Note:

This area of our website offers information about some of the things we do as a responsible business. For more practical information, visit our privacy page.


Our policies and practices

We are committed to protecting the data under our control and achieving compliance with all legal and regulatory obligations, such as the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communication Regulations (PECR). We go to significant lengths to ensure we are delivering on our accountabilities.

  • We’ll only use data in a way that is specified on our How we use your information page. This explains when we collect personal information and what we do with it, including those times when we have a business, legal or regulatory requirement to share it. We regularly review our policy and use it alongside our ‘just in time’ Customer Advisory Notices. Any significant changes are communicated to individuals in a timely manner.

  • We keep an accurate and up to date Record of Data Processing (RoDP). This details the data that is processed within the Society or with any third parties, and ensures that data is only used for the intended purpose and legal basis upon which it was collected.

  • We use only the minimum amount of information needed for the processing of personal data under each defined purpose.

  • We ensure that as far as reasonably practicable, personal information is accurate and up to date, and stored in line with the defined periods set out in our retention schedules. A deletion programme is in place for data that has fallen outside of these.

  • Through the Data Governance Record Management and Retention Standard, we ensure that records within the Society are effectively identified, managed and retained in the right place, for the right period of time.

  • We have dedicated teams who are responsible for ensuring the security of systems and data. All employees (including temporary workers and contractors) understand the importance of keeping data safe and secure, and undertake mandatory annual data privacy training as a minimum, with the Data Privacy team delivering a regular programme of bespoke, role-based training.

  • Our security policies and controls govern all relevant business areas and outline how Nationwide protects the confidentiality, integrity and availability of information and systems, and access control ensures employees only have access to data they need to perform their role. Encryption and de-identification techniques are used to ensure identifiable information is anonymised where possible.

  • We take the security and privacy of data very seriously, and undergo regular testing and auditing of these functions, including against PCI DSS and the NIST cyber maturity framework, which cover all our data security operations. We also have a Physical Security policy documenting the approach to managing physical security risk.

  • We ensure individuals’ rights are always respected in the processing of data, and that systems and processes are in place to ensure data subject rights can be easily exercised through all of our core channels.

  • We will only share information with our partners and suppliers that support the operation of the business, where we’re required to do so, or with specific third parties that customers have authorised us to deal with. Our Supplier Security Team ensure that due diligence is completed before we engage with a third party, including security checks and reviews.

  • We never use data in a way that would intentionally cause detriment to a data subject, but we understand that, at times, things can still go wrong. When this happens, we have an Incident Management team and process that ensure we resolve the issue and minimise the impacts through an incident investigation, and that corrective action is taken. We use well-established incident management, disaster recovery and business continuity plans to ensure the minimum amount of impact or harm. In the event of a data breach, we are committed to notifying data subjects in a timely manner when appropriate, and have clear and accessible mechanisms for individuals to raise concerns about data privacy. We regularly test key privacy processes, such as information rights requests, breach identification and privacy impact assessments, to make sure they are working properly.


How we monitor and improve our performance

Compliance with our policies and procedures is monitored through our three lines of defence model of risk management, risk oversight and audit assurance. Our first line of defence is our Data Privacy team, who report into the Chief Security and Resilience Officer. We have an independent Data Protection Officer (DPO) who reports into the Director of Operational Risk Oversight and is responsible for the oversight of data protection activity across the Society.

The DPO prepares and presents an annual review of Data Protection activity to the Board Risk Committee.

We work proactively with the wider financial services industry and the regulator to share good practice and shape responses to new and evolving privacy risks.


Last updated: September 2025