in accordance with legal, regulatory, tax or accounting requirements;
- So that we have an accurate record of your dealings with us in the event of any complaints or challenges;
- If we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
We maintain a data retention policy which we apply to records in our care. Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business. You can request a copy by contacting us on the details shown in Section 9 of this Privacy Notice.
8. What are your rights?
Data protection law gives you rights relating to your personal data. This section gives you an overview of these and how they relate to the information you give us. The UK supervisory authority for data rights, the Information Commissioner’s Office (ICO), has also published detailed information about your rights on their website: www.ico.org.uk
- Your right of access
You have a right to request copies of the personal data we hold on you, along with meaningful information on how it is used and who we share it with. This right always applies, but there are some instances where we may not be able to provide you with all the information we hold. If this is the case, we will confirm why we are unable to provide it - unless there is a valid legal reason that means we cannot let you know why.
- Your right to rectification
If personal data we hold is inaccurate or incomplete, and this has an impact on the way we are using your data, you have the right to have any inaccuracies corrected and for any incomplete data to be completed. If you ask us to rectify your personal data, we will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why.
- Your right to erasure (the right to “be forgotten”)
You have the right to request that your personal data is erased in certain circumstances. If you ask us to erase your personal data, we will either confirm to you that this has been done, or if we are unable to delete it, let you know why and also inform you how long we will hold it for. For more information, see Section 7 of this Privacy Notice.
- Your right to restrict processing
You can ask us to restrict the use of your personal data in certain circumstances. If you ask us to restrict the use of your personal data, we will either confirm to you that this has been done, or if we are unable to restrict it, we will inform you why.
- Your right to object to direct marketing
You can object to receiving direct marketing from us, for example by clicking on the unsubscribe link in any email you receive from us. If you do so, we will ensure that you do not receive such material going forward, unless you change your mind and specifically request it in the future.
- Your right to object to automated decision-making
You can object to decisions made about you using your personal data undertaken by purely automated means. If you do so, we will arrange for someone to assess the automated decision and confirm the outcome of this assessment to you.
- Your right to challenge our legitimate interests
You can challenge the use of your personal data where we use a legitimate business interest as a legal basis to process your information. You can find more information on when we use this legal basis in Section 3 of this Privacy Notice. If you do so, we will either confirm to you that the processing has stopped or, if there is a valid reason for the processing to continue, inform you why.
- Your right to object to the use of your information for statistical purposes
You can object to us using your personal data for statistical purposes in some instances. If you do so, we will either confirm to you that the processing has stopped or, if there is a valid reason for the processing to continue, inform you why.
- Your right to data portability
In certain circumstances, you have the right to request that your personal data be compiled into a common, machine readable format and either provided directly to you or sent by us to a third-party you nominate. If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why.
To exercise your rights you may contact us as set out in Section 9; however, please note the following:
- We take the confidentiality of all records containing personal data seriously, and reserve the right to ask you for proof of your identity if you make a request.
- We will not ask for a fee to exercise any of your rights in relation to your personal data, unless your request for access to information is unfounded, repetitive or excessive, in which case we will charge a reasonable amount in the circumstances. We will let you know of any charges before completing your request.
- We aim to respond to any valid requests within one month unless it is particularly complicated or you have made several requests, in which case we aim to respond within three months. We will let you know if we are going to take longer than one month. We might ask you if you can help by telling us what exactly you want to receive or are concerned about. This will help us to action your request more quickly.
- Local laws, including in the UK, provide for additional exemptions, in particular to the right of access, whereby personal data can be withheld from you in certain circumstances, for example where it is subject to legal privilege.
- Third Party Rights. We do not have to comply with a request where it would adversely affect the rights and freedoms of other data subjects.
- Your right to complain
If you are unhappy with how we have used your personal data or if you believe we have failed to fulfil your data rights, you have the right to complain to us, and can contact us to raise your concerns using the details shown in Section 9 of this Privacy Notice.
If you remain unhappy with our response you may raise a complaint with a supervisory authority responsible for data protection and privacy.
In the UK, the supervisory authority is the Information Commissioner’s Office (ICO), who can be contacted using the following details:
By e-mail: [email protected]
By telephone: 0303 123 1113
By post: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
9. How you can contact us
Should you wish to enforce a right or to make a complaint, please contact [email protected]. We aim to provide a final response within one month of receiving a request, unless the request is particularly complex in which case we will let you know when we expect to complete it by.
Appendix 1 - CATEGORIES OF PERSONAL DATA
DETAILS OF INFORMATION THAT WE TYPICALLY CAPTURE
Name, address, telephone number, email address.
Policy number, relationship to the policyholder, details of policy including insured amount, exceptions etc., previous claims, voice recordings
Personal Risk Information
Gender, date of birth, claims history and special categories of Data including:
Bank account details (where you are the payer of the policy premium)
Name, email address, interests / marketing list assignments, record of permissions or marketing objections, website data (including online account details, IP address), company name, company address, phone number and job title
Policy Information (excluding third party claimants)
Policy number, relationship to the policyholder/Insured Person, details of policy including insured amount, exceptions etc., previous claims, voice recordings
Details of incident giving rise to claim, including:
Bank account details used for payment
Address, history of fraudulent claims, details of incident giving rise to claim including:
Appendix 2 - LEGAL BASIS FOR PROCESSING
The basis on which we use the information
Set up a record on our systems
Carry out background, sanction, fraud and credit checks
Assess risk and provide information in order to place policy
Provide client care and support
Receive premiums and payments
Comply with legal and regulatory obligations
Receive notification of claim
Monitor and detect fraud
Comply with legal and regulatory obligations